From 890852301439530530c174aa19e83edd7785ee81 Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Wed, 19 Feb 2025 18:09:05 +0000 Subject: [PATCH 1/2] [CF1] override code troubleshooting --- .../configure-warp/warp-settings/index.mdx | 35 ++++++++++++++++--- .../cloudflare-one/faq/troubleshooting.mdx | 4 +++ 2 files changed, 34 insertions(+), 5 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx index f0c420c36f43ab3..16628a249b404db 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx @@ -27,13 +27,31 @@ WARP settings define the WARP client modes and permissions available to end user :::note -In order to enable **Admin override**, [**Lock WARP switch**](#lock-warp-switch) must also be enabled. +To enable **Admin override**, you must have first enabled the [**Lock WARP switch**](#lock-warp-switch). ::: -When `Enabled`, end users can turn off the WARP client using an override code provided by an admin. This feature allows users to work around a temporary network issue (for example, an incompatible public Wi-Fi, or a firewall at a customer site blocking the connection). +When **Admin override** is turned on, end users can turn off the WARP client using an override code provided by an admin. -You can set a **Timeout** to define how long a user can toggle on or off the WARP switch. The timer starts when the user first enters their code into the WARP client. The code remains valid and can be reused anytime during this time period. For example, if **Timeout** is 24 hours, the user can re-enter the code at 23:59:00 and continue to turn off WARP until 47:59:00 (up to 48 hours total). +To enable **Admin override**: + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**. +2. Toggle **Admin override** on. +3. (Optional) Set the **Timeout** to your desired time. **Timeout** is set to 1 hour by default. + +**Admin override** allows end users to momentarily turn off WARP with an override code to work around a temporary network issue (for example, an incompatible public Wi-Fi, or a firewall at a customer site blocking the connection). + +As admin, you can set a **Timeout** to define how long a user can toggle on or off the WARP switch after entering the override code. Cloudflare generates a new override code every hour that the admin can access and send to end users. The override code's validity adheres to fixed-hour time blocks and aims to be generous to the end user. For example, if admin generates a code with a **Timeout** of one hour at 9:00 AM and the end user inputs the override code in their device at 9:59AM, the user will be able to toggle WARP on and off until 10:59AM (a one hour duration.) + +However, if admin generates an override code at 9:00 AM that has a one hour Timeout and the user attempts to enter it at 10:00 AM, the override code will not work. + +If an admin generated an override code at 9:00 AM and set a **Timeout** to three hours, a user who enters the override code at 9:59 AM would be able to toggle WARP off for three hours (until 12:59 PM). A user who enters the same override code at 10AM would only be able to toggle WARP off for two hours (until 12 PM) because the 9:00 AM hour block would be counted as used. + +To learn more about override code timeouts and how Cloudflare calculates an override code's validity, refer to Troubleshooting. + +::: + +Be aware that if [**Auto connect**](#auto-connect) is enabled, WARP will turn on according to the value set by **Auto connect** even when an override code has been entered by the user. To prevent WARP from auto connecting, temporarily disable **Auto connect** or temporarily set a longer **Timeout** for **Auto connect**. #### Retrieve the override code @@ -163,10 +181,17 @@ For more details on WireGuard versus MASQUE, refer to our [blog post](https://bl Allows the user to turn off the WARP switch and disconnect the client. +To enable the Lock WARP switch: + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**. +2. Find the profile you would like to enable the Lock WARP switch for and select the three dot icon next to the profile. +3. Select **Configure**. +4. Under **Configure settings**, toggle the **Lock WARP switch** on. + **Value:** -- `Disabled`: (default) The user is able to turn the switch on or off at their discretion. When the switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks. -- `Enabled`: The user is prevented from turning off the switch. The WARP client will always start in the connected state. +- `Disabled`: (default) The user is able to turn the WARP switch on or off at their discretion. When the WARP switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks. +- `Enabled`: The user is prevented from turning off the WARP switch. The WARP client will always start in the connected state. On MDM deployments, you