From 35997dd6263d8e07a989107845ca189d75ec2964 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 18 Dec 2024 16:57:34 -0600 Subject: [PATCH 01/22] Remove unnecessary partial --- .../gateway/dns-policies/common-policies.mdx | 86 ++++++++++++++++++- .../policies/recommended-dns-policies.mdx | 86 ------------------- 2 files changed, 82 insertions(+), 90 deletions(-) delete mode 100644 src/content/partials/cloudflare-one/gateway/policies/recommended-dns-policies.mdx diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index 30afd1508749ce..f4b4c4d167aed6 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx 
@@ -6,16 +6,94 @@ sidebar: head: - tag: title content: Common DNS policies - --- -import { Render } from "~/components" +import { Render } from "~/components"; The following policies are commonly used to secure DNS traffic. Refer to the [DNS policies page](/cloudflare-one/policies/gateway/dns-policies/) for a comprehensive list of other selectors, operators, and actions. - +## Allow corporate domains + +This policy allows users to access official corporate domains. By deploying the policy with high [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence), you ensure that employees can access trusted domains even if they fall under a blocked category like `Newly seen domains` or `Login pages`. + +| Selector | Operator | Value | Action | Precedence | +| -------- | -------- | ----------------- | ------ | ---------- | +| Domain | in list | `Allowed domains` | Allow | 1 | + +## Block security threats + +Block [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence. + +## Block content categories + +The categories included in this policy are not always a security threat, but blocking them can help minimize the risk that your organization is exposed to. For more information, refer to [domain categories](/cloudflare-one/policies/gateway/domain-categories/). + +| Selector | Operator | Value | Action | +| ------------------ | -------- | --------------------------------------------------------- | ------ | +| Content Categories | in | `Questionable Content`, `Security Risks`, `Miscellaneous` | Block | + + + +## Block banned countries + +You can implement policies to block websites hosted in countries categorized as high risk. 
The designation of such countries may result from your organization's customers or through the implementation of regulations including [EAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries), [OFAC](https://orpa.princeton.edu/export-controls/sanctioned-countries), and [ITAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries). + +| Selector | Operator | Value | Action | +| ------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| Resolved Country IP Geolocation | in | `Afghanistan`, `Belarus`, `Congo (Kinshasa)`, `Cuba`, `Iran`, `Iraq`, `Korea, North`, `Myanmar`, `Russian Federation`, `Sudan`, `Syria`, `Ukraine`, `Zimbabwe` | Block | + +## Block top-level domains + +Blocking [frequently misused](https://www.spamhaus.org/statistics/tlds/) top-level domains (TLDs) can reduce security risks, especially when there is no discernible advantage to be gained from allowing access. Similarly, restricting access to specific country-level TLDs may be necessary to comply with regulations like [ITAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries) or [OFAC](https://orpa.princeton.edu/export-controls/sanctioned-countries). + +| Selector | Operator | Value | Logic | Action | +| -------- | ------------- | --------------------------------------------------------------------- | ----- | ------ | +| Domain | matches regex | `[.](cn\|ru)$` | Or | Block | +| Domain | matches regex | `[.](rest\|hair\|top\|live\|cfd\|boats\|beauty\|mom\|skin\|okinawa)$` | Or | | +| Domain | matches regex | `[.](zip\|mobi)$` | | | + +## Block phishing attacks + +To protect against [sophisticated phishing attacks](https://blog.cloudflare.com/2022-07-sms-phishing-attacks/), you could prevent users from accessing phishing domains that are specifically targeting your organization. 
The following policy blocks specific keywords associated with an organization or its authentication services (such as `okta`, `2fa`, `cloudflare` or `sso`), while still allowing access to official corporate domains. + +| Selector | Operator | Value | Logic | Action | +| -------- | ------------- | ------------------------------------------- | ----- | ------ | +| Domain | not in list | `Corporate Domains` | And | Block | +| Domain | matches regex | `.*okta.*\|.*cloudflare.*\|.*mfa.*\|.sso.*` | | | + +## Block online tracking + +To safeguard user privacy, some organizations will block tracking domains such as `dig.whatsapp.com` as well as other tracking domains embedded at the OS level. This policy is implemented by creating a custom blocklist. Refer to [this repository](https://github.com/nextdns/native-tracking-domains/tree/28991a0d5b2ab6d35588a74af82162ea7caff420/domains) for a list of widespread tracking domains that you can add to your blocklist. + +| Selector | Operator | Value | Action | +| -------- | -------- | ---------------------- | ------ | +| Domain | in list | `Top tracking domains` | Block | + +## Block malicious IPs + +Block specific IP addresses that are known to be malicious or pose a threat to your organization. This policy is usually implemented by creating custom blocklists or by using blocklists provided by threat intelligence partners or regional Computer Emergency and Response Teams (CERTs). + +| Selector | Operator | Value | Action | +| ----------- | -------- | --------- | ------ | +| Resolved IP | in list | `DShield` | Block | + +## CIPA Filter + +The CIPA Filter is a collection of subcategories that encompass a wide range of topics that could be harmful or inappropriate for minors. It is used as a part of [Project Cybersafe Schools](/fundamentals/reference/policies-compliances/cybersafe/) to block access to unwanted or harmful online content. 
+ +| Selector | Operator | Value | Action | +| ------------------ | -------- | ------------- | ------ | +| Content Categories | in | `CIPA Filter` | Block | + +## Hide explicit search results + +SafeSearch is a feature of search engines that helps you filter explicit or offensive content. You can enable SafeSearch on search engines like Google, Bing, Yandex, YouTube, and DuckDuckGo: + +| Selector | Operator | Value | Action | +| ------------------ | -------- | ---------------- | ----------- | +| Content Categories | in | `Search Engines` | Safe Search | @@ -44,7 +122,7 @@ Enterprise users can pair these policies with an [egress policy](/cloudflare-one :::note -To ensure traffic routes via your preferred IP version, disable **Display block page**. +To ensure traffic routes via your preferred IP version, disable **Display block page**. ::: ### Force IPv4 diff --git a/src/content/partials/cloudflare-one/gateway/policies/recommended-dns-policies.mdx b/src/content/partials/cloudflare-one/gateway/policies/recommended-dns-policies.mdx deleted file mode 100644 index 7a9e9c4da50abe..00000000000000 --- a/src/content/partials/cloudflare-one/gateway/policies/recommended-dns-policies.mdx +++ /dev/null 
@@ -1,86 +0,0 @@ ---- -{} ---- - -import { Render } from "~/components"; - -## Allow corporate domains - -This policy allows users to access official corporate domains. By deploying the policy with high [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence), you ensure that employees can access trusted domains even if they fall under a blocked category like `Newly seen domains` or `Login pages`. - -| Selector | Operator | Value | Action | Precedence | -| -------- | -------- | ----------------- | ------ | ---------- | -| Domain | in list | `Allowed domains` | Allow | 1 | - -## Block security threats - -Block [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence. - -## Block content categories - -The categories included in this policy are not always a security threat, but blocking them can help minimize the risk that your organization is exposed to. For more information, refer to [domain categories](/cloudflare-one/policies/gateway/domain-categories/). - -| Selector | Operator | Value | Action | -| ------------------ | -------- | --------------------------------------------------------- | ------ | -| Content Categories | in | `Questionable Content`, `Security Risks`, `Miscellaneous` | Block | - - - -## Block banned countries - -You can implement policies to block websites hosted in countries categorized as high risk. The designation of such countries may result from your organization's customers or through the implementation of regulations including [EAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries), [OFAC](https://orpa.princeton.edu/export-controls/sanctioned-countries), and [ITAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries). 
- -| Selector | Operator | Value | Action | -| ------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -| Resolved Country IP Geolocation | in | `Afghanistan`, `Belarus`, `Congo (Kinshasa)`, `Cuba`, `Iran`, `Iraq`, `Korea, North`, `Myanmar`, `Russian Federation`, `Sudan`, `Syria`, `Ukraine`, `Zimbabwe` | Block | - -## Block top-level domains - -Blocking [frequently misused](https://www.spamhaus.org/statistics/tlds/) top-level domains (TLDs) can reduce security risks, especially when there is no discernible advantage to be gained from allowing access. Similarly, restricting access to specific country-level TLDs may be necessary to comply with regulations like [ITAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries) or [OFAC](https://orpa.princeton.edu/export-controls/sanctioned-countries). - -| Selector | Operator | Value | Logic | Action | -| -------- | ------------- | --------------------------------------------------------------------- | ----- | ------ | -| Domain | matches regex | `[.](cn\|ru)$` | Or | Block | -| Domain | matches regex | `[.](rest\|hair\|top\|live\|cfd\|boats\|beauty\|mom\|skin\|okinawa)$` | Or | | -| Domain | matches regex | `[.](zip\|mobi)$` | | | - -## Block phishing attacks - -To protect against [sophisticated phishing attacks](https://blog.cloudflare.com/2022-07-sms-phishing-attacks/), you could prevent users from accessing phishing domains that are specifically targeting your organization. The following policy blocks specific keywords associated with an organization or its authentication services (such as `okta`, `2fa`, `cloudflare` or `sso`), while still allowing access to official corporate domains. 
- -| Selector | Operator | Value | Logic | Action | -| -------- | ------------- | ------------------------------------------- | ----- | ------ | -| Domain | not in list | `Corporate Domains` | And | Block | -| Domain | matches regex | `.*okta.*\|.*cloudflare.*\|.*mfa.*\|.sso.*` | | | - -## Block online tracking - -To safeguard user privacy, some organizations will block tracking domains such as `dig.whatsapp.com` as well as other tracking domains embedded at the OS level. This policy is implemented by creating a custom blocklist. Refer to [this repository](https://github.com/nextdns/native-tracking-domains/tree/28991a0d5b2ab6d35588a74af82162ea7caff420/domains) for a list of widespread tracking domains that you can add to your blocklist. - -| Selector | Operator | Value | Action | -| -------- | -------- | ---------------------- | ------ | -| Domain | in list | `Top tracking domains` | Block | - -## Block malicious IPs - -Block specific IP addresses that are known to be malicious or pose a threat to your organization. This policy is usually implemented by creating custom blocklists or by using blocklists provided by threat intelligence partners or regional Computer Emergency and Response Teams (CERTs). - -| Selector | Operator | Value | Action | -| ----------- | -------- | --------- | ------ | -| Resolved IP | in list | `DShield` | Block | - -## CIPA Filter - -The CIPA Filter is a collection of subcategories that encompass a wide range of topics that could be harmful or inappropriate for minors. It is used as a part of [Project Cybersafe Schools](/fundamentals/reference/policies-compliances/cybersafe/) to block access to unwanted or harmful online content. - -| Selector | Operator | Value | Action | -| ------------------ | -------- | ------------- | ------ | -| Content Categories | in | `CIPA Filter` | Block | - -## Hide explicit search results - -SafeSearch is a feature of search engines that helps you filter explicit or offensive content. 
You can enable SafeSearch on search engines like Google, Bing, Yandex, YouTube, and DuckDuckGo: - -| Selector | Operator | Value | Action | -| ------------------ | -------- | ---------------- | ----------- | -| Content Categories | in | `Search Engines` | Safe Search | From 0220c191bf0d8ad55b20d122ccf13084141ca455 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 18 Dec 2024 17:02:20 -0600 Subject: [PATCH 02/22] Fix DNS formatting --- .../gateway/dns-policies/common-policies.mdx | 52 +++++++++---------- .../gateway/policies/block-applications.mdx | 8 ++- .../policies/block-security-categories.mdx | 3 +- .../gateway/policies/policies-optional.mdx | 5 +- 4 files changed, 32 insertions(+), 36 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index f4b4c4d167aed6..949e408f1d35ed 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx 
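Review bot: the `Block phishing attacks` regex inlined in PATCH 01/22, `.*okta.*\|.*cloudflare.*\|.*mfa.*\|.sso.*`, is inconsistent in its last alternative: `.sso.*` requires exactly one character before `sso`, so a domain that begins with `sso` is not matched, while the other three keywords are matched with any prefix. The paragraph above that table also lists `2fa` as an example keyword where the pattern uses `mfa`. Suggest `.*okta.*\|.*cloudflare.*\|.*mfa.*\|.*sso.*` and aligning the prose with the pattern. The same line is carried verbatim into the italics pass in PATCH 02/22, so it needs the fix there too.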
@@ -16,11 +16,11 @@ Refer to the [DNS policies page](/cloudflare-one/policies/gateway/dns-policies/) ## Allow corporate domains -This policy allows users to access official corporate domains. By deploying the policy with high [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence), you ensure that employees can access trusted domains even if they fall under a blocked category like `Newly seen domains` or `Login pages`. +This policy allows users to access official corporate domains. By deploying the policy with high [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence), you ensure that employees can access trusted domains even if they fall under a blocked category like _Newly seen domains_ or _Login pages_. | Selector | Operator | Value | Action | Precedence | | -------- | -------- | ----------------- | ------ | ---------- | -| Domain | in list | `Allowed domains` | Allow | 1 | +| Domain | in list | _Allowed domains_ | Allow | 1 | ## Block security threats @@ -32,7 +32,7 @@ The categories included in this policy are not always a security threat, but blo | Selector | Operator | Value | Action | | ------------------ | -------- | --------------------------------------------------------- | ------ | -| Content Categories | in | `Questionable Content`, `Security Risks`, `Miscellaneous` | Block | +| Content Categories | in | _Questionable Content_, _Security Risks_, _Miscellaneous_ | Block | 
@@ -42,7 +42,7 @@ You can implement policies to block websites hosted in countries categorized as | Selector | Operator | Value | Action | | ------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -| Resolved Country IP Geolocation | in | `Afghanistan`, `Belarus`, `Congo (Kinshasa)`, `Cuba`, `Iran`, `Iraq`, `Korea, North`, `Myanmar`, `Russian Federation`, `Sudan`, `Syria`, `Ukraine`, `Zimbabwe` | Block | +| Resolved Country IP Geolocation | in | _Afghanistan_, _Belarus_, _Congo (Kinshasa)_, _Cuba_, _Iran_, _Iraq_, _Korea, North_, _Myanmar_, _Russian Federation_, _Sudan_, _Syria_, _Ukraine_, _Zimbabwe_ | Block | ## Block top-level domains 
@@ -56,20 +56,20 @@ Blocking [frequently misused](https://www.spamhaus.org/statistics/tlds/) top-lev ## Block phishing attacks -To protect against [sophisticated phishing attacks](https://blog.cloudflare.com/2022-07-sms-phishing-attacks/), you could prevent users from accessing phishing domains that are specifically targeting your organization. The following policy blocks specific keywords associated with an organization or its authentication services (such as `okta`, `2fa`, `cloudflare` or `sso`), while still allowing access to official corporate domains. +To protect against [sophisticated phishing attacks](https://blog.cloudflare.com/2022-07-sms-phishing-attacks/), you could prevent users from accessing phishing domains that are specifically targeting your organization. The following policy blocks specific keywords associated with an organization or its authentication services (such as _okta_, _2fa_, _cloudflare_ or _sso_), while still allowing access to official corporate domains. | Selector | Operator | Value | Logic | Action | | -------- | ------------- | ------------------------------------------- | ----- | ------ | -| Domain | not in list | `Corporate Domains` | And | Block | +| Domain | not in list | _Corporate Domains_ | And | Block | | Domain | matches regex | `.*okta.*\|.*cloudflare.*\|.*mfa.*\|.sso.*` | | | ## Block online tracking -To safeguard user privacy, some organizations will block tracking domains such as `dig.whatsapp.com` as well as other tracking domains embedded at the OS level. This policy is implemented by creating a custom blocklist. Refer to [this repository](https://github.com/nextdns/native-tracking-domains/tree/28991a0d5b2ab6d35588a74af82162ea7caff420/domains) for a list of widespread tracking domains that you can add to your blocklist. +To safeguard user privacy, some organizations will block tracking domains such as _dig.whatsapp.com_ as well as other tracking domains embedded at the OS level. 
This policy is implemented by creating a custom blocklist. Refer to [this repository](https://github.com/nextdns/native-tracking-domains/tree/28991a0d5b2ab6d35588a74af82162ea7caff420/domains) for a list of widespread tracking domains that you can add to your blocklist. | Selector | Operator | Value | Action | | -------- | -------- | ---------------------- | ------ | -| Domain | in list | `Top tracking domains` | Block | +| Domain | in list | _Top tracking domains_ | Block | ## Block malicious IPs @@ -77,7 +77,7 @@ Block specific IP addresses that are known to be malicious or pose a threat to y | Selector | Operator | Value | Action | | ----------- | -------- | --------- | ------ | -| Resolved IP | in list | `DShield` | Block | +| Resolved IP | in list | _DShield_ | Block | ## CIPA Filter @@ -85,7 +85,7 @@ The CIPA Filter is a collection of subcategories that encompass a wide range of | Selector | Operator | Value | Action | | ------------------ | -------- | ------------- | ------ | -| Content Categories | in | `CIPA Filter` | Block | +| Content Categories | in | _CIPA Filter_ | Block | ## Hide explicit search results @@ -93,7 +93,7 @@ SafeSearch is a feature of search engines that helps you filter explicit or offe | Selector | Operator | Value | Action | | ------------------ | -------- | ---------------- | ----------- | -| Content Categories | in | `Search Engines` | Safe Search | +| Content Categories | in | _Search Engines_ | Safe Search | 
@@ -105,16 +105,16 @@ The following example includes two policies. The first policy allows the specifi ### 1. Allow a group -| Selector | Operator | Value | Logic | Action | -| ------------------ | -------- | ---------------- | ----- | ------ | -| Content Categories | in | Social Networks | And | Allow | -| User Group Names | in | `marketing-team` | | | +| Selector | Operator | Value | Logic | Action | +| ------------------ | -------- | ----------------- | ----- | ------ | +| Content Categories | in | _Social Networks_ | And | Allow | +| User Group Names | in | _marketing-team_ | | | ### 2. Block all other users -| Selector | Operator | Value | Action | -| ------------------ | -------- | --------------- | ------ | -| Content Categories | in | Social Networks | Block | +| Selector | Operator | Value | Action | +| ------------------ | -------- | ----------------- | ------ | +| Content Categories | in | _Social Networks_ | Block | ## Control IP version @@ -129,16 +129,16 @@ To ensure traffic routes via your preferred IP version, disable **Display block Force users to connect with IPv4. -| Selector | Operator | Value | Logic | Action | -| ----------------- | -------- | ----------- | ----- | ------ | -| Query Record Type | is | AAAA | And | Block | -| Domain | is | example.com | | | +| Selector | Operator | Value | Logic | Action | +| ----------------- | -------- | ------------- | ----- | ------ | +| Query Record Type | is | _AAAA_ | And | Block | +| Domain | is | `example.com` | | | ### Force IPv6 Force users to connect with IPv6. -| Selector | Operator | Value | Logic | Action | -| ----------------- | -------- | ----------- | ----- | ------ | -| Query Record Type | is | A | And | Block | -| Domain | is | example.com | | | +| Selector | Operator | Value | Logic | Action | +| ----------------- | -------- | ------------- | ----- | ------ | +| Query Record Type | is | _A_ | And | Block | +| Domain | is | `example.com` | | | 
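Review bot: the italics pass in PATCH 02/22 is right for dashboard list and category names, but the `Block phishing attacks` and `Block online tracking` hunks also convert literal match strings: `_okta_`, `_2fa_`, `_cloudflare_` and `_sso_` are regex substrings and `_dig.whatsapp.com_` is a domain, so they should stay in code font, as `example.com` does in the `Control IP version` hunks of the same patch. Also, the `-`/`+` pair in the `:::note` hunk (`To ensure traffic routes via your preferred IP version, disable **Display block page**.`) is identical as displayed, so it is presumably a trailing-whitespace change; fine if intended.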
diff --git a/src/content/partials/cloudflare-one/gateway/policies/block-applications.mdx b/src/content/partials/cloudflare-one/gateway/policies/block-applications.mdx index 52601a7a10550d..26c25a5eaf2053 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/block-applications.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/block-applications.mdx @@ -1,9 +1,8 @@ --- {} - --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip } from "~/components"; ## Block unauthorized applications @@ -11,9 +10,8 @@ To minimize the risk of + | Selector | Operator | Value | Action | Precedence | | -------- | -------- | ----------------- | ------ | ---------- | | Domain | in list | _Allowed domains_ | Allow | 1 | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Block security risks", + "description": "Block all default Cloudflare DNS security categories", + "precedence": 0, + "enabled": true, + "action": "allow", + "filters": [ + "dns" + ], + "traffic": "any(dns.domains[*] in $)", + "identity": "", + "device_posture": "" +}' +``` + +To get the UUID of your list, use the [List Zero Trust lists](/api/resources/zero_trust/subresources/gateway/subresources/lists/methods/list/) endpoint. + + + ## Block security threats Block [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence. From d7622031334ac94943b2e8300f73ffdbef680663 Mon Sep 17 00:00:00 2001 
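Review bot: the curl example added under `Allow corporate domains` at the end of this chunk (the patch header before it is missing from the excerpt) has no space before the line-continuation backslash: `curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\` followed by a newline joins `--header` onto the URL, so the request goes to `.../gateway/rule--header` and the header text becomes a bare positional argument. Write `.../gateway/rule \` (this recurs in every curl block in the series), and while there check the resource path `gateway/rule` against the API reference. Second, the JSON body is copied from the security example: `"name": "Block security risks"` and `"description": "Block all default Cloudflare DNS security categories"` sit next to `"action": "allow"`; PATCH 04/22 corrects the name and description, better squashed here. Third, `"precedence": 0` does not match the `Precedence` column of the table directly above it, which says `1`; pick one. Finally, as displayed the placeholders after `Bearer ` and after `$` in `any(dns.domains[*] in $)` are empty; confirm the rendered page shows the token and list-UUID placeholders.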
From: Max Phillips Date: Fri, 20 Dec 2024 15:25:07 -0600 Subject: [PATCH 04/22] Add block unauthorized applications --- .../gateway/dns-policies/common-policies.mdx | 96 ++++++++++++++++++- .../gateway/http-policies/common-policies.mdx | 10 +- .../network-policies/common-policies.mdx | 10 +- .../gateway/get-started/create-dns-policy.mdx | 2 +- .../gateway/policies/block-applications.mdx | 12 +-- 5 files changed, 113 insertions(+), 17 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index c8872d57327c52..e24e95fbf27712 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx @@ -33,8 +33,8 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ - "name": "Block security risks", - "description": "Block all default Cloudflare DNS security categories", + "name": "Allow corporate domains", + "description": "Allow any internal corporate domains added to a list", "precedence": 0, "enabled": true, "action": "allow", 
@@ -53,18 +53,108 @@ To get the UUID of your list, use the [List Zero Trust lists](/api/resources/zer ## Block security threats -Block [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence. +Block [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence. + + + + + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Block security threats", + "description": "Block all default Cloudflare DNS security categories", + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", + "identity": "", + "device_posture": "" +}' +``` + + ## Block content categories The categories included in this policy are not always a security threat, but blocking them can help minimize the risk that your organization is exposed to. For more information, refer to [domain categories](/cloudflare-one/policies/gateway/domain-categories/). 
+ + | Selector | Operator | Value | Action | | ------------------ | -------- | --------------------------------------------------------- | ------ | | Content Categories | in | _Questionable Content_, _Security Risks_, _Miscellaneous_ | Block | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Block content categories", + "description": "Block common content categories that may pose a risk", + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161})", + "identity": "", + "device_posture": "" +}' +``` + + + +## Block unauthorized applications + + + +| Selector | Operator | Value | Action | +| ----------- | -------- | ------------------------- | ------ | +| Application | in | _Artificial Intelligence_ | Block | + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Block unauthorized applications", + "description": "Block access to unauthorized AI applications", + "precedence": 0, + "enabled": true, + "action": "allow", + "filters": [ + "dns" + ], + "traffic": "any(app.type.ids[*] in {25})", + "identity": "", + "device_posture": "" +}' +``` + + + ## Block banned countries You can implement policies to block websites hosted in countries categorized as high risk. The designation of such countries may result from your organization's customers or through the implementation of regulations including [EAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries), [OFAC](https://orpa.princeton.edu/export-controls/sanctioned-countries), and [ITAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries). 
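Review bot: in the `Block unauthorized applications` hunk of PATCH 04/22, the curl body contradicts the table it follows: the table says `Block` for `Application in Artificial Intelligence`, but the JSON sends `"action": "allow"` and adds `"precedence": 0`, which would make this an allow rule that wins over everything below it. PATCH 05/22 changes the action to `block` and drops the precedence; squash that fix into this commit so no intermediate state publishes an allow rule under a block heading. The `Block security threats` and `Block content categories` bodies in the same hunk are consistent with their headings and actions.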
diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index 1970ed8b710d31..b18a6b44c0bba2 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx @@ -8,7 +8,7 @@ head: content: Common HTTP policies --- -import { Render } from "~/components"; +import { Render, Tabs, TabItem } from "~/components"; The following policies are commonly used to secure HTTP traffic. @@ -36,7 +36,13 @@ Block a section of a site without blocking the entire site. For example, you can - +## Block unauthorized applications + + + +| Selector | Operator | Value | Action | +| ----------- | -------- | ------------------------- | ------ | +| Application | in | _Artificial Intelligence_ | Block | diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx index 9098cd11c3331f..39646c15355690 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx @@ -8,13 +8,19 @@ head: content: Common network policies --- -import { Render } from "~/components"; +import { Render, Tabs, TabItem } from "~/components"; The following policies are commonly used to secure network traffic. Refer to the [network policies page](/cloudflare-one/policies/gateway/network-policies/) for a comprehensive list of other selectors, operators, and actions. - +## Block unauthorized applications + + + +| Selector | Operator | Value | Action | +| ----------- | -------- | ------------------------- | ------ | +| Application | in | _Artificial Intelligence_ | Block | 
diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx index b76957ec17cf54..b47d472b06789d 100644 --- a/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx +++ b/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx @@ -37,7 +37,7 @@ To create a new DNS policy: --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ - "name": "Block security risks", + "name": "Block security threats", "description": "Block all default Cloudflare DNS security categories", "precedence": 0, "enabled": true, diff --git a/src/content/partials/cloudflare-one/gateway/policies/block-applications.mdx b/src/content/partials/cloudflare-one/gateway/policies/block-applications.mdx index 26c25a5eaf2053..0f2ed7fd9b631c 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/block-applications.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/block-applications.mdx 
@@ -2,16 +2,10 @@ {} --- -import { GlossaryTooltip } from "~/components"; - -## Block unauthorized applications - -To minimize the risk of shadow IT, some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks AI assistants: - -| Selector | Operator | Value | Action | -| ----------- | -------- | ----------------------------------------------- | ------ | -| Application | in | _Microsoft Copilot_, _ChatGPT_, _Google Gemini_ | Block | +import { GlossaryTooltip, Tabs, TabItem } from "~/components"; :::note After seven days, view your [shadow IT analytics](/cloudflare-one/insights/analytics/access/) and block additional applications based on what your users are accessing. ::: + +To minimize the risk of shadow IT, some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks known AI tools: From c27865b7ede36d504a9e2ae11ba4f0aab871c934 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 20 Dec 2024 15:47:34 -0600 Subject: [PATCH 05/22] Add get list partial --- .../gateway/dns-policies/common-policies.mdx | 85 ++++++++++++++++++- .../gateway/policies/get-list.mdx | 5 ++ 2 files changed, 87 insertions(+), 3 deletions(-) create mode 100644 src/content/partials/cloudflare-one/gateway/policies/get-list.mdx diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index e24e95fbf27712..b31e5c251e197c 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx 
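Review bot: the reordering of `block-applications.mdx` in PATCH 04/22 leaves the `:::note` (view your shadow IT analytics after seven days and block additional applications) above the sentence that introduces the policy (`To minimize the risk of shadow IT, some organizations choose to limit ...`), so readers are told to block additional applications before any policy has been shown. Since the DNS, HTTP and network pages now render the table right after this partial, move the intro sentence above the note, or move the note into the pages after their tables. Also confirm `GlossaryTooltip` is still referenced in the trimmed partial now that the heading and table have moved out.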
@@ -47,7 +47,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ }' ``` -To get the UUID of your list, use the [List Zero Trust lists](/api/resources/zero_trust/subresources/gateway/subresources/lists/methods/list/) endpoint. + @@ -141,9 +141,8 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ --data '{ "name": "Block unauthorized applications", "description": "Block access to unauthorized AI applications", - "precedence": 0, "enabled": true, - "action": "allow", + "action": "block", "filters": [ "dns" ], 
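Review bot: the second hunk is a correctness fix hiding in a commit titled "Add get list partial": the example named "Block unauthorized applications" was sending `"action": "allow"`, which would have allow-listed the AI applications it claims to block for anyone who copied the curl command, and the hunk changes it to `"action": "block"`. That deserves its own commit or at least a sentence in this commit message so it is findable later. Also worth a sentence in the message: dropping `"precedence": 0` from this body changes where the rule lands relative to the other examples on the page that do set a precedence.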
@@ -159,29 +158,109 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ You can implement policies to block websites hosted in countries categorized as high risk. The designation of such countries may result from your organization's customers or through the implementation of regulations including [EAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries), [OFAC](https://orpa.princeton.edu/export-controls/sanctioned-countries), and [ITAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries). + + | Selector | Operator | Value | Action | | ------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | | Resolved Country IP Geolocation | in | _Afghanistan_, _Belarus_, _Congo (Kinshasa)_, _Cuba_, _Iran_, _Iraq_, _Korea, North_, _Myanmar_, _Russian Federation_, _Sudan_, _Syria_, _Ukraine_, _Zimbabwe_ | Block | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Block banned countries", + "description": "Block access to banned countries", + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.dst.geo.country[*] in {\"AF\" \"BY\" \"CD\" \"CU\" \"IR\" \"IQ\" \"KP\" \"MM\" \"RU\" \"SD\" \"SY\" \"UA\" \"ZW\"})", + "identity": "", + "device_posture": "" +}' +``` + + + ## Block top-level domains Blocking [frequently misused](https://www.spamhaus.org/statistics/tlds/) top-level domains (TLDs) can reduce security risks, especially when there is no discernible advantage to be gained from allowing access. 
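Review bot: the API expression and the dashboard table agree (thirteen countries, thirteen ISO codes, `"Korea, North"` to `KP`, `"Congo (Kinshasa)"` to `CD`), but the prose should state the limitation the selector name implies: `Resolved Country IP Geolocation` / `dns.dst.geo.country` matches the geolocation of the resolved IP, not the registrant or hosting jurisdiction of the site, so a sanctioned-country site served from a CDN edge elsewhere is not caught and a benign site served from an IP geolocated in one of these countries is. One sentence after "categorized as high risk" would save readers from treating this as a complete sanctions control.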
Similarly, restricting access to specific country-level TLDs may be necessary to comply with regulations like [ITAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries) or [OFAC](https://orpa.princeton.edu/export-controls/sanctioned-countries). + + | Selector | Operator | Value | Logic | Action | | -------- | ------------- | --------------------------------------------------------------------- | ----- | ------ | | Domain | matches regex | `[.](cn\|ru)$` | Or | Block | | Domain | matches regex | `[.](rest\|hair\|top\|live\|cfd\|boats\|beauty\|mom\|skin\|okinawa)$` | Or | | | Domain | matches regex | `[.](zip\|mobi)$` | | | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Block top-level domains", + "description": "Block top-level domains that are frequently used for malicious practices", + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.domains[*] matches \"[.](cn|ru)$\") or any(dns.domains[*] matches \"[.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$\") or any(dns.domains[*] matches \"[.](zip|mobi)$\")", + "identity": "", + "device_posture": "" +}' +``` + + + ## Block phishing attacks To protect against [sophisticated phishing attacks](https://blog.cloudflare.com/2022-07-sms-phishing-attacks/), you could prevent users from accessing phishing domains that are specifically targeting your organization. The following policy blocks specific keywords associated with an organization or its authentication services (such as _okta_, _2fa_, _cloudflare_ or _sso_), while still allowing access to official corporate domains. 
+ + | Selector | Operator | Value | Logic | Action | | -------- | ------------- | ------------------------------------------- | ----- | ------ | | Domain | not in list | _Corporate Domains_ | And | Block | | Domain | matches regex | `.*okta.*\|.*cloudflare.*\|.*mfa.*\|.sso.*` | | | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Block phishing attacks", + "description": "Block attempts to phish specific domains targeting your organization", + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "not(any(dns.domains[*] in $)) and any(dns.domains[*] matches \".*okta.*\\|.*cloudflare.*\\|.*mfa.*\\|.sso.*\")", + "identity": "", + "device_posture": "" +}' +``` + + + + + ## Block online tracking To safeguard user privacy, some organizations will block tracking domains such as _dig.whatsapp.com_ as well as other tracking domains embedded at the OS level. This policy is implemented by creating a custom blocklist. Refer to [this repository](https://github.com/nextdns/native-tracking-domains/tree/28991a0d5b2ab6d35588a74af82162ea7caff420/domains) for a list of widespread tracking domains that you can add to your blocklist. diff --git a/src/content/partials/cloudflare-one/gateway/policies/get-list.mdx b/src/content/partials/cloudflare-one/gateway/policies/get-list.mdx new file mode 100644 index 00000000000000..7fb16b252bbb5d --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/policies/get-list.mdx @@ -0,0 +1,5 @@ +--- +{} +--- + +To get the UUID of your list, use the [List Zero Trust lists](/api/resources/zero_trust/subresources/gateway/subresources/lists/methods/list/) endpoint. From 5a2b5b930d19a31490859570c3dd810e15c3ee48 Mon Sep 17 00:00:00 2001 
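Review bot: the regex in the `traffic` field of the "Block phishing attacks" body is broken by over-escaping. The markdown table writes `\|` only because a bare pipe would split the table cell; inside the JSON string `".*okta.*\\|.*cloudflare.*\\|.*mfa.*\\|.sso.*"` the `\\|` decodes to `\|`, which in a regex is a literal pipe character rather than alternation, so the rule would only ever match a domain containing a `|`. It should read `".*okta.*|.*cloudflare.*|.*mfa.*|.sso.*"`, the same way the "Block top-level domains" body above correctly uses `"[.](cn|ru)$"` with no backslash. While touching it: `.sso.*` (one leading `.`) matches only `Xsso...` at the start of the domain; `.*sso.*` is almost certainly what was meant, in both the table and the API body.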
From: Max Phillips Date: Fri, 20 Dec 2024 15:50:17 -0600 Subject: [PATCH 06/22] Remove get-list partial --- .../gateway/dns-policies/common-policies.mdx | 30 ++++++++++++++++--- .../gateway/policies/get-list.mdx | 5 ---- 2 files changed, 26 insertions(+), 9 deletions(-) delete mode 100644 src/content/partials/cloudflare-one/gateway/policies/get-list.mdx diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index b31e5c251e197c..bed0da022f7f1f 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx @@ -47,8 +47,6 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ }' ``` - - ## Block security threats 
@@ -257,18 +255,42 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ }' ``` - - ## Block online tracking To safeguard user privacy, some organizations will block tracking domains such as _dig.whatsapp.com_ as well as other tracking domains embedded at the OS level. This policy is implemented by creating a custom blocklist. Refer to [this repository](https://github.com/nextdns/native-tracking-domains/tree/28991a0d5b2ab6d35588a74af82162ea7caff420/domains) for a list of widespread tracking domains that you can add to your blocklist. + + | Selector | Operator | Value | Action | | -------- | -------- | ---------------------- | ------ | | Domain | in list | _Top tracking domains_ | Block | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Block online tracking", + "description": "Block domains used for tracking at an OS level", + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.domains[*] in $)", + "identity": "", + "device_posture": "" +}' +``` + + + ## Block malicious IPs Block specific IP addresses that are known to be malicious or pose a threat to your organization. This policy is usually implemented by creating custom blocklists or by using blocklists provided by threat intelligence partners or regional Computer Emergency and Response Teams (CERTs). diff --git a/src/content/partials/cloudflare-one/gateway/policies/get-list.mdx b/src/content/partials/cloudflare-one/gateway/policies/get-list.mdx deleted file mode 100644 index 7fb16b252bbb5d..00000000000000 --- a/src/content/partials/cloudflare-one/gateway/policies/get-list.mdx +++ /dev/null @@ -1,5 +0,0 @@ ---- -{} ---- - -To get the UUID of your list, use the [List Zero Trust lists](/api/resources/zero_trust/subresources/gateway/subresources/lists/methods/list/) endpoint. 
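Review bot: PATCH 05 creates `partials/cloudflare-one/gateway/policies/get-list.mdx` and PATCH 06 deletes it again with no other consumer in between, so the series adds and removes the same five-line file; squash the two (or drop the partial from PATCH 05) so the file never appears in history. The "Block online tracking" body itself looks consistent with its table (`any(dns.domains[*] in $...)` against a list), but its description "Block domains used for tracking at an OS level" is narrower than the prose, which also covers application tracking domains such as `dig.whatsapp.com`.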
From 849e81fafb7db55326fb1b416295a78e4212b39e Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 20 Dec 2024 15:56:02 -0600 Subject: [PATCH 07/22] Add CIPA filter --- .../gateway/dns-policies/common-policies.mdx | 58 ++++++++++++++++++- 1 file changed, 55 insertions(+), 3 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index bed0da022f7f1f..e3bb9ed9faff7c 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx 
@@ -295,21 +295,73 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ Block specific IP addresses that are known to be malicious or pose a threat to your organization. This policy is usually implemented by creating custom blocklists or by using blocklists provided by threat intelligence partners or regional Computer Emergency and Response Teams (CERTs). + + | Selector | Operator | Value | Action | | ----------- | -------- | --------- | ------ | | Resolved IP | in list | _DShield_ | Block | -## CIPA Filter + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Block malicious IPs", + "description": "Block specific IP addresses that are known to be malicious or pose a threat to your organization", + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.resolved_ips[*] in $)", + "identity": "", + "device_posture": "" +}' +``` + + + +## Turn on CIPA filter -The CIPA Filter is a collection of subcategories that encompass a wide range of topics that could be harmful or inappropriate for minors. It is used as a part of [Project Cybersafe Schools](/fundamentals/reference/policies-compliances/cybersafe/) to block access to unwanted or harmful online content. +The CIPA (Children's Internet Protection Act) Filter is a collection of subcategories that encompass a wide range of topics that could be harmful or inappropriate for minors. It is used as a part of [Project Cybersafe Schools](/fundamentals/reference/policies-compliances/cybersafe/) to block access to unwanted or harmful online content. Upon creating this policy, your organization will have minimum CIPA compliance. 
+ + | Selector | Operator | Value | Action | | ------------------ | -------- | ------------- | ------ | | Content Categories | in | _CIPA Filter_ | Block | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Turn on CIPA filter", + "description": "Block access to unwanted or harmful online content for children", + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.content_category[*] in {182})", + "identity": "", + "device_posture": "" +}' +``` + + + ## Hide explicit search results -SafeSearch is a feature of search engines that helps you filter explicit or offensive content. You can enable SafeSearch on search engines like Google, Bing, Yandex, YouTube, and DuckDuckGo: +SafeSearch is a feature of search engines that helps you filter explicit or offensive content. You can force SafeSearch on search engines like Google, Bing, Yandex, YouTube, and DuckDuckGo: | Selector | Operator | Value | Action | | ------------------ | -------- | ---------------- | ----------- | From df037574b5e3b659774c84daf0186fe59f3c2cfa Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 20 Dec 2024 16:05:50 -0600 Subject: [PATCH 08/22] Remove device posture for DNS policies --- .../gateway/dns-policies/common-policies.mdx | 37 +++++++++++++------ .../gateway/get-started/create-dns-policy.mdx | 1 - 2 files changed, 26 insertions(+), 12 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index e3bb9ed9faff7c..4210c1e073241d 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx 
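Review bot: "Upon creating this policy, your organization will have minimum CIPA compliance" is a legal assurance the docs cannot give; CIPA compliance involves more than a DNS content filter, so phrase it as "helps meet the filtering requirement of CIPA" or similar. Two smaller points in the same hunk: the "Block malicious IPs" `description` repeats the intro sentence word for word, so a shorter description ("Block IPs from a threat intelligence blocklist") would read better in the dashboard; and the SafeSearch paragraph now says "force SafeSearch", which is the accurate verb, so the heading "Hide explicit search results" could follow suit.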
@@ -43,7 +43,6 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ ], "traffic": "any(dns.domains[*] in $)", "identity": "", - "device_posture": "" }' ``` @@ -78,7 +77,6 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ ], "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", "identity": "", - "device_posture": "" }' ``` @@ -112,7 +110,6 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ ], "traffic": "any(dns.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161})", "identity": "", - "device_posture": "" }' ``` @@ -146,7 +143,6 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ ], "traffic": "any(app.type.ids[*] in {25})", "identity": "", - "device_posture": "" }' ``` @@ -180,7 +176,6 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ ], "traffic": "any(dns.dst.geo.country[*] in {\"AF\" \"BY\" \"CD\" \"CU\" \"IR\" \"IQ\" \"KP\" \"MM\" \"RU\" \"SD\" \"SY\" \"UA\" \"ZW\"})", "identity": "", - "device_posture": "" }' ``` @@ -216,7 +211,6 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ ], "traffic": "any(dns.domains[*] matches \"[.](cn|ru)$\") or any(dns.domains[*] matches \"[.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$\") or any(dns.domains[*] matches \"[.](zip|mobi)$\")", "identity": "", - "device_posture": "" }' ``` @@ -251,7 +245,6 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ ], "traffic": "not(any(dns.domains[*] in $)) and any(dns.domains[*] matches \".*okta.*\\|.*cloudflare.*\\|.*mfa.*\\|.sso.*\")", "identity": "", - "device_posture": "" }' ``` @@ -285,7 +278,6 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ ], "traffic": "any(dns.domains[*] in $)", "identity": "", - "device_posture": "" }' ``` 
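Review bot: every hunk in this file removes the last key of the JSON object but leaves the comma on the line before it, so each body now ends `"identity": "", }` with a trailing comma. Strict JSON parsers, the API's included, reject that, so every curl example on the page as patched fails with a parse error. Either drop the comma after `"identity": ""` in each hunk or remove `"identity": ""` too when the policy has no identity condition. Also consider stating in the page why `device_posture` is gone (the commit subject says DNS policies do not support it); a reader diffing the DNS and HTTP examples will otherwise wonder.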
@@ -319,7 +311,6 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ ], "traffic": "any(dns.resolved_ips[*] in $)", "identity": "", - "device_posture": "" }' ``` @@ -327,7 +318,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ ## Turn on CIPA filter -The CIPA (Children's Internet Protection Act) Filter is a collection of subcategories that encompass a wide range of topics that could be harmful or inappropriate for minors. It is used as a part of [Project Cybersafe Schools](/fundamentals/reference/policies-compliances/cybersafe/) to block access to unwanted or harmful online content. Upon creating this policy, your organization will have minimum CIPA compliance. +The CIPA (Children's Internet Protection Act) Filter is a collection of subcategories that encompass a wide range of topics that could be harmful or inappropriate for minors. It is used as a part of [Project Cybersafe Schools](/fundamentals/reference/policies-compliances/cybersafe/) to block access to unwanted or harmful online content. Upon creating this policy, your organization will have minimum [CIPA compliance](https://www.fcc.gov/consumers/guides/childrens-internet-protection-act). @@ -353,7 +344,6 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ ], "traffic": "any(dns.content_category[*] in {182})", "identity": "", - "device_posture": "" }' ``` 
@@ -363,10 +353,35 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ SafeSearch is a feature of search engines that helps you filter explicit or offensive content. You can force SafeSearch on search engines like Google, Bing, Yandex, YouTube, and DuckDuckGo: + + | Selector | Operator | Value | Action | | ------------------ | -------- | ---------------- | ----------- | | Content Categories | in | _Search Engines_ | Safe Search | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Hide explicit search results", + "description": "Force SafeSearch on search engines to filter explicit or offensive content", + "enabled": true, + "action": "safesearch", + "filters": [ + "dns" + ], + "traffic": "any(dns.content_category[*] in {145})", + "identity": "", +}' +``` + + + ## Restrict access to specific groups diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx index b47d472b06789d..892578f2c0188f 100644 --- a/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx +++ b/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx @@ -47,7 +47,6 @@ To create a new DNS policy: ], "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", "identity": "", - "device_posture": "" }' ``` From 0cc6b8a48ef09057b36ab3be9056561781f0021e Mon Sep 17 00:00:00 2001 
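Review bot: the new "Hide explicit search results" body ships the same trailing comma (`"identity": "",` directly before `}'`) as the edited bodies above, and the hunk to `get-started/create-dns-policy.mdx` introduces it into the getting-started example, which is the one command most readers will paste first; both need the comma removed. The `"action": "safesearch"` value and the `{145}` category for `Search Engines` match the table, so the rest of the body looks right.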
From: Max Phillips Date: Fri, 20 Dec 2024 16:10:26 -0600 Subject: [PATCH 09/22] Add check user identity policy --- .../gateway/dns-policies/common-policies.mdx | 34 ++++++++++++++++++- .../gateway/http-policies/common-policies.mdx | 9 ++++- .../network-policies/common-policies.mdx | 9 ++++- .../gateway/policies/check-user-identity.mdx | 5 +++ .../gateway/policies/policies-optional.mdx | 12 ------- 5 files changed, 54 insertions(+), 15 deletions(-) create mode 100644 src/content/partials/cloudflare-one/gateway/policies/check-user-identity.mdx delete mode 100644 src/content/partials/cloudflare-one/gateway/policies/policies-optional.mdx diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index 4210c1e073241d..2a549f3c4e0b5e 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx @@ -382,7 +382,39 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ - +## Check user identity + + + + + +| Selector | Operator | Value | Logic | Action | +| ---------------- | -------- | ------------- | ----- | ------ | +| Application | in | _Salesforce_ | And | Block | +| User Group Names | in | _Contractors_ | | | + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Check user identity", + "description": "Filter traffic based on a user identity group name", + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(app.ids[*] in {606})", + "identity": "any(identity.groups.name[*] in {\"Contractors\"})", +}' +``` + + ## Restrict access to specific groups 
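Review bot: the "Check user identity" DNS body has the trailing comma after `"identity": "any(identity.groups.name[*] in {\"Contractors\"})",`, so it is not valid JSON as written. The `description` ("Filter traffic based on a user identity group name") describes the mechanism rather than the policy; the other examples on the page describe the effect ("Block access to Salesforce for the Contractors group"), and the same policy added to the HTTP page in a later commit uses yet another wording, so pick one and use it in both places.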
diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index b18a6b44c0bba2..34a1b6266ce92d 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx @@ -44,7 +44,14 @@ Block a section of a site without blocking the entire site. For example, you can | ----------- | -------- | ------------------------- | ------ | | Application | in | _Artificial Intelligence_ | Block | - +## Check user identity + + + +| Selector | Operator | Value | Logic | Action | +| ---------------- | -------- | ------------- | ----- | ------ | +| Application | in | _Salesforce_ | And | Block | +| User Group Names | in | _Contractors_ | | | ## Skip inspection for groups of applications diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx index 39646c15355690..42597d7d81db94 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx @@ -22,7 +22,14 @@ Refer to the [network policies page](/cloudflare-one/policies/gateway/network-po | ----------- | -------- | ------------------------- | ------ | | Application | in | _Artificial Intelligence_ | Block | - +## Check user identity + + + +| Selector | Operator | Value | Logic | Action | +| ---------------- | -------- | ------------- | ----- | ------ | +| Application | in | _Salesforce_ | And | Block | +| User Group Names | in | _Contractors_ | | | ## Enforce device posture 
diff --git a/src/content/partials/cloudflare-one/gateway/policies/check-user-identity.mdx b/src/content/partials/cloudflare-one/gateway/policies/check-user-identity.mdx new file mode 100644 index 00000000000000..93114e5b33c53b --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/policies/check-user-identity.mdx @@ -0,0 +1,5 @@ +--- +{} +--- + +Configure access on a per user or group basis by adding [identity-based conditions](/cloudflare-one/policies/gateway/identity-selectors/) to your policies. diff --git a/src/content/partials/cloudflare-one/gateway/policies/policies-optional.mdx b/src/content/partials/cloudflare-one/gateway/policies/policies-optional.mdx deleted file mode 100644 index c45897d90d1fb5..00000000000000 --- a/src/content/partials/cloudflare-one/gateway/policies/policies-optional.mdx +++ /dev/null @@ -1,12 +0,0 @@ ---- -{} ---- - -## Check user identity - -Configure access on a per user or group basis by adding [identity-based conditions](/cloudflare-one/policies/gateway/identity-selectors/) to your policies. - -| Selector | Operator | Value | Logic | Action | -| ---------------- | -------- | ------------- | ----- | ------ | -| Application | in | _Salesforce_ | And | Block | -| User Group Names | in | _Contractors_ | | | From 04e4cc28272d12e9aef3ecac899bf49c53995d23 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 20 Dec 2024 16:31:39 -0600 Subject: [PATCH 10/22] Add block content categories policies --- .../gateway/dns-policies/common-policies.mdx | 113 +++++++++++++++++- .../gateway/http-policies/common-policies.mdx | 86 ++++++++++++- .../gateway/policies/content-categories.mdx | 11 -- 3 files changed, 192 insertions(+), 18 deletions(-) delete mode 100644 src/content/partials/cloudflare-one/gateway/policies/content-categories.mdx 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index 2a549f3c4e0b5e..471311145253ea 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx @@ -391,7 +391,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ | Selector | Operator | Value | Logic | Action | | ---------------- | -------- | ------------- | ----- | ------ | | Application | in | _Salesforce_ | And | Block | -| User Group Names | in | _Contractors_ | | | +| User Group Names | in | `Contractors` | | | 
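Review bot: this changes the group value from `_Contractors_` to `` `Contractors` `` only in the DNS page, while the identical table copied into `http-policies/common-policies.mdx` and `network-policies/common-policies.mdx` in the previous commit still uses `_Contractors_`. Since the three tables were just split out of a shared partial, decide on one convention for user-supplied names (backticks seem to be the intent, given `` `Marketing` `` below) and apply it to all three pages in the same commit.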
@@ -424,40 +424,141 @@ The following example includes two policies. The first policy allows the specifi ### 1. Allow a group + + | Selector | Operator | Value | Logic | Action | | ------------------ | -------- | ----------------- | ----- | ------ | | Content Categories | in | _Social Networks_ | And | Allow | -| User Group Names | in | _marketing-team_ | | | +| User Group Names | in | `Marketing` | | | + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Allow social media for Marketing", + "description": "Allow access to social media sites for users in the Marketing group", + "precedence": 1, + "enabled": true, + "action": "allow", + "filters": [ + "dns" + ], + "traffic": "any(dns.content_category[*] in {149})", + "identity": "any(identity.groups.name[*] in {\"Marketing\"})", +}' +``` + + ### 2. Block all other users + + | Selector | Operator | Value | Action | | ------------------ | -------- | ----------------- | ------ | | Content Categories | in | _Social Networks_ | Block | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Block social media", + "description": "Block social media for all other users", + "precedence": 2, + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.content_category[*] in {149})", + "identity": "", +}' +``` + + + ## Control IP version Enterprise users can pair these policies with an [egress policy](/cloudflare-one/policies/gateway/egress-policies/) to control which IP address is used to egress to the origin server. :::note - -To ensure traffic routes via your preferred IP version, disable **Display block page**. +To ensure traffic routes through your preferred IP version, disable **Display block page**. 
::: ### Force IPv4 -Force users to connect with IPv4. +Force users to connect with IPv4 by blocking IPv6 resolution. + + | Selector | Operator | Value | Logic | Action | | ----------------- | -------- | ------------- | ----- | ------ | | Query Record Type | is | _AAAA_ | And | Block | | Domain | is | `example.com` | | | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Force IPv4", + "description": "Force users to connect with IPv4 by blocking IPv6 resolution", + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "dns.query_rtype == \"AAAA\" and any(dns.domains[*] == \"example.com\")", + "identity": "", +}' +``` + + + ### Force IPv6 -Force users to connect with IPv6. +Force users to connect with IPv6 by blocking IPv4 resolution. + + | Selector | Operator | Value | Logic | Action | | ----------------- | -------- | ------------- | ----- | ------ | | Query Record Type | is | _A_ | And | Block | | Domain | is | `example.com` | | | + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Force IPv6", + "description": "Force users to connect with IPv6 by blocking IPv4 resolution", + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "dns.query_rtype == \"A\" and any(dns.domains[*] == \"example.com\")", + "identity": "", +}' +``` + + diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index 34a1b6266ce92d..d4889a9d310e8b 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx 
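Review bot: all four new API bodies in this hunk ("Allow social media for Marketing", "Block social media", "Force IPv4", "Force IPv6") end with `"identity": ...,` followed directly by `}'`, so each has the trailing comma that makes the JSON invalid; remove the comma in each. On content: the Marketing example relies on precedence 1 for the allow and 2 for the block, which is correct, but the sentence introducing it should say explicitly that the allow must carry the lower precedence number, since a reader who creates the block first gets the opposite result. The IPv4/IPv6 bodies use `dns.query_rtype == "AAAA"` and `any(dns.domains[*] == "example.com")`, which match the table's `is` operator.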
@@ -22,19 +22,103 @@ Block attempts to reach sites by hostname or URL paths. Different approaches may Block all subdomains that use a host. + + | Selector | Operator | Value | Action | | -------- | ------------- | ---------------- | ------ | | Host | matches regex | `.*example\.com` | Block | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Block sites by hostname", + "description": "Block all subdomains that use a specific hostname", + "enabled": true, + "action": "block", + "filters": [ + "http" + ], + "traffic": "http.request.host matches \".*example\\.com\"", + "identity": "", + "device_posture": "" +}' +``` + + + ### Block sites by URL Block a section of a site without blocking the entire site. For example, you can block a specific subreddit, such as `reddit.com/r/gaming`, without blocking `reddit.com`. + + | Selector | Operator | Value | Action | | -------- | ------------- | ----------- | ------ | | URL | matches regex | `/r/gaming` | Block | - + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Block sites by URL", + "description": "Block specific parts of a site without blocking the hostname", + "enabled": true, + "action": "block", + "filters": [ + "http" + ], + "traffic": "http.request.uri matches \"/r/gaming\"", + "identity": "", + "device_posture": "" +}' +``` + + + +## Block content categories + +Block content categories which go against your organization's acceptable use policy. 
+ + + +| Selector | Operator | Value | Action | +| ------------------ | -------- | -------------------------- | ------ | +| Content Categories | in | _Adult Themes_, _Gambling_ | Block | + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Block adult categories", + "description": "Block access to unauthorized adult and gambling applications", + "enabled": true, + "action": "block", + "filters": [ + "http" + ], + "traffic": "any(http.request.uri.content_category[*] in {2 67 125 133 99})", + "identity": "", + "device_posture": "" +}' +``` + + ## Block unauthorized applications diff --git a/src/content/partials/cloudflare-one/gateway/policies/content-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/content-categories.mdx deleted file mode 100644 index 16b50c2e778ba1..00000000000000 --- a/src/content/partials/cloudflare-one/gateway/policies/content-categories.mdx +++ /dev/null @@ -1,11 +0,0 @@ ---- -{} ---- - -## Block content categories - -Block content categories which go against your organization's acceptable use policy. - -| Selector | Operator | Value | Action | -| ------------------ | -------- | ---------------------- | ------ | -| Content categories | in | Adult Themes, Gambling | Block | From ad867e8c5db15ae110f25377fe68583fa0ddd319 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 26 Dec 2024 12:40:48 -0600 Subject: [PATCH 11/22] Add block AI --- .../gateway/http-policies/common-policies.mdx | 28 ++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index d4889a9d310e8b..266d3f1a27419f 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx 
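Review bot: the two regexes promoted into API bodies here are unanchored and match more than the prose claims. `".*example\\.com"` for "Block all subdomains that use a host" also matches `notexample.com` and `example.com.attacker.net`; anchoring it as `"(^|\\.)example\\.com$"` blocks the host and its subdomains only. `"/r/gaming"` for "block a specific subreddit" matches that path on any host and also `/r/gamingnews`; anchoring to the host and path (for example `"^https://(www\\.)?reddit\\.com/r/gaming(/|$)"`) gives the behaviour the paragraph describes. Separately, the "Block content categories" body's description says "adult and gambling applications" although the rule matches content categories, not applications.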
+++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx @@ -105,7 +105,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ - "name": "Block adult categories", + "name": "Block content categories", "description": "Block access to unauthorized adult and gambling applications", "enabled": true, "action": "block", @@ -124,10 +124,36 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ + + | Selector | Operator | Value | Action | | ----------- | -------- | ------------------------- | ------ | | Application | in | _Artificial Intelligence_ | Block | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Block unauthorized applications", + "description": "Block access to unauthorized AI applications", + "enabled": true, + "action": "block", + "filters": [ + "http" + ], + "traffic": "any(app.type.ids[*] in {25})", + "identity": "", + "device_posture": "" +}' +``` + + + ## Check user identity From 2a2f6fb2cc1c40592c7010004e0dffb8c9fb15ff Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 26 Dec 2024 12:46:00 -0600 Subject: [PATCH 12/22] Add check user identity policy --- .../gateway/http-policies/common-policies.mdx | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index 266d3f1a27419f..1565a48458aa91 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx 
@@ -158,11 +158,37 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ + + | Selector | Operator | Value | Logic | Action | | ---------------- | -------- | ------------- | ----- | ------ | | Application | in | _Salesforce_ | And | Block | | User Group Names | in | _Contractors_ | | | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Check user identity", + "description": "Block access to Salesforce by temporary employees and contractors", + "enabled": true, + "action": "block", + "filters": [ + "http" + ], + "traffic": "any(app.ids[*] in {606})", + "identity": "any(identity.groups.name[*] in {\"Contractors\"})", + "device_posture": "" +}' +``` + + + ## Skip inspection for groups of applications Certain client applications, such as Zoom or Apple services, rely on certificate pinning. The [TLS inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) performed by Cloudflare Gateway will cause errors when users visit those applications. To avoid this behavior, you must add a Do Not Inspect HTTP policy. From db8b92619c7fb99e7eef2d0bcaa5c18a0aaef68a Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 26 Dec 2024 12:50:04 -0600 Subject: [PATCH 13/22] Add DNI policy --- .../gateway/http-policies/common-policies.mdx | 35 ++++++++++++++++--- 1 file changed, 30 insertions(+), 5 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index 1565a48458aa91..fa73c0308ea287 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx 
@@ -191,16 +191,41 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ ## Skip inspection for groups of applications -Certain client applications, such as Zoom or Apple services, rely on certificate pinning. The [TLS inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) performed by Cloudflare Gateway will cause errors when users visit those applications. To avoid this behavior, you must add a Do Not Inspect HTTP policy. +Certain client applications, such as Zoom or Apple services, rely on certificate pinning. The [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) performed by Cloudflare Gateway will cause errors when users visit those applications. To avoid this behavior, you must add a Do Not Inspect HTTP policy. Gateway [evaluates Do Not Inspect policies first](/cloudflare-one/policies/gateway/order-of-enforcement/#http-policies). We recommend moving your Do Not Inspect policies to the top of the list to reduce confusion. -| Selector | Operator | Value | Action | -| ----------- | -------- | -------------- | -------------- | -| Application | in | Do Not Inspect | Do Not Inspect | + -:::note +| Selector | Operator | Value | Action | +| ----------- | -------- | ---------------- | -------------- | +| Application | in | _Do Not Inspect_ | Do Not Inspect | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Bypass incompatible applications", + "description": "Skip TLS decryption for applications that are incompatible with Gateway", + "enabled": true, + "action": "off", + "filters": [ + "http" + ], + "traffic": "any(app.type.ids[*] in {16})", + "identity": "", + "device_posture": "" +}' +``` + + + +:::note You can select either individual applications or the entire Do Not Inspect set, which will update as new applications are added. ::: 
From 6362f1c6ad0b53ad0057d34c522dd153882da9d0 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 26 Dec 2024 12:55:45 -0600 Subject: [PATCH 14/22] Add first device posture check example --- .../gateway/dns-policies/common-policies.mdx | 2 ++ .../gateway/http-policies/common-policies.mdx | 28 +++++++++++++++++++ 2 files changed, 30 insertions(+) diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index 471311145253ea..21c70e8ff24cc3 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx @@ -46,6 +46,8 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ }' ``` +To get the UUIDs of your lists, use the [List Zero Trust lists](/api/resources/zero_trust/subresources/gateway/subresources/lists/methods/list/) endpoint. + ## Block security threats diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index fa73c0308ea287..2e9c3e8314a6f3 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx 
@@ -237,10 +237,38 @@ Require devices to have certain software installed or other configuration attrib Perform an [OS version check](/cloudflare-one/identity/devices/warp-client-checks/os-version/) to ensure users are running at least a minimum version. + + | Selector | Operator | Value | Action | | ---------------------------- | -------- | -------------------- | ------ | | Passed Device Posture Checks | in | `Minimum OS version` | Allow | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Require OS version", + "description": "Perform an OS version check for minimum version", + "enabled": true, + "action": "allow", + "filters": [ + "http" + ], + "traffic": "", + "identity": "", + "device_posture": "any(device_posture.checks.passed[*] in {\"\"})", +}' +``` + +To get the UUIDs of your device posture checks, use the [List device posture rules](/api/resources/zero_trust/subresources/devices/subresources/posture/methods/list/) endpoint. + + + ### Check for a specific file Perform a [file check](/cloudflare-one/identity/devices/warp-client-checks/file-check/) to ensure users have a certain file on their system. From 44d0385aea7ca2ea6f837fa925afe56ce878724e Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 26 Dec 2024 13:02:16 -0600 Subject: [PATCH 15/22] Add device posture examples --- .../gateway/dns-policies/common-policies.mdx | 6 +++ .../gateway/http-policies/common-policies.mdx | 38 ++++++++++++++++--- 2 files changed, 39 insertions(+), 5 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index 21c70e8ff24cc3..51f54d8c060d6c 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx 
+++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx @@ -250,6 +250,8 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ }' ``` +To get the UUIDs of your lists, use the [List Zero Trust lists](/api/resources/zero_trust/subresources/gateway/subresources/lists/methods/list/) endpoint. + ## Block online tracking @@ -283,6 +285,8 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ }' ``` +To get the UUIDs of your lists, use the [List Zero Trust lists](/api/resources/zero_trust/subresources/gateway/subresources/lists/methods/list/) endpoint. + ## Block malicious IPs @@ -316,6 +320,8 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ }' ``` +To get the UUIDs of your lists, use the [List Zero Trust lists](/api/resources/zero_trust/subresources/gateway/subresources/lists/methods/list/) endpoint. + ## Turn on CIPA filter diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index 2e9c3e8314a6f3..7f9714b14f8ad4 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx @@ -241,7 +241,7 @@ Perform an [OS version check](/cloudflare-one/identity/devices/warp-client-check | Selector | Operator | Value | Action | | ---------------------------- | -------- | -------------------- | ------ | -| Passed Device Posture Checks | in | `Minimum OS version` | Allow | +| Passed Device Posture Checks | in | _Minimum OS version_ | Allow | @@ -261,7 +261,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ ], "traffic": "", "identity": "", - "device_posture": "any(device_posture.checks.passed[*] in {\"\"})", + "device_posture": "any(device_posture.checks.passed[*] in {\"\"})" }' ``` 
@@ -271,14 +271,42 @@ To get the UUIDs of your device posture checks, use the [List device posture rul ### Check for a specific file -Perform a [file check](/cloudflare-one/identity/devices/warp-client-checks/file-check/) to ensure users have a certain file on their system. +Perform a [file check](/cloudflare-one/identity/devices/warp-client-checks/file-check/) to ensure users have a certain file on their device. Since the file path will be different for each operating system, you can configure a file check for each system and use the **Or** logical operator to only require one of the checks to pass. + + | Selector | Operator | Value | Logic | Action | | ---------------------------- | -------- | ------------------ | ----- | ------ | -| Passed Device Posture Checks | in | `macOS File Check` | Or | Allow | -| Passed Device Posture Checks | in | `Linux File Check` | | | +| Passed Device Posture Checks | in | _macOS File Check_ | Or | Allow | +| Passed Device Posture Checks | in | _Linux File Check_ | | | + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Check for specific file", + "description": "Ensure users have a specific file on their device regardless of operating system", + "enabled": true, + "action": "allow", + "filters": [ + "http" + ], + "traffic": "", + "identity": "", + "device_posture": "any(device_posture.checks.passed[*] in {\"\"}) or any(device_posture.checks.passed[*] in {\"\"})" +}' +``` + +To get the UUIDs of your device posture checks, use the [List device posture rules](/api/resources/zero_trust/subresources/devices/subresources/posture/methods/list/) endpoint. + + ## Enforce session duration From f7a33776c5ab205ae0f498250685f8f31ddd9c5b Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Thu, 26 Dec 2024 13:49:42 -0600 Subject: [PATCH 16/22] Add isolation policies --- .../browser-isolation/isolation-policies.mdx | 175 +++++++++++++++--- .../gateway/http-policies/common-policies.mdx | 6 - .../gateway/policies/isolate-chatgpt.mdx | 10 - 3 files changed, 153 insertions(+), 38 deletions(-) delete mode 100644 src/content/partials/cloudflare-one/gateway/policies/isolate-chatgpt.mdx diff --git a/src/content/docs/cloudflare-one/policies/browser-isolation/isolation-policies.mdx b/src/content/docs/cloudflare-one/policies/browser-isolation/isolation-policies.mdx index 8878956bf3b615..2c18f1fd7cf848 100644 --- a/src/content/docs/cloudflare-one/policies/browser-isolation/isolation-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/browser-isolation/isolation-policies.mdx @@ -3,10 +3,9 @@ pcx_content_type: reference title: Isolation policies sidebar: order: 2 - --- -import { Render } from "~/components" +import { Render, Tabs, TabItem } from "~/components"; With Browser Isolation, you can define policies to dynamically isolate websites based on identity, security threats, or content. @@ -28,12 +27,10 @@ If instead you need to isolate specific pages, you can list the domains for whic :::note[Isolate identity providers for applications] - Existing cookies and sessions from non-isolated browsing are not sent to the remote browser. Websites that implement single sign-on using third-party cookies will also need to be isolated. For example, if `example.com` authenticates using Google Workspace, you will also need to isolate the top level [Google Workspace URLs](https://support.google.com/a/answer/9012184). - ::: ## Do Not Isolate 
@@ -46,7 +43,7 @@ You can choose to disable isolation for certain destinations or categories. The ## Policy settings -The following optional settings appear in the Gateway HTTP policy builder when you select the *Isolate* action. Enable these settings to [prevent data loss](https://blog.cloudflare.com/data-protection-browser/) when users interact with untrusted websites in the remote browser. +The following optional settings appear in the Gateway HTTP policy builder when you select the _Isolate_ action. Enable these settings to [prevent data loss](https://blog.cloudflare.com/data-protection-browser/) when users interact with untrusted websites in the remote browser. ### Disable copy / paste @@ -62,7 +59,7 @@ Prohibits users from performing keyboard input into the remote web page. :::note -Mouse input remains available (to allow users to browse a website by following hyperlinks and scrolling). This does not prevent user input into third-party virtual keyboards within a remote web page. +Mouse input remains available (to allow users to browse a website by following hyperlinks and scrolling). This does not prevent user input into third-party virtual keyboards within a remote web page. ::: ### Disable upload 
@@ -71,7 +68,7 @@ Prohibits users from uploading files from their local machine into a remote web :::note -This option does not prevent files being uploaded to websites from third-party cloud file managers or files downloaded into the remote browser download bar from other isolated websites. To prevent files being uploaded from the remote browser into an isolated website, use HTTP Policies to block by [Upload Mime Type](/cloudflare-one/policies/gateway/http-policies/#download-and-upload-mime-type). +This option does not prevent files being uploaded to websites from third-party cloud file managers or files downloaded into the remote browser download bar from other isolated websites. To prevent files being uploaded from the remote browser into an isolated website, use HTTP Policies to block by [Upload Mime Type](/cloudflare-one/policies/gateway/http-policies/#download-and-upload-mime-type). ::: ### Disable download @@ -80,7 +77,7 @@ Prohibits users from exporting files from the remote browser to their local mach :::note -This option does not prevent files from being downloaded into the remote browser. To prevent files being downloaded into the remote browser, use HTTP Policies to block by [Download Mime Type](/cloudflare-one/policies/gateway/http-policies/#download-and-upload-mime-type). +This option does not prevent files from being downloaded into the remote browser. To prevent files being downloaded into the remote browser, use HTTP Policies to block by [Download Mime Type](/cloudflare-one/policies/gateway/http-policies/#download-and-upload-mime-type). ::: ### Disable clipboard redirection 
@@ -91,7 +88,7 @@ Prevents copying isolated content from the remote browser to their local clipboa This option does not prevent clipboard interactions between isolated websites. Use [Disable copy / paste](/cloudflare-one/policies/browser-isolation/isolation-policies/#disable-copy--paste) to prohibit clipboard use on sensitive isolated applications. -Disable copy / paste and Disable clipboard redirection are mutually exclusive and cannot be used in conjunction with each other. +Disable copy / paste and Disable clipboard redirection are mutually exclusive and cannot be used in conjunction with each other. ::: ## Common policies 
@@ -100,36 +97,170 @@ Disable copy / paste and Disable clipboard redirection are mutually exclusive an Isolate security threats such as malware and phishing. -| Selector | Operator | Value | Action | -| -------------- | -------- | ------------------ | ------- | -| Security Risks | in | All security risks | Isolate | + + +| Selector | Operator | Value | Action | +| ------------------- | -------- | -------------------- | ------- | +| Security Categories | in | _All security risks_ | Isolate | + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Isolate all security threats", + "description": "Isolate security threats such as malware and phishing", + "enabled": true, + "action": "isolate", + "filters": [ + "http" + ], + "traffic": "any(http.request.uri.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", + "identity": "", + "device_posture": "" +}' +``` + + ### Isolate high risk content Isolate high risk content categories such as newly registered domains. 
-| Selector | Operator | Value | Action | -| ------------------ | -------- | -------------- | ------- | -| Content categories | in | Security Risks | Isolate | + + +| Selector | Operator | Value | Action | +| ------------------ | -------- | ---------------- | ------- | +| Content Categories | in | _Security Risks_ | Isolate | + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Isolate high risk content", + "description": "Isolate high risk content categories such as newly registered domains", + "enabled": true, + "action": "isolate", + "filters": [ + "http" + ], + "traffic": "any(http.request.uri.content_category[*] in {32 169 177 128})", + "identity": "", + "device_posture": "" +}' +``` + + ### Isolate news and media Isolate news and media sites, which are targets for malvertising attacks. -| Selector | Operator | Value | Action | -| ------------------ | -------- | -------------- | ------- | -| Content categories | in | News and Media | Isolate | + + +| Selector | Operator | Value | Action | +| ------------------ | -------- | ---------------- | ------- | +| Content Categories | in | _News and Media_ | Isolate | + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Isolate news and media", + "description": "Isolate news and media sites, which are targets for malvertising attacks", + "enabled": true, + "action": "isolate", + "filters": [ + "http" + ], + "traffic": "any(http.request.uri.content_category[*] in {122})", + "identity": "", + "device_posture": "" +}' +``` + + ### Isolate uncategorized content Isolate content that has not been categorized by [Cloudflare Radar](/radar/). 
-| Selector | Operator | Value | Action | -| ------------------ | -------- | ---------------------- | ------- | -| Content categories | not in | All content categories | Isolate | + + +| Selector | Operator | Value | Action | +| ------------------ | -------- | ------------------------ | ------- | +| Content Categories | not in | _All content categories_ | Isolate | + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Isolate uncategorized content", + "description": "Isolate content not categorized by Cloudflare Radar", + "enabled": true, + "action": "isolate", + "filters": [ + "http" + ], + "traffic": "not(any(http.request.uri.content_category[*] in {2 67 125 133 3 75 183 89 182 6 90 91 144 150 7 70 74 76 79 92 96 100 106 107 116 120 121 122 127 139 156 164 99 9 101 137 10 103 146 11 12 77 98 108 110 111 118 126 129 172 168 113 33 179 166 15 115 119 124 141 161 17 85 87 102 157 135 138 180 162 140 142 32 169 177 128 22 73 82 88 148 23 24 181 71 72 173 78 84 86 94 97 104 105 114 174 93 130 132 136 147 149 154 158 152 26 69 184 81 95 109 123 145 155 159 160 163 165 167}))", + "identity": "", + "device_posture": "" +}' +``` + + ### Isolate ChatGPT Isolate the use of ChatGPT. - + + +| Selector | Operator | Value | Action | +| ----------- | -------- | --------- | ------- | +| Application | in | _ChatGPT_ | Isolate | + +In **Configure policy settings**, you can customize restrictions for ChatGPT. For example, to prevent your users from inputting sensitive information, you can select **Disable copy / paste** and **Disable file uploads**. 
+ + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Isolate ChatGPT", + "description": "Isolate the use of ChatGPT", + "enabled": true, + "action": "isolate", + "filters": [ + "http" + ], + "traffic": "any(app.ids[*] in {1199})", + "identity": "", + "device_posture": "" +}' +``` + + diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index 7f9714b14f8ad4..20a01144bfab2f 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx @@ -358,9 +358,3 @@ Block file downloads from Gmail. | ---------------- | -------- | --------------------------------------- | ----- | ------ | | Host | is | `mail-attachment.googleusercontent.com` | And | Block | | URL Path & Query | is | `/attachment/u/0` | | | - -## Isolate ChatGPT - -[Browser Isolation](/cloudflare-one/policies/browser-isolation/) users can isolate interactions with ChatGPT. - - diff --git a/src/content/partials/cloudflare-one/gateway/policies/isolate-chatgpt.mdx b/src/content/partials/cloudflare-one/gateway/policies/isolate-chatgpt.mdx deleted file mode 100644 index 3f085a92b08652..00000000000000 --- a/src/content/partials/cloudflare-one/gateway/policies/isolate-chatgpt.mdx +++ /dev/null @@ -1,10 +0,0 @@ ---- -{} - ---- - -| Selector | Operator | Value | Action | -| ----------- | -------- | --------- | ------- | -| Application | in | *ChatGPT* | Isolate | - -In **Configure policy settings**, you can customize restrictions for ChatGPT. For example, to prevent your users from inputting sensitive information, you can select **Disable copy / paste** and **Disable file uploads**. 
From a82544f27eaaaba8ea99ec63793a042bacbf9346 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 26 Dec 2024 14:07:57 -0600 Subject: [PATCH 17/22] Add Google policies --- .../dlp-policies/common-policies.mdx | 2 + .../gateway/http-policies/common-policies.mdx | 97 ++++++++++++++++--- .../gateway/policies/block-file-types.mdx | 36 ++++++- 3 files changed, 117 insertions(+), 18 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/common-policies.mdx index 8f68b37b4f8f52..af098b8d5ffe78 100644 --- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/common-policies.mdx @@ -21,6 +21,8 @@ The **Allow** action functions as an implicit logger, providing visibility into | DLP Profile | in | _Financial Information_ | And | Allow | | Content Categories | in | _File Sharing_ | | | +## Block file types + For more information on what file formats DLP can scan, refer to [Supported file types](/cloudflare-one/policies/data-loss-prevention/#supported-file-types). diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index 20a01144bfab2f..31f3a9c513a722 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx 
@@ -320,9 +320,37 @@ If you are using the [Browser Isolation add-on](/cloudflare-one/policies/browser When accessing origin servers with certificates not signed by a public certificate authority, you must bypass TLS decryption. -| Selector | Operator | Value | Action | -| -------- | -------- | ------------------- | -------------- | -| Domain | in | `internal.site.com` | Do Not Inspect | + + +| Selector | Operator | Value | Action | +| -------- | -------- | ---------------------- | -------------- | +| Domain | in | `internal.example.com` | Do Not Inspect | + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Bypass internal site inspection", + "description": "Bypass TLS decryption for internal sites with self-signed certificates", + "enabled": true, + "action": "off", + "filters": [ + "http" + ], + "traffic": "any(http.conn.domains[*] in {\"internal.example.com\"})", + "identity": "", + "device_posture": "" +}' +``` + + + +## Block file types 
@@ -332,29 +360,72 @@ For more information on supported file types, refer to [Download and Upload File To enable Gateway inspection for Google Drive traffic, you must [add a Cloudflare certificate to Google Drive](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#google-drive-for-desktop). -### Block Google Drive uploads - -Block file uploads to Google Drive. - -| Selector | Operator | Value | Logic | Action | -| ---------------- | ------------- | ------------ | ----- | ------ | -| Application | in | Google Drive | And | Block | -| Upload Mime Type | matches regex | `.*` | | | - ### Block Google Drive downloads Block file downloads from Google Drive. + + | Selector | Operator | Value | Logic | Action | | ---------------- | ------------- | -------------------------- | ----- | ------ | -| Application | in | Google Drive | And | Block | +| Application | in | _Google Drive_ | And | Block | | URL Path & Query | matches regex | `.*(e=download\|export).*` | | | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Block Google Drive downloads", + "description": "Block file downloads from Google Drive", + "enabled": true, + "action": "block", + "filters": [ + "http" + ], + "traffic": "any(app.ids[*] in {554}) and http.request.uri.path_and_query matches \".*(e=download\\|export).*\"", + "identity": "", + "device_posture": "" +}' +``` + + + ### Block Gmail downloads Block file downloads from Gmail. 
+ + | Selector | Operator | Value | Logic | Action | | ---------------- | -------- | --------------------------------------- | ----- | ------ | | Host | is | `mail-attachment.googleusercontent.com` | And | Block | | URL Path & Query | is | `/attachment/u/0` | | | + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Block Gmail downloads", + "description": "Block file downloads from Gmail", + "enabled": true, + "action": "block", + "filters": [ + "http" + ], + "traffic": "http.request.host == \"mail-attachment.googleusercontent.com\" and http.request.uri.path_and_query matches \"/attachment/u/0\"", + "identity": "", + "device_posture": "" +}' +``` + + diff --git a/src/content/partials/cloudflare-one/gateway/policies/block-file-types.mdx b/src/content/partials/cloudflare-one/gateway/policies/block-file-types.mdx index fda7276c094061..206f67004a61e0 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/block-file-types.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/block-file-types.mdx 
@@ -2,11 +2,37 @@ {} --- -## Block file types +import { Tabs, TabItem } from "~/components"; Block the upload or download of files based on their type. -| Selector | Operator | Value | Logic | Action | -| ------------------ | -------- | --------------------------------------- | ----- | ------ | -| Upload File Type | in | _Microsoft Office Word Document (docx)_ | And | Block | -| Download File Type | in | _PDF (pdf)_ | | | + + +| Selector | Operator | Value | Logic | Action | +| ------------------- | -------- | --------------------------------------- | ----- | ------ | +| Upload File Types | in | _Microsoft Office Word Document (docx)_ | And | Block | +| Download File Types | in | _PDF (pdf)_ | | | + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Block file types", + "description": "Block the upload or download of files based on their type", + "enabled": true, + "action": "block", + "filters": [ + "http" + ], + "traffic": "any(http.upload.file.types[*] in {\"docx\"}) and any(http.download.file.types[*] in {\"pdf\"})", + "identity": "", + "device_posture": "" +}' +``` + + From c9ffe9b383ca3f9b180fe827e8ed91df407c6235 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 26 Dec 2024 14:31:42 -0600 Subject: [PATCH 18/22] Add first policies --- .../network-policies/common-policies.mdx | 82 ++++++++++++++++++- .../get-started/create-network-policy.mdx | 4 +- .../policies/enforce-device-posture.mdx | 4 +- 3 files changed, 85 insertions(+), 5 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx index 42597d7d81db94..19687f1926588f 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx 
+++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx 
@@ -18,25 +18,105 @@ Refer to the [network policies page](/cloudflare-one/policies/gateway/network-po + + | Selector | Operator | Value | Action | | ----------- | -------- | ------------------------- | ------ | | Application | in | _Artificial Intelligence_ | Block | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Block unauthorized applications", + "description": "Block access to unauthorized AI applications", + "enabled": true, + "action": "block", + "filters": [ + "l4" + ], + "traffic": "any(app.type.ids[*] in {25})", + "identity": "", + "device_posture": "" +}' +``` + + + ## Check user identity + + | Selector | Operator | Value | Logic | Action | | ---------------- | -------- | ------------- | ----- | ------ | | Application | in | _Salesforce_ | And | Block | | User Group Names | in | _Contractors_ | | | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Check user identity", + "description": "Block access to Salesforce by temporary employees and contractors", + "enabled": true, + "action": "block", + "filters": [ + "l4" + ], + "traffic": "any(app.ids[*] in {606})", + "identity": "any(identity.groups.name[*] in {\"Contractors\"})", + "device_posture": "" +}' +``` + + + ## Enforce device posture -Require devices to have certain software installed or other configuration attributes. For instructions on enabling a device posture check, refer to the [device posture section](/cloudflare-one/identity/devices/). +Require devices to have certain software installed or other configuration attributes. For instructions on enabling a device posture check, refer to the [device posture section](/cloudflare-one/identity/devices/). 
For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device: + + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Enforce device posture", + "description": "Limit access to an internal application to approved organization devices", + "enabled": true, + "action": "block", + "filters": [ + "l4" + ], + "traffic": "any(net.sni.domains[*] == \"example.com\")", + "identity": "", + "device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))" +}' +``` + +To get the UUIDs of your device posture checks, use the [List device posture rules](/api/resources/zero_trust/subresources/devices/subresources/posture/methods/list/) endpoint. + + + ## Enforce session duration To require users to re-authenticate after a certain amount of time has elapsed, configure [WARP sessions](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx index fd12c0e93ec03f..7e318cbaadc4e8 100644 --- a/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx +++ b/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx 
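Review bot: in the "Enforce device posture" sample the `device_posture` expression is `not(any(device_posture.checks.passed[*] in {""}))`, with an empty string as the only set member. As shown, no device passes a check with that ID, so `any(...)` is false for every device, `not(...)` is true for every device, and the policy blocks all traffic to `example.com` regardless of posture; the sample needs a real posture-check UUID placeholder (the sentence "To get the UUIDs of your device posture checks, use the List device posture rules endpoint" is the right pointer, so put a visible placeholder in the set for it to fill). In the same hunk, the "Block unauthorized applications" and "Check user identity" samples use bare numeric IDs (`app.type.ids[*] in {25}`, `app.ids[*] in {606}`) with no sentence saying how to look them up; add a pointer in the same style as the posture-check one.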
@@ -12,11 +12,13 @@ To create a new network policy: 2. In the **Network** tab, select **Add a policy**. 3. Name the policy. 4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block. -5. Choose an **Action** to take when traffic matches the logical expression. +5. Choose an **Action** to take when traffic matches the logical expression. For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device: + + 6. Select **Create policy**. diff --git a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx index acab3b57200def..202570afec22e7 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx @@ -2,9 +2,7 @@ {} --- -For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device: - | Selector | Operator | Value | Logic | Action | | ---------------------------- | -------- | ----------------------- | ----- | ------ | -| SNI Domain | is | `internalapp.com` | And | Block | +| SNI Domain | is | `example.com` | And | Block | | Passed Device Posture Checks | not in | _Device serial numbers_ | | | From 1d6e4e4f80ecfbe88ad030716f8455ee32223a54 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 26 Dec 2024 14:38:22 -0600 Subject: [PATCH 19/22] Add HTTP/HTTPS policy --- .../network-policies/common-policies.mdx | 54 ++++++++++++++++++- 1 file changed, 53 insertions(+), 1 deletion(-) 
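Review bot: the sentence appended to step 5 of create-network-policy ("For example, you can use a list of device serial numbers to ensure users can only access an application if they connect with the WARP client from a company device:") is about building a Traffic expression with a serial-number list, but step 5 is "Choose an **Action** to take when traffic matches the logical expression", so the example now describes step 4 from inside step 5 and leaves step 5 ending on a hanging colon. Move the sentence and the rendered partial either under step 4 ("Under **Traffic**, build a logical expression...") or after the numbered steps as a standalone example.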
diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx index 19687f1926588f..ac21114c1dc0a2 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx @@ -127,16 +127,68 @@ Restrict user access to only the specific sites or applications configured in yo ### 1. Allow HTTP and HTTPS traffic + + | Selector | Operator | Value | Logic | Action | | ----------------- | -------- | ----------- | ----- | ------ | | Detected Protocol | is | _TLS_ | And | Allow | | Destination Port | in | `80`, `443` | | | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Allow HTTP and HTTPS traffic", + "description": "Restrict traffic to HTTP and HTTPS traffic", + "enabled": true, + "action": "allow", + "filters": [ + "l4" + ], + "traffic": "net.detected_protocol == \"tls\" and net.dst.port in {80 443}", + "identity": "", + "device_posture": "" +}' +``` + + + ### 2. Block all other traffic + + | Selector | Operator | Value | Action | | -------- | -------- | ------------ | ------ | -| Protocol | in | _UDP_, _TCP_ | Block | +| Protocol | in | _TCP_, _UDP_ | Block | + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Block all other traffic", + "description": "Block all other traffic that is not HTTP or HTTPS", + "enabled": true, + "action": "block", + "filters": [ + "l4" + ], + "traffic": "net.protocol in {\"tcp\" \"udp\"}", + "identity": "", + "device_posture": "" +}' +``` + + ## Restrict access to private networks 
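Review bot: the "Allow HTTP and HTTPS traffic" rule, `net.detected_protocol == "tls" and net.dst.port in {80 443}`, never matches plain HTTP: a cleartext request to port 80 is not detected as TLS, so the only traffic the rule allows is TLS on 443 (or TLS on 80). Combined with step 2, `net.protocol in {"tcp" "udp"}` with `"action": "block"`, HTTP over port 80 is blocked even though the heading says it is allowed. Either drop the Detected Protocol clause and allow on destination port alone, or extend the protocol clause to cover the non-TLS HTTP case. Two smaller points on the same hunk: the block rule only covers TCP and UDP, so "all other traffic" does not include ICMP, and neither JSON body carries a `precedence` field, so the text should say the allow rule must be ordered above the block rule.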
From 26655407320ea682fec775aa47def590eeaf799f Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 26 Dec 2024 14:43:56 -0600 Subject: [PATCH 20/22] Add private network policies --- .../network-policies/common-policies.mdx | 54 ++++++++++++++++++- 1 file changed, 53 insertions(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx index ac21114c1dc0a2..42d0d55ad66059 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx 
@@ -194,17 +194,69 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ Restrict access to resources which you have connected through [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/). -The following example consists of two policies: the first allows specific users to reach your application, and the second blocks all other traffic. Make sure that the Allow policy has higher priority (by positioning it towards the top of the list in the UI). +The following example consists of two policies: the first allows specific users to reach your application, and the second blocks all other traffic. ### 1. Allow company employees + + | Selector | Operator | Value | Logic | Action | | -------------- | ------------- | ---------------- | ----- | ------ | | Destination IP | in | `10.0.0.0/8` | And | Allow | | User Email | matches regex | `.*@example.com` | | | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Allow company employees", + "description": "Allow any users with an organization email to reach the application", + "enabled": true, + "action": "allow", + "filters": [ + "l4" + ], + "traffic": "net.dst.ip in {10.0.0.0/8}", + "identity": "identity.email matches \".*@example.com\"", + "device_posture": "" +}' +``` + + + ### 2. 
Block everyone else + + | Selector | Operator | Value | Action | | -------------- | -------- | ------------ | ------ | | Destination IP | in | `10.0.0.0/8` | Block | + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ +--data '{ + "name": "Block everyone else", + "description": "Block any other users from accessing the application", + "enabled": true, + "action": "block", + "filters": [ + "l4" + ], + "traffic": "net.dst.ip in {10.0.0.0/8}", + "identity": "", + "device_posture": "" +}' +``` + + From e382fddc1b0d53122e2f84b9f918c761b40838a1 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 27 Dec 2024 11:22:09 -0600 Subject: [PATCH 21/22] Update command styling --- .../network-policies/common-policies.mdx | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx index 42d0d55ad66059..5858802d3d5ad3 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx @@ -28,8 +28,8 @@ Refer to the [network policies page](/cloudflare-one/policies/gateway/network-po -```sh -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +```bash +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ 
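Review bot: this hunk removes "Make sure that the Allow policy has higher priority (by positioning it towards the top of the list in the UI)" and replaces it with nothing, while the two curl bodies it adds carry no `precedence` field. A reader who creates "Block everyone else" (`net.dst.ip in {10.0.0.0/8}`, block) before "Allow company employees" will shut every user out of the private range, so restore the ordering sentence. Also, the identity expression `identity.email matches ".*@example.com"` is an unanchored regex with an unescaped dot: it also accepts `user@example.com.other.net` and `user@exampleXcom`. Anchor it and escape the dot, e.g. `^[^@]+@example\.com$`, and mirror that in the table's `matches regex` value.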
@@ -63,8 +63,8 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ -```sh -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +```bash +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -95,8 +95,8 @@ Require devices to have certain software installed or other configuration attrib -```sh -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +```bash +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -138,8 +138,8 @@ Restrict user access to only the specific sites or applications configured in yo -```sh -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +```bash +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -170,8 +170,8 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ -```sh -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +```bash +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ @@ -209,8 +209,8 @@ The following example consists of two policies: the first allows specific users -```sh -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +```bash +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ 
@@ -241,8 +241,8 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ -```sh -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule\ +```bash +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ --header "Content-Type: application/json" \ --header "Authorization: Bearer " \ --data '{ From cfcc528d03090103f3845f1cf0f2e01c05d2b6bd Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 30 Dec 2024 09:58:54 -0600 Subject: [PATCH 22/22] Update variable --- .../policies/gateway/network-policies/common-policies.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx index 5858802d3d5ad3..8786919ed12cf9 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx @@ -109,7 +109,7 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ ], "traffic": "any(net.sni.domains[*] == \"example.com\")", "identity": "", - "device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))" + "device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))" }' ```
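Review bot: the "Update command styling" change is a correctness fix, not just styling: with `rule\` directly followed by the newline, the shell removes the backslash-newline pair and joins `rule` and `--header` into one URL token, so the original samples did not send the header at all. The same `curl ...gateway/rule\` form and the ```sh fence are still present in the `block-gmail-downloads` and `block-file-types` partials earlier in this series; apply the same space-before-backslash and ```bash change there so the partials do not ship the broken form.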
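Review bot: in the "Update variable" hunk the removed and added lines are identical as shown (`"device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))"` on both sides), so whatever variable was updated is not visible in the diff and the posture-check set is still empty. Confirm that the intended placeholder actually landed in the file; as rendered, this hunk is a no-op.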