diff --git a/src/content/changelog/gateway/2025-03-21-pdns-user-locations-role.mdx b/src/content/changelog/gateway/2025-03-21-pdns-user-locations-role.mdx index 66c5c914d126ed8..0f88592c7049ad3 100644 --- a/src/content/changelog/gateway/2025-03-21-pdns-user-locations-role.mdx +++ b/src/content/changelog/gateway/2025-03-21-pdns-user-locations-role.mdx 
@@ -2,20 +2,19 @@ title: Secure DNS Locations Management User Role description: Create secure DNS locations using the new Cloudflare Zero Trust Locations Write role. date: 2025-03-21T13:50:40Z -products: [] +products: + - gateway hidden: false --- -We’re excited to introduce the [**Cloudflare Zero Trust Secure DNS Locations Write role**](/cloudflare-one/connections/connect-devices/agentless/dns/locations/#secure-dns-locations), designed to provide DNS filtering customers with granular control over third-party access when configuring their Protective DNS (PDNS) solutions.​ +We're excited to introduce the [**Cloudflare Zero Trust Secure DNS Locations Write role**](/cloudflare-one/connections/connect-devices/agentless/dns/locations/#secure-dns-locations), designed to provide DNS filtering customers with granular control over third-party access when configuring their Protective DNS (PDNS) solutions. -Many DNS filtering customers rely on external service partners to manage their DNS location endpoints. This role allows you to grant access to external parties to administer DNS locations without overprovisioning their permissions.​ +Many DNS filtering customers rely on external service partners to manage their DNS location endpoints. This role allows you to grant access to external parties to administer DNS locations without overprovisioning their permissions. **Secure DNS Location Requirements:** -- Mandate usage of [Bring your own DNS resolver IP addresses](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#bring-your-own-dns-resolver-ip) if available on the account.​ +- Mandate usage of [Bring your own DNS resolver IP addresses](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#bring-your-own-dns-resolver-ip) if available on the account. 
-- Require source network filtering for IPv4/IPv6/DoT endpoints; token authentication or source network filtering for the DoH endpoint.​ +- Require source network filtering for IPv4/IPv6/DoT endpoints; token authentication or source network filtering for the DoH endpoint. You can assign the new role via Cloudflare Dashboard (`Manage Accounts > Members`) or via API. For more information, refer to the [Secure DNS Locations documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/agentless/dns/locations/#secure-dns-locations). - - diff --git a/src/content/changelog/gateway/2025-04-11-http-redirect-custom-block-page-redirect.mdx b/src/content/changelog/gateway/2025-04-11-http-redirect-custom-block-page-redirect.mdx new file mode 100644 index 000000000000000..be391583db64f20 --- /dev/null +++ b/src/content/changelog/gateway/2025-04-11-http-redirect-custom-block-page-redirect.mdx 
@@ -0,0 +1,15 @@ +--- +title: HTTP redirect and custom block page redirect +description: Redirect traffic with a Gateway HTTP Redirect policy, or with the block page in an HTTP or DNS Block policy. +date: 2025-04-11T16:30:00Z +products: + - gateway +hidden: false +--- + +You can now use more flexible redirect capabilities in Cloudflare One with Gateway. + +- A new **Redirect** action is available in the HTTP policy builder, allowing admins to redirect users to any URL when their request matches a policy. You can choose to preserve the original URL and query string, and optionally include policy context via query parameters. +- For **Block** actions, admins can now configure a custom URL to display when access is denied. This block page redirect is set at the account level and can be overridden in DNS or HTTP policies. Policy context can also be passed along in the URL. + +Learn more in our documentation for [HTTP Redirect](/cloudflare-one/policies/gateway/http-policies/#redirect) and [Block page redirect](/cloudflare-one/policies/gateway/block-page/#redirect-to-a-block-page). diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx index 7b3f599e084c18b..421ea08592a3a64 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx 
@@ -269,7 +269,7 @@ curl --silent "https://.cloudflare-gateway.com/dns-query?name=exampl --header "CF-Authorization: " | jq ``` -If the site is blocked and you have enabled [**Display block page**](/cloudflare-one/policies/gateway/block-page/#turn-on-the-block-page) for the policy, the query will return `162.159.36.12` (the IP address of the Gateway block page). If the block page is disabled, the response will be `0.0.0.0`. +If the site is blocked and you have turned on the [block page](/cloudflare-one/policies/gateway/block-page/#configure-policy-block-behavior) for the policy, the query will return `162.159.36.12` (the IP address of the Gateway block page). If the block page is disabled, the response will be `0.0.0.0`.
