From 927965125a903dffeff933841a55758732406c55 Mon Sep 17 00:00:00 2001 From: Tiago Cerqueira Date: Sat, 23 Nov 2024 02:42:13 +0000 Subject: [PATCH 01/39] Initial code commit --- .../build-dns-policies/create-policy.mdx | 30 ++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx index 93d8565fead590..8998d2d7e419e8 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx @@ -5,7 +5,7 @@ sidebar: order: 1 --- -import { Render } from "~/components"; +import { Tabs, TabItem, Render } from "~/components" DNS policies determine how Gateway should handle a DNS request. When a user sends a DNS request, Gateway matches the request against your filters and either allows the query to resolve, blocks the query, or responds to the query with a different IP. @@ -13,6 +13,8 @@ You can filter DNS traffic based on query or response parameters (such as domain To create a new DNS policy: + + 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. 2. In the **DNS** tab, select **Add a policy**. 3. Name the policy. 
@@ -25,3 +27,29 @@ To create a new DNS policy: 6. Select **Create policy**. For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). + + +To create a new DNS policy using **cURL**: + ```sh + curl --request POST \ + --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + --header 'Content-Type: application/json' \ + --header "Authorization: Bearer " \ + --data '{ + "name": "All-DNS-SecurityCategories-Blocklist", + "description": "Block known security risks based on Cloudflare's threat intelligence", + "precedence": 2, + "enabled": false, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", + "rule_settings": { + "block_page_enabled": true, + "block_reason": "This domain was blocked due to being classified as a security risk to the organisation" + } + }' + ``` + + \ No newline at end of file From 3c7697a4f231971a3b19bf9cb428734d64299a53 Mon Sep 17 00:00:00 2001 From: Tiago Cerqueira Date: Mon, 25 Nov 2024 16:37:53 +0000 Subject: [PATCH 02/39] Fixed typos --- .../build-dns-policies/create-policy.mdx | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx index 8998d2d7e419e8..1903d16caaf81b 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx 
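Review bot: The single-quoted `--data '{ … }'` body of the new cURL example contains an unescaped apostrophe in `"description": "Block known security risks based on Cloudflare's threat intelligence",`, which ends the shell string at `Cloudflare`, so the command as pasted sends a malformed body; the simplest fix is to drop the apostrophe, `"description": "Block known security risks based on Cloudflare threat intelligence",`. The same description line is carried through the cURL hunks of patches 02, 03 and 04 (the Terraform example added in patch 03 is unaffected, since HCL strings are double-quoted). The `Authorization: Bearer ` header shows no token value; if an angle-bracket placeholder was lost in rendering that is fine, but the surrounding text could say that an API token scoped to Gateway rule management, rather than a global API key, belongs there.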
@@ -37,18 +37,18 @@ To create a new DNS policy using **cURL**: --header "Authorization: Bearer " \ --data '{ "name": "All-DNS-SecurityCategories-Blocklist", - "description": "Block known security risks based on Cloudflare's threat intelligence", - "precedence": 2, - "enabled": false, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", - "rule_settings": { - "block_page_enabled": true, - "block_reason": "This domain was blocked due to being classified as a security risk to the organisation" - } + "description": "Block known security risks based on Cloudflare's threat intelligence", + "precedence": 1, + "enabled": false, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", + "rule_settings": { + "block_page_enabled": true, + "block_reason": "This domain was blocked due to being classified as a security risk to the organisation" + } }' ``` From 09414ca8cd4530ac0df5abbf31ad9c1ce7cb5f71 Mon Sep 17 00:00:00 2001 From: Tiago Cerqueira Date: Mon, 25 Nov 2024 17:01:44 +0000 Subject: [PATCH 03/39] Added terraform code --- .../build-dns-policies/create-policy.mdx | 21 ++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx index 1903d16caaf81b..ea2b2787cb5a3c 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx 
@@ -38,7 +38,7 @@ To create a new DNS policy using **cURL**: --data '{ "name": "All-DNS-SecurityCategories-Blocklist", "description": "Block known security risks based on Cloudflare's threat intelligence", - "precedence": 1, + "precedence": 0, "enabled": false, "action": "block", "filters": [ @@ -52,4 +52,23 @@ To create a new DNS policy using **cURL**: }' ``` + +To create a new DNS policy using **Terraform**: +```tf +resource "cloudflare_zero_trust_gateway_policy" "security_risks_dns_policy" { + account_id = var.account_id + name = "All-DNS-SecurityCategories-Blocklist" + description = "Block known security risks based on Cloudflare's threat intelligence" + precedence = 0 + enabled = false + action = "block" + filters = ["dns"] + traffic = "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})" + rule_settings { + block_page_enabled = true + block_page_reason = "This domain was blocked due to being classified as a security risk to the organisation" + } +} +``` + \ No newline at end of file From e3975b66ebd53cf1501406a9f5f83b4c1ef0f47b Mon Sep 17 00:00:00 2001 From: Tiago Cerqueira Date: Mon, 25 Nov 2024 17:02:54 +0000 Subject: [PATCH 04/39] Fixed typo --- .../build-dns-policies/create-policy.mdx | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx index ea2b2787cb5a3c..b4096fd41653a7 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx 
@@ -36,19 +36,19 @@ To create a new DNS policy using **cURL**: --header 'Content-Type: application/json' \ --header "Authorization: Bearer " \ --data '{ - "name": "All-DNS-SecurityCategories-Blocklist", - "description": "Block known security risks based on Cloudflare's threat intelligence", - "precedence": 0, - "enabled": false, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", - "rule_settings": { - "block_page_enabled": true, - "block_reason": "This domain was blocked due to being classified as a security risk to the organisation" - } + "name": "All-DNS-SecurityCategories-Blocklist", + "description": "Block known security risks based on Cloudflare's threat intelligence", + "precedence": 0, + "enabled": false, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", + "rule_settings": { + "block_page_enabled": true, + "block_reason": "This domain was blocked due to being classified as a security risk to the organisation" + } }' ``` From 0a78d47f3af8d1d11c22f29b49a1ef8a67258d25 Mon Sep 17 00:00:00 2001 From: Tiago Cerqueira Date: Wed, 27 Nov 2024 11:28:38 +0000 Subject: [PATCH 05/39] Added API and Terraform code to create the allow list policy --- .../build-dns-policies/create-list.mdx | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx index f260f15fbe18bb..c16ed0f0c4e1e6 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx 
@@ -12,8 +12,47 @@ Gateway supports creating [lists](/cloudflare-one/policies/gateway/lists/) of UR ## Example list policy + + The following DNS policy will allow access to all approved corporate domains included in a list called **Corporate Domains**. | Selector | Operator | Value | Action | | -------- | -------- | ------------------- | ------ | | Domain | in list | *Corporate Domains* | Allow | + + + ```sh +curl --request POST \ + --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + --header 'Content-Type: application/json' \ + --header "Authorization: Bearer " \ + --data '{ + "name": "All-DNS-CorporateDomain-AllowList", + "description": "Allow access to the corporate domains defined under the Corporate Domains list", + "precedence": 1, + "enabled": false, + "action": "allow", + "filters": [ + "dns" + ], + "traffic": "any(dns.domains[*] in $)" +}' + + ``` + + +To create a new DNS policy using **Terraform** to allow access to all approved corporate domains included in a list called **Corporate Domains**. +```tf +resource "cloudflare_zero_trust_gateway_policy" "allow_corporate_domain_access" { + account_id = var.account_id + name = "All-DNS-CorporateDomain-AllowList" + description = "Allow access to the corporate domains defined under the Corporate Domains list" + precedence = 1 + enabled = false + action = "allow" + filters = ["dns"] + traffic = "any(dns.domains[*] in $)" +} +``` + + \ No newline at end of file From 19c71bf04521823e8042ed6f0883e72c6f90ea2e Mon Sep 17 00:00:00 2001 From: Tiago Cerqueira Date: Wed, 27 Nov 2024 11:50:29 +0000 Subject: [PATCH 06/39] Added terraform and API code for the All-DNS-Domain-Allowlist rule --- .../recommended-dns-policies.mdx | 45 ++++++++++++++++--- 1 file changed, 39 insertions(+), 6 deletions(-) 
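Review bot: The Terraform example's `traffic = "any(dns.domains[*] in $)"` carries no list reference, so the resource cannot be applied as written; the cURL example's `$` likewise stands alone, which may be a placeholder lost in rendering. The form used by the Terraform examples in recommended-dns-policies.mdx on this page, `traffic = "any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.<LIST_RESOURCE_NAME>.id})"`, ties the policy to the list resource without hand edits. The lead-in `To create a new DNS policy using **Terraform** to allow access to …` is a sentence fragment; `The following Terraform resource creates the same allow policy:` reads as a complete sentence.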
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index 38a74a1629b71d..e9fedb97b42f9b 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -6,21 +6,54 @@ sidebar: --- -import { Details, Render } from "~/components" +import { Details, Render, Tabs, TabItem } from "~/components" We recommend you add the following DNS policies to build an Internet and SaaS app security strategy for your organization.
- + Allowlist any known domains and hostnames. With this policy, you ensure that your users can access your organization's domains even if the domains fall under a blocked category, such as **Newly Seen Domains** or **Login Screens**. - + | Selector | Operator | Value | Logic | Action | | -------- | -------- | --------------- | ----- | ------ | | Domain | in list | *Known Domains* | Or | Allow | | Host | in list | *Known Domains* | | | - - + + +```sh +curl --request POST \ + --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + --header 'Content-Type: application/json' \ + --header "Authorization: Bearer " \ + --data '{ + "name": "All-DNS-Domain-Allowlist", + "description": "Organization-wide whitelist. Explicitly allow resolution of these DNS domains", + "precedence": 0, + "enabled": false, + "action": "allow", + "filters": [ + "dns" + ], + "traffic": "any(dns.domains[*] in $) or dns.fqdn in $" +}' +``` + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "dns_whitelist_policy" { + account_id = var.account_id + name = "All-DNS-Domain-Allowlist" + description = "Organization-wide whitelist. Explicitly allow resolution of these DNS domains" + precedence = 0 + enabled = false + action = "allow" + filters = ["dns"] + traffic = "any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.domain_whitelist.id}) or dns.fqdn in ${"$"}${cloudflare_zero_trust_list.domain_whitelist.id}" +} +``` + +
@@ -120,4 +153,4 @@ Block specific IP addresses that are malicious or pose a threat to your organiza - + \ No newline at end of file From 566551a0fbe673dadea5cc16bd0d336a0c3f1e10 Mon Sep 17 00:00:00 2001 From: Tiago Cerqueira Date: Wed, 27 Nov 2024 11:53:25 +0000 Subject: [PATCH 07/39] Fixed JSON capitalization --- .../secure-internet-traffic/build-dns-policies/create-list.mdx | 2 +- .../build-dns-policies/create-policy.mdx | 2 +- .../build-dns-policies/recommended-dns-policies.mdx | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx index c16ed0f0c4e1e6..a273408a8d4415 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx @@ -24,7 +24,7 @@ The following DNS policy will allow access to all approved corporate domains inc ```sh curl --request POST \ --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ - --header 'Content-Type: application/json' \ + --header 'Content-Type: application/JSON' \ --header "Authorization: Bearer " \ --data '{ "name": "All-DNS-CorporateDomain-AllowList", diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx index b4096fd41653a7..b11383486867bc 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx 
@@ -33,7 +33,7 @@ To create a new DNS policy using **cURL**: ```sh curl --request POST \ --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ - --header 'Content-Type: application/json' \ + --header 'Content-Type: application/JSON' \ --header "Authorization: Bearer " \ --data '{ "name": "All-DNS-SecurityCategories-Blocklist", diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index e9fedb97b42f9b..64b5bc4891bba0 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -24,7 +24,7 @@ Allowlist any known domains and hostnames. With this policy, you ensure that you ```sh curl --request POST \ --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ - --header 'Content-Type: application/json' \ + --header 'Content-Type: application/JSON' \ --header "Authorization: Bearer " \ --data '{ "name": "All-DNS-Domain-Allowlist", From 2a360ce47badccf435a25e1e477aeec306f48a45 Mon Sep 17 00:00:00 2001 From: Tiago Cerqueira Date: Wed, 27 Nov 2024 12:03:45 +0000 Subject: [PATCH 08/39] Fixed missing import --- .../secure-internet-traffic/build-dns-policies/create-list.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx index a273408a8d4415..6e82b0eb1dc8e0 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx 
@@ -6,6 +6,8 @@ sidebar: --- +import { Tabs, TabItem } from "~/components" + In the context of DNS filtering, a blocklist is a list of known harmful domains or IP addresses. An allowlist is a list of allowed domains or IP addresses, such as the domains of essential corporate applications. Gateway supports creating [lists](/cloudflare-one/policies/gateway/lists/) of URLs, hostnames, or other entries to use in your policies. From 5c42de6385733f00216de420b4dd051877e83093 Mon Sep 17 00:00:00 2001 From: Tiago Cerqueira Date: Wed, 27 Nov 2024 12:28:25 +0000 Subject: [PATCH 09/39] Fixed styling issue --- .../secure-internet-traffic/build-dns-policies/create-list.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx index 6e82b0eb1dc8e0..2fb9c4b5517bf2 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx @@ -25,7 +25,7 @@ The following DNS policy will allow access to all approved corporate domains inc ```sh curl --request POST \ - --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + --URL https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ --header 'Content-Type: application/JSON' \ --header "Authorization: Bearer " \ --data '{ From df6ab87416d1fa7c6138cda601696c9f6942b905 Mon Sep 17 00:00:00 2001 From: Tiago Cerqueira Date: Wed, 27 Nov 2024 13:12:44 +0000 Subject: [PATCH 10/39] Added API and terraform code for Quarantined users restricted access example --- .../recommended-dns-policies.mdx | 62 ++++++++++++++++--- 1 file changed, 55 insertions(+), 7 deletions(-) 
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index 64b5bc4891bba0..6abe7759f9692f 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -60,13 +60,61 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_whitelist_policy" {
- -| Selector | Operator | Value | Logic | Action | -| ---------------- | -------- | ------------------- | ----- | ------ | -| Domain | in list | *Known Domains* | Or | Block | -| Host | in list | *Known Domains* | And | | -| User Group Names | in | *Quarantined Users* | | | - + + +| Selector | Operator | Value | Logic | Action | +| ---------------- | ------------ | --------------------------------- | ----- | ------ | +| Domain | not in list | *Allowed Remediation Domains* | Or | Block | +| Host | not in list | *Allowed Remediation Domains* | And | | +| User Group Names | in | *Quarantined Users* | | | + + +```sh +curl --request POST \ + --URL https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + --header 'Content-Type: application/JSON' \ + --header "Authorization: Bearer " \ + --data '{ + "name": "Quarantined-Users-DNS-Restricted-Access", + "description": "Restrict quarantined users traffic to corporate policy remediation domains, so that quarantined users can obtain help and/or remediate their security posture", + "precedence": 10, + "enabled": false, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "not(any(dns.domains[*] in $)) or not(any(dns.domains[*] in $))", + "identity": "any(identity.groups.name[*] in {\"Quarantined Users\"})", + "rule_settings": { + "block_page_enabled": true, + "notification_settings": { + "enabled": true + } + }' +``` + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users" { + account_id = var.account_id + name = "Quarantined-Users-DNS-Restricted-Access" + description = "Restrict quarantined users traffic to corporate policy remediation domains, so that quarantined users can obtain help and/or remediate their security posture" + precedence = 10 + enabled = false + action = "block" + filters = ["dns"] + traffic = "not(any(dns.domains[*] in $)) or not(any(dns.domains[*] in $))" + identity = "any(identity.groups.name[*] in {\"Quarantined Users\"})" + rule_settings { 
+ block_page_enabled = true + notification_settings { + enabled = true + } + } +} +``` + +
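Review bot: The JSON body of the new cURL example is missing a closing brace: `--data '{` opens the request object and `"rule_settings": {` and `"notification_settings": {` open two more, but only two `}` precede the closing `'`, so the API will reject the body as malformed; one more `}` line is needed before `}'`. The `traffic` expression also tests `dns.domains` in both clauses, while the table pairs Domain with Host and the Host row of the allowlist policy above maps to `dns.fqdn`, so the second clause presumably should be `not(dns.fqdn in $<LIST_ID>)`, in both the cURL string and the Terraform string of this hunk. The `$` with nothing after it may be a placeholder lost in rendering; if not, the list id belongs there.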
From 141c95a44e38b687849de4dfc3c548f6e8569bf8 Mon Sep 17 00:00:00 2001 From: Tiago Cerqueira Date: Wed, 27 Nov 2024 15:53:16 +0000 Subject: [PATCH 11/39] Fixed typo --- .../build-dns-policies/recommended-dns-policies.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index 6abe7759f9692f..5e221776babb86 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -103,7 +103,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users" enabled = false action = "block" filters = ["dns"] - traffic = "not(any(dns.domains[*] in $)) or not(any(dns.domains[*] in $))" + traffic = "not(any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.allowed_remediation_domains.id})) or not(any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.allowed_remediation_domains.id}))" identity = "any(identity.groups.name[*] in {\"Quarantined Users\"})" rule_settings { block_page_enabled = true From f0dc55690d3bd4bcdc4adcbddc82036d3af86f6f Mon Sep 17 00:00:00 2001 From: Tiago Cerqueira Date: Wed, 27 Nov 2024 17:13:18 +0000 Subject: [PATCH 12/39] Added terraform and API code for the country geolocation block rule --- .../recommended-dns-policies.mdx | 48 +++++++++++++++++-- 1 file changed, 45 insertions(+), 3 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index 5e221776babb86..0916250688fb07 100644 
--- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -146,13 +146,55 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users"
- Block websites hosted in countries categorized as high risk. The designation of such countries may result from your organization's users or through the implementation of regulations including [EAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries), [OFAC](https://orpa.princeton.edu/export-controls/sanctioned-countries), and [ITAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries). - + + | Selector | Operator | Value | Action | | ------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | | Resolved Country IP Geolocation | in | *Afghanistan*, *Belarus*, *Congo (Kinshasa)*, *Cuba*, *Iran*, *Iraq*, *Korea (North)*, *Myanmar*, *Russian Federation*, *Sudan*, *Syria*, *Ukraine*, *Zimbabwe* | Block | - + + +```sh +curl --request POST \ + --URL https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + --header 'Content-Type: application/json' \ + --header "Authorization: Bearer " \ + --data '{ + "name": "All-DNS-GeoCountryIP-Blocklist", + "description": "Block traffic hosted in countries categorized as high security risks", + "precedence": 50, + "enabled": false, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.dst.geo.country[*] in {\"AF\" \"BY\" \"CD\" \"CU\" \"IR\" \"IQ\" \"KP\" \"MM\" \"RU\" \"SD\" \"SY\" \"UA\" \"ZW\"})", + "rule_settings": { + "block_page_enabled": true, + "block_reason": "This domain was blocked due to being classified as a security risk to the organisation" + } +}' +``` + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "dns_geolocation_block_policy" { + account_id = var.account_id + name = "All-DNS-GeoCountryIP-Blocklist" + description = "Block traffic hosted in countries categorized as high security risks" + precedence = 50 + enabled = false + action = "block" + filters = ["dns"] + traffic = 
"any(dns.dst.geo.country[*] in {\"AF\" \"BY\" \"CD\" \"CU\" \"IR\" \"IQ\" \"KP\" \"MM\" \"RU\" \"SD\" \"SY\" \"UA\" \"ZW\"})" + rule_settings { + block_page_enabled = true + block_page_reason = "This domain was blocked due to being classified as a security risk to the organisation" + } +} +``` + +
From 4ac36e6c9232161934d0719892fb29f9b7265915 Mon Sep 17 00:00:00 2001 From: Tiago Cerqueira Date: Wed, 27 Nov 2024 17:21:42 +0000 Subject: [PATCH 13/39] Added Terraform and API code for the misuesed TLD block rule --- .../recommended-dns-policies.mdx | 48 +++++++++++++++++-- 1 file changed, 45 insertions(+), 3 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index 0916250688fb07..d583e012f51ebf 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -200,13 +200,55 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_geolocation_block_policy" {
- Block frequently misused top-level domains (TLDs) to reduce security risks, especially when there is no discernible advantage to be gained from allowing access. Similarly, restricting access to specific country-level TLDs may be necessary to comply with regulations such as [OFAC](https://orpa.princeton.edu/export-controls/sanctioned-countries) and [ITAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries). - + + | Selector | Operator | Value | Action | | -------- | ------------- | -------------------------------------------------------------------------------------------------------- | ------ | | Domain | matches regex | `[.](cn\|ru)$ or [.](rest\|hair\|top\|live\|cfd\|boats\|beauty\|mom\|skin\|okinawa)$ or [.](zip\|mobi)$` | Block | - + + +```sh +curl --request POST \ + --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + --header 'Content-Type: application/json' \ + --header "Authorization: Bearer " \ +{ + "name": "All-DNS-DomainTopLevel-Blocklist", + "description": "Block DNS queries of known risky TLDs", + "precedence": 60, + "enabled": false, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.domains[*] matches \"[.](cn|ru)$ or [.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$ or [.](zip|mobi)$\")", + "rule_settings": { + "block_page_enabled": true, + "block_reason": "This domain was blocked due to being classified as a security risk to the organisation" + } + } +``` + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "dns_blacklist_policy" { + account_id = var.account_id + name = "All-DNS-DomainTopLevel-Blocklist" + description = "Block DNS queries of known risky TLDs" + precedence = 60 + enabled = false + action = "block" + filters = ["dns"] + traffic = "any(dns.domains[*] matches \"[.](cn|ru)$ or [.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$ or [.](zip|mobi)$\")" + rule_settings { + block_page_enabled = true + block_page_reason = "This domain was blocked 
due to being classified as a security risk to the organisation" + } +} +``` + +
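Review bot: The regex handed to `matches` in `traffic` (cURL and Terraform alike) is `[.](cn|ru)$ or [.](rest|…)$ or [.](zip|mobi)$`; inside a single regex ` or ` is literal text and `$` is an anchor, so unless Gateway's regex dialect treats ` or ` as alternation the pattern can never match and the TLD block silently does nothing. One alternation expresses the intent: `"traffic": "any(dns.domains[*] matches \"[.](cn|ru|rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa|zip|mobi)$\")"`, with the same change in the HCL string. The existing table row uses the same text, so the rule is worth confirming against a known query before relying on it.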
From 16c8ba03ce9017183fddc43658d7d750488c8b52 Mon Sep 17 00:00:00 2001 From: Tiago Cerqueira Date: Wed, 27 Nov 2024 17:40:33 +0000 Subject: [PATCH 14/39] Fixed small typo --- .../build-dns-policies/recommended-dns-policies.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index d583e012f51ebf..71f723eccb90a2 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -213,7 +213,7 @@ curl --request POST \ --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ --header 'Content-Type: application/json' \ --header "Authorization: Bearer " \ -{ + --data '{ "name": "All-DNS-DomainTopLevel-Blocklist", "description": "Block DNS queries of known risky TLDs", "precedence": 60, @@ -227,7 +227,7 @@ curl --request POST \ "block_page_enabled": true, "block_reason": "This domain was blocked due to being classified as a security risk to the organisation" } - } + }' ```
From f8199f5c28da5c03d9bc7084078c6e69b730954f Mon Sep 17 00:00:00 2001 From: Tiago Cerqueira Date: Thu, 28 Nov 2024 00:56:34 +0000 Subject: [PATCH 15/39] Added terraform and API code for the Domain Phishing block rule --- .../recommended-dns-policies.mdx | 54 +++++++++++++++++-- 1 file changed, 49 insertions(+), 5 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index 71f723eccb90a2..da17ee3177816d 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -24,7 +24,7 @@ Allowlist any known domains and hostnames. With this policy, you ensure that you ```sh curl --request POST \ --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ - --header 'Content-Type: application/JSON' \ + --header 'Content-Type: application/json' \ --header "Authorization: Bearer " \ --data '{ "name": "All-DNS-Domain-Allowlist", @@ -71,8 +71,8 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_whitelist_policy" { ```sh curl --request POST \ - --URL https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ - --header 'Content-Type: application/JSON' \ + --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + --header 'Content-Type: application/json' \ --header "Authorization: Bearer " \ --data '{ "name": "Quarantined-Users-DNS-Restricted-Access", 
@@ -156,7 +156,7 @@ Block websites hosted in countries categorized as high risk. The designation of ```sh curl --request POST \ - --URL https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ --header 'Content-Type: application/json' \ --header "Authorization: Bearer " \ --data '{ @@ -256,12 +256,56 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_blacklist_policy" {
Block misused domains to protect your users against sophisticated phishing attacks, such as domains that specifically target your organization. For example, the following policy blocks specific keywords associated with an organization or its authentication services (such as `okta`, `2fa`, `cloudflare` and `sso`) while still allowing access to known domains. - + + | Selector | Operator | Value | Logic | Action | | -------- | ------------- | ------------------------------------------- | ----- | ------ | | Domain | not in list | *Known Domains* | And | Block | | Domain | matches regex | `.*okta.*\|.*cloudflare.*\|.*mfa.*\|.sso.*` | | | + + +```sh +curl --request POST \ + --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + --header 'Content-Type: application/json' \ + --header "Authorization: Bearer " \ + --data '{ + "name": "All-DNS-DomainPhishing-Blocklist", + "description": "Block misused domains used in phishing campaigns", + "precedence": 70, + "enabled": false, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.domains[*] matches \".*okta.*|.*cloudflare.*|.*mfa.*|.sso.*\") and not(any(dns.domains[*] in $))", + "rule_settings": { + "block_page_enabled": true, + "block_reason": "This domain was blocked due to being classified as a security risk to the organisation" + } + }' +``` + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "dns_phishing_domains_block" { + account_id = var.account_id + name = "All-DNS-DomainPhishing-Blocklist" + description = "Block misused domains used in phishing campaigns" + precedence = 70 + enabled = false + action = "block" + filters = ["dns"] + traffic = "any(dns.domains[*] matches \".*okta.*|.*cloudflare.*|.*mfa.*|.sso.*\") and not(any(dns.domains[*] in $))" + rule_settings { + block_page_enabled = true + block_page_reason = "This domain was blocked due to being classified as a security risk to the organisation" + } +} +``` + +
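Review bot: The regex in `traffic` (cURL and Terraform in this hunk) has `.sso.*` where the other alternatives use `.*<keyword>.*`, so it only matches `sso` preceded by exactly one character, and the prose above names `2fa` while the pattern checks `mfa`; the pattern is copied from the existing table row, but the `traffic` string is what gets deployed. Changing `.sso.*` to `.*sso.*` and either adding `.*2fa.*` to the pattern or dropping `2fa` from the prose keeps the two in agreement. The `$` with nothing after it in `not(any(dns.domains[*] in $))` may be a placeholder lost in rendering; otherwise the list id belongs there.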
From dbf54f29aaa21c97f80e2371f0d718fce2b3ef7d Mon Sep 17 00:00:00 2001 From: Tiago Cerqueira Date: Thu, 28 Nov 2024 01:34:10 +0000 Subject: [PATCH 16/39] Added tf and API code for the DNS Resolved IP Blocklist rule --- .../recommended-dns-policies.mdx | 48 ++++++++++++++++++- 1 file changed, 46 insertions(+), 2 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index da17ee3177816d..98fe8016c545e0 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -297,7 +297,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_phishing_domains_block" { enabled = false action = "block" filters = ["dns"] - traffic = "any(dns.domains[*] matches \".*okta.*|.*cloudflare.*|.*mfa.*|.sso.*\") and not(any(dns.domains[*] in $))" + traffic = "any(dns.domains[*] matches \".*okta.*|.*cloudflare.*|.*mfa.*|.sso.*\") and not(any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.known_phishing_domains_list.id}))" rule_settings { block_page_enabled = true block_page_reason = "This domain was blocked due to being classified as a security risk to the organisation" 
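Review bot: The list the new `traffic` string references is named `cloudflare_zero_trust_list.known_phishing_domains_list`, but in this policy the `not(any(dns.domains[*] in …))` clause is the exception list, the table's *Known Domains* row, i.e. the organization's own legitimate domains. A reader following the resource name would populate it with phishing domains, which inverts the rule so that everything except the listed phishing domains is blocked. Naming it along the lines of `cloudflare_zero_trust_list.known_domains` and adding the HCL comment `# the organization's own legitimate domains, exempted from the block` makes the intent explicit.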
@@ -316,10 +316,54 @@ Block specific IP addresses that are malicious or pose a threat to your organiza + + | Selector | Operator | Value | Action | | ----------- | -------- | -------------- | ------ | | Resolved IP | in list | *IP Blocklist* | Block | - + + +```sh +curl --request POST \ + --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + --header 'Content-Type: application/json' \ + --header "Authorization: Bearer " \ + --data '{ + "name": "All-DNS-ResolvedIP-Blocklist", + "description": "Block specific IP addresses deemed to be a risk to the Organization", + "precedence": 80, + "enabled": false, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.resolved_ips[*] in $)", + "rule_settings": { + "block_page_enabled": true, + "block_reason": "This domain was blocked due to being classified as a security risk to the organisation" + } + }' +``` + + +````tf +resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" { + account_id = var.account_id + name = "All-DNS-ResolvedIP-Blocklist" + description = "Block specific IP addresses deemed to be a risk to the Organization" + precedence = 80 + enabled = false + action = "block" + filters = ["dns"] + traffic = "any(dns.resolved_ips[*] in ${"$"}${cloudflare_zero_trust_list.ip_blocklist.id}" + rule_settings { + block_page_enabled = true + block_page_reason = "This domain was blocked due to being classified as a security risk to the organisation" + } +} +``` + + From a061c44cb40386913550c629511ea09b1ce23032 Mon Sep 17 00:00:00 2001 From: Tiago Cerqueira Date: Thu, 28 Nov 2024 01:56:34 +0000 Subject: [PATCH 17/39] Modified enforce-device-posture partial to add terraform and API code --- .../policies/enforce-device-posture.mdx | 50 ++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) 
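Review bot: The Terraform `traffic` expression in the new `dns_resolvedip_blocklist_rule` resource never closes the `any(` call, so the policy will be rejected when applied; it should read `traffic = "any(dns.resolved_ips[*] in ${"$"}${cloudflare_zero_trust_list.ip_blocklist.id})"`, matching the `$)` form used in the cURL tab. The Terraform fence also opens with four backticks (````tf) but closes with three, which leaves the code block unterminated in the rendered page; a later commit in this series appears to fix the fence but not the missing parenthesis.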
diff --git a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx
index a3d85e1112d6c7..0c0e130b4a2e4c 100644
--- a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx
+++ b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx

@@ -2,9 +2,57 @@ {} --- -In the following example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device: +import { Tabs, TabItem, Render } from "~/components"; +In the following example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device: + + | Selector | Operator | Value | Logic | Action | | ---------------------------- | -------- | ----------------------- | ----- | ------ | | Passed Device Posture Checks | not in | _Device serial numbers_ | And | Block | | SNI Domain | is | `internalapp.com` | | | + + +```sh +curl --request POST \ + --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + --header 'Content-Type: application/json' \ + --header "Authorization: Bearer " \ + --data '{ + "name": "All-NET-ApplicationAccess-Allow", + "description": "Ensure access to the application comes from authorized WARP clients", + "precedence": 5000, + "enabled": false, + "action": "block", + "filters": [ + "l4" + ], + "traffic": "any(net.sni.domains[*] == \"internalapp.com\")", + "device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))", + "rule_settings": { + "block_page_enabled": true, + "block_reason": "This domain/IP was explicitly blocked by your network administrator. 
Please reach out to your helpdesk for assistance" + } + }' +``` + + +````tf +resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" { + account_id = var.account_id + name = "All-NET-ApplicationAccess-Allow" + description = "Ensure access to the application comes from authorized WARP clients" + precedence = 5000 + enabled = false + action = "block" + filters = ["l4"] + traffic = "any(net.sni.domains[*] == \"internalapp.com\")" + posture = "not(any(device_posture.checks.passed[*] in {\"${"$"}${cloudflare_zero_trust_list.allowed_devices_sn_list.id}\"}))" + rule_settings { + block_page_enabled = true + block_page_reason = "This domain/IP was explicitly blocked by your network administrator. Please reach out to your helpdesk for assistance" + } +} +``` + + \ No newline at end of file From 1ab4823099b719c1f3b29412077267e8820de8e7 Mon Sep 17 00:00:00 2001 From: Tiago Cerqueira Date: Thu, 28 Nov 2024 02:14:25 +0000 Subject: [PATCH 18/39] Fixed typo --- .../build-dns-policies/recommended-dns-policies.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index 98fe8016c545e0..f2c03e7e85ca58 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -342,7 +342,7 @@ curl --request POST \ "block_page_enabled": true, "block_reason": "This domain was blocked due to being classified as a security risk to the organisation" } - }' + }' ```
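Review bot: The Terraform resource in the new tab is named `dns_resolvedip_blocklist_rule`, copied from the DNS resolved-IP example in PATCH 16; the name misdescribes an L4/SNI device-posture rule, and a reader who applies both examples in one configuration gets a duplicate-resource error, so suggest `resource "cloudflare_zero_trust_gateway_policy" "net_application_access_device_posture" {`. The Terraform block uses `posture = ...` where the cURL body uses `"device_posture"`; the v4 provider exposes this as `device_posture`, so verify the attribute name against the provider schema before publishing. The policy is named `All-NET-ApplicationAccess-Allow` but its `action` is `block` (it blocks connections from devices that fail the serial-number check), which is likely to confuse readers scanning the policy list. As in PATCH 16, the Terraform fence opens with four backticks and closes with three.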
From a15df8ffcd67b97e4ebca543ac95ace99c86742a Mon Sep 17 00:00:00 2001 From: Tiago Cerqueira Date: Thu, 28 Nov 2024 10:41:21 +0000 Subject: [PATCH 19/39] Fixed typo --- .../build-dns-policies/recommended-dns-policies.mdx | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index f2c03e7e85ca58..965c687e9f1b1e 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -60,7 +60,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_whitelist_policy" {
- + | Selector | Operator | Value | Logic | Action | | ---------------- | ------------ | --------------------------------- | ----- | ------ | @@ -147,7 +147,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users"
Block websites hosted in countries categorized as high risk. The designation of such countries may result from your organization's users or through the implementation of regulations including [EAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries), [OFAC](https://orpa.princeton.edu/export-controls/sanctioned-countries), and [ITAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries). - + | Selector | Operator | Value | Action | | ------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | @@ -201,7 +201,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_geolocation_block_policy" {
Block frequently misused top-level domains (TLDs) to reduce security risks, especially when there is no discernible advantage to be gained from allowing access. Similarly, restricting access to specific country-level TLDs may be necessary to comply with regulations such as [OFAC](https://orpa.princeton.edu/export-controls/sanctioned-countries) and [ITAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries). - + | Selector | Operator | Value | Action | | -------- | ------------- | -------------------------------------------------------------------------------------------------------- | ------ | @@ -256,7 +256,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_blacklist_policy" {
Block misused domains to protect your users against sophisticated phishing attacks, such as domains that specifically target your organization. For example, the following policy blocks specific keywords associated with an organization or its authentication services (such as `okta`, `2fa`, `cloudflare` and `sso`) while still allowing access to known domains. - + | Selector | Operator | Value | Logic | Action | | -------- | ------------- | ------------------------------------------- | ----- | ------ | @@ -316,7 +316,7 @@ Block specific IP addresses that are malicious or pose a threat to your organiza - + | Selector | Operator | Value | Action | | ----------- | -------- | -------------- | ------ | From a977605a78128b766c432e3ddc292ccaf326cc73 Mon Sep 17 00:00:00 2001 From: Tiago Cerqueira Date: Thu, 28 Nov 2024 10:56:03 +0000 Subject: [PATCH 20/39] Fixed small typo --- .../build-dns-policies/recommended-dns-policies.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index 965c687e9f1b1e..3735e8cdf143cf 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -346,7 +346,7 @@ curl --request POST \ ``` -````tf +```tf resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" { account_id = var.account_id name = "All-DNS-ResolvedIP-Blocklist" From 0adca5bb1cf6fa3d4d2b5452ad4952f1d7cecc78 Mon Sep 17 00:00:00 2001 From: Tiago Cerqueira Date: Thu, 28 Nov 2024 11:01:18 +0000 Subject: [PATCH 21/39] Fixed typo --- .../gateway/policies/enforce-device-posture.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx index 0c0e130b4a2e4c..4db2015fd653dd 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx @@ -5,7 +5,7 @@ import { Tabs, TabItem, Render } from "~/components"; In the following example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device: - + | Selector | Operator | Value | Logic | Action | | ---------------------------- | -------- | ----------------------- | ----- | ------ | @@ -33,11 +33,11 @@ curl --request POST \ "block_page_enabled": true, "block_reason": "This domain/IP was explicitly blocked by your network administrator. Please reach out to your helpdesk for assistance" } - }' + }' ``` -````tf +```tf resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" { account_id = var.account_id name = "All-NET-ApplicationAccess-Allow" From 95be41f7ae542e76c18f28c6298c590f3365f01a Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 30 Dec 2024 15:42:01 -0600 Subject: [PATCH 22/39] Fix formatting --- .../build-dns-policies/create-list.mdx | 30 ++++++---- .../build-dns-policies/create-policy.mdx | 59 +++++++++++-------- .../partials/cloudflare-one/gateway/lists.mdx | 3 +- 3 files changed, 55 insertions(+), 37 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx index 2fb9c4b5517bf2..838bdddefd610a 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx 
+++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx @@ -3,10 +3,9 @@ title: Create an allowlist or blocklist pcx_content_type: learning-unit sidebar: order: 2 - --- -import { Tabs, TabItem } from "~/components" +import { Tabs, TabItem } from "~/components"; In the context of DNS filtering, a blocklist is a list of known harmful domains or IP addresses. An allowlist is a list of allowed domains or IP addresses, such as the domains of essential corporate applications. @@ -15,35 +14,42 @@ Gateway supports creating [lists](/cloudflare-one/policies/gateway/lists/) of UR ## Example list policy + + The following DNS policy will allow access to all approved corporate domains included in a list called **Corporate Domains**. | Selector | Operator | Value | Action | | -------- | -------- | ------------------- | ------ | -| Domain | in list | *Corporate Domains* | Allow | +| Domain | in list | _Corporate Domains_ | Allow | + + - ```sh -curl --request POST \ - --URL https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ --header 'Content-Type: application/JSON' \ - --header "Authorization: Bearer " \ + --header "Authorization: Bearer " \ --data '{ "name": "All-DNS-CorporateDomain-AllowList", "description": "Allow access to the corporate domains defined under the Corporate Domains list", "precedence": 1, - "enabled": false, + "enabled": true, "action": "allow", "filters": [ "dns" ], - "traffic": "any(dns.domains[*] in $)" + "traffic": "any(dns.domains[*] in $)" }' +``` - ``` + + To create a new DNS policy using **Terraform** to allow access to all approved corporate domains included in a list called **Corporate Domains**. + ```tf resource "cloudflare_zero_trust_gateway_policy" "allow_corporate_domain_access" { account_id = var.account_id 
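Review bot: The rewritten cURL example in create-list.mdx still sends `--header 'Content-Type: application/JSON' \` while the other examples in this series (including the lists.mdx hunk in this same commit) use `application/json`; media type names are case-insensitive so the request works, but the mixed case reads as a typo in documentation. The same header appears in the create-policy.mdx hunk at @@ -27,48 +29,57 @@ below. The Terraform tab's lead-in, `To create a new DNS policy using **Terraform** to allow access to all approved corporate domains included in a list called **Corporate Domains**.`, is a sentence fragment; something like `Use the following Terraform configuration to allow access to the domains in the **Corporate Domains** list:` reads better. Flipping `"enabled"` from `false` to `true` also turns the example from a dry run into a live allow policy, which is reasonable for an allowlist but worth stating where the learning path introduces the examples.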
@@ -56,5 +62,7 @@ resource "cloudflare_zero_trust_gateway_policy" "allow_corporate_domain_access" traffic = "any(dns.domains[*] in $)" } ``` + - \ No newline at end of file + + diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx index f28b5b5da63784..5e93f1f9dcdf24 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx @@ -5,7 +5,7 @@ sidebar: order: 1 --- -import { Tabs, TabItem, Render } from "~/components" +import { Render, Tabs, TabItem } from "~/components"; DNS policies determine how Gateway should handle a DNS request. When a user sends a DNS request, Gateway matches the request against your filters and either allows the query to resolve, blocks the query, or responds to the query with a different IP. @@ -14,7 +14,9 @@ You can filter DNS traffic based on query or response parameters (such as domain To create a new DNS policy: + + 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. 2. In the **DNS** tab, select **Add a policy**. 3. Name the policy. 
@@ -27,48 +29,57 @@ To create a new DNS policy: 6. Select **Create policy**. For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). + + -To create a new DNS policy using **cURL**: - ```sh - curl --request POST \ - --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ - --header 'Content-Type: application/JSON' \ - --header "Authorization: Bearer " \ - --data '{ + +To create a new DNS policy using cURL: + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + --header 'Content-Type: application/JSON' \ + --header "Authorization: Bearer " \ + --data '{ "name": "All-DNS-SecurityCategories-Blocklist", - "description": "Block known security risks based on Cloudflare's threat intelligence", - "precedence": 0, - "enabled": false, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", - "rule_settings": { - "block_page_enabled": true, - "block_reason": "This domain was blocked due to being classified as a security risk to the organisation" - } - }' - ``` + "description": "Block known security risks based on Cloudflare's threat intelligence", + "precedence": 0, + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", + "rule_settings": { + "block_page_enabled": true, + "block_reason": "This domain was blocked due to being classified as a security risk to your organization" + } + }' +``` + + + To create a new DNS policy using **Terraform**: + ```tf resource "cloudflare_zero_trust_gateway_policy" "security_risks_dns_policy" { account_id = var.account_id name = "All-DNS-SecurityCategories-Blocklist" description = "Block known security risks based on Cloudflare's threat intelligence" precedence = 0 - enabled = false + enabled = true action = "block" filters = ["dns"] traffic = 
"any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})" rule_settings { block_page_enabled = true - block_page_reason = "This domain was blocked due to being classified as a security risk to the organisation" + block_page_reason = "This domain was blocked due to being classified as a security risk to your organization" } } ``` + + diff --git a/src/content/partials/cloudflare-one/gateway/lists.mdx b/src/content/partials/cloudflare-one/gateway/lists.mdx index 0e49c4f5f44da2..f410291bb0639f 100644 --- a/src/content/partials/cloudflare-one/gateway/lists.mdx +++ b/src/content/partials/cloudflare-one/gateway/lists.mdx @@ -38,9 +38,8 @@ You can now use this list in the policy builder by choosing the _in list_ operat ```bash curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/lists \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ --header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ --data '{ "description": "Private application IPs", "items": [{"value": "10.226.0.177/32"},{"value": "10.226.1.177/32"}], From 3192b2fcf7696849fef1078fa8baf38484711648 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 6 Feb 2025 16:54:41 -0600 Subject: [PATCH 23/39] Adjust formatting --- .../recommended-dns-policies.mdx | 118 ++++++++++++------ 1 file changed, 83 insertions(+), 35 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index 3735e8cdf143cf..fc4d66eee3a6d3 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx 
@@ -3,24 +3,29 @@ title: Recommended DNS policies pcx_content_type: learning-unit sidebar: order: 3 - --- -import { Details, Render, Tabs, TabItem } from "~/components" +import { Details, Render, Tabs, TabItem } from "~/components"; We recommend you add the following DNS policies to build an Internet and SaaS app security strategy for your organization. -
- + Allowlist any known domains and hostnames. With this policy, you ensure that your users can access your organization's domains even if the domains fall under a blocked category, such as **Newly Seen Domains** or **Login Screens**. + + + + | Selector | Operator | Value | Logic | Action | | -------- | -------- | --------------- | ----- | ------ | -| Domain | in list | *Known Domains* | Or | Allow | -| Host | in list | *Known Domains* | | | +| Domain | in list | _Known Domains_ | Or | Allow | +| Host | in list | _Known Domains_ | | | + + + ```sh curl --request POST \ --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ @@ -38,8 +43,11 @@ curl --request POST \ "traffic": "any(dns.domains[*] in $) or dns.fqdn in $" }' ``` + + + ```tf resource "cloudflare_zero_trust_gateway_policy" "dns_whitelist_policy" { account_id = var.account_id @@ -52,23 +60,29 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_whitelist_policy" { traffic = "any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.domain_whitelist.id}) or dns.fqdn in ${"$"}${cloudflare_zero_trust_list.domain_whitelist.id}" } ``` +
-
+ + -| Selector | Operator | Value | Logic | Action | -| ---------------- | ------------ | --------------------------------- | ----- | ------ | -| Domain | not in list | *Allowed Remediation Domains* | Or | Block | -| Host | not in list | *Allowed Remediation Domains* | And | | -| User Group Names | in | *Quarantined Users* | | | + +| Selector | Operator | Value | Logic | Action | +| ---------------- | ----------- | ----------------------------- | ----- | ------ | +| Domain | not in list | _Allowed Remediation Domains_ | Or | Block | +| Host | not in list | _Allowed Remediation Domains_ | And | | +| User Group Names | in | _Quarantined Users_ | | | + + + ```sh curl --request POST \ --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ @@ -92,8 +106,11 @@ curl --request POST \ } }' ``` + + + ```tf resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users" { account_id = var.account_id @@ -113,47 +130,53 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users" } } ``` + -
-
- - +
-
- - +
-
-
-
+ Block websites hosted in countries categorized as high risk. The designation of such countries may result from your organization's users or through the implementation of regulations including [EAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries), [OFAC](https://orpa.princeton.edu/export-controls/sanctioned-countries), and [ITAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries). + + + | Selector | Operator | Value | Action | | ------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -| Resolved Country IP Geolocation | in | *Afghanistan*, *Belarus*, *Congo (Kinshasa)*, *Cuba*, *Iran*, *Iraq*, *Korea (North)*, *Myanmar*, *Russian Federation*, *Sudan*, *Syria*, *Ukraine*, *Zimbabwe* | Block | +| Resolved Country IP Geolocation | in | _Afghanistan_, _Belarus_, _Congo (Kinshasa)_, _Cuba_, _Iran_, _Iraq_, _Korea (North)_, _Myanmar_, _Russian Federation_, _Sudan_, _Syria_, _Ukraine_, _Zimbabwe_ | Block | + + + ```sh curl --request POST \ --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ @@ -175,8 +198,11 @@ curl --request POST \ } }' ``` + + + ```tf resource "cloudflare_zero_trust_gateway_policy" "dns_geolocation_block_policy" { account_id = var.account_id @@ -193,21 +219,27 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_geolocation_block_policy" { } } ``` + -
-
+ Block frequently misused top-level domains (TLDs) to reduce security risks, especially when there is no discernible advantage to be gained from allowing access. Similarly, restricting access to specific country-level TLDs may be necessary to comply with regulations such as [OFAC](https://orpa.princeton.edu/export-controls/sanctioned-countries) and [ITAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries). + + + | Selector | Operator | Value | Action | | -------- | ------------- | -------------------------------------------------------------------------------------------------------- | ------ | | Domain | matches regex | `[.](cn\|ru)$ or [.](rest\|hair\|top\|live\|cfd\|boats\|beauty\|mom\|skin\|okinawa)$ or [.](zip\|mobi)$` | Block | + + + ```sh curl --request POST \ --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ @@ -229,8 +261,11 @@ curl --request POST \ } }' ``` + + + ```tf resource "cloudflare_zero_trust_gateway_policy" "dns_blacklist_policy" { account_id = var.account_id @@ -247,23 +282,28 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_blacklist_policy" { } } ``` + -
-
Block misused domains to protect your users against sophisticated phishing attacks, such as domains that specifically target your organization. For example, the following policy blocks specific keywords associated with an organization or its authentication services (such as `okta`, `2fa`, `cloudflare` and `sso`) while still allowing access to known domains. + + + | Selector | Operator | Value | Logic | Action | | -------- | ------------- | ------------------------------------------- | ----- | ------ | -| Domain | not in list | *Known Domains* | And | Block | +| Domain | not in list | _Known Domains_ | And | Block | | Domain | matches regex | `.*okta.*\|.*cloudflare.*\|.*mfa.*\|.sso.*` | | | + + + ```sh curl --request POST \ --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ @@ -286,8 +326,11 @@ curl --request POST \ }' ``` + + + ```tf resource "cloudflare_zero_trust_gateway_policy" "dns_phishing_domains_block" { account_id = var.account_id @@ -304,12 +347,11 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_phishing_domains_block" { } } ``` + -
-
Block specific IP addresses that are malicious or pose a threat to your organization. @@ -317,12 +359,17 @@ Block specific IP addresses that are malicious or pose a threat to your organiza + + | Selector | Operator | Value | Action | | ----------- | -------- | -------------- | ------ | -| Resolved IP | in list | *IP Blocklist* | Block | +| Resolved IP | in list | _IP Blocklist_ | Block | + + + ```sh curl --request POST \ --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ @@ -344,8 +391,11 @@ curl --request POST \ } }' ``` + + + ```tf resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" { account_id = var.account_id @@ -362,15 +412,13 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" } } ``` + -
-
- -
\ No newline at end of file +
From df5d23954c22c35c27f1fa9fafd0e7c799073c99 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 10 Feb 2025 15:42:37 -0600 Subject: [PATCH 24/39] Add policy partial and Terraform procedure --- .../recommended-dns-policies.mdx | 2 +- ...lock-security-categories-dash-plus-api.mdx | 56 +++++++++++++++++++ .../policies/enforce-device-posture.mdx | 9 ++- 3 files changed, 65 insertions(+), 2 deletions(-) create mode 100644 src/content/partials/cloudflare-one/gateway/policies/block-security-categories-dash-plus-api.mdx diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index fc4d66eee3a6d3..72cd3f3987408d 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -140,7 +140,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users" diff --git a/src/content/partials/cloudflare-one/gateway/policies/block-security-categories-dash-plus-api.mdx b/src/content/partials/cloudflare-one/gateway/policies/block-security-categories-dash-plus-api.mdx new file mode 100644 index 00000000000000..3427193080b495 --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/policies/block-security-categories-dash-plus-api.mdx 
@@ -0,0 +1,56 @@ +--- +{} +--- + +import { Tabs, TabItem, Render } from "~/components"; + + + + + + + + +```bash +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "Block security threats", + "description": "Block all default Cloudflare DNS security categories", + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", + "identity": "" +}' +``` + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "block_security_threats" { + account_id = var.account_id + name = "All-DNS-SecurityCategories-Blocklist" + description = "Block all default Cloudflare DNS security categories" + precednece = 20 + enabled = false + action = "block" + filters = ["dns"] + traffic = "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})" + rule_settings { + block_page_enabled = true + notification_settings { + enabled = true + } + } +} +``` + + diff --git a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx index 06cecb38913f33..f91103b90e31f5 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx 
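Review bot: The cURL example in the new partial posts to `/accounts/$ACCOUNT_ID/gateway/rule` (singular) while every other example in this series uses `/gateway/rules`; change the first line to `curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \`. The two tabs also describe different policies: the API body is named `Block security threats` with `"enabled": true` and no precedence, while the Terraform resource is named `All-DNS-SecurityCategories-Blocklist` with `enabled = false` and `precedence = 20`, so a reader switching tabs does not get an equivalent configuration. The Terraform block misspells `precedence` as `precednece`, which Terraform rejects as an unexpected argument; a later commit in the series appears to correct it. The cURL body sets `"identity"` but the Terraform block has no `identity` argument, so the tabs should either both scope the rule to an identity or neither.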
@@ -2,17 +2,21 @@ {} --- -import { Tabs, TabItem, Render } from "~/components"; +import { Tabs, TabItem } from "~/components"; In the following example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device: + + | Selector | Operator | Value | Logic | Action | | ---------------------------- | -------- | ----------------------- | ----- | ------ | | Passed Device Posture Checks | not in | _Device serial numbers_ | And | Block | | SNI Domain | is | `internalapp.com` | | | + + ```sh curl --request POST \ --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ @@ -35,8 +39,10 @@ curl --request POST \ } }' ``` + + ```tf resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" { account_id = var.account_id @@ -54,5 +60,6 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" } } ``` + From 81ace67cbb4e9f7c0fc6ead5bf63f016acf6c550 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 10 Feb 2025 15:57:25 -0600 Subject: [PATCH 25/39] Add dash-plus-api folder --- .../gateway/dns-policies/common-policies.mdx | 27 +------------------ .../recommended-dns-policies.mdx | 2 +- .../dns-block-security-categories.mdx} | 2 +- 3 files changed, 3 insertions(+), 28 deletions(-) rename src/content/partials/cloudflare-one/gateway/policies/{block-security-categories-dash-plus-api.mdx => dash-plus-api/dns-block-security-categories.mdx} (98%) diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index 3a1d5437decba7..df02afd45a2ee9 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx 
@@ -54,36 +54,11 @@ To get the UUIDs of your lists, use the [List Zero Trust lists](/api/resources/z Block [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence. - - - - - - -```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ ---data '{ - "name": "Block security threats", - "description": "Block all default Cloudflare DNS security categories", - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", - "identity": "" -}' -``` - - - ## Block content categories The categories included in this policy are not always a security threat, but blocking them can help minimize the risk that your organization is exposed to. For more information, refer to [domain categories](/cloudflare-one/policies/gateway/domain-categories/). diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index 72cd3f3987408d..b20f847ca06275 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -140,7 +140,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users" 
diff --git a/src/content/partials/cloudflare-one/gateway/policies/block-security-categories-dash-plus-api.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-security-categories.mdx similarity index 98% rename from src/content/partials/cloudflare-one/gateway/policies/block-security-categories-dash-plus-api.mdx rename to src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-security-categories.mdx index 3427193080b495..6263bb730b6c6f 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/block-security-categories-dash-plus-api.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-security-categories.mdx @@ -39,7 +39,7 @@ resource "cloudflare_zero_trust_gateway_policy" "block_security_threats" { account_id = var.account_id name = "All-DNS-SecurityCategories-Blocklist" description = "Block all default Cloudflare DNS security categories" - precednece = 20 + precedence = 20 enabled = false action = "block" filters = ["dns"] From ab07e7eccacd15a34d0d2fcd7d4d466a8b2d9b20 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 10 Feb 2025 16:06:23 -0600 Subject: [PATCH 26/39] Fix device posture partial --- .../network-policies/common-policies.mdx | 33 ++-------- .../gateway/policies/block-applications.mdx | 2 +- .../network-enforce-device-posture.mdx | 66 +++++++++++++++++++ .../policies/enforce-device-posture.mdx | 57 ---------------- 4 files changed, 71 insertions(+), 87 deletions(-) create mode 100644 src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network-enforce-device-posture.mdx diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx index ea81857179db3a..60fc50dc3a4b13 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx 
+++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx @@ -87,35 +87,10 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ Require devices to have certain software installed or other configuration attributes. For instructions on enabling a device posture check, refer to the [device posture section](/cloudflare-one/identity/devices/). For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device: - - - - - - - - -```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ ---data '{ - "name": "Enforce device posture", - "description": "Limit access to an internal application to approved organization devices", - "enabled": true, - "action": "block", - "filters": [ - "l4" - ], - "traffic": "any(net.sni.domains[*] == \"example.com\")", - "identity": "", - "device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))" -}' -``` - -To get the UUIDs of your device posture checks, use the [List device posture rules](/api/resources/zero_trust/subresources/devices/subresources/posture/methods/list/) endpoint. - - + ## Enforce session duration diff --git a/src/content/partials/cloudflare-one/gateway/policies/block-applications.mdx b/src/content/partials/cloudflare-one/gateway/policies/block-applications.mdx index 0ae917f3535c1c..44ca8d1db1a76d 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/block-applications.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/block-applications.mdx 
@@ -2,7 +2,7 @@ {} --- -import { GlossaryTooltip, Tabs, TabItem } from "~/components"; +import { GlossaryTooltip } from "~/components"; :::note After seven days, view your [shadow IT analytics](/cloudflare-one/insights/analytics/shadow-it-discovery/) and block additional applications based on what your users are accessing. diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network-enforce-device-posture.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network-enforce-device-posture.mdx new file mode 100644 index 00000000000000..cb257ba6e8c736 --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network-enforce-device-posture.mdx 
@@ -0,0 +1,66 @@ +--- +{} +--- + +import { Tabs, TabItem, Render } from "~/components"; + +In the following example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device: + + + + + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ + --header "Content-Type: application/json" \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ + --data '{ + "name": "All-NET-ApplicationAccess-Allow", + "description": "Ensure access to the application comes from authorized WARP clients", + "precedence": 5000, + "enabled": false, + "action": "block", + "filters": [ + "l4" + ], + "traffic": "any(net.sni.domains[*] == \"internalapp.com\")", + "device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))", + "rule_settings": { + "block_page_enabled": true, + "block_reason": "This domain/IP was explicitly blocked by your network administrator. Please reach out to your helpdesk for assistance" + } + }' +``` + +To get the UUIDs of your device posture checks, use the [List device posture rules](/api/resources/zero_trust/subresources/devices/subresources/posture/methods/list/) endpoint. + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" { + account_id = var.account_id + name = "All-NET-ApplicationAccess-Allow" + description = "Ensure access to the application comes from authorized WARP clients" + precedence = 5000 + enabled = false + action = "block" + filters = ["l4"] + traffic = "any(net.sni.domains[*] == \"internalapp.com\")" + posture = "not(any(device_posture.checks.passed[*] in {\"${"$"}${cloudflare_zero_trust_list.allowed_devices_sn_list.id}\"}))" + rule_settings { + block_page_enabled = true + block_page_reason = "This domain/IP was explicitly blocked by your network administrator. 
Please reach out to your helpdesk for assistance" + } +} +``` + + + diff --git a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx index f91103b90e31f5..dd827e6d97bc19 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx 
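Review bot: The Terraform tab's `posture` expression interpolates `cloudflare_zero_trust_list.allowed_devices_sn_list.id`, a Gateway list ID, but `device_posture.checks.passed` is compared against device posture check UUIDs — the cURL tab's own note says to fetch them from the List device posture rules endpoint. If a list ID is substituted there, no check ever matches and `not(any(...))` is always true, so every connection to `internalapp.com` is blocked rather than only connections from unmanaged devices; the expression should reference the id of the serial-number posture rule (the list is an input to that rule, not the rule itself). The two tabs also name the same field differently, `"device_posture"` in the API body versus `posture` in the resource; verify the provider schema and use the matching attribute. Separately, the policy is named `All-NET-ApplicationAccess-Allow` while its action is `block`, which will mislead anyone scanning the Gateway rule list.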
@@ -2,64 +2,7 @@ {} --- -import { Tabs, TabItem } from "~/components"; - -In the following example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device: - - - - | Selector | Operator | Value | Logic | Action | | ---------------------------- | -------- | ----------------------- | ----- | ------ | | Passed Device Posture Checks | not in | _Device serial numbers_ | And | Block | | SNI Domain | is | `internalapp.com` | | | - - - - -```sh -curl --request POST \ - --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ - --header 'Content-Type: application/json' \ - --header "Authorization: Bearer " \ - --data '{ - "name": "All-NET-ApplicationAccess-Allow", - "description": "Ensure access to the application comes from authorized WARP clients", - "precedence": 5000, - "enabled": false, - "action": "block", - "filters": [ - "l4" - ], - "traffic": "any(net.sni.domains[*] == \"internalapp.com\")", - "device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))", - "rule_settings": { - "block_page_enabled": true, - "block_reason": "This domain/IP was explicitly blocked by your network administrator. 
Please reach out to your helpdesk for assistance" - } - }' -``` - - - - -```tf -resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" { - account_id = var.account_id - name = "All-NET-ApplicationAccess-Allow" - description = "Ensure access to the application comes from authorized WARP clients" - precedence = 5000 - enabled = false - action = "block" - filters = ["l4"] - traffic = "any(net.sni.domains[*] == \"internalapp.com\")" - posture = "not(any(device_posture.checks.passed[*] in {\"${"$"}${cloudflare_zero_trust_list.allowed_devices_sn_list.id}\"}))" - rule_settings { - block_page_enabled = true - block_page_reason = "This domain/IP was explicitly blocked by your network administrator. Please reach out to your helpdesk for assistance" - } -} -``` - - - From 0ab52bb37f2db4d6eaf01d2ca2bf78439e17a127 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 10 Feb 2025 17:20:39 -0600 Subject: [PATCH 27/39] Add block category partials --- .../gateway/dns-policies/common-policies.mdx | 32 ++--------- .../gateway/http-policies/common-policies.mdx | 33 ++--------- .../policies/gateway/http-policies/index.mdx | 2 +- .../recommended-dns-policies.mdx | 9 ++- .../recommended-http-policies.mdx | 56 ++++++++----------- .../gateway/policies/block-cipa.mdx | 3 +- .../gateway/policies/block-file-types.mdx | 4 +- .../dns-block-content-categories.mdx | 49 ++++++++++++++++ .../dns-block-security-categories.mdx | 6 -- .../http-block-content-categories.mdx | 35 ++++++++++++ ...mdx => content-categories-description.mdx} | 12 +--- 11 files changed, 129 insertions(+), 112 deletions(-) create mode 100644 src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-content-categories.mdx create mode 100644 src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http-block-content-categories.mdx rename src/content/partials/learning-paths/zero-trust/{blocklist-content-categories.mdx => content-categories-description.mdx} (55%) 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index df02afd45a2ee9..a47d0db3dd408e 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx @@ -63,34 +63,10 @@ Block [security categories](/cloudflare-one/policies/gateway/domain-categories/# The categories included in this policy are not always a security threat, but blocking them can help minimize the risk that your organization is exposed to. For more information, refer to [domain categories](/cloudflare-one/policies/gateway/domain-categories/). - - -| Selector | Operator | Value | Action | -| ------------------ | -------- | --------------------------------------------------------- | ------ | -| Content Categories | in | _Questionable Content_, _Security Risks_, _Miscellaneous_ | Block | - - - - - -```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ ---data '{ - "name": "Block content categories", - "description": "Block common content categories that may pose a risk", - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "any(dns.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161})", - "identity": "" -}' -``` - - + ## Block unauthorized applications diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index 14ee2c097db031..8a7c364df75187 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx 
@@ -92,35 +92,10 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ Block content categories which go against your organization's acceptable use policy. - - -| Selector | Operator | Value | Action | -| ------------------ | -------- | -------------------------- | ------ | -| Content Categories | in | _Adult Themes_, _Gambling_ | Block | - - - - - -```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ ---data '{ - "name": "Block content categories", - "description": "Block access to unauthorized adult and gambling applications", - "enabled": true, - "action": "block", - "filters": [ - "http" - ], - "traffic": "any(http.request.uri.content_category[*] in {2 67 125 133 99})", - "identity": "", - "device_posture": "" -}' -``` - - + ## Block unauthorized applications diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx index 2438f96edb5e39..8bd8dbace18aa6 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx @@ -85,7 +85,7 @@ The Allow action allows outbound traffic to reach destinations you specify withi | Selector | Operator | Value | Action | | ------------------ | -------- | ----------- | ------ | -| Content Categories | in | `Education` | Allow | +| Content Categories | in | _Education_ | Allow | #### Untrusted certificates diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index b20f847ca06275..93e263e3c5d948 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx 
+++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -149,8 +149,13 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users"
+ +
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx index f82377bc71b8a7..4e84d678fe4ed5 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx @@ -3,86 +3,81 @@ title: Recommended HTTP policies pcx_content_type: learning-unit sidebar: order: 5 - --- -import { Details, Render } from "~/components" +import { Details, Render } from "~/components"; We recommend you add the following HTTP policies to build an Internet and SaaS app security strategy for your organization. -
Bypass HTTP inspection for applications that use embedded certificates. This will help avoid any certificate pinning errors that may arise from an initial rollout. - - +
-
Bypass HTTPS inspection for Android applications (such as Google Drive) that use certificate pinning, which is incompatible with Gateway inspection. | Selector | Operator | Value | Logic | Action | | ---------------------------- | -------- | --------------------------------- | ----- | -------------- | -| Application | in | *Google Drive* | And | Do Not Inspect | -| Passed Device Posture Checks | in | *OS Version Android (OS version)* | | | - +| Application | in | _Google Drive_ | And | Do Not Inspect | +| Passed Device Posture Checks | in | _OS Version Android (OS version)_ | | |
-
Bypass HTTP inspection for a custom list of domains identified as incompatible with TLS inspection. | Selector | Operator | Value | Logic | Action | | -------- | -------- | ------------------------ | ----- | -------------- | -| Domain | in list | *DomainInspectionBypass* | Or | Do Not Inspect | -| Domain | in list | *Known Domains* | | | - +| Domain | in list | _DomainInspectionBypass_ | Or | Do Not Inspect | +| Domain | in list | _Known Domains_ | | |
-
| Selector | Operator | Value | Action | | -------------- | -------- | -------------------- | ------ | -| Security Risks | in | *All security risks* | Block | - +| Security Risks | in | _All security risks_ | Block |
-
- + +
-
-
-
-
-
Isolate traffic for privileged users who regularly access critical systems or execute actions such as threat analysis and malware testing. @@ -91,33 +86,28 @@ Security teams often need to perform threat analysis or malware testing that cou | Selector | Operator | Value | Action | | ---------------- | -------- | ------------------ | ------- | -| User Group Names | in | *Privileged Users* | Isolate | - +| User Group Names | in | _Privileged Users_ | Isolate |
-
| Selector | Operator | Value | Logic | Action | | ---------------- | ----------- | ------------------------------- | ----- | ------ | -| Destination IP | not in list | *Quarantined-Users-IPAllowlist* | And | Block | -| User Group Names | in | *Quarantined Users* | | | - +| Destination IP | not in list | _Quarantined-Users-IPAllowlist_ | And | Block | +| User Group Names | in | _Quarantined Users_ | | |
-
Isolate high risk domains or create a custom list of known risky domains to avoid data exfiltration or malware infection. Ideally, your incident response teams can update the blocklist with an [API automation](/security-center/intel-apis/) to provide real-time threat protection. | Selector | Operator | Value | Logic | Action | | ------------------ | -------- | ---------------------------------- | ----- | ------- | -| Content Categories | in | *New Domain*, *Newly Seen Domains* | Or | Isolate | -| Domain | in list | *Domain Isolation* | | | - +| Content Categories | in | _New Domain_, _Newly Seen Domains_ | Or | Isolate | +| Domain | in list | _Domain Isolation_ | | |
diff --git a/src/content/partials/cloudflare-one/gateway/policies/block-cipa.mdx b/src/content/partials/cloudflare-one/gateway/policies/block-cipa.mdx index b83b301e0ad152..e4763c549421e6 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/block-cipa.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/block-cipa.mdx @@ -1,8 +1,7 @@ --- {} - --- | Selector | Operator | Value | Action | | ------------------ | -------- | ------------- | ------ | -| Content categories | in | `CIPA Filter` | Block | +| Content Categories | in | _CIPA Filter_ | Block | diff --git a/src/content/partials/cloudflare-one/gateway/policies/block-file-types.mdx b/src/content/partials/cloudflare-one/gateway/policies/block-file-types.mdx index 5fca4c2e41b791..872da260edc6f8 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/block-file-types.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/block-file-types.mdx @@ -18,9 +18,9 @@ Block the upload or download of files based on their type. ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Block file types", "description": "Block the upload or download of files based on their type", diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-content-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-content-categories.mdx new file mode 100644 index 00000000000000..b6e0399be146cb --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-content-categories.mdx 
@@ -0,0 +1,49 @@ +--- +{} +--- + +import { Tabs, TabItem } from "~/components"; + + + +| Selector | Operator | Value | Action | +| ------------------ | -------- | --------------------------------------------------------- | ------ | +| Content Categories | in | _Questionable Content_, _Security Risks_, _Miscellaneous_ | Block | + + + + +```bash +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "Block content categories", + "description": "Block common content categories that may pose a risk", + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161})", + "identity": "" +}' +``` + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "block_content_categories" { + account_id = var.account_id + name = "Block content categories" + description = "Block common content categories that may pose a risk" + enabled = true + action = "block" + filters = ["dns"] + traffic = "any(dns.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161})" + identity = "" +} +``` + + diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-security-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-security-categories.mdx index 6263bb730b6c6f..199bf5b5de3f75 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-security-categories.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-security-categories.mdx 
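Review bot: The cURL example posts to `https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule`, while the device-posture partial added in this same series posts to `.../gateway/rules`; both cannot be the correct path, so one of the partials will fail for anyone copying it. The Terraform tab also omits `precedence`, which the security-category partial in this series sets explicitly; since this content-category block is meant to evaluate after the domain allowlist, consider setting a precedence so the ordering does not depend on provider defaults. The blocked set includes `Security Risks`, which the accompanying description partial warns is not always a threat; a one-line pointer to that allow-first recommendation next to the code would help readers avoid false positives.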
@@ -44,12 +44,6 @@ resource "cloudflare_zero_trust_gateway_policy" "block_security_threats" { action = "block" filters = ["dns"] traffic = "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})" - rule_settings { - block_page_enabled = true - notification_settings { - enabled = true - } - } } ``` diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http-block-content-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http-block-content-categories.mdx new file mode 100644 index 00000000000000..ac25bee7bb48b9 --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http-block-content-categories.mdx @@ -0,0 +1,35 @@ +--- +{} +--- + +import { Tabs, TabItem } from "~/components"; + + + +| Selector | Operator | Value | Action | +| ------------------ | -------- | ------------------------------------------------------------------------------------- | ------ | +| Content Categories | in | _Questionable Content_, _Security Risks_, _Miscellaneous_, _Adult Themes_, _Gambling_ | Block | + + + + +```bash +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "Block content categories", + "description": "Block access to unauthorized applications", + "enabled": true, + "action": "block", + "filters": [ + "http" + ], + "traffic": "any(http.request.uri.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161 2 67 125 133 99})", + "identity": "", + "device_posture": "" +}' +``` + + + 
diff --git a/src/content/partials/learning-paths/zero-trust/blocklist-content-categories.mdx b/src/content/partials/learning-paths/zero-trust/content-categories-description.mdx similarity index 55% rename from src/content/partials/learning-paths/zero-trust/blocklist-content-categories.mdx rename to src/content/partials/learning-paths/zero-trust/content-categories-description.mdx index c16cf0157551e2..6634f356d9ceb7 100644 --- a/src/content/partials/learning-paths/zero-trust/blocklist-content-categories.mdx +++ b/src/content/partials/learning-paths/zero-trust/content-categories-description.mdx @@ -1,14 +1,8 @@ --- -inputParameters: blocklistPolicyType;;blockedContentCategories - +params: + - policyType --- -import { Markdown } from "~/components" - -Entries in the [security risk content subcategory](/cloudflare-one/policies/gateway/domain-categories/#security-risk-subcategories), such as **New Domains**, do not always pose a security threat. We recommend you first create an Allow policy to track policy matching and identify any false positives. You can add false positives to your **Trusted Domains** list used in **All-{props.one}-Domain-Allowlist**. +Entries in the [security risk content subcategory](/cloudflare-one/policies/gateway/domain-categories/#security-risk-subcategories), such as **New Domains**, do not always pose a security threat. We recommend you first create an Allow policy to track policy matching and identify any false positives. You can add false positives to your **Trusted Domains** list used in **All-{props.policyType}-Domain-Allowlist**. After your test is complete, we recommend you change the action to Block to minimize risk to your organization. - -| Selector | Operator | Value | Action | -| ------------------ | -------- | ----- | ------ | -| Content Categories | in | {props.two} | Allow | From 6915edff3b500fc1435c9f16a428635288d7dd44 Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Mon, 10 Feb 2025 17:58:58 -0600 Subject: [PATCH 28/39] Add block application partials --- .../gateway/dns-policies/common-policies.mdx | 32 +++-------------- .../gateway/http-policies/common-policies.mdx | 33 +++-------------- .../recommended-dns-policies.mdx | 9 +++-- .../recommended-http-policies.mdx | 5 +++ .../dash-plus-api/dns-block-applications.mdx | 34 ++++++++++++++++++ .../dash-plus-api/http-block-applications.mdx | 35 +++++++++++++++++++ .../zero-trust/blocklist-application.mdx | 9 ++--- 7 files changed, 91 insertions(+), 66 deletions(-) create mode 100644 src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-applications.mdx create mode 100644 src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http-block-applications.mdx diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index a47d0db3dd408e..14d252247ac594 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx @@ -72,34 +72,10 @@ The categories included in this policy are not always a security threat, but blo - - -| Selector | Operator | Value | Action | -| ----------- | -------- | ------------------------- | ------ | -| Application | in | _Artificial Intelligence_ | Block | - - - - - -```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ ---data '{ - "name": "Block unauthorized applications", - "description": "Block access to unauthorized AI applications", - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "any(app.type.ids[*] in {25})", - "identity": "" -}' -``` - - + ## Block banned countries 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index 8a7c364df75187..d907fad2b013cb 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx @@ -101,35 +101,10 @@ Block content categories which go against your organization's acceptable use pol - - -| Selector | Operator | Value | Action | -| ----------- | -------- | ------------------------- | ------ | -| Application | in | _Artificial Intelligence_ | Block | - - - - - -```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ ---data '{ - "name": "Block unauthorized applications", - "description": "Block access to unauthorized AI applications", - "enabled": true, - "action": "block", - "filters": [ - "http" - ], - "traffic": "any(app.type.ids[*] in {25})", - "identity": "", - "device_posture": "" -}' -``` - - + ## Check user identity diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index 93e263e3c5d948..678c83dc847f41 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx 
@@ -33,7 +33,7 @@ curl --request POST \ --header "Authorization: Bearer " \ --data '{ "name": "All-DNS-Domain-Allowlist", - "description": "Organization-wide whitelist. Explicitly allow resolution of these DNS domains", + "description": "Organization-wide allowlist. Explicitly allow resolution of these DNS domains", "precedence": 0, "enabled": false, "action": "allow", @@ -52,7 +52,7 @@ curl --request POST \ resource "cloudflare_zero_trust_gateway_policy" "dns_whitelist_policy" { account_id = var.account_id name = "All-DNS-Domain-Allowlist" - description = "Organization-wide whitelist. Explicitly allow resolution of these DNS domains" + description = "Organization-wide allowlist. Explicitly allow resolution of these DNS domains" precedence = 0 enabled = false action = "allow" @@ -164,6 +164,11 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users" + +
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx index 4e84d678fe4ed5..2cf68d6088a59c 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx @@ -76,6 +76,11 @@ Bypass HTTP inspection for a custom list of domains identified as incompatible w + +
diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-applications.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-applications.mdx new file mode 100644 index 00000000000000..6563ee373d37a9 --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-applications.mdx @@ -0,0 +1,34 @@ +--- +{} +--- + +import { Tabs, TabItem } from "~/components"; + + + +| Selector | Operator | Value | Action | +| ----------- | -------- | ------------------------- | ------ | +| Application | in | _Artificial Intelligence_ | Block | + + + + + +```bash +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN>" \ +--data '{ + "name": "Block unauthorized applications", + "description": "Block access to unauthorized AI applications", + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(app.type.ids[*] in {25})", + "identity": "" +}' +``` + + diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http-block-applications.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http-block-applications.mdx new file mode 100644 index 00000000000000..d24e0141de39f3 --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http-block-applications.mdx 
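Review bot: The Authorization header in the cURL tab reads `--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN>" \` — the stray `>` after the variable is sent as part of the bearer token, so every copy of this command is rejected as unauthenticated. Drop the character: `--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \`. The endpoint `.../gateway/rule` also differs from the `.../gateway/rules` path used by the device-posture partial in this series; check which is correct and use it in every partial.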
@@ -0,0 +1,35 @@ +--- +{} +--- + +import { Tabs, TabItem } from "~/components"; + + + +| Selector | Operator | Value | Action | +| ----------- | -------- | ------------------------- | ------ | +| Application | in | _Artificial Intelligence_ | Block | + + + + +```bash +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "Block content categories", + "description": "Block access to unauthorized AI applications", + "enabled": true, + "action": "block", + "filters": [ + "http" + ], + "traffic": "any(app.type.ids[*] in {25})", + "identity": "", + "device_posture": "" +}' +``` + + + diff --git a/src/content/partials/learning-paths/zero-trust/blocklist-application.mdx b/src/content/partials/learning-paths/zero-trust/blocklist-application.mdx index 98640024e6b857..485694bcd2ad7c 100644 --- a/src/content/partials/learning-paths/zero-trust/blocklist-application.mdx +++ b/src/content/partials/learning-paths/zero-trust/blocklist-application.mdx @@ -1,12 +1,7 @@ --- {} - --- -import { GlossaryTooltip } from "~/components" - -Block unauthorized applications to limit your users' access to certain web-based tools and minimize the risk of shadow IT. For example, the following policy blocks popular AI chatbots. +import { GlossaryTooltip } from "~/components"; -| Selector | Operator | Value | Action | -| ----------- | -------- | ----------------------------------------------- | ------ | -| Application | in | *Microsoft Copilot*, *ChatGPT*, *Google Gemini* | Block | +Block unauthorized applications to limit your users' access to certain web-based tools and minimize the risk of shadow IT. For example, the following policy blocks known AI tools: From 13147be4a41749f6cef17ebad4764b065c3ce3d1 Mon Sep 17 00:00:00 2001 
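Review bot: The policy name in the new HTTP partial, `"name": "Block content categories",`, matches neither its description ("Block access to unauthorized AI applications") nor the file name; it reads as a leftover from the content-categories partial and would create a misleadingly named policy. Change it to `"name": "Block unauthorized applications",` so it mirrors the DNS counterpart. As in the DNS partial, the URL ends in `/gateway/rule` while the learning-path samples on this page use `/gateway/rules`.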
From: Max Phillips Date: Mon, 10 Feb 2025 18:13:40 -0600 Subject: [PATCH 29/39] Add TF for application policy --- .../dash-plus-api/dns-block-applications.mdx | 18 +++++++++++++++++- .../http-block-content-categories.mdx | 17 ++++++++++++++++- 2 files changed, 33 insertions(+), 2 deletions(-) diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-applications.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-applications.mdx index 6563ee373d37a9..b15467d8ce1ecd 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-applications.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-applications.mdx @@ -11,7 +11,6 @@ import { Tabs, TabItem } from "~/components"; | Application | in | _Artificial Intelligence_ | Block | - ```bash @@ -31,4 +30,21 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ }' ``` + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "block_unauthorized_apps" { + account_id = var.account_id + name = "All-DNS-Application-Blocklist" + description = "Block access to unauthorized AI applications" + enabled = true + action = "block" + filters = ["dns"] + traffic = "any(app.type.ids[*] in {25})" + identity = "" +} +``` + diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http-block-content-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http-block-content-categories.mdx index ac25bee7bb48b9..14a795238d0326 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http-block-content-categories.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http-block-content-categories.mdx 
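Review bot: The Terraform tab added to dns-block-applications.mdx names the policy `name = "All-DNS-Application-Blocklist"`, while the curl tab in the same partial (context line `"name": "Block unauthorized applications"`) uses a different name, so the two tabs do not produce the same policy. Pick one name and use it in both tabs. The curl tab also carries `"precedence"` from PATCH 33 onward while this resource has none, so the tabs diverge a second time; adding `precedence = 40` here would keep them aligned.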
@@ -32,4 +32,19 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ``` - + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "block_unauthorized_apps" { + account_id = var.account_id + name = "All-HTTP-Application-Blocklist" + description = "Block access to unauthorized AI applications" + enabled = true + action = "block" + filters = ["dns"] + traffic = "any(app.type.ids[*] in {25})" + identity = "" +} +``` + + From 5e77ecc07df68149aa191a2bfc2a9e782ed10f8e Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 11 Feb 2025 14:14:28 -0600 Subject: [PATCH 30/39] Convert to US spelling --- .../recommended-dns-policies.mdx | 16 ++++++++-------- .../docs/pages/configuration/debugging-pages.mdx | 4 +--- 2 files changed, 9 insertions(+), 11 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index 678c83dc847f41..3116c64c9ee0e9 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -204,7 +204,7 @@ curl --request POST \ "traffic": "any(dns.dst.geo.country[*] in {\"AF\" \"BY\" \"CD\" \"CU\" \"IR\" \"IQ\" \"KP\" \"MM\" \"RU\" \"SD\" \"SY\" \"UA\" \"ZW\"})", "rule_settings": { "block_page_enabled": true, - "block_reason": "This domain was blocked due to being classified as a security risk to the organisation" + "block_reason": "This domain was blocked due to being classified as a security risk to the organization" } }' ``` 
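Review bot: The Terraform resource added to http-block-content-categories.mdx sets `filters = ["dns"]`, which makes it a DNS policy rather than an HTTP one; for an HTTP partial it should be `filters = ["http"]`. The resource label `block_unauthorized_apps`, the policy name All-HTTP-Application-Blocklist and the `app.type.ids` traffic expression all describe an application blocklist, not content categories, so this block may have been intended for http-block-applications.mdx (created earlier in this series) — worth confirming. If both partials are ever rendered into a single Terraform configuration, the duplicated resource label `block_unauthorized_apps` will also collide with the DNS resource from the previous hunk.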
@@ -225,7 +225,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_geolocation_block_policy" { traffic = "any(dns.dst.geo.country[*] in {\"AF\" \"BY\" \"CD\" \"CU\" \"IR\" \"IQ\" \"KP\" \"MM\" \"RU\" \"SD\" \"SY\" \"UA\" \"ZW\"})" rule_settings { block_page_enabled = true - block_page_reason = "This domain was blocked due to being classified as a security risk to the organisation" + block_page_reason = "This domain was blocked due to being classified as a security risk to the organization" } } ``` @@ -267,7 +267,7 @@ curl --request POST \ "traffic": "any(dns.domains[*] matches \"[.](cn|ru)$ or [.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$ or [.](zip|mobi)$\")", "rule_settings": { "block_page_enabled": true, - "block_reason": "This domain was blocked due to being classified as a security risk to the organisation" + "block_reason": "This domain was blocked due to being classified as a security risk to the organization" } }' ``` @@ -288,7 +288,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_blacklist_policy" { traffic = "any(dns.domains[*] matches \"[.](cn|ru)$ or [.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$ or [.](zip|mobi)$\")" rule_settings { block_page_enabled = true - block_page_reason = "This domain was blocked due to being classified as a security risk to the organisation" + block_page_reason = "This domain was blocked due to being classified as a security risk to the organization" } } ``` @@ -331,7 +331,7 @@ curl --request POST \ "traffic": "any(dns.domains[*] matches \".*okta.*|.*cloudflare.*|.*mfa.*|.sso.*\") and not(any(dns.domains[*] in $))", "rule_settings": { "block_page_enabled": true, - "block_reason": "This domain was blocked due to being classified as a security risk to the organisation" + "block_reason": "This domain was blocked due to being classified as a security risk to the organization" } }' 
@@ -353,7 +353,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_phishing_domains_block" { traffic = "any(dns.domains[*] matches \".*okta.*|.*cloudflare.*|.*mfa.*|.sso.*\") and not(any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.known_phishing_domains_list.id}))" rule_settings { block_page_enabled = true - block_page_reason = "This domain was blocked due to being classified as a security risk to the organisation" + block_page_reason = "This domain was blocked due to being classified as a security risk to the organization" } } ``` @@ -397,7 +397,7 @@ curl --request POST \ "traffic": "any(dns.resolved_ips[*] in $)", "rule_settings": { "block_page_enabled": true, - "block_reason": "This domain was blocked due to being classified as a security risk to the organisation" + "block_reason": "This domain was blocked due to being classified as a security risk to the organization" } }' ``` @@ -418,7 +418,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" traffic = "any(dns.resolved_ips[*] in ${"$"}${cloudflare_zero_trust_list.ip_blocklist.id}" rule_settings { block_page_enabled = true - block_page_reason = "This domain was blocked due to being classified as a security risk to the organisation" + block_page_reason = "This domain was blocked due to being classified as a security risk to the organization" } } ``` diff --git a/src/content/docs/pages/configuration/debugging-pages.mdx b/src/content/docs/pages/configuration/debugging-pages.mdx index d5ecaec0fccd71..afc86858ac2c0b 100644 --- a/src/content/docs/pages/configuration/debugging-pages.mdx +++ b/src/content/docs/pages/configuration/debugging-pages.mdx 
@@ -26,7 +26,7 @@ To fix this in GitHub: 1. Log in to your GitHub account. 2. Go to **Settings** from your user icon > find **Applications** under Integrations. 3. Find **Cloudflare Pages** > **Configure** > scroll down and select **Uninstall**. -4. Re-authorize your GitHub user/organisation on the Cloudflare dashboard. +4. Re-authorize your GitHub user/organization on the Cloudflare dashboard. To fix this in GitLab: @@ -70,10 +70,8 @@ Possible errors in this step could be caused by faulty setup in your Pages proje :::note - Make sure there are no emojis or special characters as part of your commit message in a Pages project that is integrated with GitHub or GitLab as it can potentially cause issues when building the project. - ::: ### Deploying to Cloudflare's global network From 29cc080e859ce57fb74422c5b986fbbaf818b57a Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 11 Feb 2025 14:18:02 -0600 Subject: [PATCH 31/39] Decouple blocklist policy --- .../recommended-dns-policies.mdx | 34 ++++++++++++++++++- .../recommended-http-policies.mdx | 6 ++++ .../zero-trust/blocklist-domain-host.mdx | 14 ++------ 3 files changed, 42 insertions(+), 12 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index 3116c64c9ee0e9..eb5cce0b89812e 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -429,6 +429,38 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule"
- + + + + + + +| Selector | Operator | Value | Logic | Action | +| -------- | ------------- | ------------------ | ----- | ------ | +| Domain | in list | _Domain Blocklist_ | Or | Block | +| Host | in list | _Host Blocklist_ | Or | | +| Host | matches regex | `.*example\.com` | | | + + + + + +```sh + +``` + + + + + +```tf + +``` + + +
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx index 2cf68d6088a59c..d2465dc47cf9a3 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx @@ -70,6 +70,12 @@ Bypass HTTP inspection for a custom list of domains identified as incompatible w +| Selector | Operator | Value | Logic | Action | +| -------- | ------------- | ------------------ | ----- | ------ | +| Domain | in list | _Domain Blocklist_ | Or | Block | +| Host | in list | _Host Blocklist_ | Or | | +| Host | matches regex | `.*example\.com` | | | +
diff --git a/src/content/partials/learning-paths/zero-trust/blocklist-domain-host.mdx b/src/content/partials/learning-paths/zero-trust/blocklist-domain-host.mdx index a3d5e0ba8335ff..6f45050582ad44 100644 --- a/src/content/partials/learning-paths/zero-trust/blocklist-domain-host.mdx +++ b/src/content/partials/learning-paths/zero-trust/blocklist-domain-host.mdx @@ -1,14 +1,6 @@ --- -inputParameters: blocklistPolicyType - +params: + - blocklistPolicyType --- -import { Markdown } from "~/components" - -Block specific domains or hosts that are malicious or pose a threat to your organization. Like **All-{props.one}-ResolvedIP-Blocklist**, this blocklist can be updated manually or via API automation. - -| Selector | Operator | Value | Logic | Action | -| -------- | ------------- | ------------------ | ----- | ------ | -| Domain | in list | *Domain Blocklist* | Or | Block | -| Host | in list | *Host Blocklist* | Or | | -| Host | matches regex | `.*example\.com` | | | +Block specific domains or hosts that are malicious or pose a threat to your organization. Like **All-{props.blocklistPolicyType}-ResolvedIP-Blocklist**, this blocklist can be updated manually or via API automation. From e41b92f99ead33bbfec4dbf11ba0ddc713764835 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 11 Feb 2025 14:23:06 -0600 Subject: [PATCH 32/39] Add domain blocklist API calls --- .../recommended-dns-policies.mdx | 34 +++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index eb5cce0b89812e..a5c448c6b76735 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx 
@@ -449,7 +449,24 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" ```sh - +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ + --header "Content-Type: application/json" \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN>" \ + --data '{ + "name": "All-DNS-DomainHost-Blocklist", + "description": "Block specific domains or hosts that are malicious or pose a threat to your organization.", + "precedence": 100, + "enabled": false, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.domains[*] in $) and dns.fqdn in $ and dns.fqdn matches \".*example\\.com\"", + "rule_settings": { + "block_page_enabled": true, + "block_reason": "This domain was blocked due to being classified as a security risk to the organization" + } + }' ``` @@ -457,7 +474,20 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" ```tf - +resource "cloudflare_zero_trust_gateway_policy" "block_dns_domain_host" { + account_id = var.account_id + name = "All-DNS-DomainHost-Blocklist" + description = "Block specific domains or hosts that are malicious or pose a threat to your organization." + precedence = 100 + enabled = false + action = "block" + filters = ["dns"] + traffic = "any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.domain_blocklist.id}) and dns.fqdn in ${"$"}${cloudflare_zero_trust_list.host_blocklist.id} and dns.fqdn matches \".*example\\.com\"" + rule_settings = { + block_page_enabled = true + block_reason = "This domain was blocked due to being classified as a security risk to the organization" + } +} ``` From 2a8126328f92c9c6f3ffb12bfefb1e264926ed7b Mon Sep 17 00:00:00 2001 
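Review bot: The traffic expression joins the three conditions with `and` (`any(dns.domains[*] in $…) and dns.fqdn in $… and dns.fqdn matches \".*example\\.com\"`), but the dashboard table added for this policy in PATCH 31 gives each row Logic `Or`; with `and`, a query is blocked only when it is in the domain list, in the host list and matches the regex at once, so the blocklist will almost never fire. Replace each ` and ` with ` or ` in both the curl `"traffic"` value and the Terraform `traffic` attribute. The Terraform block also writes `rule_settings = {` with `block_reason`, whereas the other cloudflare_zero_trust_gateway_policy resources on this page use the nested `rule_settings {` block with `block_page_reason`; confirm which form the provider version in use expects and keep the page consistent. The stray `>` in the Authorization header is the same defect noted on the dns-block-applications partial.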
From: Max Phillips Date: Tue, 11 Feb 2025 14:29:21 -0600 Subject: [PATCH 33/39] Fix styling and precendece --- .../recommended-dns-policies.mdx | 44 ++++++++----------- .../dash-plus-api/dns-block-applications.mdx | 1 + .../dns-block-content-categories.mdx | 1 + .../dns-block-security-categories.mdx | 1 + 4 files changed, 22 insertions(+), 25 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index a5c448c6b76735..85649030b93aad 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -27,10 +27,9 @@ Allowlist any known domains and hostnames. With this policy, you ensure that you ```sh -curl --request POST \ - --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ - --header 'Content-Type: application/json' \ - --header "Authorization: Bearer " \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ + --header "Content-Type: application/json" \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "All-DNS-Domain-Allowlist", "description": "Organization-wide allowlist. Explicitly allow resolution of these DNS domains", 
@@ -84,10 +83,9 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_whitelist_policy" { ```sh -curl --request POST \ - --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ - --header 'Content-Type: application/json' \ - --header "Authorization: Bearer " \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ + --header "Content-Type: application/json" \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Quarantined-Users-DNS-Restricted-Access", "description": "Restrict quarantined users traffic to corporate policy remediation domains, so that quarantined users can obtain help and/or remediate their security posture", @@ -188,10 +186,9 @@ Block websites hosted in countries categorized as high risk. The designation of ```sh -curl --request POST \ - --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ - --header 'Content-Type: application/json' \ - --header "Authorization: Bearer " \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ + --header "Content-Type: application/json" \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "All-DNS-GeoCountryIP-Blocklist", "description": "Block traffic hosted in countries categorized as high security risks", @@ -251,10 +248,9 @@ Block frequently misused top-level domains (TLDs) to reduce security risks, espe ```sh -curl --request POST \ - --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ - --header 'Content-Type: application/json' \ - --header "Authorization: Bearer " \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ + --header "Content-Type: application/json" \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "All-DNS-DomainTopLevel-Blocklist", "description": "Block DNS queries of known risky TLDs", 
@@ -315,10 +311,9 @@ Block misused domains to protect your users against sophisticated phishing attac ```sh -curl --request POST \ - --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ - --header 'Content-Type: application/json' \ - --header "Authorization: Bearer " \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ + --header "Content-Type: application/json" \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "All-DNS-DomainPhishing-Blocklist", "description": "Block misused domains used in phishing campaigns", @@ -381,10 +376,9 @@ Block specific IP addresses that are malicious or pose a threat to your organiza ```sh -curl --request POST \ - --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ - --header 'Content-Type: application/json' \ - --header "Authorization: Bearer " \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ + --header "Content-Type: application/json" \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "All-DNS-ResolvedIP-Blocklist", "description": "Block specific IP addresses deemed to be a risk to the Organization", @@ -478,7 +472,7 @@ resource "cloudflare_zero_trust_gateway_policy" "block_dns_domain_host" { account_id = var.account_id name = "All-DNS-DomainHost-Blocklist" description = "Block specific domains or hosts that are malicious or pose a threat to your organization." - precedence = 100 + precedence = 90 enabled = false action = "block" filters = ["dns"] diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-applications.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-applications.mdx index b15467d8ce1ecd..5b64c0d9fe338f 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-applications.mdx 
+++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-applications.mdx @@ -20,6 +20,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --data '{ "name": "Block unauthorized applications", "description": "Block access to unauthorized AI applications", + "precedence": 40, "enabled": true, "action": "block", "filters": [ diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-content-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-content-categories.mdx index b6e0399be146cb..c1ea911bd05644 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-content-categories.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-content-categories.mdx @@ -20,6 +20,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --data '{ "name": "Block content categories", "description": "Block common content categories that may pose a risk", + "precedence": 30, "enabled": true, "action": "block", "filters": [ diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-security-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-security-categories.mdx index 199bf5b5de3f75..dc466f5d80e5a4 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-security-categories.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-security-categories.mdx @@ -21,6 +21,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --data '{ "name": "Block security threats", "description": "Block all default Cloudflare DNS security categories", + "precedence": 20, "enabled": true, "action": "block", "filters": [ From 18a7bf216333b218272c5de7ffa1b24141ec4a39 Mon Sep 17 00:00:00 2001 
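Review bot: The `"precedence": 40`, `30` and `20` values are hardcoded into partials that PATCH 34 also re-links from cloudflare-one/policies/gateway/dns-policies/common-policies.mdx, so, if that reading of the rename hunks is right, the common-policies page now displays ordering values chosen for this learning path. If the values are learning-path specific, pass them as a partial parameter (blocklist-domain-host.mdx in PATCH 31 shows the `params:` front-matter pattern) rather than fixing them in the shared file. Only the curl tab of each partial gains a precedence; the Terraform resource added to dns-block-applications.mdx in PATCH 29 has none, so its two tabs now describe different policies.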
From: Max Phillips Date: Tue, 11 Feb 2025 14:36:08 -0600 Subject: [PATCH 34/39] Move partials into subfolder --- .../policies/gateway/dns-policies/common-policies.mdx | 6 +++--- .../policies/gateway/http-policies/common-policies.mdx | 4 ++-- .../policies/gateway/network-policies/common-policies.mdx | 2 +- .../build-dns-policies/recommended-dns-policies.mdx | 8 ++++---- .../build-http-policies/recommended-http-policies.mdx | 4 ++-- .../block-applications.mdx} | 0 .../block-content-categories.mdx} | 0 .../block-security-categories.mdx} | 0 .../block-applications.mdx} | 0 .../block-content-categories.mdx} | 0 .../enforce-device-posture.mdx} | 0 11 files changed, 12 insertions(+), 12 deletions(-) rename src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/{dns-block-applications.mdx => dns/block-applications.mdx} (100%) rename src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/{dns-block-content-categories.mdx => dns/block-content-categories.mdx} (100%) rename src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/{dns-block-security-categories.mdx => dns/block-security-categories.mdx} (100%) rename src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/{http-block-applications.mdx => http/block-applications.mdx} (100%) rename src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/{http-block-content-categories.mdx => http/block-content-categories.mdx} (100%) rename src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/{network-enforce-device-posture.mdx => network/enforce-device-posture.mdx} (100%) diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index 14d252247ac594..b822d87d1d2640 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx 
@@ -55,7 +55,7 @@ To get the UUIDs of your lists, use the [List Zero Trust lists](/api/resources/z Block [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence. @@ -64,7 +64,7 @@ Block [security categories](/cloudflare-one/policies/gateway/domain-categories/# The categories included in this policy are not always a security threat, but blocking them can help minimize the risk that your organization is exposed to. For more information, refer to [domain categories](/cloudflare-one/policies/gateway/domain-categories/). @@ -73,7 +73,7 @@ The categories included in this policy are not always a security threat, but blo diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index d907fad2b013cb..80b2c161bcb151 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx @@ -93,7 +93,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ Block content categories which go against your organization's acceptable use policy. @@ -102,7 +102,7 @@ Block content categories which go against your organization's acceptable use pol diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx index 60fc50dc3a4b13..0a59858c0af0b4 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx 
@@ -88,7 +88,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ Require devices to have certain software installed or other configuration attributes. For instructions on enabling a device posture check, refer to the [device posture section](/cloudflare-one/identity/devices/). For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device: diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index 85649030b93aad..8262235e488202 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -138,7 +138,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users" @@ -152,7 +152,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users" /> @@ -163,7 +163,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users" @@ -449,7 +449,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ --data '{ "name": "All-DNS-DomainHost-Blocklist", "description": "Block specific domains or hosts that are malicious or pose a threat to your organization.", - "precedence": 100, + "precedence": 90, "enabled": false, "action": "block", "filters": [ diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx index d2465dc47cf9a3..74050d89e8c362 100644 
--- a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx @@ -60,7 +60,7 @@ Bypass HTTP inspection for a custom list of domains identified as incompatible w /> @@ -83,7 +83,7 @@ Bypass HTTP inspection for a custom list of domains identified as incompatible w diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-applications.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-applications.mdx similarity index 100% rename from src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-applications.mdx rename to src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-applications.mdx diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-content-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-content-categories.mdx similarity index 100% rename from src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-content-categories.mdx rename to src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-content-categories.mdx diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-security-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-security-categories.mdx similarity index 100% rename from src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns-block-security-categories.mdx rename to src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-security-categories.mdx 
diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http-block-applications.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-applications.mdx similarity index 100% rename from src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http-block-applications.mdx rename to src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-applications.mdx diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http-block-content-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-content-categories.mdx similarity index 100% rename from src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http-block-content-categories.mdx rename to src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-content-categories.mdx diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network-enforce-device-posture.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx similarity index 100% rename from src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network-enforce-device-posture.mdx rename to src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx From ef88048d13814565d43d79792eea4ba69a03ce85 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 11 Feb 2025 14:49:20 -0600 Subject: [PATCH 35/39] Remove Details tags --- .../build-dns-policies/create-list.mdx | 2 +- .../build-dns-policies/create-policy.mdx | 2 +- .../recommended-dns-policies.mdx | 40 ++++++------------- 3 files changed, 15 insertions(+), 29 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx index 838bdddefd610a..6643d886d3ca26 100644 
--- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx @@ -29,7 +29,7 @@ The following DNS policy will allow access to all approved corporate domains inc ```sh curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ - --header 'Content-Type: application/JSON' \ + --header 'Content-Type: application/json' \ --header "Authorization: Bearer " \ --data '{ "name": "All-DNS-CorporateDomain-AllowList", diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx index 5e93f1f9dcdf24..2ddfdf3ece0791 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx @@ -38,7 +38,7 @@ To create a new DNS policy using cURL: ```sh curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ - --header 'Content-Type: application/JSON' \ + --header 'Content-Type: application/json' \ --header "Authorization: Bearer " \ --data '{ "name": "All-DNS-SecurityCategories-Blocklist", diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index 8262235e488202..f0e0c92f74789a 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx 
@@ -9,7 +9,7 @@ import { Details, Render, Tabs, TabItem } from "~/components"; We recommend you add the following DNS policies to build an Internet and SaaS app security strategy for your organization. -
+## All-DNS-Domain-Allowlist Allowlist any known domains and hostnames. With this policy, you ensure that your users can access your organization's domains even if the domains fall under a blocked category, such as **Newly Seen Domains** or **Login Screens**. @@ -39,7 +39,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ "filters": [ "dns" ], - "traffic": "any(dns.domains[*] in $) or dns.fqdn in $" + "traffic": "any(dns.domains[*] in $) or dns.fqdn in $" }' ``` @@ -62,9 +62,8 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_whitelist_policy" { -
-
+## Quarantined-Users-DNS-Restricted-Access @@ -95,7 +94,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ "filters": [ "dns" ], - "traffic": "not(any(dns.domains[*] in $)) or not(any(dns.domains[*] in $))", + "traffic": "not(any(dns.domains[*] in $)) or not(any(dns.domains[*] in $))", "identity": "any(identity.groups.name[*] in {\"Quarantined Users\"})", "rule_settings": { "block_page_enabled": true, @@ -131,9 +130,8 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users" -
-
+## All-DNS-SecurityCategories-Blocklist @@ -142,9 +140,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users" product="cloudflare-one" /> -
- -
+## All-DNS-ContentCategories-Blocklist -
- -
+## All-DNS-Application-Blocklist @@ -167,9 +161,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users" product="cloudflare-one" /> -
- -
+## All-DNS-GeoCountryIP-Blocklist Block websites hosted in countries categorized as high risk. The designation of such countries may result from your organization's users or through the implementation of regulations including [EAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries), [OFAC](https://orpa.princeton.edu/export-controls/sanctioned-countries), and [ITAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries). @@ -229,9 +221,8 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_geolocation_block_policy" { -
-
+## All-DNS-DomainTopLevel-Blocklist Block frequently misused top-level domains (TLDs) to reduce security risks, especially when there is no discernible advantage to be gained from allowing access. Similarly, restricting access to specific country-level TLDs may be necessary to comply with regulations such as [OFAC](https://orpa.princeton.edu/export-controls/sanctioned-countries) and [ITAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries). @@ -291,9 +282,8 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_blacklist_policy" { -
-
+## All-DNS-DomainPhishing-Blocklist Block misused domains to protect your users against sophisticated phishing attacks, such as domains that specifically target your organization. For example, the following policy blocks specific keywords associated with an organization or its authentication services (such as `okta`, `2fa`, `cloudflare` and `sso`) while still allowing access to known domains. @@ -355,9 +345,8 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_phishing_domains_block" { -
-
+## All-DNS-ResolvedIP-Blocklist Block specific IP addresses that are malicious or pose a threat to your organization. @@ -388,7 +377,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ "filters": [ "dns" ], - "traffic": "any(dns.resolved_ips[*] in $)", + "traffic": "any(dns.resolved_ips[*] in $)", "rule_settings": { "block_page_enabled": true, "block_reason": "This domain was blocked due to being classified as a security risk to the organization" @@ -419,9 +408,8 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" -
-
+## All-DNS-DomainHost-Blocklist - -
From a4d73337771e5bc1ee0296385c9e32ce9628afad Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 11 Feb 2025 16:18:40 -0600 Subject: [PATCH 36/39] Fix misc API call styling --- .../recommended-dns-policies.mdx | 124 +++++------------- .../dash-plus-api/dns/block-applications.mdx | 2 +- .../dns/block-content-categories.mdx | 4 +- .../dns/block-security-categories.mdx | 6 +- 4 files changed, 42 insertions(+), 94 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index f0e0c92f74789a..111e5562d49a4e 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -28,11 +28,11 @@ Allowlist any known domains and hostnames. With this policy, you ensure that you ```sh curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ - --header "Content-Type: application/json" \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --data '{ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ "name": "All-DNS-Domain-Allowlist", - "description": "Organization-wide allowlist. Explicitly allow resolution of these DNS domains", + "description": "Allowlist any known domains and hostnames", "precedence": 0, "enabled": false, "action": "allow", 
@@ -51,7 +51,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ resource "cloudflare_zero_trust_gateway_policy" "dns_whitelist_policy" { account_id = var.account_id name = "All-DNS-Domain-Allowlist" - description = "Organization-wide allowlist. Explicitly allow resolution of these DNS domains" + description = "Allowlist any known domains and hostnames" precedence = 0 enabled = false action = "allow" @@ -83,11 +83,11 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_whitelist_policy" { ```sh curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ - --header "Content-Type: application/json" \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --data '{ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ "name": "Quarantined-Users-DNS-Restricted-Access", - "description": "Restrict quarantined users traffic to corporate policy remediation domains, so that quarantined users can obtain help and/or remediate their security posture", + "description": "Restrict access for users included in an identity provider (IdP) user group for risky users", "precedence": 10, "enabled": false, "action": "block", @@ -95,13 +95,8 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ "dns" ], "traffic": "not(any(dns.domains[*] in $)) or not(any(dns.domains[*] in $))", - "identity": "any(identity.groups.name[*] in {\"Quarantined Users\"})", - "rule_settings": { - "block_page_enabled": true, - "notification_settings": { - "enabled": true - } - }' + "identity": "any(identity.groups.name[*] in {\"Quarantined Users\"})" +}' ```
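Review bot: In the Quarantined-Users-DNS-Restricted-Access request, the `traffic` expression kept as context in the `@@ -95,13 +95,8 @@` hunk repeats the same clause on both sides of the `or` (`not(any(dns.domains[*] in $…)) or not(any(dns.domains[*] in $…))`), so the second half adds nothing; the list reference after `$` did not survive extraction here, but the All-DNS-Domain-Allowlist policy above pairs `dns.domains` with `dns.fqdn`, so the second term was presumably meant to be `not(dns.fqdn in $<REMEDIATION_LIST_ID>)`. The Terraform block in the next hunk interpolates `allowed_remediation_domains.id` twice in the same shape and should be corrected together with this line. The enclosing `curl` command starts before this hunk.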
@@ -112,19 +107,13 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users" { account_id = var.account_id name = "Quarantined-Users-DNS-Restricted-Access" - description = "Restrict quarantined users traffic to corporate policy remediation domains, so that quarantined users can obtain help and/or remediate their security posture" + description = "Restrict access for users included in an identity provider (IdP) user group for risky users" precedence = 10 enabled = false action = "block" filters = ["dns"] traffic = "not(any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.allowed_remediation_domains.id})) or not(any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.allowed_remediation_domains.id}))" identity = "any(identity.groups.name[*] in {\"Quarantined Users\"})" - rule_settings { - block_page_enabled = true - notification_settings { - enabled = true - } - } } ``` @@ -179,9 +168,9 @@ Block websites hosted in countries categorized as high risk. The designation of ```sh curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ - --header "Content-Type: application/json" \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --data '{ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ "name": "All-DNS-GeoCountryIP-Blocklist", "description": "Block traffic hosted in countries categorized as high security risks", "precedence": 50, 
@@ -190,11 +179,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ "filters": [ "dns" ], - "traffic": "any(dns.dst.geo.country[*] in {\"AF\" \"BY\" \"CD\" \"CU\" \"IR\" \"IQ\" \"KP\" \"MM\" \"RU\" \"SD\" \"SY\" \"UA\" \"ZW\"})", - "rule_settings": { - "block_page_enabled": true, - "block_reason": "This domain was blocked due to being classified as a security risk to the organization" - } + "traffic": "any(dns.dst.geo.country[*] in {\"AF\" \"BY\" \"CD\" \"CU\" \"IR\" \"IQ\" \"KP\" \"MM\" \"RU\" \"SD\" \"SY\" \"UA\" \"ZW\"})" }' ``` @@ -212,10 +197,6 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_geolocation_block_policy" { action = "block" filters = ["dns"] traffic = "any(dns.dst.geo.country[*] in {\"AF\" \"BY\" \"CD\" \"CU\" \"IR\" \"IQ\" \"KP\" \"MM\" \"RU\" \"SD\" \"SY\" \"UA\" \"ZW\"})" - rule_settings { - block_page_enabled = true - block_page_reason = "This domain was blocked due to being classified as a security risk to the organization" - } } ``` @@ -240,9 +221,9 @@ Block frequently misused top-level domains (TLDs) to reduce security risks, espe ```sh curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ - --header "Content-Type: application/json" \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --data '{ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ "name": "All-DNS-DomainTopLevel-Blocklist", "description": "Block DNS queries of known risky TLDs", "precedence": 60, 
@@ -251,12 +232,8 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ "filters": [ "dns" ], - "traffic": "any(dns.domains[*] matches \"[.](cn|ru)$ or [.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$ or [.](zip|mobi)$\")", - "rule_settings": { - "block_page_enabled": true, - "block_reason": "This domain was blocked due to being classified as a security risk to the organization" - } - }' + "traffic": "any(dns.domains[*] matches \"[.](cn|ru)$ or [.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$ or [.](zip|mobi)$\")" +}' ```
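Review bot: The new `traffic` line for All-DNS-DomainTopLevel-Blocklist puts the boolean `or` inside the regex literal (`[.](cn|ru)$ or [.](rest|…)$ or [.](zip|mobi)$`), so the engine reads ` or ` as literal text following an end-of-string anchor and the expression is unlikely to match any TLD at all. Either fold the groups into one alternation, `"traffic": "any(dns.domains[*] matches \"[.](cn|ru|rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa|zip|mobi)$\")"`, or move the `or` outside the quotes as three separate `matches` terms. The Terraform `traffic` in the following hunk carries the identical string and needs the same fix.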
@@ -273,10 +250,6 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_blacklist_policy" { action = "block" filters = ["dns"] traffic = "any(dns.domains[*] matches \"[.](cn|ru)$ or [.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$ or [.](zip|mobi)$\")" - rule_settings { - block_page_enabled = true - block_page_reason = "This domain was blocked due to being classified as a security risk to the organization" - } } ``` @@ -302,9 +275,9 @@ Block misused domains to protect your users against sophisticated phishing attac ```sh curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ - --header "Content-Type: application/json" \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --data '{ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ "name": "All-DNS-DomainPhishing-Blocklist", "description": "Block misused domains used in phishing campaigns", "precedence": 70, @@ -313,13 +286,8 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ "filters": [ "dns" ], - "traffic": "any(dns.domains[*] matches \".*okta.*|.*cloudflare.*|.*mfa.*|.sso.*\") and not(any(dns.domains[*] in $))", - "rule_settings": { - "block_page_enabled": true, - "block_reason": "This domain was blocked due to being classified as a security risk to the organization" - } - - }' + "traffic": "any(dns.domains[*] matches \".*okta.*|.*cloudflare.*|.*mfa.*|.sso.*\") and not(any(dns.domains[*] in $))" +}' ```
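Review bot: The new phishing `traffic` line uses `.sso.*` where the other three alternatives use the `.*name.*` form, so `sso` is only matched when some character precedes it and a hostname that begins with `sso` is not caught. Use `.*okta.*|.*cloudflare.*|.*mfa.*|.*sso.*` for consistency, and align the prose of this section, which lists `2fa` as an example keyword while the regex checks `mfa`. The Terraform variant in the next hunk has the same `.sso.*`.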
@@ -336,10 +304,6 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_phishing_domains_block" { action = "block" filters = ["dns"] traffic = "any(dns.domains[*] matches \".*okta.*|.*cloudflare.*|.*mfa.*|.sso.*\") and not(any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.known_phishing_domains_list.id}))" - rule_settings { - block_page_enabled = true - block_page_reason = "This domain was blocked due to being classified as a security risk to the organization" - } } ``` @@ -366,9 +330,9 @@ Block specific IP addresses that are malicious or pose a threat to your organiza ```sh curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ - --header "Content-Type: application/json" \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --data '{ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ "name": "All-DNS-ResolvedIP-Blocklist", "description": "Block specific IP addresses deemed to be a risk to the Organization", "precedence": 80, @@ -377,12 +341,8 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ "filters": [ "dns" ], - "traffic": "any(dns.resolved_ips[*] in $)", - "rule_settings": { - "block_page_enabled": true, - "block_reason": "This domain was blocked due to being classified as a security risk to the organization" - } - }' + "traffic": "any(dns.resolved_ips[*] in $)" +}' ```
@@ -399,10 +359,6 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" action = "block" filters = ["dns"] traffic = "any(dns.resolved_ips[*] in ${"$"}${cloudflare_zero_trust_list.ip_blocklist.id}" - rule_settings { - block_page_enabled = true - block_page_reason = "This domain was blocked due to being classified as a security risk to the organization" - } } ``` @@ -432,9 +388,9 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" ```sh curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ - --header "Content-Type: application/json" \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN>" \ - --data '{ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN>" \ +--data '{ "name": "All-DNS-DomainHost-Blocklist", "description": "Block specific domains or hosts that are malicious or pose a threat to your organization.", "precedence": 90, @@ -443,12 +399,8 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ "filters": [ "dns" ], - "traffic": "any(dns.domains[*] in $) and dns.fqdn in $ and dns.fqdn matches \".*example\\.com\"", - "rule_settings": { - "block_page_enabled": true, - "block_reason": "This domain was blocked due to being classified as a security risk to the organization" - } - }' + "traffic": "any(dns.domains[*] in $) and dns.fqdn in $ and dns.fqdn matches \".*example\\.com\"" +}' ```
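Review bot: The Terraform `traffic` for dns_resolvedip_blocklist_rule, kept as context in this hunk, is missing its closing parenthesis: `any(dns.resolved_ips[*] in ${"$"}${cloudflare_zero_trust_list.ip_blocklist.id}` opens one `(` and never closes it, while the curl form of the same policy does. Append `)` before the closing quote. The resource block starts before this hunk.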
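Review bot: The rewritten Authorization header for All-DNS-DomainHost-Blocklist keeps a stray `>` after the token, `--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN>"`, which sends an invalid bearer value and gets the request rejected. Drop the `>` so the line matches the other examples in this file. The same typo is visible as a context line in the dns/block-applications partial hunk further down; the `curl` command begins before this hunk.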
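Review bot: The new `traffic` expression for All-DNS-DomainHost-Blocklist joins its three conditions with `and`, so a query is blocked only when the domain is in the domain list, the FQDN is in the host list and the FQDN matches `.*example\.com` all at once — almost nothing hits a blocklist built that way. The All-HTTP-DomainHost-Blocklist table later in this series combines the same selectors with Or, so replacing both `and` with `or` looks intended. The Terraform `traffic` in the next hunk uses `and` as well and should change together with this line.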
@@ -465,10 +417,6 @@ resource "cloudflare_zero_trust_gateway_policy" "block_dns_domain_host" { action = "block" filters = ["dns"] traffic = "any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.domain_blocklist.id}) and dns.fqdn in ${"$"}${cloudflare_zero_trust_list.host_blocklist.id} and dns.fqdn matches \".*example\\.com\"" - rule_settings = { - block_page_enabled = true - block_reason = "This domain was blocked due to being classified as a security risk to the organization" - } } ``` diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-applications.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-applications.mdx index 5b64c0d9fe338f..4ca90e736203a9 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-applications.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-applications.mdx @@ -18,7 +18,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN>" \ --data '{ - "name": "Block unauthorized applications", + "name": "All-DNS-Application-Blocklist", "description": "Block access to unauthorized AI applications", "precedence": 40, "enabled": true, diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-content-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-content-categories.mdx index c1ea911bd05644..550127c3806d34 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-content-categories.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-content-categories.mdx 
@@ -18,7 +18,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ - "name": "Block content categories", + "name": "All-DNS-ContentCategories-Blocklist", "description": "Block common content categories that may pose a risk", "precedence": 30, "enabled": true, @@ -37,7 +37,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ```tf resource "cloudflare_zero_trust_gateway_policy" "block_content_categories" { account_id = var.account_id - name = "Block content categories" + name = "All-DNS-ContentCategories-Blocklist" description = "Block common content categories that may pose a risk" enabled = true action = "block" diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-security-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-security-categories.mdx index dc466f5d80e5a4..75269c27cf92db 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-security-categories.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-security-categories.mdx @@ -19,8 +19,8 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ - "name": "Block security threats", - "description": "Block all default Cloudflare DNS security categories", + "name": "All-DNS-SecurityCategories-Blocklist", + "description": "Block security categories based on Cloudflare's threat intelligence", "precedence": 20, "enabled": true, "action": "block", 
@@ -39,7 +39,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ resource "cloudflare_zero_trust_gateway_policy" "block_security_threats" { account_id = var.account_id name = "All-DNS-SecurityCategories-Blocklist" - description = "Block all default Cloudflare DNS security categories" + description = "Block security categories based on Cloudflare's threat intelligence" precedence = 20 enabled = false action = "block" From 3cf4b2f498ca5ffa9ed23fc0d0b3be8bdb76c674 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 11 Feb 2025 16:22:28 -0600 Subject: [PATCH 37/39] Remove Details tags from all recommended policy pages --- .../recommended-dns-policies.mdx | 2 +- .../recommended-http-policies.mdx | 42 +++++-------------- .../recommended-network-policies.mdx | 30 ++++--------- 3 files changed, 20 insertions(+), 54 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index 111e5562d49a4e..170fdac2c6087b 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -5,7 +5,7 @@ sidebar: order: 3 --- -import { Details, Render, Tabs, TabItem } from "~/components"; +import { Render, Tabs, TabItem } from "~/components"; We recommend you add the following DNS policies to build an Internet and SaaS app security strategy for your organization. diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx index 74050d89e8c362..46bdd5bc69507d 100644 
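Review bot: The Terraform resource block_security_threats still has `enabled = false` as context while the curl request in the previous hunk of the same partial sends `"enabled": true`, so the two forms of one example diverge. If the later PATCH 39/39 change to this partial (listed in its diffstat but outside this view) is what flips it, this is covered; otherwise set `enabled = true` here. The resource name `block_security_threats` also no longer matches the renamed policy All-DNS-SecurityCategories-Blocklist.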
--- a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx @@ -5,11 +5,11 @@ sidebar: order: 5 --- -import { Details, Render } from "~/components"; +import { Render } from "~/components"; We recommend you add the following HTTP policies to build an Internet and SaaS app security strategy for your organization. -
+## All-HTTP-Application-InspectBypass Bypass HTTP inspection for applications that use embedded certificates. This will help avoid any certificate pinning errors that may arise from an initial rollout. @@ -18,9 +18,7 @@ Bypass HTTP inspection for applications that use embedded certificates. This wil product="cloudflare-one" /> -
- -
+## Android-HTTP-Application-InspectionBypass Bypass HTTPS inspection for Android applications (such as Google Drive) that use certificate pinning, which is incompatible with Gateway inspection. @@ -29,9 +27,7 @@ Bypass HTTPS inspection for Android applications (such as Google Drive) that use | Application | in | _Google Drive_ | And | Do Not Inspect | | Passed Device Posture Checks | in | _OS Version Android (OS version)_ | | | -
- -
+## All-HTTP-Domain-Inspection-Bypass Bypass HTTP inspection for a custom list of domains identified as incompatible with TLS inspection. @@ -40,9 +36,7 @@ Bypass HTTP inspection for a custom list of domains identified as incompatible w | Domain | in list | _DomainInspectionBypass_ | Or | Do Not Inspect | | Domain | in list | _Known Domains_ | | | -
- -
+## All-HTTP-SecurityRisks-Blocklist @@ -50,9 +44,7 @@ Bypass HTTP inspection for a custom list of domains identified as incompatible w | -------------- | -------- | -------------------- | ------ | | Security Risks | in | _All security risks_ | Block | -
- -
+## All-HTTP-ContentCategories-Blocklist -
- -
+## All-HTTP-DomainHost-Blocklist @@ -76,9 +66,7 @@ Bypass HTTP inspection for a custom list of domains identified as incompatible w | Host | in list | _Host Blocklist_ | Or | | | Host | matches regex | `.*example\.com` | | | -
- -
+## All-HTTP-Application-Blocklist @@ -87,9 +75,7 @@ Bypass HTTP inspection for a custom list of domains identified as incompatible w product="cloudflare-one" /> -
- -
+## PrivilegedUsers-HTTP-Any-Isolate Isolate traffic for privileged users who regularly access critical systems or execute actions such as threat analysis and malware testing. @@ -99,9 +85,7 @@ Security teams often need to perform threat analysis or malware testing that cou | ---------------- | -------- | ------------------ | ------- | | User Group Names | in | _Privileged Users_ | Isolate | -
- -
+## Quarantined-Users-HTTP-Restricted-Access @@ -110,9 +94,7 @@ Security teams often need to perform threat analysis or malware testing that cou | Destination IP | not in list | _Quarantined-Users-IPAllowlist_ | And | Block | | User Group Names | in | _Quarantined Users_ | | | -
- -
+## All-HTTP-Domain-Isolate Isolate high risk domains or create a custom list of known risky domains to avoid data exfiltration or malware infection. Ideally, your incident response teams can update the blocklist with an [API automation](/security-center/intel-apis/) to provide real-time threat protection. @@ -120,5 +102,3 @@ Isolate high risk domains or create a custom list of known risky domains to avoi | ------------------ | -------- | ---------------------------------- | ----- | ------- | | Content Categories | in | _New Domain_, _Newly Seen Domains_ | Or | Isolate | | Domain | in list | _Domain Isolation_ | | | - -
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx index 2c8d587b0d40ff..39759ff8ebfc52 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx @@ -5,13 +5,13 @@ sidebar: order: 2 --- -import { Details, GlossaryTooltip, Render } from "~/components"; +import { GlossaryTooltip, Render } from "~/components"; We recommend you add the following network policies to build an Internet and SaaS app security strategy for your organization. For more information on building network policies, refer to [Network policies](/cloudflare-one/policies/gateway/network-policies/). -
+## Quarantined-Users-NET-Restricted-Access @@ -22,9 +22,7 @@ For more information on building network policies, refer to [Network policies](/ | Domain SNI | not in list | _Quarantined-Users-DomainAllowlist_ | And | | | User Group Names | in | _Quarantined Users_ | | | -
- -
+## Posture-Fail-NET-Restricted-Access Restrict access for devices where baseline posture checks have not passed. If posture checks are integrated with service providers such as Crowdstrike or Intune via the API, this policy dynamically blocks access for devices that do not meet predetermined security requirements. @@ -37,9 +35,7 @@ Restrict access for devices where baseline posture checks have not passed. If po You can add a number of WARP client device posture checks as needed, such as [Disk encryption](/cloudflare-one/identity/devices/warp-client-checks/disk-encryption/) and [Domain joined](/cloudflare-one/identity/devices/warp-client-checks/domain-joined/). For more information on device posture checks, refer to [Enforce device posture](/cloudflare-one/identity/devices/). -
- -
+## FinanceUsers-NET-HTTPS-FinanceServers (example) Allow HTTPS access for user groups. For example, the following policy gives finance users access to any known financial applications: @@ -48,9 +44,7 @@ Allow HTTPS access for user groups. For example, the following policy gives fina | Destination IP | in list | _Finance Servers_ | And | Allow | | User Group Names | in | _Finance Users_ | | | -
- -
+## All-NET-Internet-Blocklist Block traffic to destination IPs, SNIs, and domain SNIs that are malicious or pose a threat to your organization. @@ -66,9 +60,7 @@ Block traffic to destination IPs, +## All-NET-SSH-Internet-Allowlist Allow SSH traffic to specific endpoints on the Internet for specific users. You can create a similar policy for other non-web endpoints that required access. @@ -81,9 +73,7 @@ Optionally, you can include a selector to filter by source IP or IdP group. | Detected Protocol | is | _SSH_ | And | | | User Group Names | in | _SSH-Allowed-Users_ | | | -
- -
+## All-NET-NO-HTTP-HTTPS-Internet-Deny Block all non-web traffic towards the Internet. By using the **Detected Protocol** selector, you will ensure alternative ports for HTTP and HTTPS are allowed. @@ -92,14 +82,10 @@ Block all non-web traffic towards the Internet. By using the **Detected Protocol | Destination IP | not in list | _InternalNetwork_ | And | Block | | Detected Protocol | not in | _HTTP_, _HTTP2_ | | | -
- -
+## All-NET-InternalNetwork-ImplicitDeny Implicitly deny all of your internal IP ranges included in a list. We recommend you place this policy at the [bottom of your policy list](/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#order-of-precedence) to ensure you explicitly approve traffic defined in the above policies. | Selector | Operator | Value | Action | | -------------- | -------- | ---------------------- | ------ | | Destination IP | in list | _Internal Network IPs_ | Block | - -
From ad0e381a3d9a0f194f5d252181d462261ecc7833 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 11 Feb 2025 16:33:49 -0600 Subject: [PATCH 38/39] Add missing network recommended policy --- .../recommended-network-policies.mdx | 9 +++++++++ .../dash-plus-api/network/enforce-device-posture.mdx | 12 ++---------- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx index 39759ff8ebfc52..547f210fbc4504 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx @@ -89,3 +89,12 @@ Implicitly deny all of your internal IP ranges included in a list. We recommend | Selector | Operator | Value | Action | | -------------- | -------- | ---------------------- | ------ | | Destination IP | in list | _Internal Network IPs_ | Block | + +## All-NET-ApplicationAccess-Allow + +Only allow network traffic from known and approved devices. + + diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx index cb257ba6e8c736..ee34601b650aec 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx 
@@ -31,12 +31,8 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 "l4"
 ],
 "traffic": "any(net.sni.domains[*] == \"internalapp.com\")",
- "device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))",
- "rule_settings": {
- "block_page_enabled": true,
- "block_reason": "This domain/IP was explicitly blocked by your network administrator. Please reach out to your helpdesk for assistance"
- }
- }'
+ "device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))"
+}'
 ```
 To get the UUIDs of your device posture checks, use the [List device posture rules](/api/resources/zero_trust/subresources/devices/subresources/posture/methods/list/) endpoint.
@@ -55,10 +51,6 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule"
 filters = ["l4"]
 traffic = "any(net.sni.domains[*] == \"internalapp.com\")"
 posture = "not(any(device_posture.checks.passed[*] in {\"${"$"}${cloudflare_zero_trust_list.allowed_devices_sn_list.id}\"}))"
- rule_settings {
- block_page_enabled = true
- block_page_reason = "This domain/IP was explicitly blocked by your network administrator. Please reach out to your helpdesk for assistance"
- }
 }
 ```
From 9f562954ac6c11660c54ae44bef1f60cfa6e5a79 Mon Sep 17 00:00:00 2001
From: Max Phillips
Date: Tue, 11 Feb 2025 16:38:22 -0600
Subject: [PATCH 39/39] Update policies to enabled=true
---
 .../recommended-dns-policies.mdx | 28 +++++++++----------
 .../dns/block-security-categories.mdx | 2 +-
 2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx
index 170fdac2c6087b..2d7395440321ef 100644
--- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx
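Review bot: The Terraform example in the second hunk is labelled `dns_resolvedip_blocklist_rule` (visible in the `@@ -55` hunk header), which is the same resource label recommended-dns-policies.mdx uses for the DNS resolved-IP blocklist, so a reader who copies both recommended policies into one configuration gets a duplicate `cloudflare_zero_trust_gateway_policy` resource; `resource "cloudflare_zero_trust_gateway_policy" "network_device_posture_policy" {` would keep the labels distinct. The prose after the first hunk says the `device_posture.checks.passed` set should hold posture-check UUIDs from the List device posture rules endpoint, while the Terraform `posture` line interpolates `cloudflare_zero_trust_list.allowed_devices_sn_list.id`, a list id, so it is worth confirming the two snippets refer to the same kind of object. The resource block itself starts outside the hunk.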
+++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx
@@ -34,7 +34,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 "name": "All-DNS-Domain-Allowlist",
 "description": "Allowlist any known domains and hostnames",
 "precedence": 0,
- "enabled": false,
+ "enabled": true,
 "action": "allow",
 "filters": [
 "dns"
@@ -53,7 +53,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_whitelist_policy" {
 name = "All-DNS-Domain-Allowlist"
 description = "Allowlist any known domains and hostnames"
 precedence = 0
- enabled = false
+ enabled = true
 action = "allow"
 filters = ["dns"]
 traffic = "any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.domain_whitelist.id}) or dns.fqdn in ${"$"}${cloudflare_zero_trust_list.domain_whitelist.id}"
@@ -89,7 +89,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 "name": "Quarantined-Users-DNS-Restricted-Access",
 "description": "Restrict access for users included in an identity provider (IdP) user group for risky users",
 "precedence": 10,
- "enabled": false,
+ "enabled": true,
 "action": "block",
 "filters": [
 "dns"
@@ -109,7 +109,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users"
 name = "Quarantined-Users-DNS-Restricted-Access"
 description = "Restrict access for users included in an identity provider (IdP) user group for risky users"
 precedence = 10
- enabled = false
+ enabled = true
 action = "block"
 filters = ["dns"]
 traffic = "not(any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.allowed_remediation_domains.id})) or not(any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.allowed_remediation_domains.id}))"
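Review bot: Nothing in the surrounding text tells the reader that with `"enabled": true` the curl and Terraform samples enforce the moment they are applied, and the same flip repeats in every hunk through `@@ -413` and in block-security-categories.mdx, so a copy-paste of the geo-country or TLD blocklists now blocks traffic immediately instead of creating a draft to review. A one-line note above the samples, such as `These examples create enabled policies; set enabled to false if you want to review them in the dashboard before they take effect.`, would keep the copy-paste path safe without changing the samples. Separately, the Terraform `traffic` in the `@@ -109` hunk repeats the same `not(any(dns.domains[*] in ...allowed_remediation_domains...))` clause on both sides of `or`, which looks like one side was meant to reference a different list; presumably it should match the curl version of the rule above it, which the hunk cuts off.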
@@ -174,7 +174,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 "name": "All-DNS-GeoCountryIP-Blocklist",
 "description": "Block traffic hosted in countries categorized as high security risks",
 "precedence": 50,
- "enabled": false,
+ "enabled": true,
 "action": "block",
 "filters": [
 "dns"
@@ -193,7 +193,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_geolocation_block_policy" {
 name = "All-DNS-GeoCountryIP-Blocklist"
 description = "Block traffic hosted in countries categorized as high security risks"
 precedence = 50
- enabled = false
+ enabled = true
 action = "block"
 filters = ["dns"]
 traffic = "any(dns.dst.geo.country[*] in {\"AF\" \"BY\" \"CD\" \"CU\" \"IR\" \"IQ\" \"KP\" \"MM\" \"RU\" \"SD\" \"SY\" \"UA\" \"ZW\"})"
@@ -227,7 +227,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 "name": "All-DNS-DomainTopLevel-Blocklist",
 "description": "Block DNS queries of known risky TLDs",
 "precedence": 60,
- "enabled": false,
+ "enabled": true,
 "action": "block",
 "filters": [
 "dns"
@@ -246,7 +246,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_blacklist_policy" {
 name = "All-DNS-DomainTopLevel-Blocklist"
 description = "Block DNS queries of known risky TLDs"
 precedence = 60
- enabled = false
+ enabled = true
 action = "block"
 filters = ["dns"]
 traffic = "any(dns.domains[*] matches \"[.](cn|ru)$ or [.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$ or [.](zip|mobi)$\")"
@@ -281,7 +281,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 "name": "All-DNS-DomainPhishing-Blocklist",
 "description": "Block misused domains used in phishing campaigns",
 "precedence": 70,
- "enabled": false,
+ "enabled": true,
 "action": "block",
 "filters": [
 "dns"
@@ -300,7 +300,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_phishing_domains_block" {
 name = "All-DNS-DomainPhishing-Blocklist"
 description = "Block misused domains used in phishing campaigns"
 precedence = 70
- enabled = false
+ enabled = true
 action = "block"
 filters = ["dns"]
 traffic = "any(dns.domains[*] matches \".*okta.*|.*cloudflare.*|.*mfa.*|.sso.*\") and not(any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.known_phishing_domains_list.id}))"
@@ -336,7 +336,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 "name": "All-DNS-ResolvedIP-Blocklist",
 "description": "Block specific IP addresses deemed to be a risk to the Organization",
 "precedence": 80,
- "enabled": false,
+ "enabled": true,
 "action": "block",
 "filters": [
 "dns"
@@ -355,7 +355,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule"
 name = "All-DNS-ResolvedIP-Blocklist"
 description = "Block specific IP addresses deemed to be a risk to the Organization"
 precedence = 80
- enabled = false
+ enabled = true
 action = "block"
 filters = ["dns"]
 traffic = "any(dns.resolved_ips[*] in ${"$"}${cloudflare_zero_trust_list.ip_blocklist.id}"
@@ -394,7 +394,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 "name": "All-DNS-DomainHost-Blocklist",
 "description": "Block specific domains or hosts that are malicious or pose a threat to your organization.",
 "precedence": 90,
- "enabled": false,
+ "enabled": true,
 "action": "block",
 "filters": [
 "dns"
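Review bot: The Terraform `traffic` expression in the `@@ -355` hunk, `traffic = "any(dns.resolved_ips[*] in ${"$"}${cloudflare_zero_trust_list.ip_blocklist.id}"`, opens `any(` but never closes it, so the resolved-IP blocklist this commit switches to `enabled = true` will presumably be rejected when the expression is validated rather than block anything; it should end with `)` like the allowlist expression in the `@@ -53` hunk does. Enabling the rule makes the malformed expression surface on the first apply instead of staying latent in a disabled policy, so it is worth fixing in the same change.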
@@ -413,7 +413,7 @@ resource "cloudflare_zero_trust_gateway_policy" "block_dns_domain_host" {
 name = "All-DNS-DomainHost-Blocklist"
 description = "Block specific domains or hosts that are malicious or pose a threat to your organization."
 precedence = 90
- enabled = false
+ enabled = true
 action = "block"
 filters = ["dns"]
 traffic = "any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.domain_blocklist.id}) and dns.fqdn in ${"$"}${cloudflare_zero_trust_list.host_blocklist.id} and dns.fqdn matches \".*example\\.com\""
diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-security-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-security-categories.mdx
index 75269c27cf92db..0a27fb3feea382 100644
--- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-security-categories.mdx
+++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-security-categories.mdx
@@ -41,7 +41,7 @@ resource "cloudflare_zero_trust_gateway_policy" "block_security_threats" {
 name = "All-DNS-SecurityCategories-Blocklist"
 description = "Block security categories based on Cloudflare's threat intelligence"
 precedence = 20
- enabled = false
+ enabled = true
 action = "block"
 filters = ["dns"]
 traffic = "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})"