must also include the `auto_connect` parameter with at least a value of `0`. This will prevent clients from being deployed in the off state without a way for users to manually enable them. diff --git a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx index 96d9ffa8d8ff506..fb1aef331f7a81a 100644 --- a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx +++ b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx @@ -267,3 +267,7 @@ Turning off TLS decryption should be a temporary measure. TLS decryption should ## I am getting an `Error 401: deleted_client - The OAuth Client was deleted` authorization error. + +## I entered an override code for WARP that was supposed to be valid for 3 hours but the override code expired faster than I expected. + +## I disabled WARP using an override code but WARP turned on by itself before my override code expired. From b536cd5b73141533f7c7d065a052b6b1b52772d9 Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Thu, 20 Feb 2025 12:55:47 +0000 Subject: [PATCH 2/2] edits to scenarios --- .../configure-warp/warp-settings/index.mdx | 27 +++++-------------- .../cloudflare-one/faq/troubleshooting.mdx | 26 ++++++++++++++++++ 2 files changed, 32 insertions(+), 21 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx index 16628a249b404db..916e17101426a31 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx @@ -27,32 +27,24 @@ WARP settings define the WARP client modes and permissions available to end user :::note -To enable **Admin override**, you must have first enabled the [**Lock WARP switch**](#lock-warp-switch). +To use **Admin override**, you must first have enabled the [**Lock WARP switch**](#lock-warp-switch). ::: -When **Admin override** is turned on, end users can turn off the WARP client using an override code provided by an admin. - -To enable **Admin override**: - -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**. -2. Toggle **Admin override** on. -3. (Optional) Set the **Timeout** to your desired time. **Timeout** is set to 1 hour by default. +When the [**Lock WARP switch**](#lock-warp-switch) is enabled, users cannot turn the WARP client off on their device. Enabling **Admin override** gives users the ability to turn off the WARP client using an override code provided by an admin. **Admin override** allows end users to momentarily turn off WARP with an override code to work around a temporary network issue (for example, an incompatible public Wi-Fi, or a firewall at a customer site blocking the connection). -As admin, you can set a **Timeout** to define how long a user can toggle on or off the WARP switch after entering the override code. Cloudflare generates a new override code every hour that the admin can access and send to end users. The override code's validity adheres to fixed-hour time blocks and aims to be generous to the end user. For example, if admin generates a code with a **Timeout** of one hour at 9:00 AM and the end user inputs the override code in their device at 9:59AM, the user will be able to toggle WARP on and off until 10:59AM (a one hour duration.) +As admin, you can set a **Timeout** to define how long a user can toggle the WARP switch on or off after entering the override code. Cloudflare generates a new override code every hour that an admin can send to end users. The override code's validity adheres to fixed-hour time blocks and aims to be generous to the end user. -However, if admin generates an override code at 9:00 AM that has a one hour Timeout and the user attempts to enter it at 10:00 AM, the override code will not work. +:::caution[Troubleshooting] -If an admin generated an override code at 9:00 AM and set a **Timeout** to three hours, a user who enters the override code at 9:59 AM would be able to toggle WARP off for three hours (until 12:59 PM). A user who enters the same override code at 10AM would only be able to toggle WARP off for two hours (until 12 PM) because the 9:00 AM hour block would be counted as used. +To learn more about override code timeouts and how Cloudflare calculates an override code's valid duration, refer to [Troubleshooting](/cloudflare-one/faq/troubleshooting/#i-entered-an-override-code-for-warp-that-was-supposed-to-be-valid-for-3-hours-but-the-override-code-expired-faster-than-i-expected). -To learn more about override code timeouts and how Cloudflare calculates an override code's validity, refer to Troubleshooting. +If [**Auto connect**](#auto-connect) is enabled, WARP will turn on even when using a **Admin override**. Refer to [Troubleshooting](/cloudflare-one/faq/troubleshooting/#i-disabled-warp-using-an-override-code-but-warp-turned-on-by-itself-before-my-override-code-expired) for more details. ::: -Be aware that if [**Auto connect**](#auto-connect) is enabled, WARP will turn