diff --git a/src/content/docs/cloudflare-one/faq/getting-started-faq.mdx b/src/content/docs/cloudflare-one/faq/getting-started-faq.mdx index a690a854af50cc9..5fb066d0d5499a5 100644 --- a/src/content/docs/cloudflare-one/faq/getting-started-faq.mdx +++ b/src/content/docs/cloudflare-one/faq/getting-started-faq.mdx @@ -36,10 +36,10 @@ After changing your team name, you will need to check your Block page, Login pag To verify that your team name change is successfully rendering on the Block page, Login page and App Launcher: 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Custom Pages**. -2. Find the **Block page** and **Login page** > select **Customize** next to the page you would like to review first. +2. Find the **Account Gateway block page** and **Login page** sections, then select **Customize** next to the page you would like to review first. 3. Review that the value in **Your Organization's name** matches your new team name. 4. If the desired name is not already displayed, change the value to your desired team name and select **Save**. -5. Check both pages (**Block page** and **Login page**) to set **Your Organization's name** as your desired team name. +5. Check both pages (**Account Gateway block page** and **Login page**) to set **Your Organization's name** as your desired team name. The App Launcher will display the same team name set on the Login page, so you do not need to update the **Your Organization's name** field in the App Launcher page. diff --git a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx index 56e44df0b2510f7..ff6a7e0bee096ee 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx 
@@ -5,47 +5,67 @@ sidebar: order: 14 --- -import { Render } from "~/components"; +import { Render, Tabs, TabItem } from "~/components"; -Gateway responds to any domain blocked at the DNS level with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, and does not return that blocked domain's IP address. As a result, the browser will show a browser default error page, and users will not be able to reach that website. This may cause confusion and lead some users to think that their Internet connection is not working. +When Gateway blocks traffic with a [DNS](/cloudflare-one/policies/gateway/dns-policies/#block) or [HTTP Block policy](/cloudflare-one/policies/gateway/http-policies/#block), you can configure a block page to display in your users' browsers. You can provide a descriptive reason for blocking traffic and contact information, or you can redirect your users' browsers to another page. You can apply these customizations globally for every Block policy, or override the settings on a per-policy basis. -Configuring a custom block page in Zero Trust helps avoid this confusion. Your block page will display information such as the rule ID of the policy blocking the website, a policy-specific block message, your organization's name, and a global message you may want to show — for example, a message explaining that the website has been blocked by Gateway and providing any points of contact for support within the organization. +## Prerequisites -Gateway supports custom block pages for DNS and HTTP policies. +In order to display the block page as the URL of the blocked domain, your organization's devices must have a [Cloudflare certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/) installed. Enterprise users can also [deploy their own root CA certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/). 
If you do not install a certificate, the block page [will not display correctly](#certificate-error). -:::caution[Default Cloudflare certificate expiring] -The default Cloudflare root certificate expires on 2025-02-02. +## Configure the block page -If your organization is still using the default Cloudflare certificate, you will need to use a new certificate to display the block page. For more information, refer to [User-side certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/) or [Troubleshooting](/cloudflare-one/faq/troubleshooting/#as-of-february-2-2025-my-end-user-devices-browser-is-returning-a-your-connection-is-not-private-warning). -::: +Gateway will display a global block page in the browser of any user whose traffic is blocked. By default, Gateway will display the block page for any DNS Block policies you turn it on for and all HTTP Block policies. You can [turn on or override the global setting](#configure-policy-block-behavior) on a per-policy basis. -## Prerequisites +To configure the global block page: -In order to display the block page as the URL of the blocked domain, your devices must have a [Cloudflare certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/) installed. Enterprise users can also [deploy their own root CA certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/). If you do not install a certificate, the block page [will not display correctly](#certificate-error). +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Custom Pages**. +2. Under **Account Gateway block page**, Gateway will display the current block page setting. Select **Customize**. +3. Choose whether to use the [default Gateway block page](#use-the-default-block-page), a [URL redirect](#redirect-to-a-block-page), or a [custom Gateway block page](#customize-the-block-page). +4. Select **Save**. 
