From 03a299bf362c5efbe3217c4822a57af8abfed0c3 Mon Sep 17 00:00:00 2001
From: Max Phillips
Date: Wed, 23 Oct 2024 14:12:36 -0500
Subject: [PATCH 1/4] Create policy page
---
 .../build-network-policies/create-policy.mdx | 33 +++++++++++++++++++
 .../build-network-policies/index.mdx | 4 +--
 .../recommended-network-policies.mdx | 2 +-
 3 files changed, 36 insertions(+), 3 deletions(-)
 create mode 100644 src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/create-policy.mdx
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/create-policy.mdx
new file mode 100644
index 00000000000000..7b469157707b42
--- /dev/null
+++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/create-policy.mdx
@@ -0,0 +1,33 @@
+---
+title: Create your first DNS policy
+pcx_content_type: learning-unit
+sidebar:
+ order: 1
+---
+
+import { Render } from "~/components";
+
+DNS policies determine how Gateway should handle a DNS request. When a user sends a DNS request, Gateway matches the request against your filters and either allows the query to resolve, blocks the query, or responds to the query with a different IP.
+
+You can filter DNS traffic based on query or response parameters (such as domain, source IP, or geolocation). You can also filter by user identity if you connect your devices to Gateway with the [WARP client or Cloudflare One Agent](/learning-paths/secure-internet-traffic/connect-devices/install-agent/). To learn more, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
+
+To create a new network policy:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
+
+2. In the **Network** tab, select **Add a policy**.
+
+3. Name the policy.
+
+4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
+
+5. Choose an **Action** to take when traffic matches the logical expression. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories):
+
+
+
+6. Select **Create policy**.
+
+For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/index.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/index.mdx
index 5c149b26bee341..5aa96e4ac220c7
--- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/index.mdx
+++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/index.mdx
@@ -3,7 +3,6 @@ title: Build network security policies
 pcx_content_type: overview
 sidebar:
 order: 8
-
 ---
 After creating policies for security based on DNS resolution, we can layer in additional security controls with the Gateway network firewall, which operates at Layer 4 of the OSI model. The Gateway network firewall allows you to build specific policies to block users or services' ability to connect to endpoints at specific IPs or on specific ports. You can also use [Protocol Detection](https://developers.cloudflare.com/cloudflare-one/policies/gateway/network-policies/protocol-detection/) to block proxying specific protocols.
@@ -12,4 +11,5 @@ After creating policies for security based on DNS resolution, we can layer in ad
 By the end of this module, you will be able to:
-* Add recommended network security policies.
+- Creat your first Gateway network policy.
+- Add recommended network security policies.
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx
index a7ad7a44bfff60..2c8d587b0d40ff
--- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx
+++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx
@@ -2,7 +2,7 @@
 title: Recommended network policies
 pcx_content_type: learning-unit
 sidebar:
- order: 1
+ order: 2
 ---
 import { Details, GlossaryTooltip, Render } from "~/components";
From 9bdeb58ff1cf871c4a35bd4db6babb981f8dc59c Mon Sep 17 00:00:00 2001
From: Max Phillips
Date: Wed, 23 Oct 2024 14:35:20 -0500
Subject: [PATCH 2/4] Add policy partial
---
 .../gateway/network-policies/common-policies.mdx | 10 ++--------
 .../build-dns-policies/create-policy.mdx | 8 +-------
 .../build-network-policies/create-policy.mdx | 14 ++++----------
 .../gateway/policies/enforce-device-posture.mdx | 10 ++++++++++
 4 files changed, 17 insertions(+), 25 deletions(-)
 create mode 100644 src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx
diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx
index 9d6e404395959a..09912313f67f01
--- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx
@@ -6,10 +6,9 @@ sidebar:
 head:
 - tag: title
 content: Common network policies
-
 ---
-import { Render } from "~/components"
+import { Render } from "~/components";
 The following policies are commonly used to secure network traffic.
@@ -23,12 +22,7 @@ Refer to the [network policies page](/cloudflare-one/policies/gateway/network-po
 Require devices to have certain software installed or other configuration attributes. For instructions on enabling a device posture check, refer to the [device posture section](/cloudflare-one/identity/devices/).
-In the following example, users can only access an application if they connect from a company device.
