diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx
index 083affc59fc5ea..3a1d5437decba7 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx
@@ -46,6 +46,8 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
}'
```
+To get the UUIDs of your lists, use the [List Zero Trust lists](/api/resources/zero_trust/subresources/gateway/subresources/lists/methods/list/) endpoint.
+
## Block security threats
diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx
index 42597d7d81db94..8786919ed12cf9 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx
@@ -18,25 +18,105 @@ Refer to the [network policies page](/cloudflare-one/policies/gateway/network-po
+
+
| Selector | Operator | Value | Action |
| ----------- | -------- | ------------------------- | ------ |
| Application | in | _Artificial Intelligence_ | Block |
+
+
+
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer " \
+--data '{
+ "name": "Block unauthorized applications",
+ "description": "Block access to unauthorized AI applications",
+ "enabled": true,
+ "action": "block",
+ "filters": [
+ "l4"
+ ],
+ "traffic": "any(app.type.ids[*] in {25})",
+ "identity": "",
+ "device_posture": ""
+}'
+```
+
+
+
## Check user identity
+
+
| Selector | Operator | Value | Logic | Action |
| ---------------- | -------- | ------------- | ----- | ------ |
| Application | in | _Salesforce_ | And | Block |
| User Group Names | in | _Contractors_ | | |
+
+
+
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer " \
+--data '{
+ "name": "Check user identity",
+ "description": "Block access to Salesforce by temporary employees and contractors",
+ "enabled": true,
+ "action": "block",
+ "filters": [
+ "l4"
+ ],
+ "traffic": "any(app.ids[*] in {606})",
+ "identity": "any(identity.groups.name[*] in {\"Contractors\"})",
+ "device_posture": ""
+}'
+```
+
+
+
## Enforce device posture
-Require devices to have certain software installed or other configuration attributes. For instructions on enabling a device posture check, refer to the [device posture section](/cloudflare-one/identity/devices/).
+Require devices to have certain software installed or other configuration attributes. For instructions on enabling a device posture check, refer to the [device posture section](/cloudflare-one/identity/devices/). For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device:
+
+
+
+
+
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer " \
+--data '{
+ "name": "Enforce device posture",
+ "description": "Limit access to an internal application to approved organization devices",
+ "enabled": true,
+ "action": "block",
+ "filters": [
+ "l4"
+ ],
+ "traffic": "any(net.sni.domains[*] == \"example.com\")",
+ "identity": "",
+ "device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))"
+}'
+```
+
+To get the UUIDs of your device posture checks, use the [List device posture rules](/api/resources/zero_trust/subresources/devices/subresources/posture/methods/list/) endpoint.
+
+
+
## Enforce session duration
To require users to re-authenticate after a certain amount of time has elapsed, configure [WARP sessions](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/).
@@ -47,32 +127,136 @@ Restrict user access to only the specific sites or applications configured in yo
### 1. Allow HTTP and HTTPS traffic
+
+
| Selector | Operator | Value | Logic | Action |
| ----------------- | -------- | ----------- | ----- | ------ |
| Detected Protocol | is | _TLS_ | And | Allow |
| Destination Port | in | `80`, `443` | | |
+
+
+
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer " \
+--data '{
+ "name": "Allow HTTP and HTTPS traffic",
+ "description": "Restrict traffic to HTTP and HTTPS traffic",
+ "enabled": true,
+ "action": "allow",
+ "filters": [
+ "l4"
+ ],
+ "traffic": "net.detected_protocol == \"tls\" and net.dst.port in {80 443}",
+ "identity": "",
+ "device_posture": ""
+}'
+```
+
+
+
### 2. Block all other traffic
+
+
| Selector | Operator | Value | Action |
| -------- | -------- | ------------ | ------ |
-| Protocol | in | _UDP_, _TCP_ | Block |
+| Protocol | in | _TCP_, _UDP_ | Block |
+
+
+
+
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer " \
+--data '{
+ "name": "Block all other traffic",
+ "description": "Block all other traffic that is not HTTP or HTTPS",
+ "enabled": true,
+ "action": "block",
+ "filters": [
+ "l4"
+ ],
+ "traffic": "net.protocol in {\"tcp\" \"udp\"}",
+ "identity": "",
+ "device_posture": ""
+}'
+```
+
+
## Restrict access to private networks
Restrict access to resources which you have connected through [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/).
-The following example consists of two policies: the first allows specific users to reach your application, and the second blocks all other traffic. Make sure that the Allow policy has higher priority (by positioning it towards the top of the list in the UI).
+The following example consists of two policies: the first allows specific users to reach your application, and the second blocks all other traffic.
### 1. Allow company employees
+
+
| Selector | Operator | Value | Logic | Action |
| -------------- | ------------- | ---------------- | ----- | ------ |
| Destination IP | in | `10.0.0.0/8` | And | Allow |
| User Email | matches regex | `.*@example.com` | | |
+
+
+
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer " \
+--data '{
+ "name": "Allow company employees",
+ "description": "Allow any users with an organization email to reach the application",
+ "enabled": true,
+ "action": "allow",
+ "filters": [
+ "l4"
+ ],
+ "traffic": "net.dst.ip in {10.0.0.0/8}",
+ "identity": "identity.email matches \".*@example.com\"",
+ "device_posture": ""
+}'
+```
+
+
+
### 2. Block everyone else
+
+
| Selector | Operator | Value | Action |
| -------------- | -------- | ------------ | ------ |
| Destination IP | in | `10.0.0.0/8` | Block |
+
+
+
+
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer " \
+--data '{
+ "name": "Block everyone else",
+ "description": "Block any other users from accessing the application",
+ "enabled": true,
+ "action": "block",
+ "filters": [
+ "l4"
+ ],
+ "traffic": "net.dst.ip in {10.0.0.0/8}",
+ "identity": "",
+ "device_posture": ""
+}'
+```
+
+
diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx
index fd12c0e93ec03f..7e318cbaadc4e8 100644
--- a/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx
+++ b/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx
@@ -12,11 +12,13 @@ To create a new network policy:
2. In the **Network** tab, select **Add a policy**.
3. Name the policy.
4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
-5. Choose an **Action** to take when traffic matches the logical expression.
+5. Choose an **Action** to take when traffic matches the logical expression. For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device:
+
+
6. Select **Create policy**.
diff --git a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx
index acab3b57200def..202570afec22e7 100644
--- a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx
+++ b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx
@@ -2,9 +2,7 @@
{}
---
-For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device:
-
| Selector | Operator | Value | Logic | Action |
| ---------------------------- | -------- | ----------------------- | ----- | ------ |
-| SNI Domain | is | `internalapp.com` | And | Block |
+| SNI Domain | is | `example.com` | And | Block |
| Passed Device Posture Checks | not in | _Device serial numbers_ | | |