-## Turn on the block page +### Use the default block page -For all HTTP Block policies, Gateway automatically displays a generic Cloudflare block page. For DNS Block policies, you will need to turn on the block page on a per-policy basis. +When you choose **Default Gateway block page**, Gateway will display a [block page hosted by Cloudflare](https://blocked.teams.cloudflare.com/). This is the default option for all traffic blocked by Gateway. -To turn on the block page and specify a custom block message: +### Redirect to a block page - **Firewall policies** > **DNS** or **Gateway** > **Firewall policies** > **HTTP**", - }} -/> +Instead of displaying the Cloudflare block page, you can configure Gateway to return a `307` (Temporary Redirect) HTTP response code and redirect to a custom URL. + +To redirect users to a non-Cloudflare block page: + +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Custom Pages**. +2. Under **Account Gateway block page**, select **Customize**. +3. Choose **URL redirect** +4. Enter the URL you want to redirect blocked traffic to. +5. (Optional) Turn on **Send policy context** to send [additional policy context](#policy-context) to the redirected URL. +6. Select **Save**. -## Customize the block page +Gateway will now redirect users to a custom page when user traffic matches a Block policy with the block page configured. + +To create an HTTP policy to redirect URLs, refer to the [Redirect action](/cloudflare-one/policies/gateway/http-policies/#redirect). + +#### Policy context + + + +#### Redirect precedence + +Paths and queries in the redirect URL take precedence over the original URL. When you turn on **Send policy context**, Gateway will append context to the end of the redirected URL. 
For example, if the original URL is `example.com/path/to/page?querystring=X&k=1` and the redirect URL is `cloudflare.com/redirect-path?querystring=Y`, Gateway will redirect requests to: + +```txt ins="&user_email=user@example.com" +cloudflare.com/redirect-path?querystring=Y&user_email=user@example.com +``` + +### Customize the block page -### Add a logo image +#### Add a logo image -### Allow users to email an administrator +#### Allow users to email an administrator You can add a Mailto link to your custom block page, which allows users to directly email you about the blocked site. When users select **Contact your Administrator** on your block page, an email template opens with the email address and subject line you configure, as well as the following diagnostic information: @@ -59,6 +79,39 @@ You can add a Mailto link to your custom block page, which allows users to direc | Device ID | The ID of the device that visited the page. This is generated by the WARP client. | | Block Reason | Your policy-specific block message. | +## Configure policy block behavior + +For DNS Block policies, you will need to turn on the block page for each policy you want to display it. For HTTP Block policies, Gateway automatically displays your global block page setting by default. You can override your global block page setting for both policy types within each policy's settings. + +To turn on the block page or override your global block page setting for an individual policy: + + + + + + **Firewall policies** > **DNS**", + blockBehaviorAction: "turn on", + }} +/> + + + + + **Firewall policies** > **HTTP**", + blockBehaviorAction: "go to", + }} +/> + + + + + ## Limitations ### Certificate error diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index 07cef2adcbd1af0..b782ba821afed33 100644 
--- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx @@ -82,8 +82,8 @@ With the [Request Context Categories](/cloudflare-one/policies/gateway/dns-polic -| Selector | Operator | Value | Action | -| ------------------------ | -------- | ------- | ------ | +| Selector | Operator | Value | Action | +| ------------------------ | -------- | --------- | ------ | | Request Context Category | is | _Present_ | Block | @@ -485,7 +485,7 @@ Enterprise users can pair these policies with an [egress policy](/cloudflare-one Optionally, you can use the Domain selector to control the IP version for specific sites. :::note -To ensure traffic routes through your preferred IP version, disable **Display block page**. +To ensure traffic routes through your preferred IP version, turn off **Modify Gateway block behavior**. ::: ### Force IPv4 diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx index add8e649db2f16f..ecf8c3cceeb562c 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx 
