From fd96d7955054e98ec76026ba924c560ee37359f4 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 20 Feb 2025 17:19:09 -0600 Subject: [PATCH 01/12] Add quarantined users policy --- .../recommended-network-policies.mdx | 51 ++++++++++++++++++- 1 file changed, 49 insertions(+), 2 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx index 547f210fbc45046..ee1560e164b903b 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx @@ -5,7 +5,7 @@ sidebar: order: 2 --- -import { GlossaryTooltip, Render } from "~/components"; +import { GlossaryTooltip, Render, Tabs, TabItem } from "~/components"; We recommend you add the following network policies to build an Internet and SaaS app security strategy for your organization. 
@@ -15,13 +15,60 @@ For more information on building network policies, refer to [Network policies](/ + + + + | Selector | Operator | Value | Logic | Action | | ---------------- | ----------- | ----------------------------------- | ----- | ------ | | Destination IP | not in list | _Quarantined-Users-IPAllowlist_ | Or | Block | | SNI | not in list | _Quarantined-Users-HostAllowlist_ | Or | | -| Domain SNI | not in list | _Quarantined-Users-DomainAllowlist_ | And | | +| SNI Domain | not in list | _Quarantined-Users-DomainAllowlist_ | And | | | User Group Names | in | _Quarantined Users_ | | | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "Quarantined-Users-NET-Restricted-Access", + "description": "Restrict access for users included in an IdP user group for risky users", + "precedence": 0, + "enabled": true, + "action": "allow", + "filters": [ + "l4" + ], + "traffic": "not(net.dst.ip in $) or not(net.sni.host in $) or not(any(net.sni.domains[*] in $))", + "identity": "any(identity.groups.name[*] in {\"Quarantined Users\"})" +}' +``` + + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "quarantined_users_net_restricted_access" { + account_id = var.account_id + name = "Quarantined-Users-NET-Restricted-Access" + description = "Restrict access for users included in an IdP user group for risky users" + precedence = 0 + enabled = true + action = "allow" + filters = ["l4"] + traffic = "not(net.dst.ip in ${"$"}${cloudflare_zero_trust_list.quarantined_users_ip_list.id}) or not(net.sni.host in ${"$"}${cloudflare_zero_trust_list.quarantined_users_host_list.id}) or not(any(net.sni.domains[*] in ${"$"}${cloudflare_zero_trust_list.quarantined_users_domain_list.id}))" + identity = "any(identity.groups.name[*] in {\"Quarantined Users\"})" +} +``` + + + + ## Posture-Fail-NET-Restricted-Access Restrict 
access for devices where baseline posture checks have not passed. If posture checks are integrated with service providers such as Crowdstrike or Intune via the API, this policy dynamically blocks access for devices that do not meet predetermined security requirements. From ac437974999392e0a34d1f889dcd5dbb2ec2bea3 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 20 Feb 2025 18:01:15 -0600 Subject: [PATCH 02/12] Add posture fail policy --- .../recommended-network-policies.mdx | 61 +++++++++++++++++-- 1 file changed, 55 insertions(+), 6 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx index ee1560e164b903b..b7977a220b85222 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx @@ -39,11 +39,11 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ "description": "Restrict access for users included in an IdP user group for risky users", "precedence": 0, "enabled": true, - "action": "allow", + "action": "block", "filters": [ "l4" ], - "traffic": "not(net.dst.ip in $) or not(net.sni.host in $) or not(any(net.sni.domains[*] in $))", + "traffic": "not(net.dst.ip in $) or not(net.sni.host in $) or not(any(net.sni.domains[*] in $))", "identity": "any(identity.groups.name[*] in {\"Quarantined Users\"})" }' ``` 
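Review bot: Every list reference in the curl tab's `traffic` expression is a bare `$` (`not(net.dst.ip in $) or not(net.sni.host in $) or not(any(net.sni.domains[*] in $))`), whereas the Terraform tab in the same hunk shows the intended form, `$` immediately followed by the list ID; a reader who pastes the curl example as-is would presumably get the request rejected or a policy that never matches. If an angle-bracketed placeholder after each `$` was dropped when this page was rendered, disregard; otherwise use an obviously labelled placeholder such as `not(net.dst.ip in $<IP_ALLOWLIST_ID>)` and add one sentence on where to obtain list IDs, as the device-posture partial touched later in this series does for posture check UUIDs. The same bare `$` appears in the Posture-Fail, FinanceUsers, Internet-Blocklist, SSH-Allowlist, NO-HTTP-HTTPS and InternalNetwork-ImplicitDeny curl examples added by the later patches, so one fix should cover all of them.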
@@ -59,9 +59,9 @@ resource "cloudflare_zero_trust_gateway_policy" "quarantined_users_net_restricte description = "Restrict access for users included in an IdP user group for risky users" precedence = 0 enabled = true - action = "allow" + action = "block" filters = ["l4"] - traffic = "not(net.dst.ip in ${"$"}${cloudflare_zero_trust_list.quarantined_users_ip_list.id}) or not(net.sni.host in ${"$"}${cloudflare_zero_trust_list.quarantined_users_host_list.id}) or not(any(net.sni.domains[*] in ${"$"}${cloudflare_zero_trust_list.quarantined_users_domain_list.id}))" + traffic = "not(net.dst.ip in ${"$"}${cloudflare_zero_trust_list.ip_allowlist.id}) or not(net.sni.host in ${"$"}${cloudflare_zero_trust_list.host_allowlist.id}) or not(any(net.sni.domains[*] in ${"$"}${cloudflare_zero_trust_list.domain_allowlist.id}))" identity = "any(identity.groups.name[*] in {\"Quarantined Users\"})" } ``` 
@@ -73,13 +73,62 @@ resource "cloudflare_zero_trust_gateway_policy" "quarantined_users_net_restricte Restrict access for devices where baseline posture checks have not passed. If posture checks are integrated with service providers such as Crowdstrike or Intune via the API, this policy dynamically blocks access for devices that do not meet predetermined security requirements. + + + + + + | Selector | Operator | Value | Logic | Action | | ---------------------------- | ----------- | ----------------------------------- | ----- | ------ | | Destination IP | not in list | _Posture-Fail-IPAllowlist_ | Or | Block | | SNI | not in list | _Posture-Fail-HostAllowlist_ | Or | | -| Domain SNI | not in list | _Posture-Fail-DomainAllowlist_ | And | | +| SNI Domain | not in list | _Posture-Fail-DomainAllowlist_ | And | | | Passed Device Posture Checks | not in | _Windows 10 or higher (OS version)_ | | | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "Posture-Fail-NET-Restricted-Access", + "description": "Restrict access for devices where baseline posture checks have not passed", + "precedence": 0, + "enabled": true, + "action": "block", + "filters": [ + "l4" + ], + "traffic": "not(net.dst.ip in $) or not(net.sni.host in $) or not(any(net.sni.domains[*] in $))", + "device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))" +}' +``` + + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "posture_fail_net_restricted_access" { + account_id = var.account_id + name = "Posture-Fail-NET-Restricted-Access" + description = "Restrict access for devices where baseline posture checks have not passed" + precedence = 0 + enabled = true + action = "block" + filters = ["l4"] + traffic = "not(net.dst.ip in ${"$"}${cloudflare_zero_trust_list.ip_allowlist.id}) or not(net.sni.host in 
${"$"}${cloudflare_zero_trust_list.host_allowlist.id}) or not(any(net.sni.domains[*] in ${"$"}${cloudflare_zero_trust_list.domain_allowlist.id}))" + device_posture = "not(any(device_posture.checks.passed[*] in {\"\"}))" +} +``` + + + + You can add a number of WARP client device posture checks as needed, such as [Disk encryption](/cloudflare-one/identity/devices/warp-client-checks/disk-encryption/) and [Domain joined](/cloudflare-one/identity/devices/warp-client-checks/domain-joined/). For more information on device posture checks, refer to [Enforce device posture](/cloudflare-one/identity/devices/). ## FinanceUsers-NET-HTTPS-FinanceServers (example) 
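Review bot: The `device_posture` expression `not(any(device_posture.checks.passed[*] in {\"\"}))` carries an empty string where the table above names a concrete check (_Windows 10 or higher (OS version)_); presumably no posture check ID is the empty string, so `any(...)` never holds and the negation makes this policy block every device that misses the allowlists regardless of its posture. If a placeholder inside angle brackets was lost in rendering, disregard; otherwise write it as `{\"<POSTURE_CHECK_UUID>\"}` in both tabs and state where the UUID comes from. Separately, the Terraform tab references `cloudflare_zero_trust_list.ip_allowlist`, `host_allowlist` and `domain_allowlist`, the same resources the Quarantined-Users Terraform example was just changed to use in the previous hunk, while the tables show a distinct allowlist per policy (_Posture-Fail-IPAllowlist_ versus _Quarantined-Users-IPAllowlist_); one of the two should be adjusted so readers do not merge the exemptions granted to quarantined users and to posture-failed devices into a single list.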
@@ -101,7 +150,7 @@ Block traffic to destination IPs, + + + | Selector | Operator | Value | Logic | Action | | ---------------- | -------- | ----------------- | ----- | ------ | | Destination IP | in list | _Finance Servers_ | And | Allow | | User Group Names | in | _Finance Users_ | | | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "FinanceUsers-NET-HTTPS-FinanceServers", + "description": "Allow HTTPS access for user groups", + "precedence": 0, + "enabled": true, + "action": "allow", + "filters": [ + "l4" + ], + "traffic": "net.dst.ip in $", + "identity": "any(identity.groups.name[*] in {\"Finance Users\"})" +}' +``` + + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "finance_users_net_https_finance_servers" { + account_id = var.account_id + name = "FinanceUsers-NET-HTTPS-FinanceServers" + description = "Allow HTTPS access for user groups" + precedence = 0 + enabled = true + action = "allow" + filters = ["l4"] + traffic = "net.dst.ip in ${"$"}${cloudflare_zero_trust_list.finance_servers_list.id}" + identity = "any(identity.groups.name[*] in {\"Finance Users\"})" +} +``` + + + + ## All-NET-Internet-Blocklist Block traffic to destination IPs, SNIs, and domain SNIs that are malicious or pose a threat to your organization. From 11e6e605e98b6a3fe6a75eb129f47e3d037e4f77 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 21 Feb 2025 13:07:12 -0600 Subject: [PATCH 04/12] Add Internet blocklist policy --- .../recommended-network-policies.mdx | 47 ++++++++++++++++++- 1 file changed, 46 insertions(+), 1 deletion(-) 
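Review bot: The FinanceUsers-NET-HTTPS-FinanceServers `traffic` expression, `net.dst.ip in $`, allows any L4 traffic from the group to the finance servers, not only HTTPS as the policy name and the description `Allow HTTPS access for user groups` state; the table likewise has no port or protocol row. If the intent is HTTPS only, add a Destination Port row to the table and extend the expression to `net.dst.ip in $ and net.dst.port == 443` in both the curl and Terraform tabs; otherwise rename the policy or reword the description so it does not promise a restriction the rule does not enforce. The example is labelled as such in the heading, but an allow that is broader than its name is exactly the kind of snippet that gets copied into production unchanged.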
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx index 798b4fe91a03d1f..dd24978e454e150 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx 
@@ -189,16 +189,61 @@ resource "cloudflare_zero_trust_gateway_policy" "finance_users_net_https_finance ## All-NET-Internet-Blocklist -Block traffic to destination IPs, SNIs, and domain SNIs that are malicious or pose a threat to your organization. +Block traffic to destination IPs, SNIs, and SNI domains that are malicious or pose a threat to your organization. + + + + | Selector | Operator | Value | Logic | Action | | -------------- | -------- | ------------------ | ----- | ------ | | Destination IP | in list | _IP Blocklist_ | Or | Block | | SNI | in list | _Host Blocklist_ | Or | | | SNI Domain | in list | _Domain Blocklist_ | | | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "All-NET-Internet-Blocklist", + "description": "Block traffic to malicious or risky destination IPs, SNIs, and SNI domains", + "precedence": 0, + "enabled": true, + "action": "block", + "filters": [ + "l4" + ], + "traffic": "net.dst.ip in $ and net.sni.host in $ and any(net.sni.domains[*] in $)" +}' +``` + + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "finance_users_net_https_finance_servers" { + account_id = var.account_id + name = "All-NET-Internet-Blocklist" + description = "Block traffic to malicious or risky destination IPs, SNIs, and SNI domains" + precedence = 0 + enabled = true + action = "block" + filters = ["l4"] + traffic = "net.dst.ip in ${"$"}${cloudflare_zero_trust_list.ip_blocklist.id} and net.sni.host in ${"$"}${cloudflare_zero_trust_list.host_blocklist.id} and any(net.sni.domains[*] in ${"$"}${cloudflare_zero_trust_list.domain_blocklist.id})" +} +``` + + + + :::note The **Detected Protocol** selector is only available for Enterprise users. For more information, refer to [Protocol detection](/cloudflare-one/policies/gateway/network-policies/protocol-detection/). ::: 
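Review bot: The All-NET-Internet-Blocklist expression joins the three list checks with `and` in both the curl and Terraform tabs (`net.dst.ip in $ and net.sni.host in $ and any(net.sni.domains[*] in $)`), whereas the table's Logic column says Or; with `and`, a connection is blocked only when its destination IP, SNI host and SNI domain are all on their respective blocklists, so a blocklisted IP reached under an unlisted SNI would pass. Change both tabs to `net.dst.ip in $... or net.sni.host in $... or any(net.sni.domains[*] in $...)` so they match the table and the sentence above it. The Terraform resource is also still named `finance_users_net_https_finance_servers`, a copy of the previous example, which would collide with that resource if both snippets are applied in one configuration; rename it `all_net_internet_blocklist`.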
From 367e3f3224b4baee00c2a9943171c36d2e64daa5 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 21 Feb 2025 13:11:49 -0600 Subject: [PATCH 05/12] Add SSH allowlist policy --- .../recommended-network-policies.mdx | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx index dd24978e454e150..b9230263fc5a29c 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx @@ -254,6 +254,10 @@ Allow SSH traffic to specific endpoints on the Internet for specific users. You Optionally, you can include a selector to filter by source IP or IdP group. + + + + | Selector | Operator | Value | Logic | Action | | ----------------- | -------- | ------------------- | ----- | ------ | | Destination IP | in list | _SSHAllowList_ | Or | Allow | 
@@ -261,6 +265,49 @@ Optionally, you can include a selector to filter by source IP or IdP group. | Detected Protocol | is | _SSH_ | And | | | User Group Names | in | _SSH-Allowed-Users_ | | | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "All-NET-SSH-Internet-Allowlist", + "description": "Allow SSH traffic to specific endpoints on the Internet for specific users", + "precedence": 0, + "enabled": true, + "action": "allow", + "filters": [ + "l4" + ], + "traffic": "net.dst.ip in $ and net.sni.host in $ and net.detected_protocol == \"ssh\"", + "identity": "any(identity.groups.name[*] in {\"SSH-Allowed-Users\"})" +}' +``` + + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "all_net_ssh_internet_allowlist" { + account_id = var.account_id + name = "All-NET-SSH-Internet-Allowlist" + description = "Allow SSH traffic to specific endpoints on the Internet for specific users" + precedence = 0 + enabled = true + action = "allow" + filters = ["l4"] + traffic = "net.dst.ip in ${"$"}${cloudflare_zero_trust_list.ssh_ip_allowlist.id} and net.sni.host in ${"$"}${cloudflare_zero_trust_list.ssh_fqdn_allowlist.id} and net.detected_protocol == \"ssh\"" + identity = "any(identity.groups.name[*] in {\"SSH-Allowed-Users\"})" +} +``` + + + + ## All-NET-NO-HTTP-HTTPS-Internet-Deny Block all non-web traffic towards the Internet. By using the **Detected Protocol** selector, you will ensure alternative ports for HTTP and HTTPS are allowed. From f442cc4e9990ce42d947078907ee74311744ecf8 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 21 Feb 2025 13:22:25 -0600 Subject: [PATCH 06/12] Add non-HTTP traffic policy --- .../recommended-network-policies.mdx | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) 
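Review bot: The All-NET-SSH-Internet-Allowlist expression uses `and` between `net.dst.ip in $` and `net.sni.host in $` in both tabs, while the Destination IP row shown in the preceding hunk carries Or in its Logic column; the SNI row sits between the two hunks and is not visible here, so the table's full intent is inferred from the visible rows. With `and`, a session must match both the IP list and the host list to be allowed, and since plain SSH carries no TLS SNI the host-list condition would presumably never be satisfied for the traffic this policy is meant to admit. Either change the expression to `net.dst.ip in $ or net.sni.host in $` ahead of the `and net.detected_protocol == \"ssh\"` clause, or change the table so the two agree.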
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx index b9230263fc5a29c..4f128af34a8335b 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx 
@@ -312,11 +312,56 @@ resource "cloudflare_zero_trust_gateway_policy" "all_net_ssh_internet_allowlist" Block all non-web traffic towards the Internet. By using the **Detected Protocol** selector, you will ensure alternative ports for HTTP and HTTPS are allowed. + + + + | Selector | Operator | Value | Logic | Action | | ----------------- | ----------- | ----------------- | ----- | ------ | | Destination IP | not in list | _InternalNetwork_ | And | Block | | Detected Protocol | not in | _HTTP_, _HTTP2_ | | | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "All-NET-NO-HTTP-HTTPS-Internet-Deny", + "description": "Block all non-web traffic towards the Internet", + "precedence": 0, + "enabled": true, + "action": "block", + "filters": [ + "l4" + ], + "traffic": "not(net.dst.ip in $) and not(net.detected_protocol in {\"http\" \"http2\"})" +}' +``` + + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "all_net_no_http_https_internet_deny" { + account_id = var.account_id + name = "All-NET-NO-HTTP-HTTPS-Internet-Deny" + description = "Block all non-web traffic towards the Internet" + precedence = 0 + enabled = true + action = "block" + filters = ["l4"] + traffic = "not(net.dst.ip in ${"$"}${cloudflare_zero_trust_list.internal_network_ip_list.id}) and not(net.detected_protocol in {\"http\" \"http2\"})" +} +``` + + + + ## All-NET-InternalNetwork-ImplicitDeny Implicitly deny all of your internal IP ranges included in a list. We recommend you place this policy at the [bottom of your policy list](/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#order-of-precedence) to ensure you explicitly approve traffic defined in the above policies. From 634520a2e644eb5ef8a6f70a4df949b79c757043 Mon Sep 17 00:00:00 2001 
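Review bot: The expression `not(net.detected_protocol in {\"http\" \"http2\"})` exempts only the two HTTP values, while the sentence above promises that alternative ports for both HTTP and HTTPS stay allowed; whether TLS-wrapped HTTPS is reported as `http`/`http2` by protocol detection or under a separate value is not established on this page. Confirm against the protocol-detection reference linked from the Detected Protocol note earlier in this file, and if HTTPS has its own value, add it to the table, the curl tab and the Terraform tab. Since that same note says the selector is Enterprise-only, a sentence here stating what non-Enterprise accounts should use for this deny would also help.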
From: Max Phillips Date: Fri, 21 Feb 2025 13:30:05 -0600 Subject: [PATCH 07/12] Add serial number policy --- .../recommended-network-policies.mdx | 92 +++++++++++++++++++ 1 file changed, 92 insertions(+) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx index 4f128af34a8335b..f39483e617664db 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx 
@@ -366,15 +366,107 @@ resource "cloudflare_zero_trust_gateway_policy" "all_net_no_http_https_internet_ Implicitly deny all of your internal IP ranges included in a list. We recommend you place this policy at the [bottom of your policy list](/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#order-of-precedence) to ensure you explicitly approve traffic defined in the above policies. + + + + | Selector | Operator | Value | Action | | -------------- | -------- | ---------------------- | ------ | | Destination IP | in list | _Internal Network IPs_ | Block | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "All-NET-NO-HTTP-HTTPS-Internet-Deny", + "description": "Block all non-web traffic towards the Internet", + "precedence": 0, + "enabled": true, + "action": "block", + "filters": [ + "l4" + ], + "traffic": "net.dst.ip in $" +}' +``` + + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "all_net_no_http_https_internet_deny" { + account_id = var.account_id + name = "All-NET-NO-HTTP-HTTPS-Internet-Deny" + description = "Block all non-web traffic towards the Internet" + precedence = 0 + enabled = true + action = "block" + filters = ["l4"] + traffic = "net.dst.ip in ${"$"}${cloudflare_zero_trust_list.internal_network_ip_list.id}" +} +``` + + + + ## All-NET-ApplicationAccess-Allow Only allow network traffic from known and approved devices. 
+ + + + + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "All-NET-ApplicationAccess-Allow", + "description": "Only allow network traffic from known and approved devices", + "precedence": 0, + "enabled": true, + "action": "block", + "filters": [ + "l4" + ], + "traffic": "any(net.sni.domains[*] == \"internalapp.com\")", + "device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))" +}' +``` + + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "all_net_no_http_https_internet_deny" { + account_id = var.account_id + name = "All-NET-ApplicationAccess-Allow" + description = "Only allow network traffic from known and approved devices" + precedence = 0 + enabled = true + action = "block" + filters = ["l4"] + traffic = "any(net.sni.domains[*] == \"internalapp.com\")" + device_posture = "not(any(device_posture.checks.passed[*] in {\"${"$"}{cloudflare_zero_trust_list.device_serial_number_list.id}\"}))" +} +``` + + + From 64540fb1ecf5174ad9a7681607f53db16f1ba5b5 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 21 Feb 2025 13:32:04 -0600 Subject: [PATCH 08/12] Remove unnecessary example --- .../recommended-network-policies.mdx | 47 ------------------- .../policies/enforce-device-posture.mdx | 4 +- 2 files changed, 2 insertions(+), 49 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx index f39483e617664db..c7da356de882ec5 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx 
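Review bot: The All-NET-InternalNetwork-ImplicitDeny examples set `"precedence": 0` and `precedence = 0`, yet the paragraph above says this policy must sit at the bottom of the policy list so that the allow policies above it win; if lower values are evaluated first, as the ascending values (10, 50, 60, 70, 80, 90) in this series' DNS examples suggest, precedence 0 would place the deny at the top and block all internal traffic before any allow is considered. Every network policy added in this series uses 0, so the relative order the page describes is not expressed by the snippets at all. Assign ascending values that mirror the section order, with the ImplicitDeny highest, or add a sentence telling the reader to set precedence according to the linked order-of-enforcement page.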
@@ -419,54 +419,7 @@ resource "cloudflare_zero_trust_gateway_policy" "all_net_no_http_https_internet_ Only allow network traffic from known and approved devices. - - - - - - - - - -```sh -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "All-NET-ApplicationAccess-Allow", - "description": "Only allow network traffic from known and approved devices", - "precedence": 0, - "enabled": true, - "action": "block", - "filters": [ - "l4" - ], - "traffic": "any(net.sni.domains[*] == \"internalapp.com\")", - "device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))" -}' -``` - - - - - -```tf -resource "cloudflare_zero_trust_gateway_policy" "all_net_no_http_https_internet_deny" { - account_id = var.account_id - name = "All-NET-ApplicationAccess-Allow" - description = "Only allow network traffic from known and approved devices" - precedence = 0 - enabled = true - action = "block" - filters = ["l4"] - traffic = "any(net.sni.domains[*] == \"internalapp.com\")" - device_posture = "not(any(device_posture.checks.passed[*] in {\"${"$"}{cloudflare_zero_trust_list.device_serial_number_list.id}\"}))" -} -``` - - - diff --git a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx index dd827e6d97bc195..2f19be09fa4cad3 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx 
@@ -4,5 +4,5 @@ | Selector | Operator | Value | Logic | Action | | ---------------------------- | -------- | ----------------------- | ----- | ------ | -| Passed Device Posture Checks | not in | _Device serial numbers_ | And | Block | -| SNI Domain | is | `internalapp.com` | | | +| SNI Domain | is | `internalapp.com` | And | Block | +| Passed Device Posture Checks | not in | _Device serial numbers_ | | | From 5a9c111a565fed80a081015798f347add4f856e4 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 21 Feb 2025 13:33:43 -0600 Subject: [PATCH 09/12] Fix Terraform example title --- .../policies/dash-plus-api/network/enforce-device-posture.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx index ee34601b650aec4..0e10f92f1e5d989 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx @@ -41,7 +41,7 @@ To get the UUIDs of your device posture checks, use the [List device posture rul ```tf -resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" { +resource "cloudflare_zero_trust_gateway_policy" "all_net_applicationaccess_allow" { account_id = var.account_id name = "All-NET-ApplicationAccess-Allow" description = "Ensure access to the application comes from authorized WARP clients" From 58a09bca6f8b505ca8ee7cc83c8e503222e02929 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 21 Feb 2025 13:40:54 -0600 Subject: [PATCH 10/12] Update API title and description --- .../recommended-network-policies.mdx | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx index c7da356de882ec5..060a8eb5092f8c1 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx @@ -383,8 +383,8 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ --header "Content-Type: application/json" \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ - "name": "All-NET-NO-HTTP-HTTPS-Internet-Deny", - "description": "Block all non-web traffic towards the Internet", + "name": "All-NET-InternalNetwork-ImplicitDeny", + "description": "Implicitly deny all of your internal IP ranges included in a list", "precedence": 0, "enabled": true, "action": "block", @@ -400,10 +400,10 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ ```tf -resource "cloudflare_zero_trust_gateway_policy" "all_net_no_http_https_internet_deny" { +resource "cloudflare_zero_trust_gateway_policy" "all_net_internalnetwork_implicitdeny" { account_id = var.account_id - name = "All-NET-NO-HTTP-HTTPS-Internet-Deny" - description = "Block all non-web traffic towards the Internet" + name = "All-NET-InternalNetwork-ImplicitDeny" + description = "Implicitly deny all of your internal IP ranges included in a list" precedence = 0 enabled = true action = "block" From 18ffdd65d7b4b9aaed672bf92910894625540e28 Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Fri, 21 Feb 2025 17:00:40 -0600 Subject: [PATCH 11/12] Replace TF Cloudflare account ID variables --- .../build-dns-policies/create-list.mdx | 2 +- .../build-dns-policies/create-policy.mdx | 2 +- .../recommended-dns-policies.mdx | 14 +++++++------- .../recommended-network-policies.mdx | 14 +++++++------- .../dash-plus-api/dns/block-applications.mdx | 2 +- .../dash-plus-api/dns/block-content-categories.mdx | 2 +- .../dns/block-security-categories.mdx | 2 +- .../http/block-content-categories.mdx | 2 +- .../network/enforce-device-posture.mdx | 2 +- 9 files changed, 21 insertions(+), 21 deletions(-) diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx index 6643d886d3ca269..eee0f7f65f00e66 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx @@ -52,7 +52,7 @@ To create a new DNS policy using **Terraform** to allow access to all approved c ```tf resource "cloudflare_zero_trust_gateway_policy" "allow_corporate_domain_access" { - account_id = var.account_id + account_id = var.cloudflare_account_id name = "All-DNS-CorporateDomain-AllowList" description = "Allow access to the corporate domains defined under the Corporate Domains list" precedence = 1 diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx index 2ddfdf3ece0791b..06e523498c23367 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx 
@@ -65,7 +65,7 @@ To create a new DNS policy using **Terraform**: ```tf resource "cloudflare_zero_trust_gateway_policy" "security_risks_dns_policy" { - account_id = var.account_id + account_id = var.cloudflare_account_id name = "All-DNS-SecurityCategories-Blocklist" description = "Block known security risks based on Cloudflare's threat intelligence" precedence = 0 diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index 2d7395440321ef1..146390c6620b53b 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx @@ -49,7 +49,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ ```tf resource "cloudflare_zero_trust_gateway_policy" "dns_whitelist_policy" { - account_id = var.account_id + account_id = var.cloudflare_account_id name = "All-DNS-Domain-Allowlist" description = "Allowlist any known domains and hostnames" precedence = 0 @@ -105,7 +105,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ ```tf resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users" { - account_id = var.account_id + account_id = var.cloudflare_account_id name = "Quarantined-Users-DNS-Restricted-Access" description = "Restrict access for users included in an identity provider (IdP) user group for risky users" precedence = 10 
@@ -189,7 +189,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 
 ```tf
 resource "cloudflare_zero_trust_gateway_policy" "dns_geolocation_block_policy" {
- account_id = var.account_id
+ account_id = var.cloudflare_account_id
 name = "All-DNS-GeoCountryIP-Blocklist"
 description = "Block traffic hosted in countries categorized as high security risks"
 precedence = 50
@@ -242,7 +242,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 
 ```tf
 resource "cloudflare_zero_trust_gateway_policy" "dns_blacklist_policy" {
- account_id = var.account_id
+ account_id = var.cloudflare_account_id
 name = "All-DNS-DomainTopLevel-Blocklist"
 description = "Block DNS queries of known risky TLDs"
 precedence = 60
@@ -296,7 +296,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 
 ```tf
 resource "cloudflare_zero_trust_gateway_policy" "dns_phishing_domains_block" {
- account_id = var.account_id
+ account_id = var.cloudflare_account_id
 name = "All-DNS-DomainPhishing-Blocklist"
 description = "Block misused domains used in phishing campaigns"
 precedence = 70
@@ -351,7 +351,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 
 ```tf
 resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" {
- account_id = var.account_id
+ account_id = var.cloudflare_account_id
 name = "All-DNS-ResolvedIP-Blocklist"
 description = "Block specific IP addresses deemed to be a risk to the Organization"
 precedence = 80
@@ -409,7 +409,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 
 ```tf
 resource "cloudflare_zero_trust_gateway_policy" "block_dns_domain_host" {
- account_id = var.account_id
+ account_id = var.cloudflare_account_id
 name = "All-DNS-DomainHost-Blocklist"
 description = "Block specific domains or hosts that are malicious or pose a threat to your organization."
 precedence = 90
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx
index 060a8eb5092f8c1..ab68cd219b4fba7 100644
--- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx
+++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx
@@ -54,7 +54,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 
 ```tf
 resource "cloudflare_zero_trust_gateway_policy" "quarantined_users_net_restricted_access" {
- account_id = var.account_id
+ account_id = var.cloudflare_account_id
 name = "Quarantined-Users-NET-Restricted-Access"
 description = "Restrict access for users included in an IdP user group for risky users"
 precedence = 0
@@ -114,7 +114,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 
 ```tf
 resource "cloudflare_zero_trust_gateway_policy" "posture_fail_net_restricted_access" {
- account_id = var.account_id
+ account_id = var.cloudflare_account_id
 name = "Posture-Fail-NET-Restricted-Access"
 description = "Restrict access for devices where baseline posture checks have not passed"
 precedence = 0
@@ -172,7 +172,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 
 ```tf
 resource "cloudflare_zero_trust_gateway_policy" "finance_users_net_https_finance_servers" {
- account_id = var.account_id
+ account_id = var.cloudflare_account_id
 name = "FinanceUsers-NET-HTTPS-FinanceServers"
 description = "Allow HTTPS access for user groups"
 precedence = 0
@@ -230,7 +230,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 
 ```tf
 resource "cloudflare_zero_trust_gateway_policy" "finance_users_net_https_finance_servers" {
- account_id = var.account_id
+ account_id = var.cloudflare_account_id
 name = "All-NET-Internet-Blocklist"
 description = "Block traffic to malicious or risky destination IPs, SNIs, and SNI domains"
 precedence = 0
@@ -293,7 +293,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 
 ```tf
 resource "cloudflare_zero_trust_gateway_policy" "all_net_ssh_internet_allowlist" {
- account_id = var.account_id
+ account_id = var.cloudflare_account_id
 name = "All-NET-SSH-Internet-Allowlist"
 description = "Allow SSH traffic to specific endpoints on the Internet for specific users"
 precedence = 0
@@ -348,7 +348,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 
 ```tf
 resource "cloudflare_zero_trust_gateway_policy" "all_net_no_http_https_internet_deny" {
- account_id = var.account_id
+ account_id = var.cloudflare_account_id
 name = "All-NET-NO-HTTP-HTTPS-Internet-Deny"
 description = "Block all non-web traffic towards the Internet"
 precedence = 0
@@ -401,7 +401,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 
 ```tf
 resource "cloudflare_zero_trust_gateway_policy" "all_net_internalnetwork_implicitdeny" {
- account_id = var.account_id
+ account_id = var.cloudflare_account_id
 name = "All-NET-InternalNetwork-ImplicitDeny"
 description = "Implicitly deny all of your internal IP ranges included in a list"
 precedence = 0
diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-applications.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-applications.mdx
index 4ca90e736203a91..c76f53ce2620d45 100644
--- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-applications.mdx
+++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-applications.mdx
@@ -37,7 +37,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
 
 ```tf
 resource "cloudflare_zero_trust_gateway_policy" "block_unauthorized_apps" {
- account_id = var.account_id
+ account_id = var.cloudflare_account_id
 name = "All-DNS-Application-Blocklist"
 description = "Block access to unauthorized AI applications"
 enabled = true
diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-content-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-content-categories.mdx
index 550127c3806d343..4db1f9cc2196f94 100644
--- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-content-categories.mdx
+++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-content-categories.mdx
@@ -36,7 +36,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
 
 ```tf
 resource "cloudflare_zero_trust_gateway_policy" "block_content_categories" {
- account_id = var.account_id
+ account_id = var.cloudflare_account_id
 name = "All-DNS-ContentCategories-Blocklist"
 description = "Block common content categories that may pose a risk"
 enabled = true
diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-security-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-security-categories.mdx
index 0a27fb3feea3822..f5f38f145f27784 100644
--- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-security-categories.mdx
+++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-security-categories.mdx
@@ -37,7 +37,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
 
 ```tf
 resource "cloudflare_zero_trust_gateway_policy" "block_security_threats" {
- account_id = var.account_id
+ account_id = var.cloudflare_account_id
 name = "All-DNS-SecurityCategories-Blocklist"
 description = "Block security categories based on Cloudflare's threat intelligence"
 precedence = 20
diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-content-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-content-categories.mdx
index 14a795238d0326a..8a951065ae0235e 100644
--- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-content-categories.mdx
+++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-content-categories.mdx
@@ -36,7 +36,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
 
 ```tf
 resource "cloudflare_zero_trust_gateway_policy" "block_unauthorized_apps" {
- account_id = var.account_id
+ account_id = var.cloudflare_account_id
 name = "All-HTTP-Application-Blocklist"
 description = "Block access to unauthorized AI applications"
 enabled = true
diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx
index 0e10f92f1e5d989..d779bb244648574 100644
--- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx
+++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx
@@ -42,7 +42,7 @@ To get the UUIDs of your device posture checks, use the [List device posture rul
 
 ```tf
 resource "cloudflare_zero_trust_gateway_policy" "all_net_applicationaccess_allow" {
- account_id = var.account_id
+ account_id = var.cloudflare_account_id
 name = "All-NET-ApplicationAccess-Allow"
 description = "Ensure access to the application comes from authorized WARP clients"
 precedence = 5000

From 9fd0721ffdfe6b25b787d5487de333a4c9d51377 Mon Sep 17 00:00:00 2001
From: Max Phillips
Date: Fri, 21 Feb 2025 17:06:06 -0600
Subject: [PATCH 12/12] Add device posture check resource

---
 .../build-network-policies/recommended-network-policies.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx
index ab68cd219b4fba7..919b20b08953103 100644
--- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx
+++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx
@@ -122,7 +122,7 @@ resource "cloudflare_zero_trust_gateway_policy" "posture_fail_net_restricted_acc
 action = "block"
 filters = ["l4"]
 traffic = "not(net.dst.ip in ${"$"}${cloudflare_zero_trust_list.ip_allowlist.id}) or not(net.sni.host in ${"$"}${cloudflare_zero_trust_list.host_allowlist.id}) or not(any(net.sni.domains[*] in ${"$"}${cloudflare_zero_trust_list.domain_allowlist.id}))"
- device_posture = "not(any(device_posture.checks.passed[*] in {\"\"}))"
+ device_posture = "not(any(device_posture.checks.passed[*] in {\"${cloudflare_device_posture_rule.baseline_check.id}\"}))"
 }
 ```
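Review bot: The new `device_posture` line references `cloudflare_device_posture_rule.baseline_check.id`, but neither this snippet nor the visible surrounding text declares a `cloudflare_device_posture_rule` named `baseline_check`, so a reader who copies the example as-is gets an undeclared-resource error at plan time. Add a sentence before the code block, or an HCL comment on the line above `device_posture`, such as `# baseline_check is a cloudflare_device_posture_rule you define elsewhere; substitute the ID of an existing posture check if it is not managed in Terraform`. It is also worth stating in the prose that, with `action = "block"` and the `not(any(...))` form, a device that reports no passed checks at all matches the rule and is blocked, which appears to be the fail-closed behavior the resource's description promises. The enclosing `posture_fail_net_restricted_access` resource block begins above this hunk.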