on according to the value set by **Auto connect** even when an override code has been entered by the user. To prevent WARP from auto connecting, temporarily disable **Auto connect** or temporarily set a longer **Timeout** for **Auto connect**. - #### Retrieve the override code To retrieve the one-time code for a user: @@ -181,13 +173,6 @@ For more details on WireGuard versus MASQUE, refer to our [blog post](https://bl Allows the user to turn off the WARP switch and disconnect the client. -To enable the Lock WARP switch: - -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**. -2. Find the profile you would like to enable the Lock WARP switch for and select the three dot icon next to the profile. -3. Select **Configure**. -4. Under **Configure settings**, toggle the **Lock WARP switch** on. - **Value:** - `Disabled`: (default) The user is able to turn the WARP switch on or off at their discretion. When the WARP switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks. diff --git a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx index fb1aef331f7a81a..71e00693592289b 100644 --- a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx +++ b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx @@ -270,4 +270,30 @@ Turning off TLS decryption should be a temporary measure. TLS decryption should ## I entered an override code for WARP that was supposed to be valid for 3 hours but the override code expired faster than I expected. +[Admin override](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#admin-override) codes are time-sensitive and adhere to fixed-hour time blocks. An override code's validity is attached to the hour it was generated in. Override codes cannot be reused after their timeout has expired. When an override code timeout has expired, the user must receive a new override code from the admin. Refer to the following scenarios. + +### Scenario one: Admin generates an override code at 9:00 AM with a timeout of one hour. + +If admin generates an override code with a timeout of one hour at **9:00 AM** and the user inputs the override code in their device at **9:59 AM**, the user will be able to toggle WARP on and off until **10:59 AM** (a one hour duration.) + +However, if the user attempts to enter the override code at **10:00 AM**, the override code will not work. The override code will not work because the override code was generated at **9:00 AM** and its one hour validity was counted as used in the 9:00 AM to 10:00 AM hour. + +### Scenario two: Admin generates an override code at 9:30 AM with timeout of three hours. + +If admin generates an override code with a timeout of three hours at **9:30 AM** and the user inputs the override code in their device at **9:59 AM**, the user will be able to toggle WARP on and off until **12:59 PM** (a three hour duration.) + +However, if the user attempts to enter the override code at **10:00 AM**, the override code will only be valid until **12:00 PM** (a two hour duration). The override code was generated at **9:30 AM** and one hour of its total three hour validity was counted as used in the 9:00 AM to 10:00 AM hour. + +### Scenariot three: Admin generates an override code at 12:30 PM with a timeout of 24 hours. + +If admin generates an override code with a timeout of 24 hours at **12:00 PM** and the user inputs the override code in their device at **12:59 PM** the same day, the user will be able to toggle WARP on and off until **12:59 PM** the next day (a 24 hour duration.) + +However, if the user attempts to enter the override code at **1:00 PM** the same day, the override code will only be valid until **11:00 AM** the next day (a 23 hour duration). The override code was generated at **12:00 PM** and one hour of its total 24 hour validity was counted as used in the 12:00 PM to 1:00 PM hour. + +If the user attempts to enter the override code at **12:59 PM** the next day, the override code will only be valid until **1:59 PM** (a one hour duration). The override code was generated at **12:00 PM** and 23 hours of its total 24 hour validity were counted as used from 12:00 PM to 11:00 AM the next day (a 23 hour duration). + ## I disabled WARP using an override code but WARP turned on by itself before my override code expired. + +If you are using an [Admin override](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#admin-override) code with [Auto connect](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#auto-connect) enabled, WARP will turn on automatically according to the Timeout set for **Auto connect** even when an override code has been entered by the user. + +To prevent WARP from auto connecting while using an admin override code, temporarily disable **Auto connect** or temporarily set a longer **Timeout** for **Auto connect**.