@@ -140,11 +140,17 @@ Policies with Block actions block DNS queries to reach destinations you specify #### Custom block page -When choosing the Block action, turn on **Display custom block page** to respond to queries with a block page and to specify the message you want to display to users who go to blocked websites. If the block page is disabled, Gateway will respond to blocked queries with an `A` record of `0.0.0.0` for IPv4 destinations, or with an `AAAA` record of `::` for IPv6 destinations. For more information, refer to the dedicated documentation on [customizing the block page](/cloudflare-one/policies/gateway/block-page/). +When choosing the Block action, turn on **Modify Gateway block behavior** to respond to queries with a block page to display to users who go to blocked websites. Optionally, you can override your global block page setting with a URL redirect for the specific DNS policy. For more information, refer to [Block page](/cloudflare-one/policies/gateway/block-page/). + +If the block page is turned off for a policy, Gateway will respond to queries blocked at the DNS level with an `A` record of `0.0.0.0` for IPv4 destinations, or with an `AAAA` record of `::` for IPv6 destinations. The browser will display its default connection error page. #### WARP client block notifications - + ### Override diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/test-dns-filtering.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/test-dns-filtering.mdx index 4bcad30dbe5a2d3..11a904d0de8034c 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/test-dns-filtering.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/test-dns-filtering.mdx 
@@ -23,7 +23,7 @@ For example, if you created a policy to block `example.com`, you can do the foll 2. Type `dig example.com` (`nslookup example.com` if you are using Windows) and press **Enter**. -3. If the [block page](/cloudflare-one/policies/gateway/block-page/) is disabled for the policy, you should see `REFUSED` in the answer section: +3. If the [block page](/cloudflare-one/policies/gateway/block-page/) is turned off for the policy, you should see `REFUSED` in the answer section: ```sh dig example.com diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/antivirus-scanning.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/antivirus-scanning.mdx index 20afe76eae36396..cddbe01a88d9a07 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/antivirus-scanning.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/antivirus-scanning.mdx @@ -18,9 +18,18 @@ To turn on AV scanning: 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network**. 2. In **Firewall**, turn on **AV inspection**. 3. Choose whether to scan files for malicious payloads during uploads, downloads, or both. You can also block requests containing [non-scannable files](#non-scannable-files). +4. (Optional) Turn on **Display AV block notification for WARP Client** to send [block notifications](#warp-client-block-notifications) to users connected to Gateway with the WARP Client when AV inspection blocks a file. When a request is blocked due to the presence of malware, Gateway will log the match as a Block decision in your [HTTP logs](/cloudflare-one/insights/logs/gateway-logs/#http-logs). +### WARP client block notifications + + + ## File scan criteria If AV scanning is turned on, Gateway will use the following criteria to determine whether a file is present in a request or response, and whether to scan that file. The first match will result in the file being scanned. 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx index 38adf05b92023a4..5e30a831aa3b644 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx @@ -38,48 +38,7 @@ API value: `allow`
