Skip to content

[Gateway] How sandboxing works #17743

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Oct 30, 2024
Merged

[Gateway] How sandboxing works #17743

Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
ceb5ccc
Add additional context
maxvp Oct 23, 2024
5cce55f
Add Mermaid chart
maxvp Oct 28, 2024
00a242e
Improve text procedure
maxvp Oct 29, 2024
1325d25
Add more info about input/output scan
maxvp Oct 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 31 additions & 1 deletion src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,37 @@ Only available on Enterprise plans. For more information, contact your account t

In addition to [anti-virus (AV) scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), Gateway can quarantine previously unseen files downloaded by your users into a sandbox and scan them for malware.

While the files are quarantined, Gateway will present a scanning page to your users. If a file passes scanning, Gateway will release the file from quarantine and download it to your user's device. If the file contains malware, Gateway will block the request and log the match as a Block decision in your [HTTP logs](/cloudflare-one/insights/logs/gateway-logs/#http-logs).
If AV scanning does not detect malware in a file download, Gateway will quarantine the file in the sandbox. If the file has not been downloaded before, Gateway will monitor the inputs and outputs of the file and display an interstitial page for the user. If the sandbox does not detect malicious activity, Gateway will release the file from quarantine and download it to your user's device. If the sandbox detects malicious activity, Gateway will block the download. For any subsequent downloads of the file, Gateway will remember and apply the allow/block decision.

Gateway will log any file sandbox decisions in your [HTTP logs](/cloudflare-one/insights/logs/gateway-logs/#http-logs).

```mermaid
flowchart TD
A(["User starts file download"]) --> B["File sent to AV scanner"]
B --> C["Malicious file detected?"]
C -- Yes --> D["Download blocked"]
C -- No --> G["File sent to sandbox"]
G --> n1["First time file downloaded?"]
K["Malicious activity detected?"] -- Yes --> N["Download blocked"]
K -- No --> n3["Download allowed"]
n2["Interstitial page displayed for user during scan"] --> n4["File activity monitored"]
n1 -- Yes --> n2
n4 --> K
n1 -- No --> K

B@{ shape: subproc}
C@{ shape: hex}
D@{ shape: terminal}
n1@{ shape: hex}
K@{ shape: hex}
N@{ shape: terminal}
n3@{ shape: terminal}
n2@{ shape: display}
n4@{ shape: rect}
style D stroke:#D50000
style N stroke:#D50000
style n3 stroke:#00C853
```

## Get started

Expand Down
Loading