diff --git a/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx b/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx index 3ba48998e52941b..4b7c9ac1392fe0b 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx @@ -2,7 +2,7 @@ pcx_content_type: reference title: Applications and app types sidebar: - order: 8 + order: 9 --- import { GlossaryDefinition, GlossaryTooltip } from "~/components"; diff --git a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx index 0bcf0888fa0834f..3972268233fc834 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx @@ -2,7 +2,7 @@ pcx_content_type: how-to title: Block page sidebar: - order: 11 + order: 14 banner: content: The default global Cloudflare root certificate expired on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. --- diff --git a/src/content/docs/cloudflare-one/policies/gateway/domain-categories.mdx b/src/content/docs/cloudflare-one/policies/gateway/domain-categories.mdx index 2cd51bdf1a54166..0e1a23edf1ff014 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/domain-categories.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/domain-categories.mdx @@ -2,7 +2,7 @@ pcx_content_type: reference title: Domain categories sidebar: - order: 9 + order: 10 --- import { Render } from "~/components"; diff --git a/src/content/docs/cloudflare-one/policies/gateway/global-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/global-policies.mdx index f8bf4dca95234e0..22e766fcf7a5c56 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/global-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/global-policies.mdx @@ -2,8 +2,7 @@ pcx_content_type: reference title: Global policies sidebar: - order: 7 - + order: 8 --- Cloudflare Zero Trust applies a set of global policies to all accounts. @@ -14,8 +13,6 @@ The following policies are sorted by [order of precedence](/cloudflare-one/polic ## Network proxy policies - - | Name | ID | Criteria | Value | Action | Description | | --------------------------------- | -------------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -------------------------------------------------------------------------------------------------------- | | Allow CF Network Error Logging L4 | `00000001-e4af-4b82-8f8c-c79c1d5d212e` | Hostname | `*.nel.cloudflare.com` | allow | Allows SNI domains for WARP registration. | @@ -24,12 +21,8 @@ The following policies are sorted by [order of precedence](/cloudflare-one/polic | Allow Zero Trust Services | `00000001-e1e8-421b-a0fe-895397489f28` | Hostname | `dash.teams.cloudflare.com`, `help.teams.cloudflare.com`, `blocked.teams.cloudflare.com`, `api.cloudflare.com`, `cloudflarestatus.com`, `www.cloudflarestatus.com`, and `one.dash.cloudflare.com` | allow | Allows Cloudflare Zero Trust services. | | Allow Access Apps L4 | `00000001-daa2-41e2-8a88-698af4066951` | Hostname | `*.cloudflareaccess.com` | allow | Allows [Cloudflare Access](/cloudflare-one/policies/access/) applications. | - - ## HTTP inspection policies - - | Name | ID | Criteria | Value | Action | Description | | -------------------------------------- | -------------------------------------- | ---------------- | ------------------------------------------------------------------ | --------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | | Prevent Account Change Block | `00000001-d1f2-461a-8253-501c8d882a15` | Hostname | `*.cloudflareclient.com` | bypass | Ensures users cannot accidentally block themselves from making account changes. | @@ -49,4 +42,3 @@ The following policies are sorted by [order of precedence](/cloudflare-one/polic | Always Blocked Categories | `00000001-bed5-462e-b0f1-2e2c3555e9f7` | Content Category | Child Abuse | block | Blocks child abuse materials. | | Don't Isolate RBI Help Pages | `00000001-1a18-431f-9c9d-bce431f1002a` | Hostname | `developers.cloudflare.com` and `help.cloudflarebrowser.com` | noisolate | Prevents browser isolation of Cloudflare developer docs and help pages to help users troubleshoot configuration issues. | | Don't AV Scan CF Speed | `00000001-c194-408f-87dd-9a366ce76e12` | Hostname | `speed.cloudflare.com` | noscan | Allows files transferred by the Cloudflare speed test. | - diff --git a/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx b/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx index a656f174f6687a1..b517806d4dbee87 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx @@ -2,7 +2,7 @@ pcx_content_type: reference title: Identity-based policies sidebar: - order: 10 + order: 7 --- import { Render } from "~/components"; diff --git a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx new file mode 100644 