-**Traffic** - -- [Access Infrastructure Target](#access-infrastructure-target) -- [Access Private App](#access-private-app) -- [Application](#application) -- [Content Categories](#content-categories) -- [Destination Continent IP Geolocation](#destination-continent) -- [Destination Country IP Geolocation](#destination-country) -- [Destination IP](#destination-ip) -- [DLP Profile](#dlp-profile) -- [Domain](#domain) -- [Download File Types](#download-and-upload-file-types) -- [Download Mime Type](#download-and-upload-mime-type) -- [Host](#host) -- [HTTP Method](#http-method) -- [HTTP Response](#http-response) -- [Proxy Endpoint](#proxy-endpoint) -- [Security Risks](#security-risks) -- [Source Continent IP Geolocation](#source-continent) -- [Source Country IP Geolocation](#source-country) -- [Source Internal IP](#source-internal-ip) -- [Source IP](#source-ip) -- [Upload File Types](#download-and-upload-file-types) -- [Upload Mime Type](#download-and-upload-mime-type) -- [URL](#url) -- [URL Path](#url-path) -- [URL Path & Query](#url-path-and-query) -- [URL Query](#url-query) -- [Virtual Network](#virtual-network) - -**Identity** - -- [SAML Attributes](#users) -- [User Email](#users) -- [User Group Emails](#users) -- [User Group IDs](#users) -- [User Group Names](#users) -- [User Name](#users) - -**Device Posture** - -- [Passed Device Posture Checks](#device-posture) +
@@ -105,30 +64,48 @@ API value: `block`
+ + +
+ +The Block action blocks outbound traffic from reaching destinations you specify within the [Selectors](#selectors) and [Value](#value) fields. For example, the following configuration blocks users from being able to upload any file type to Google Drive: + +| Selector | Operator | Value | Logic | Action | +| ---------------- | ------------- | -------------- | ----- | ------ | +| Application | in | `Google Drive` | And | Block | +| Upload Mime Type | matches regex | `.*` | | | + +#### WARP client block notifications + + + +### Redirect + +API value: `redirect` + +
+ **Traffic** - [Access Infrastructure Target](#access-infrastructure-target) -- [Access Private App](#access-private-app) - [Application](#application) - [Content Categories](#content-categories) - [Destination Continent IP Geolocation](#destination-continent) - [Destination Country IP Geolocation](#destination-country) - [Destination IP](#destination-ip) -- [DLP Profile](#dlp-profile) - [Domain](#domain) -- [Download File Types](#download-and-upload-file-types) -- [Download Mime Type](#download-and-upload-mime-type) - [Host](#host) - [HTTP Method](#http-method) -- [HTTP Response](#http-response) - [Proxy Endpoint](#proxy-endpoint) - [Security Risks](#security-risks) - [Source Continent IP Geolocation](#source-continent) - [Source Country IP Geolocation](#source-country) - [Source Internal IP](#source-internal-ip) - [Source IP](#source-ip) -- [Upload File Types](#download-and-upload-file-types) -- [Upload Mime Type](#download-and-upload-mime-type) - [URL](#url) - [URL Path](#url-path) - [URL Path & Query](#url-path-and-query) @@ -150,16 +127,27 @@ API value: `block`
-The Block action blocks outbound traffic from reaching destinations you specify within the [Selectors](#selectors) and [Value](#value) fields. For example, the following configuration blocks users from being able to upload any file type to Google Drive: +The Redirect action allows you to redirect matched HTTP requests to a different URL you specify. For example, if your users browse to the public web page of a SaaS app, you can redirect them to your own self-hosted instance, a single sign-on page, or an internal policy page. -| Selector | Operator | Value | Logic | Action | -| ---------------- | ------------- | -------------- | ----- | ------ | -| Application | in | `Google Drive` | And | Block | -| Upload Mime Type | matches regex | `.*` | | | +To redirect URLs with a Block action and the block page, refer to [Redirect to a block page](/cloudflare-one/policies/gateway/block-page/#redirect-to-a-block-page). -#### WARP client block notifications +#### Policy settings + +In **Policy URL redirect**, you can define what URL to redirect matched requests to. The redirect URL can contain paths and queries. For example, you can redirect `example.com` to `cloudflare.com/path/to/page?querystring=x`. - + + +When you turn on **Preserve original path and query string**, Gateway will append the original path and query string to the redirected URL. Paths and queries in the redirect URL take precedence over the original URL. For example, if the original URL is `example.com/path/to/page?querystring=X` and the redirect URL is `cloudflare.com/redirect-path?querystring=Y`, Gateway will redirect requests to: + +```txt "cloudflare.com/redirect-path" "?querystring=Y" +cloudflare.com/redirect-path/path/to/page?querystring=Y +``` + +When you turn on both options, Gateway will preserve the original path and query string, then append context policy to the end of the redirect URL. 
