diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx
index f65a3a28c83984..bc4e38ab406492 100644
--- a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx
+++ b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx
@@ -5,7 +5,7 @@ sidebar:
order: 5
---
-import { Render } from "~/components";
+import { Render, Tabs, TabItem } from "~/components";
We recommend you add the following HTTP policies to build an Internet and SaaS app security strategy for your organization.
@@ -13,36 +13,202 @@ We recommend you add the following HTTP policies to build an Internet and SaaS a
Bypass HTTP inspection for applications that use embedded certificates. This will help avoid any certificate pinning errors that may arise from an initial rollout.
+
+
+
+
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+--data '{
+ "name": "All-HTTP-Application-InspectBypass",
+ "description": "Bypass HTTP inspection for applications that use embedded certificates",
+ "precedence": 0,
+ "enabled": true,
+ "action": "block",
+ "filters": [
+ "http"
+ ],
+ "traffic": "any(app.type.ids[*] in {16})"
+}'
+```
+
+
+
+
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "all_http_application_inspect_bypass" {
+ account_id = var.cloudflare_account_id
+ name = "All-HTTP-Application-InspectBypass"
+ description = "Bypass HTTP inspection for applications that use embedded certificates"
+ precedence = 0
+ enabled = true
+ action = "block"
+ filters = ["http"]
+ traffic = "any(app.type.ids[*] in {16})"
+}
+```
+
+
+
+
## Android-HTTP-Application-InspectionBypass
Bypass HTTPS inspection for Android applications (such as Google Drive) that use certificate pinning, which is incompatible with Gateway inspection.
+
+
| Selector | Operator | Value | Logic | Action |
| ---------------------------- | -------- | --------------------------------- | ----- | -------------- |
| Application | in | _Google Drive_ | And | Do Not Inspect |
| Passed Device Posture Checks | in | _OS Version Android (OS version)_ | | |
+
+
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+--data '{
+ "name": "Android-HTTP-Application-InspectionBypass",
+ "description": "Bypass HTTPS inspection for Android applications with certificate pinning",
+ "precedence": 10,
+ "enabled": true,
+ "action": "off",
+ "filters": [
+ "http"
+ ],
+ "traffic": "any(app.ids[*] in {554})",
+ "device_posture": "any(device_posture.checks.passed[*] in {\"\"})"
+}'
+```
+
+
+
+
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "android_http_application_inspection_bypass" {
+ account_id = var.cloudflare_account_id
+ name = "Android-HTTP-Application-InspectionBypass"
+ description = "Bypass HTTPS inspection for Android applications with certificate pinning"
+ precedence = 10
+ enabled = true
+ action = "off"
+ filters = ["http"]
+ traffic = "any(app.ids[*] in {554})"
+ device_posture = "any(device_posture.checks.passed[*] in {\"${"$"}{cloudflare_zero_trust_list.android_version_posture_check.id}\"})"
+}
+```
+
+
+
+
## All-HTTP-Domain-Inspection-Bypass
Bypass HTTP inspection for a custom list of domains identified as incompatible with TLS inspection.
+
+
| Selector | Operator | Value | Logic | Action |
| -------- | -------- | ------------------------ | ----- | -------------- |
| Domain | in list | _DomainInspectionBypass_ | Or | Do Not Inspect |
| Domain | in list | _Known Domains_ | | |
+
+
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+--data '{
+ "name": "All-HTTP-Domain-Inspection-Bypass",
+ "description": "Bypass HTTP inspection for a custom list of domains identified as incompatible with TLS inspection",
+ "precedence": 20,
+ "enabled": true,
+ "action": "off",
+ "filters": [
+ "http"
+ ],
+ "traffic": "any(http.conn.domains[*] in $) or any(http.conn.domains[*] in $)"
+}'
+```
+
+
+
+
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "android_http_application_inspection_bypass" {
+ account_id = var.cloudflare_account_id
+ name = "All-HTTP-Domain-Inspection-Bypass"
+ description = "Bypass HTTP inspection for a custom list of domains identified as incompatible with TLS inspection"
+ precedence = 20
+ enabled = true
+ action = "off"
+ filters = ["http"]
+ traffic = "any(http.conn.domains[*] in ${"$"}{cloudflare_zero_trust_list.domain_inspection_bypass_list.id}) or any(http.conn.domains[*] in ${"$"}{cloudflare_zero_trust_list.known_domains_list.id})"
+}
+```
+
+
+
+
## All-HTTP-SecurityRisks-Blocklist
-| Selector | Operator | Value | Action |
-| -------------- | -------- | -------------------- | ------ |
-| Security Risks | in | _All security risks_ | Block |
+
+
+| Selector | Operator | Value | Action |
+| ------------------- | -------- | -------------------- | ------ |
+| Security Categories | in | _All security risks_ | Block |
+
+
+
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+--data '{
+ "name": "All-HTTP-SecurityRisks-Blocklist",
+ "description": "Block security categories based on Cloudflare's threat intelligence",
+ "precedence": 30,
+ "enabled": true,
+ "action": "block",
+ "filters": [
+ "http"
+ ],
+ "traffic": "any(http.request.uri.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})"
+}'
+```
+
+
+
+
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "all_http_security_risks_blocklist" {
+ account_id = var.cloudflare_account_id
+ name = "All-HTTP-SecurityRisks-Blocklist"
+ description = "Block security categories based on Cloudflare's threat intelligence"
+ precedence = 30
+ enabled = true
+ action = "block"
+ filters = ["http"]
+ traffic = "any(http.request.uri.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})"
+}
+```
+
+
+
## All-HTTP-ContentCategories-Blocklist
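Review bot: The All-HTTP-Application-InspectBypass samples contradict the policy they document — the curl body and the Terraform resource both set `"action": "block"` / `action = "block"`, while the heading, the description and the sibling bypass policies on this page (Android, domain list) use the Do Not Inspect action `off`; applied as written at precedence 0 this blocks, rather than exempts, every application in the embedded-certificate type. Both lines should read `"action": "off"` and `action = "off"`. Separately, the All-HTTP-Domain-Inspection-Bypass Terraform block reuses the resource label `android_http_application_inspection_bypass`, which collides with the Android resource above it and fails `terraform validate`; `all_http_domain_inspection_bypass` matches the naming of the other resources. The Android policy's posture reference also looks off: the curl sample passes an empty check ID (`in {\"\"}`) and the Terraform sample reads the ID from a `cloudflare_zero_trust_list`, whereas posture checks are presumably created by `cloudflare_zero_trust_device_posture_rule` — worth confirming, and the curl placeholder should be spelled out (for example `<POSTURE_CHECK_ID>`) so readers know what to substitute.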
@@ -58,7 +224,12 @@ Bypass HTTP inspection for a custom list of domains identified as incompatible w
## All-HTTP-DomainHost-Blocklist
-
+
+
+
| Selector | Operator | Value | Logic | Action |
| -------- | ------------- | ------------------ | ----- | ------ |
@@ -66,6 +237,45 @@ Bypass HTTP inspection for a custom list of domains identified as incompatible w
| Host | in list | _Host Blocklist_ | Or | |
| Host | matches regex | `.*example\.com` | | |
+
+
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+--data '{
+ "name": "All-HTTP-DomainHost-Blocklist",
+ "description": "Block specific domains or hosts that are malicious or pose a threat to your organization",
+ "precedence": 50,
+ "enabled": true,
+ "action": "block",
+ "filters": [
+ "http"
+ ],
+ "traffic": "any(http.request.domains[*] in $) or http.request.host in $ or http.request.host matches \".*example\\.com\""
+}'
+```
+
+
+
+
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "all_http_domainhost_blocklist" {
+ account_id = var.cloudflare_account_id
+ name = "All-HTTP-DomainHost-Blocklist"
+ description = "Block specific domains or hosts that are malicious or pose a threat to your organization"
+ precedence = 50
+ enabled = true
+ action = "block"
+ filters = ["http"]
+ traffic = "any(http.request.domains[*] in ${"$"}{cloudflare_zero_trust_list.domain_blocklist.id}) or http.request.host in ${"$"}{cloudflare_zero_trust_list.host_blocklist.id} or http.request.host matches \".*example\\.com\""
+}
+```
+
+
+
+
## All-HTTP-Application-Blocklist
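Review bot: The host regex carried into the API and Terraform samples, `http.request.host matches ".*example\.com"`, is broader than a blocklist entry for `example.com`: the leading `.*` also matches hosts such as `notexample.com`, and unless Gateway anchors regex matches to the whole host value (worth confirming against the Gateway regex documentation) it would match `example.com.attacker.net` as well. A form such as `(^|\.)example\.com$` limits the match to the apex and its subdomains and is harmless if the engine already anchors. The same regex appears in the dashboard table, which predates this change, so the table row should be updated together with the samples.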
@@ -81,24 +291,149 @@ Isolate traffic for privileged users who regularly access critical systems or ex
Security teams often need to perform threat analysis or malware testing that could trigger malware detection. Likewise, privileged users could be the target of attackers trying to gain access to critical systems.
+
+
| Selector | Operator | Value | Action |
| ---------------- | -------- | ------------------ | ------- |
| User Group Names | in | _Privileged Users_ | Isolate |
+
+
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+--data '{
+ "name": "PrivilegedUsers-HTTP-Any-Isolate",
+ "description": "Isolate traffic for privileged users who regularly access critical or testing systems",
+ "precedence": 70,
+ "enabled": true,
+ "action": "isolate",
+ "filters": [
+ "http"
+ ],
+ "identity": "any(identity.groups.name[*] in {\"Privileged Users\"})"
+}'
+```
+
+
+
+
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "privileged_users_http_any_isolate" {
+ account_id = var.cloudflare_account_id
+ name = "PrivilegedUsers-HTTP-Any-Isolate"
+ description = "Isolate traffic for privileged users who regularly access critical or testing systems"
+ precedence = 70
+ enabled = true
+ action = "isolate"
+ filters = ["http"]
+ identity = "any(identity.groups.name[*] in {\"Privileged Users\"})"
+}
+```
+
+
+
+
## Quarantined-Users-HTTP-Restricted-Access
+
+
| Selector | Operator | Value | Logic | Action |
| ---------------- | ----------- | ------------------------------- | ----- | ------ |
| Destination IP | not in list | _Quarantined-Users-IPAllowlist_ | And | Block |
| User Group Names | in | _Quarantined Users_ | | |
+
+
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+--data '{
+ "name": "Quarantined-Users-HTTP-Restricted-Access",
+ "description": "Restrict access for users included in an identity provider (IdP) user group for risky users",
+ "precedence": 80,
+ "enabled": true,
+ "action": "block",
+ "filters": [
+ "http"
+ ],
+ "traffic": "not(any(http.conn.dst_ip[*] in $))",
+ "identity": "any(identity.groups.name[*] in {\"Quarantined Users\"})"
+}'
+```
+
+
+
+
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "quarantined_users_http_restricted_access" {
+ account_id = var.cloudflare_account_id
+ name = "Quarantined-Users-HTTP-Restricted-Access"
+ description = "Restrict access for users included in an identity provider (IdP) user group for risky users"
+ precedence = 80
+ enabled = true
+ action = "block"
+ filters = ["http"]
+ traffic = "not(any(http.conn.dst_ip[*] in ${"$"}{cloudflare_zero_trust_list.quarantined_users_ip_allowlist.id}))"
+ identity = "any(identity.groups.name[*] in {\"Quarantined Users\"})"
+}
+```
+
+
+
+
## All-HTTP-Domain-Isolate
Isolate high risk domains or create a custom list of known risky domains to avoid data exfiltration or malware infection. Ideally, your incident response teams can update the blocklist with an [API automation](/security-center/intel-apis/) to provide real-time threat protection.
-| Selector | Operator | Value | Logic | Action |
-| ------------------ | -------- | ---------------------------------- | ----- | ------- |
-| Content Categories | in | _New Domain_, _Newly Seen Domains_ | Or | Isolate |
-| Domain | in list | _Domain Isolation_ | | |
+
+
+| Selector | Operator | Value | Logic | Action |
+| ------------------ | -------- | ----------------------------------- | ----- | ------- |
+| Content Categories | in | _New Domains_, _Newly Seen Domains_ | Or | Isolate |
+| Domain | in list | _Domain Isolation_ | | |
+
+
+
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+--data '{
+ "name": "All-HTTP-Domain-Isolate",
+ "description": "Isolate high risk domains or create a custom list of known risky domains to avoid data exfiltration or malware infection",
+ "precedence": 90,
+ "enabled": true,
+ "action": "isolate",
+ "filters": [
+ "http"
+ ],
+ "traffic": "any(http.request.uri.content_category[*] in {169 177}) or any(http.request.domains[*] in $)"
+}'
+```
+
+
+
+
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "all_http_domain_isolate" {
+ account_id = var.cloudflare_account_id
+ name = "All-HTTP-Domain-Isolate"
+ description = "Isolate high risk domains or create a custom list of known risky domains to avoid data exfiltration or malware infection"
+ precedence = 90
+ enabled = true
+ action = "isolate"
+ filters = ["http"]
+ traffic = "any(http.request.uri.content_category[*] in {169 177}) or any(http.request.domains[*] in ${"$"}{cloudflare_zero_trust_list.domain_isolate_list.id})"
+}
+```
+
+
+
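Review bot: Quarantined-Users-HTTP-Restricted-Access (precedence 80) only governs traffic that reaches HTTP inspection; as I understand Gateway's evaluation order, the Do Not Inspect policies earlier on this page (precedence 0–20) are evaluated first and exempt matching traffic from every other HTTP policy, so a quarantined user can still reach the bypassed applications and domains over HTTPS. If that exemption is not intended for risky users, the page should say so and point to an equivalent network-policy block for that group. Also, the curl samples in this hunk reference lists as a bare `$` (for example `"traffic": "not(any(http.conn.dst_ip[*] in $))"`), which the API will reject; the Terraform samples show the intended form, so the curl placeholder should be written as `$<LIST_ID>` with a sentence on where to find the list ID.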
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx
index 919b20b0895310..26c0583ee4141e 100644
--- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx
+++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx
@@ -97,7 +97,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
--data '{
"name": "Posture-Fail-NET-Restricted-Access",
"description": "Restrict access for devices where baseline posture checks have not passed",
- "precedence": 0,
+ "precedence": 10,
"enabled": true,
"action": "block",
"filters": [
@@ -117,7 +117,7 @@ resource "cloudflare_zero_trust_gateway_policy" "posture_fail_net_restricted_acc
account_id = var.cloudflare_account_id
name = "Posture-Fail-NET-Restricted-Access"
description = "Restrict access for devices where baseline posture checks have not passed"
- precedence = 0
+ precedence = 10
enabled = true
action = "block"
filters = ["l4"]
@@ -155,7 +155,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
--data '{
"name": "FinanceUsers-NET-HTTPS-FinanceServers",
"description": "Allow HTTPS access for user groups",
- "precedence": 0,
+ "precedence": 20,
"enabled": true,
"action": "allow",
"filters": [
@@ -175,7 +175,7 @@ resource "cloudflare_zero_trust_gateway_policy" "finance_users_net_https_finance
account_id = var.cloudflare_account_id
name = "FinanceUsers-NET-HTTPS-FinanceServers"
description = "Allow HTTPS access for user groups"
- precedence = 0
+ precedence = 20
enabled = true
action = "allow"
filters = ["l4"]
@@ -214,7 +214,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
--data '{
"name": "All-NET-Internet-Blocklist",
"description": "Block traffic to malicious or risky destination IPs, SNIs, and SNI domains",
- "precedence": 0,
+ "precedence": 30,
"enabled": true,
"action": "block",
"filters": [
@@ -233,7 +233,7 @@ resource "cloudflare_zero_trust_gateway_policy" "finance_users_net_https_finance
account_id = var.cloudflare_account_id
name = "All-NET-Internet-Blocklist"
description = "Block traffic to malicious or risky destination IPs, SNIs, and SNI domains"
- precedence = 0
+ precedence = 30
enabled = true
action = "block"
filters = ["l4"]
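Review bot: The Terraform resource this hunk renumbers is still declared under the label `finance_users_net_https_finance…` (truncated in the hunk header) even though it defines All-NET-Internet-Blocklist, duplicating the label of the FinanceUsers resource earlier on the page; Terraform rejects duplicate resource addresses, so the page's samples cannot be applied together as published. Renaming it `resource "cloudflare_zero_trust_gateway_policy" "all_net_internet_blocklist"` fixes the collision and matches the other labels on the page. The resource header itself is outside this hunk.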
@@ -276,7 +276,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
--data '{
"name": "All-NET-SSH-Internet-Allowlist",
"description": "Allow SSH traffic to specific endpoints on the Internet for specific users",
- "precedence": 0,
+ "precedence": 40,
"enabled": true,
"action": "allow",
"filters": [
@@ -296,7 +296,7 @@ resource "cloudflare_zero_trust_gateway_policy" "all_net_ssh_internet_allowlist"
account_id = var.cloudflare_account_id
name = "All-NET-SSH-Internet-Allowlist"
description = "Allow SSH traffic to specific endpoints on the Internet for specific users"
- precedence = 0
+ precedence = 40
enabled = true
action = "allow"
filters = ["l4"]
@@ -332,7 +332,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
--data '{
"name": "All-NET-NO-HTTP-HTTPS-Internet-Deny",
"description": "Block all non-web traffic towards the Internet",
- "precedence": 0,
+ "precedence": 50,
"enabled": true,
"action": "block",
"filters": [
@@ -351,7 +351,7 @@ resource "cloudflare_zero_trust_gateway_policy" "all_net_no_http_https_internet_
account_id = var.cloudflare_account_id
name = "All-NET-NO-HTTP-HTTPS-Internet-Deny"
description = "Block all non-web traffic towards the Internet"
- precedence = 0
+ precedence = 50
enabled = true
action = "block"
filters = ["l4"]
@@ -385,7 +385,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
--data '{
"name": "All-NET-InternalNetwork-ImplicitDeny",
"description": "Implicitly deny all of your internal IP ranges included in a list",
- "precedence": 0,
+ "precedence": 60,
"enabled": true,
"action": "block",
"filters": [
@@ -404,7 +404,7 @@ resource "cloudflare_zero_trust_gateway_policy" "all_net_internalnetwork_implici
account_id = var.cloudflare_account_id
name = "All-NET-InternalNetwork-ImplicitDeny"
description = "Implicitly deny all of your internal IP ranges included in a list"
- precedence = 0
+ precedence = 60
enabled = true
action = "block"
filters = ["l4"]
diff --git a/src/content/docs/learning-paths/zero-trust-web-access/terraform/publish-apps-with-terraform.mdx b/src/content/docs/learning-paths/zero-trust-web-access/terraform/publish-apps-with-terraform.mdx
index 72d7882cf4ae22..41f15505f0a41f 100644
--- a/src/content/docs/learning-paths/zero-trust-web-access/terraform/publish-apps-with-terraform.mdx
+++ b/src/content/docs/learning-paths/zero-trust-web-access/terraform/publish-apps-with-terraform.mdx
@@ -3,20 +3,19 @@ title: Publish applications with Terraform
pcx_content_type: overview
sidebar:
order: 1
-
---
-import { Details, Render } from "~/components"
+import { Details, Render } from "~/components";
This guide covers how to use the [Cloudflare Terraform provider](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs) to quickly publish and secure a private application. In the following example, we will add a new public hostname route to an existing Cloudflare Tunnel, configure how `cloudflared` proxies traffic to the application, and secure the application with Cloudflare Access.
## Prerequisites
-* [Add your domain to Cloudflare](/learning-paths/zero-trust-web-access/initial-setup/add-site/)
-* [Configure an IdP integration](/learning-paths/zero-trust-web-access/initial-setup/configure-idp/)
-* [Create a Cloudflare Tunnel](/learning-paths/zero-trust-web-access/connect-private-applications/create-tunnel/#create-a-tunnel) via the Zero Trust dashboard
-* Install the [Terraform client](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)
-* [Create an API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) (refer to the [minimum required permissions](/cloudflare-one/connections/connect-networks/deployment-guides/terraform/#3-create-a-cloudflare-api-token))
+- [Add your domain to Cloudflare](/learning-paths/zero-trust-web-access/initial-setup/add-site/)
+- [Configure an IdP integration](/learning-paths/zero-trust-web-access/initial-setup/configure-idp/)
+- [Create a Cloudflare Tunnel](/learning-paths/zero-trust-web-access/connect-private-applications/create-tunnel/#create-a-tunnel) via the Zero Trust dashboard
+- Install the [Terraform client](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)
+- [Create an API token](/fundamentals/api/get-started/create-token/) (refer to the [minimum required permissions](/cloudflare-one/connections/connect-networks/deployment-guides/terraform/#3-create-a-cloudflare-api-token))
## 1. Create a Terraform configuration directory
@@ -80,7 +79,7 @@ Using the [`cloudflare_tunnel_config`](https://registry.terraform.io/providers/c
```txt
resource "cloudflare_tunnel_config" "example_config" {
- account_id = var.account_id
+ account_id = var.cloudflare_account_id
tunnel_id = var.tunnel_id
config {
diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-applications.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-applications.mdx
index d24e0141de39f3..3a9982155ea415 100644
--- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-applications.mdx
+++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-applications.mdx
@@ -18,8 +18,9 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
--data '{
- "name": "Block content categories",
- "description": "Block access to unauthorized AI applications",
+ "name": "All-HTTP-Application-Blocklist",
+ "description": "Limit access to shadow IT by blocking web-based tools and applications",
+ "precedence": 60,
"enabled": true,
"action": "block",
"filters": [
@@ -31,5 +32,23 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
}'
```
+
+
+
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "all_http_application_blocklist" {
+ account_id = var.cloudflare_account_id
+ name = "All-HTTP-Application-Blocklist"
+ description = "Limit access to shadow IT by blocking web-based tools and applications"
+ precedence = 60
+ enabled = true
+ action = "block"
+ filters = ["http"]
+ traffic = "any(app.type.ids[*] in {25})"
+ identity = ""
+ device_posture = ""
+}
+```
+
diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-content-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-content-categories.mdx
index 8a951065ae0235..e0940e106cbc46 100644
--- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-content-categories.mdx
+++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-content-categories.mdx
@@ -18,8 +18,9 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
--data '{
- "name": "Block content categories",
- "description": "Block access to unauthorized applications",
+ "name": "All-HTTP-ContentCategories-Blocklist",
+ "description": "Block access to questionable content and potential security risks",
+ "precedence": 40,
"enabled": true,
"action": "block",
"filters": [
@@ -36,14 +37,16 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
```tf
resource "cloudflare_zero_trust_gateway_policy" "block_unauthorized_apps" {
- account_id = var.cloudflare_account_id
- name = "All-HTTP-Application-Blocklist"
- description = "Block access to unauthorized AI applications"
- enabled = true
- action = "block"
- filters = ["dns"]
- traffic = "any(app.type.ids[*] in {25})"
- identity = ""
+ account_id = var.cloudflare_account_id
+ name = "All-HTTP-ContentCategories-Blocklist"
+ description = "Block access to questionable content and potential security risks"
+ precedence = 40
+ enabled = true
+ action = "block"
+ filters = ["dns"]
+ traffic = "any(http.request.uri.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161 2 67 125 133 99})""
+ identity = ""
+ device_posture = ""
}
```
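Review bot: The rewritten Terraform resource at the end of this hunk has a syntax error — the `traffic` line ends with `})""`, an extra pair of quotes after the closing string that HCL will reject — and it keeps `filters = ["dns"]` although the selector `http.request.uri.content_category` (and the HTTP partial this lives in) is HTTP-layer, so the policy will not validate even once the quotes are fixed. Change to `filters = ["http"]` and end the line with `…125 133 99})"`. The resource label `block_unauthorized_apps` is also stale now that the policy is All-HTTP-ContentCategories-Blocklist; `all_http_content_categories_blocklist` would match the sibling resources.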
diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx
index d779bb24464857..dc469e6d53329b 100644
--- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx
+++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx
@@ -24,7 +24,7 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
--data '{
"name": "All-NET-ApplicationAccess-Allow",
"description": "Ensure access to the application comes from authorized WARP clients",
- "precedence": 5000,
+ "precedence": 70,
"enabled": false,
"action": "block",
"filters": [
@@ -45,7 +45,7 @@ resource "cloudflare_zero_trust_gateway_policy" "all_net_applicationaccess_allow
account_id = var.cloudflare_account_id
name = "All-NET-ApplicationAccess-Allow"
description = "Ensure access to the application comes from authorized WARP clients"
- precedence = 5000
+ precedence = 70
enabled = false
action = "block"
filters = ["l4"]