index 000000000000000..4b944890e769614 --- /dev/null +++ b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx @@ -0,0 +1,94 @@ +--- +pcx_content_type: how-to +title: Managed service providers (MSPs) +sidebar: + order: 15 +--- + +:::note +Only available on Enterprise plans. For more information, contact your account team. +::: + +Gateway supports the [Cloudflare Tenant API](/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With the Tenant API, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a group or individual account level. + +The Tenant platform only supports [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). For more information, refer to the [Cloudflare Zero Trust for managed service providers](https://blog.cloudflare.com/gateway-managed-service-provider/) blog post. + +## Get started + +{/* Don't need to surface much of the policy creation flow here */} + +To set up the Tenant API, refer to [Get started](/tenant/get-started/). Once you have provisioned and configured your customer's Cloudflare accounts, you can create [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). + +## Account types + +The Gateway Tenant platform supports tiered and siloed account configurations. + +### Tiered accounts + +In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can override or add policies as needed while still being managed by the parent account. MSPs can also configure child accounts independently from the parent account, including: + +- Configuring a [custom block page](/cloudflare-one/policies/gateway/block-page/) +- Generating or uploading [root certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/) +- Mapping [DNS locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/) +- Creating [lists](/cloudflare-one/policies/gateway/lists/) + +Each child account is subject to the default Zero Trust [account limits](/cloudflare-one/account-limits/). + +Gateway evaluates parent account policies before any child account policies. To allow a child account to override a specific parent account policy, you can use the [Update a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/update/) endpoint to set the policy's `allow_child_bypass` rule setting to `true`. + +```mermaid +flowchart TD +%% Accessibility + accTitle: How Gateway policies work in a tiered account configuration + accDescr: Flowchart describing the order of precedence Gateway applies policies in a tiered account configuration. + +%% Flowchart + subgraph s1["Parent account"] + n1["Block malware"] + n2["Block DNS tunnel"] + n3["Block spyware"] + end + subgraph s2["Child account A"] + n4["Block social media"] + end + subgraph s3["Child account B"] + n5["Block instant messaging"] + end + n1 ~~~ n2 + n2 ~~~ n3 + A["Tenant"] --Administers--> s1 + s1 -- "Applies policies to" --> s2 & s3 + + n1@{ shape: lean-l} + n2@{ shape: lean-l} + n3@{ shape: lean-l} + n4@{ shape: lean-l} + n5@{ shape: lean-l} +``` + +### Siloed accounts + +In a siloed account configuration, each account operates independently within the same tenant. MSPs manage each account's own security policies, resources, and configurations separately. + +```mermaid +flowchart TD +%% Accessibility + accTitle: How Gateway policies work in a siloed account configuration + accDescr: Flowchart describing the order of precedence Gateway applies policies in a siloed account configuration. + +%% Flowchart + subgraph s1["Siloed account A"] + n1["Block social media"] + end + subgraph s2["Siloed account C"] + n2["Block instant messaing"] + end + subgraph s3["Siloed account B"] + n3["Block news"] + end + A["Tenant"] -- Administers --> s1 & s3 & s2 + + n1@{ shape: lean-l} + n2@{ shape: lean-l} + n3@{ shape: lean-l} +``` diff --git a/src/content/docs/cloudflare-one/policies/gateway/order-of-enforcement.mdx b/src/content/docs/cloudflare-one/policies/gateway/order-of-enforcement.mdx index 888924875b3844d..00663c799620567 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/order-of-enforcement.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/order-of-enforcement.mdx @@ -2,7 +2,7 @@ pcx_content_type: concept title: Order of enforcement sidebar: - order: 12 + order: 11 --- import { Render } from "~/components"; diff --git a/src/content/docs/cloudflare-one/policies/gateway/proxy.mdx b/src/content/docs/cloudflare-one/policies/gateway/proxy.mdx index 499d43e77d773d5..b230310d501cf32 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/proxy.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/proxy.mdx @@ -2,7 +2,7 @@ pcx_content_type: concept title: Proxy sidebar: - order: 14 + order: 12 --- import { Badge } from "~/components";