For example, if the original URL is `example.com/path/to/page?querystring=X&k=1` and the redirect URL is `cloudflare.com/redirect-path?querystring=Y`, Gateway will redirect requests to: + +```txt "cloudflare.com/redirect-path" "?querystring=Y" ins="&user_email=user@example.com" +cloudflare.com/redirect-path/path/to/page?querystring=Y&k=1&user_email=user@example.com +``` ### Isolate @@ -199,9 +187,9 @@ API value: `isolate` The Isolate action serves matched traffic to users via [Cloudflare Browser Isolation](/cloudflare-one/policies/browser-isolation/). For more information on this action, refer to [Isolation policies](/cloudflare-one/policies/browser-isolation/isolation-policies/#isolate). -### Do Not Isolate +### Do Not Inspect -API value: `noisolate` +API value: `off`
@@ -209,16 +197,18 @@ API value: `noisolate` - [Application](#application) - [Content Categories](#content-categories) +- [Destination Continent IP Geolocation](#destination-continent) +- [Destination Country IP Geolocation](#destination-country) +- [Destination IP](#destination-ip) - [Domain](#domain) - [Host](#host) -- [HTTP Method](#http-method) +- [Proxy Endpoint](#proxy-endpoint) - [Security Risks](#security-risks) - [Source Continent IP Geolocation](#source-continent) - [Source Country IP Geolocation](#source-country) -- [URL](#url) -- [URL Path](#url-path) -- [URL Path & Query](#url-path-and-query) -- [URL Query](#url-query) +- [Source Internal IP](#source-internal-ip) +- [Source IP](#source-ip) +- [Virtual Network](#virtual-network) **Identity** @@ -235,11 +225,21 @@ API value: `noisolate`
-The Do Not Isolate action turns off browser isolation for matched traffic. For more information on this action, refer to [Isolation policies](/cloudflare-one/policies/browser-isolation/isolation-policies/#do-not-isolate). +:::caution[Visibility limitation] -### Do Not Inspect +When you create a Do Not Inspect policy for a given hostname, application, or app type, you will lose the ability to log or block HTTP requests, apply DLP policies, and perform AV scanning. -API value: `off` +Information contained within HTTPS encryption, such as the full requested URL, will not be visible if it bypasses Gateway inspection. However, you can still apply [network policies](/cloudflare-one/policies/gateway/network-policies/) to this traffic. For more information, refer to [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/). + +::: + +Do Not Inspect lets you bypass certain elements from inspection. To prevent Gateway from decrypting and inspecting HTTPS traffic, your policy must match against the Server Name Indicator (SNI) in the TLS header. When accessing a Do Not Inspect site in the browser, your browser may display a **Your connection is not private** warning, which you can proceed through to connect. For more information about applications which may require a Do Not Inspect policy, refer to [TLS decryption limitations](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations). + +All Do Not Inspect rules are evaluated first, before any Allow or Block rules, to determine if inspection should occur. For more information, refer to [Order of enforcement](/cloudflare-one/policies/gateway/order-of-enforcement/#http-policies). + +### Do Not Isolate + +API value: `noisolate`
@@ -247,18 +247,16 @@ API value: `off` - [Application](#application) - [Content Categories](#content-categories) -- [Destination Continent IP Geolocation](#destination-continent) -- [Destination Country IP Geolocation](#destination-country) -- [Destination IP](#destination-ip) - [Domain](#domain) - [Host](#host) -- [Proxy Endpoint](#proxy-endpoint) +- [HTTP Method](#http-method) - [Security Risks](#security-risks) - [Source Continent IP Geolocation](#source-continent) - [Source Country IP Geolocation](#source-country) -- [Source Internal IP](#source-internal-ip) -- [Source IP](#source-ip) -- [Virtual Network](#virtual-network) +- [URL](#url) +- [URL Path](#url-path) +- [URL Path & Query](#url-path-and-query) +- [URL Query](#url-query) **Identity** @@ -275,17 +273,7 @@ API value: `off`
-:::caution[Visibility limitation] - -When you create a Do Not Inspect policy for a given hostname, application, or app type, you will lose the ability to log or block HTTP requests, apply DLP policies, and perform AV scanning. - -Information contained within HTTPS encryption, such as the full requested URL, will not be visible if it bypasses Gateway inspection. However, you can still apply [network policies](/cloudflare-one/policies/gateway/network-policies/) to this traffic. For more information, refer to [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/). - -::: - -Do Not Inspect lets you bypass certain elements from inspection. To prevent Gateway from decrypting and inspecting HTTPS traffic, your policy must match against the Server Name Indicator (SNI) in the TLS header. When accessing a Do Not Inspect site in the browser, your browser may display a **Your connection is not private** warning, which you can proceed through to connect. For more information about applications which may require a Do Not Inspect policy, refer to [TLS decryption limitations](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations). - -All Do Not Inspect rules are evaluated first, before any Allow or Block rules, to determine if inspection should occur. For more information, refer to [Order of enforcement](/cloudflare-one/policies/gateway/order-of-enforcement/#http-policies). +The Do Not Isolate action turns off browser isolation for matched traffic. For more information on this action, refer to [Isolation policies](/cloudflare-one/policies/browser-isolation/isolation-policies/#do-not-isolate). ### Do Not Scan @@ -637,9 +625,9 @@ The country of the user making the request. + ### Network Override diff --git a/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-block-pages.mdx b/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-block-pages.mdx index 8c3cdb9229956f6..711fc9fe2dd67ff 100644 