-
-| Selector | Operator | Value | Logic | Action |
-| ---------------------------- | -------- | ----------------------- | ----- | ------ |
-| Passed Device Posture Checks | not in | `Device serial numbers` | And | Block |
-| SNI Domain | is | `internalapp.com` | | |
+
 ## Enforce session duration
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx
index 679410504a4df7..af26c540b484a9
--- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx
+++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx
@@ -9,25 +9,19 @@ import { Render } from "~/components";
 DNS policies determine how Gateway should handle a DNS request. When a user sends a DNS request, Gateway matches the request against your filters and either allows the query to resolve, blocks the query, or responds to the query with a different IP.
-You can filter DNS traffic based on query or response parameters (such as domain, source IP, or geolocation). You can also filter by user identity if you connect your devices to Gateway with the [WARP client or Cloudflare One Agent](/learning-paths/secure-internet-traffic/connect-devices/install-agent/). To learn more, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
+You can filter DNS traffic based on query or response parameters (such as domain, source IP, or geolocation). You can also filter by user identity if you connect your devices to Gateway with the [WARP client or Cloudflare One Agent](/learning-paths/secure-internet-traffic/connect-devices/install-agent/).
 To create a new DNS policy:
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
-
 2. In the **DNS** tab, select **Add a policy**.
-
 3. Name the policy.
-
 4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
-
 5. Choose an **Action** to take when traffic matches the logical expression. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories):
-
-
 6. Select **Create policy**.
 For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/create-policy.mdx
index 7b469157707b42..19312de6567545
--- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/create-policy.mdx
+++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/create-policy.mdx
@@ -1,5 +1,5 @@
 ---
-title: Create your first DNS policy
+title: Create your first network policy
 pcx_content_type: learning-unit
 sidebar:
 order: 1
@@ -14,20 +14,14 @@ You can filter DNS traffic based on query or response parameters (such as domain
 To create a new network policy:
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
-
 2. In the **Network** tab, select **Add a policy**.
-
 3. Name the policy.
-
 4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
-
-5. Choose an **Action** to take when traffic matches the logical expression. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories):
-
+5. Choose an **Action** to take when traffic matches the logical expression.
-
 6. Select **Create policy**.
-For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
+For more information, refer to [network policies](/cloudflare-one/policies/gateway/network-policies/).
diff --git a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx
new file mode 100644
index 00000000000000..9e3d59827039ef
--- /dev/null
+++ b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx
@@ -0,0 +1,10 @@
+---
+{}
+---
+
+In the following example, users can only access an application if they connect from a company device:
+
+| Selector | Operator | Value | Logic | Action |
+| ---------------------------- | -------- | ----------------------- | ----- | ------ |
+| Passed Device Posture Checks | not in | _Device serial numbers_ | And | Block |
+| SNI Domain | is | `internalapp.com` | | |
From a1d386e0e8de1ce3acf9ca343109e264fc645b4d Mon Sep 17 00:00:00 2001
From: Max Phillips
Date: Wed, 23 Oct 2024 14:39:52 -0500
Subject: [PATCH 3/4] Add preamble
---
 .../build-network-policies/create-policy.mdx | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/create-policy.mdx
index 19312de6567545..f851a8d4abf54b
--- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/create-policy.mdx
+++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/create-policy.mdx
@@ -7,9 +7,7 @@ sidebar:
 import { Render } from "~/components";
-DNS policies determine how Gateway should handle a DNS request. When a user sends a DNS request, Gateway matches the request against your filters and either allows the query to resolve, blocks the query, or responds to the query with a different IP.
-
-You can filter DNS traffic based on query or response parameters (such as domain, source IP, or geolocation). You can also filter by user identity if you connect your devices to Gateway with the [WARP client or Cloudflare One Agent](/learning-paths/secure-internet-traffic/connect-devices/install-agent/). To learn more, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
+You can control network-level traffic by filtering requests by selectors such as IP addresses and ports. You can also integrate network policies with an [identity provider](/cloudflare-one/identity/idp-integration/) to apply identity-based filtering.
 To create a new network policy:
From 5525b267545a50850ba35fd1a390a62bf19cf0b5 Mon Sep 17 00:00:00 2001
From: Max Phillips
Date: Wed, 23 Oct 2024 15:43:43 -0500
Subject: [PATCH 4/4] Add context for device posture check
---
 .../cloudflare-one/gateway/policies/enforce-device-posture.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx
index 9e3d59827039ef..a3d85e1112d6c7
--- a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx
+++ b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx
@@ -2,7 +2,7 @@
 {}
 ---
-In the following example, users can only access an application if they connect from a company device:
+In the following example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device:
 | Selector | Operator | Value | Logic | Action |
 | ---------------------------- | -------- | ----------------------- | ----- | ------ |