diff --git a/public/_redirects b/public/_redirects index 81e69ff47b819f..01d86e22161f4e 100644 --- a/public/_redirects +++ b/public/_redirects @@ -648,6 +648,8 @@ /learning-paths/workers/test/intro-to-observability/ /learning-paths/workers/get-started/ 301 /learning-paths/cybersafe/area1-onboarding/area1-api/ /learning-paths/cybersafe/area1-onboarding/ 301 /learning-paths/cybersafe/area1-onboarding/area1-connection-methods/ /learning-paths/cybersafe/area1-onboarding/area1-inline/ 301 +/learning-paths/secure-internet-traffic/connect-networks/ /learning-paths/secure-internet-traffic/connect-devices-networks/ 301 +/learning-paths/secure-internet-traffic/connect-networks/choose-on-ramp/ /learning-paths/secure-internet-traffic/connect-devices/choose-on-ramp/ 301 ## dns-filtering / secure-internet-traffic /learning-paths/dns-filtering/ /learning-paths/secure-internet-traffic/ 301 @@ -1803,6 +1805,9 @@ ## DNS filtering --> Secure your Internet traffic and SaaS apps /learning-paths/dns-filtering/account/* /learning-paths/secure-internet-traffic/initial-setup/:splat 301 /learning-paths/dns-filtering/create-policy/* /learning-paths/secure-internet-traffic/build-dns-policies/:splat 301 +## Secure your Internet Traffic +/learning-paths/secure-internet-traffic/connect-devices/* /learning-paths/secure-internet-traffic/connect-devices-networks/:splat 301 + # Old WAF changelog entries /waf/change-log/2019-* /waf/change-log/historical-2019/ 301 diff --git a/src/content/docs/learning-paths/replace-vpn/connect-devices/index.mdx b/src/content/docs/learning-paths/replace-vpn/connect-devices/index.mdx index cffacf9a8b7f6b..61bac3bf3441f7 100644 --- a/src/content/docs/learning-paths/replace-vpn/connect-devices/index.mdx +++ b/src/content/docs/learning-paths/replace-vpn/connect-devices/index.mdx 
@@ -3,19 +3,14 @@ title: Connect user devices pcx_content_type: overview sidebar: order: 5 - --- -import { Render } from "~/components" +import { Render } from "~/components"; Now that your device enrollment policies and WARP profiles are configured, you can begin deploying the WARP client to user devices for testing. :::note - - -The following steps are identical to [Connect user devices](/learning-paths/secure-internet-traffic/connect-devices/) in the Secure your Internet traffic and SaaS apps implementation guide. If you have already completed Secure your Internet traffic and SaaS apps, you can skip ahead to [Build secure access policies](/learning-paths/replace-vpn/build-policies/). - - +The following steps are identical to [Device on-ramps](/learning-paths/secure-internet-traffic/connect-devices-networks/choose-on-ramp/#device-on-ramps) in the Secure your Internet traffic and SaaS apps implementation guide. If you have already completed Secure your Internet traffic and SaaS apps, you can skip ahead to [Build secure access policies](/learning-paths/replace-vpn/build-policies/). ::: ## Objectives diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx index af26c540b484a9..93d8565fead590 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx 
@@ -9,7 +9,7 @@ import { Render } from "~/components"; DNS policies determine how Gateway should handle a DNS request. When a user sends a DNS request, Gateway matches the request against your filters and either allows the query to resolve, blocks the query, or responds to the query with a different IP. -You can filter DNS traffic based on query or response parameters (such as domain, source IP, or geolocation). You can also filter by user identity if you connect your devices to Gateway with the [WARP client or Cloudflare One Agent](/learning-paths/secure-internet-traffic/connect-devices/install-agent/). +You can filter DNS traffic based on query or response parameters (such as domain, source IP, or geolocation). You can also filter by user identity if you connect your devices to Gateway with the [WARP client or Cloudflare One Agent](/learning-paths/secure-internet-traffic/connect-devices-networks/install-agent/). To create a new DNS policy: diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/choose-on-ramp.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/choose-on-ramp.mdx new file mode 100644 index 00000000000000..aeac6f870782eb --- /dev/null +++ b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/choose-on-ramp.mdx 
@@ -0,0 +1,73 @@ +--- +title: Choose an on-ramp +pcx_content_type: learning-unit +sidebar: + order: 1 +--- + +import { GlossaryDefinition, GlossaryTooltip, Badge } from "~/components"; + +Similar to the network onboarding practices in the [Replace your VPN](/learning-paths/replace-vpn/connect-private-network/) implementation guide, there are a number of ways to on-ramp your network traffic to the Cloudflare global network. This guide will quickly explore all of the options to on-ramp traffic to Cloudflare Gateway to inspect, apply policies, and filter. + +:::note +The following steps are identical to [Connect user devices](/learning-paths/replace-vpn/connect-devices/) in the Replace your VPN implementation guide. If you have already completed Replace your VPN, you can skip ahead to [Network on-ramps](#network-on-ramps). +::: + +## Device on-ramps + +The most common way to protect and filter your end-user traffic is by using a device client. The standard Cloudflare device client supports a number of operating systems and deployment methodologies, but there can still be scenarios in which an alternative path makes sense. + +### Zero Trust Client + +Cloudflare WARP is the most common onramp to send user traffic to Gateway. It is a lightweight device client, which builds proxy tunnels using either Wireguard or MASQUE, and builds a DNS proxy using DNS-over-HTTPS. It supports all major operating systems, supports all common forms of endpoint management tooling, and has a robust series of management parameters and profiles to accurately scope the needs of a diverse user base. It has flexible operating modes and can control device traffic as a proxy, control device DNS traffic as a DNS proxy, or both. It is the most common method to send traffic from user devices to be filtered and decrypted by Cloudflare Gateway. + +### PAC files (Enterprise only) + +Cloudflare supports filtering HTTP/S traffic sent via a PAC file on a user device. 
PAC files configured to send traffic to Cloudflare target a domain specific to your account tenant, and receive and process all URL traffic for that device that fits the proxy profile. PAC files are most commonly used in scenarios in which the device client is not appropriate or cannot be installed -- specifically Windows pre-2008 and Windows Server 2012, and devices which cannot install client software at all. + +### Clientless Browser Isolation + +Cloudflare Browser Isolation runs a headless, Chromium-based browser for your users to accomplish their secure browsing needs. It can be activated via an Access application, a Gateway policy, or by using link-based isolation (reverse proxy). In this model, your users can connect from any device to a proxy website to browse the Internet while applying all your Gateway HTTP policies and inspection requirements. + +| | WARP | PAC Files | Clientless Browser Isolation | +| --------------------------------- | ------------------------------------ | -------------- | ------------------------------------- | +| Supported OS | macOS, Windows, Linux, iOS, Android | All desktop OS | All OS (with HTML5 compliant browser) | +| Configurable via MDM | Yes | Yes | N/A | +| Gateway policy types supported | DNS, Network, HTTP, Resolver, Egress | HTTP | HTTP, Resolver, Egress | +| Identity-based policies supported | Yes | No | Yes | + +## Network on-ramps + +The primary ways to source multi-device or network traffic to Cloudflare Gateway are via Magic WAN using GRE or IPsec tunnels, the [WARP Connector](#warp-connector-) as a software-defined all-ports traffic proxy, or via upstream DNS for a whole network using [DNS filtering locations](#dns-filtering-locations). + +### Magic WAN + +:::note +Only available on Enterprise plans. +::: + +[Magic WAN](/magic-wan/) is Cloudflare's offering most analogous to a traditional SD-WAN. 
Magic WAN is typically deployed via an IPsec or GRE tunnel terminating on customer devices (such as firewalls or routers), or via our Magic WAN Connector hardware device. You can also be deploy Magic WAN using [Cloudflare Network Interconnect](/network-interconnect/) (CNI) at private peering locations or some public cloud instances (where compatible). + +Magic WAN on-ramps traffic via your connections and can send all network and HTTP traffic through Cloudflare Gateway for inspection. + +For more information on how Magic WAN integrates with Zero Trust, refer to [Zero Trust integration](/magic-wan/zero-trust/). + +### WARP Connector + +[WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/), a software agent similar to our device client, functions as a virtual device to establish a connection between your network and the Cloudflare global network. You can install WARP Connector on a dedicated Linux server or virtual machine. + +WARP Connector supports egressing traffic from your private network to the Internet as a gateway. This means it can allow traffic initiated from a network to be on-ramped to Cloudflare for either public or private destinations. You can use WARP Connector to establish a secure egress path for servers or users on a network which may not each be able to run the WARP client and still apply Gateway network and HTTP inspection policies. This connection is most analogous to proxy server connectivity or site-to-site VPN. + +For more information on setting up Cloudflare Tunnel via WARP Connector, refer to [Set up WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/). + +### DNS filtering locations + + + +The fastest way to start filtering DNS queries from a location is by changing the DNS resolvers at the router or updating the upstream resolution to Cloudflare DNS resolution endpoints. 
This can also be accomplished from individual devices, or an network or subnet which sets resolver IPs for clients via DHCP. + +For more information on setting up DNS locations, refer to [Add locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/). + +| | Magic WAN | WARP Connector | DNS Locations | +| ------------------------------ | --------------------- | --------------------- | ------------- | +| Gateway policy types supported | Network, HTTP, Egress | Network, HTTP, Egress | DNS, Resolver | diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/index.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/index.mdx new file mode 100644 index 00000000000000..f6061b3d430367 --- /dev/null +++ b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/index.mdx @@ -0,0 +1,18 @@ +--- +title: Connect devices and networks to Cloudflare +pcx_content_type: overview +sidebar: + order: 2 +--- + +import { Render } from "~/components"; + +After setting up your Cloudflare account and Zero Trust organization, you can begin connecting your users' devices and networks to Cloudflare. + +## Objectives + +By the end of this module, you will be able to: + + + +- Determine when and how to use PAC files. diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/install-agent.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/install-agent.mdx new file mode 100644 index 00000000000000..c95da6d78c4392 --- /dev/null +++ b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/install-agent.mdx @@ -0,0 +1,15 @@ +--- +title: Download and install WARP +pcx_content_type: learning-unit +sidebar: + order: 2 +--- + +import { Render } from "~/components"; + + 
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/mdm.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/mdm.mdx similarity index 67% rename from src/content/docs/learning-paths/secure-internet-traffic/connect-devices/mdm.mdx rename to src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/mdm.mdx index f70336e68ba0a8..7e8c724a572ac0 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/mdm.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/mdm.mdx @@ -2,10 +2,9 @@ title: MDM deployment pcx_content_type: learning-unit sidebar: - order: 2 - + order: 3 --- -import { Render } from "~/components" +import { Render } from "~/components"; diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/validate-traffic-in-gateway.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/validate-traffic-in-gateway.mdx similarity index 92% rename from src/content/docs/learning-paths/secure-internet-traffic/connect-devices/validate-traffic-in-gateway.mdx rename to src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/validate-traffic-in-gateway.mdx index 90cb1bc86d6c98..36ed083e6416d4 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/validate-traffic-in-gateway.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices-networks/validate-traffic-in-gateway.mdx @@ -2,11 +2,10 @@ title: Verify device connectivity pcx_content_type: learning-unit sidebar: - order: 3 - + order: 4 --- -import { Render } from "~/components" +import { Render } from "~/components"; 
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/index.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/index.mdx deleted file mode 100644 index ebb6ed296d5112..00000000000000 --- a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/index.mdx +++ /dev/null @@ -1,27 +0,0 @@ ---- -title: Connect user devices -pcx_content_type: overview -sidebar: - order: 4 - ---- - -import { Render } from "~/components" - -After setting up your Cloudflare account and Zero Trust organization, you can begin connecting user devices to Cloudflare. - -:::note - - -The following steps are identical to [Connect user devices](/learning-paths/replace-vpn/connect-devices/) in the Replace your VPN implementation guide. If you have already completed Replace your VPN, you can skip ahead to [Connect networks to Cloudflare](/learning-paths/secure-internet-traffic/connect-networks/). - - -::: - -## Objectives - -By the end of this module, you will be able to: - - - -* Determine when and how to use PAC files. diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/install-agent.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/install-agent.mdx deleted file mode 100644 index 86485203f58495..00000000000000 --- a/src/content/docs/learning-paths/secure-internet-traffic/connect-devices/install-agent.mdx +++ /dev/null @@ -1,11 +0,0 @@ ---- -title: Download and install WARP -pcx_content_type: learning-unit -sidebar: - order: 1 - ---- - -import { Render } from "~/components" - - diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-networks/choose-on-ramp.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-networks/choose-on-ramp.mdx deleted file mode 100644 index a88d79f549d745..00000000000000 --- a/src/content/docs/learning-paths/secure-internet-traffic/connect-networks/choose-on-ramp.mdx +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -title: Choose an on-ramp -pcx_content_type: learning-unit -sidebar: - order: 2 ---- - -import { GlossaryDefinition, GlossaryTooltip, Badge } from "~/components"; - -Similar to the network onboarding practices in the [Replace your VPN](/learning-paths/replace-vpn/connect-private-network/) implementation guide, there are a number of ways to on-ramp your network traffic to the Cloudflare global network. In our recommended approach to security, you will source traffic from devices that would otherwise go to the Internet through a default route. Relevant targets for this may be branch offices, network subnets that need a secure path to the Internet, or anywhere that you control the Internet paths for groups of devices. - -## Available on-ramps - -The primary ways to source multi-device or network traffic to the Cloudflare network are via the [WARP Connector](#warp-connector-) as an all-ports traffic proxy, or via upstream DNS for a whole network using [DNS filtering locations](#dns-filtering-locations). Alternatively, Enterprise users can add [Magic WAN](#magic-wan) to their plan and configure Magic WAN Connector or a dedicated third-party device. - -### WARP Connector - -[WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/), a software agent similar to our device client, functions as a virtual device to establish a connection between your network and the Cloudflare global network. You can install WARP Connector on a dedicated Linux server or virtual machine. - -WARP Connector supports both ingressing and egressing traffic to and from your private network. This means it can proxy traffic initiated from a user running WARP into a private network (like `cloudflared`), or allow traffic initiated from a network to be on-ramped to Cloudflare for either public or private destinations. 
You can use WARP Connector to establish a secure egress path for servers or users on a network which may not each be able to run the WARP client and still apply Gateway network and HTTP inspection policies. This connection is most analogous to site-to-site VPN or proxy server connectivity. - -For more information on setting up Cloudflare Tunnel via WARP Connector, refer to [Set up WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/). - -### DNS filtering locations - - - -The fastest way to start filtering DNS queries from a location is by changing the DNS resolvers at the router. Alternatively, you can on-ramp devices or specific applications via [DNS over HTTPS](/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https/) or [DNS over TLS](/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-tls/). - -For more information on setting up DNS locations, refer to [Add locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/). - -### Magic WAN - -:::note -Only available on Enterprise plans. -::: - -[Magic WAN](/magic-wan/) is Cloudflare's offering most analogous to a traditional SD-WAN. Magic WAN is typically deployed via an IPsec or GRE tunnel terminating on customer devices (such as firewalls or routers), or via our Magic WAN Connector hardware device. You can also be deploy Magic WAN using [Cloudflare Network Interconnect](/network-interconnect/) (CNI) at private peering locations or some public cloud instances (where compatible). - -Magic WAN on-ramps and off-ramps traffic via your connections after transiting the Cloudflare global network. Gateway can also apply network and HTTP policies to this traffic for secure egress. - -For more information on how Magic WAN integrates with Zero Trust, refer to [Zero Trust integration](/magic-wan/zero-trust/). 
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/connect-networks/index.mdx b/src/content/docs/learning-paths/secure-internet-traffic/connect-networks/index.mdx deleted file mode 100644 index 63132d13b90359..00000000000000 --- a/src/content/docs/learning-paths/secure-internet-traffic/connect-networks/index.mdx +++ /dev/null @@ -1,16 +0,0 @@ ---- -title: Connect networks to Cloudflare -pcx_content_type: overview -sidebar: - order: 5 - ---- - -After connecting your devices to Cloudflare, you can route their traffic through your DNS, network, and HTTP policies. However, not every device can run a Zero Trust client. This module offers detail on connecting your networks to the Cloudflare global network to apply your policies. - -## Objectives - -By the end of this module, you will be able to: - -* Understand the various methods for routing network traffic to Cloudflare. -* Decide which network on-ramp to use for your organization. diff --git a/src/content/docs/learning-paths/secure-internet-traffic/initial-setup/index.mdx b/src/content/docs/learning-paths/secure-internet-traffic/initial-setup/index.mdx index 839b0c1f974f64..ecf44bc6d5b901 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/initial-setup/index.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/initial-setup/index.mdx @@ -2,11 +2,10 @@ title: Get started with Zero Trust pcx_content_type: overview sidebar: - order: 2 - + order: 1 --- -import { Render } from "~/components" +import { Render } from "~/components"; Start securing your users and networks with Cloudflare Zero Trust.
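Review bot: in the first `public/_redirects` hunk, the second new rule sends `/learning-paths/secure-internet-traffic/connect-networks/choose-on-ramp/` to `/learning-paths/secure-internet-traffic/connect-devices/choose-on-ramp/`, but the page this diff creates lives under `connect-devices-networks/`, so that target only resolves through a second hop via the `connect-devices/*` splat rule added in the later hunk. Point it directly at `/learning-paths/secure-internet-traffic/connect-devices-networks/choose-on-ramp/ 301` so the old URL resolves in one redirect and does not depend on the two rules chaining.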
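Review bot: in the second `public/_redirects` hunk, the new `## Secure your Internet Traffic` comment does not say what the group covers, unlike the neighbouring `## DNS filtering --> Secure your Internet traffic and SaaS apps` header; name the rename it handles (for example `## Secure your Internet traffic: connect-devices --> connect-devices-networks`) and use the lower-case "traffic" the rest of the file uses. The two explicit `/connect-networks/` rules from the first hunk belong to the same restructure and would be easier to maintain next to this splat rule than 1100 lines earlier.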
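Review bot: in the `replace-vpn/connect-devices/index.mdx` hunk, the note now claims the following steps are identical to `Device on-ramps` and links the `#device-on-ramps` anchor of the new choose-on-ramp page, but that section is a comparison of WARP, PAC files and Browser Isolation, not the deploy, MDM and verify steps this module walks through. Link the module index `/learning-paths/secure-internet-traffic/connect-devices-networks/` instead, or reword to "identical to the device units in Connect devices and networks to Cloudflare".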
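Review bot: in the new `connect-devices-networks/choose-on-ramp.mdx`, the link `[WARP Connector](#warp-connector-)` carries a trailing hyphen in the anchor, but the heading it targets is a plain `### WARP Connector` with no badge, so the generated id will be `#warp-connector` and the link will not land; drop the hyphen (the deleted file had the same anchor, where it may have matched a badged heading). The file also imports `GlossaryDefinition, GlossaryTooltip, Badge` with none of them used in the visible body, so the import can go. Wording fixes in the same hunk: `Wireguard` should be `WireGuard`, `onramp` should be `on-ramp` (the spelling used everywhere else on the page), `You can also be deploy Magic WAN` should read `You can also deploy Magic WAN`, `or an network or subnet` should read `or a network or subnet`, and `specifically Windows pre-2008 and Windows Server 2012` should say which Windows editions are meant. The `(Enterprise only)` suffix on the PAC files heading and the `:::note Only available on Enterprise plans. :::` block under Magic WAN state the same restriction two different ways; pick one convention.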
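Review bot: in the new `connect-devices-networks/index.mdx`, the visible Objectives list ends with only `- Determine when and how to use PAC files.`, while the two objectives from the deleted `connect-networks/index.mdx` (`* Understand the various methods for routing network traffic to Cloudflare.` and `* Decide which network on-ramp to use for your organization.`) are not carried over, even though this merged module now owns the Network on-ramps section of choose-on-ramp.mdx; add them in the `-` bullet style the new file uses.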
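Review bot: the deletion of `connect-networks/choose-on-ramp.mdx` drops two statements the replacement `connect-devices-networks/choose-on-ramp.mdx` does not carry: that WARP Connector supports `both ingressing and egressing traffic` (the new text describes egress only) and that devices or applications can alternatively be on-ramped via the `[DNS over HTTPS]` and `[DNS over TLS]` links (the new text mentions only router and DHCP resolver changes). If the ingress claim was narrowed on purpose, say so in the commit message; the DoH/DoT sentence covers the per-device and per-application case the new text only gestures at, so consider restoring it.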
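Review bot: in the `initial-setup/index.mdx` hunk the sidebar order moves from 2 to 1, and the new `connect-devices-networks/index.mdx` takes order 2 in place of the deleted modules at order 4 (`connect-devices`) and 5 (`connect-networks`); the modules that previously held orders 1 and 3 are not in this diff, so check the learning path for colliding or gapped order values before merging.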