--- a/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-block-pages.mdx +++ b/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-block-pages.mdx @@ -16,6 +16,7 @@ For DNS policies, you will need to enable the block page on a per-policy basis. product="cloudflare-one" params={{ firewallPolicyPath: "**Gateway** > **Firewall policies** > **DNS**", + blockBehaviorAction: "turn on", }} /> diff --git a/src/content/docs/learning-paths/cybersafe/gateway-onboarding/index.mdx b/src/content/docs/learning-paths/cybersafe/gateway-onboarding/index.mdx index 3e5a7fa984c61a1..414d513ecbd6aea 100644 --- a/src/content/docs/learning-paths/cybersafe/gateway-onboarding/index.mdx +++ b/src/content/docs/learning-paths/cybersafe/gateway-onboarding/index.mdx @@ -3,7 +3,6 @@ title: Onboarding Cloudflare Gateway pcx_content_type: overview sidebar: order: 4 - --- Now that your Cloudflare environment is ready and you have established a foundation of the technical concepts behind Project Cybersafe Schools, you are ready to test and onboard your DNS traffic. @@ -12,9 +11,9 @@ Now that your Cloudflare environment is ready and you have established a foundat By the end of this module, you will be able to: -* Explain the different methods to proxy your traffic to Gateway. -* Create a Gateway location and understand its purpose. -* Verify your Gateway environment by proxing local DNS traffic. -* Create a test policy to validate functionality. -* Deploy Cloudflare’s recommended CIPA rule. -* Customize the block page to ensure a seamless look and feel. +- Explain the different methods to proxy your traffic to Gateway. +- Create a Gateway location and understand its purpose. +- Verify your Gateway environment by proxing local DNS traffic. +- Create a test policy to validate functionality. +- Deploy Cloudflare's recommended CIPA rule. +- Customize the block page to ensure a seamless look and feel. 
diff --git a/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx b/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx index fd32374b97a2a6b..6105768e0e1005b 100644 --- a/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx +++ b/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx @@ -21,7 +21,6 @@ You can display a custom block page in the browser when users are blocked by a G The custom block page has a few drawbacks: - To display the block page, you must install a [user-side certificate](/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption/#configure-user-side-certificates) on the end user device. -- You cannot customize the block message for individual DNS policies. - The block page does not appear when users are blocked by a Gateway network policy. - The custom block page only displays when the user loads a site in a browser. If, for instance, the user is allowed to visit a site but not allowed to upload a file, the file upload would fail silently and the user would not get a block page. @@ -41,7 +40,9 @@ For DNS policies, you will need to enable the block page on a per-policy basis. product="cloudflare-one" params={{ firewallPolicyPath: "**Gateway** > **Firewall policies** > **DNS**", - }} + blockBehaviorAction: "turn on", + }} + /> ### Customize the block page diff --git a/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx b/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx index 5e64456d4d0f620..eee0790bba71cb3 100644 --- a/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx +++ b/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx 
@@ -33,7 +33,7 @@ To distinguish queries originating from the service provider from those coming f If stable and defined source IPv4 addresses cannot be assigned to the on-premises DNS servers, service providers can instead use unique destination location endpoints. Each location is assigned a distinct [DoT](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#dns-over-tls-dot) and [DoH](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#dns-over-https-doh) hostname, as well as a unique [destination IPv6 address](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#ipv4ipv6-address). Additionally, Cloudflare can provide unique [destination IPv4 addresses upon request](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#dns-resolver-ip). ::: -DNS filtering is then enforced through DNS policies set up by the service provider to detect domains linked to [security risks](/cloudflare-one/policies/gateway/domain-categories/#security-categories). Cloudflare continuously updates the list of risky domains using [its extensive threat intelligence](https://www.cloudflare.com/en-gb/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/policies/gateway/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/policies/gateway/block-page/). Alternatively, an `[Override](/cloudflare-one/policies/gateway/dns-policies/#override)` action can redirect the DNS query to a block page hosted by the service provider. +DNS filtering is then enforced through DNS policies set up by the service provider to detect domains linked to [security risks](/cloudflare-one/policies/gateway/domain-categories/#security-categories). 
Cloudflare continuously updates the list of risky domains using [its extensive threat intelligence](https://www.cloudflare.com/en-gb/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/policies/gateway/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/policies/gateway/block-page/). Alternatively, an `[Override](/cloudflare-one/policies/gateway/dns-policies/#override)` action or [block page URL redirect](/cloudflare-one/policies/gateway/block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the service provider. ![Figure 2: A DNS policy to prevent users from navigating to malicious domains. The action is to override and redirect the DNS query to a block page hosted by the service provider.](~/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-02.svg) diff --git a/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx b/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx index 6346f398a1dce5c..4ee574b8cbff709 100644 --- a/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx +++ b/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx 
@@ -29,7 +29,7 @@ IT administrators forward public DNS requests to Cloudflare where they are filte To distinguish queries originating from the government departments and agencies they are responsible for, admins configure a location in the Cloudflare dashboard. When a DNS location is created, Gateway assigns IPv4/IPv6 addresses and DNS over TLS/HTTPS (DoT/DoH) hostnames for that location. These IP addresses and hostnames are then used by the admins to send DNS queries for resolution. In turn, the administrator configures the location object with the public IP addresses of their on-premises DNS servers, allowing Cloudflare to accurately associate queries with the corresponding location. -DNS filtering is then enforced through policies set up by the administrator to detect domains linked to [security risks](/cloudflare-one/policies/gateway/domain-categories/#security-categories). Cloudflare continuously updates the list of high risk domains using [its extensive threat intelligence](https://www.cloudflare.com/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/policies/gateway/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/policies/gateway/block-page/). Alternatively, an [Override](/cloudflare-one/policies/gateway/dns-policies/#override) action can redirect the DNS query to a block page hosted by the government agency. +DNS filtering is then enforced through policies set up by the administrator to detect domains linked to [security risks](/cloudflare-one/policies/gateway/domain-categories/#security-categories). Cloudflare continuously updates the list of high risk domains using [its extensive threat intelligence](https://www.cloudflare.com/security/). 
When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/policies/gateway/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/policies/gateway/block-page/). Alternatively, an [Override](/cloudflare-one/policies/gateway/dns-policies/#override) action or [block page URL redirect](/cloudflare-one/policies/gateway/block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the government agency. Cloudflare's own threat intelligence can be seamlessly integrated with threat intelligence data provided by the agency or third-party sources. In this setup, the agency or the third-party entity acts as a [threat feed provider](/security-center/indicator-feeds/) to Cloudflare. This enables IT admins to create DNS policies that combine Cloudflare's security risk categories with the data sourced by the agency, for a unified and enhanced security posture (see diagram below). Additionally, [publicly available custom indicator feeds](/security-center/indicator-feeds/#publicly-available-feeds) can be accessed by eligible public and private sector organizations without the need to establish a provider relationship, further expanding security capabilities. 
@@ -78,6 +78,7 @@ When inspecting HTTP traffic, Cloudflare prevents interference by decrypting, in ### Threat protection When Cloudflare Gateway is performing HTTP inspection, it extends protection beyond DNS security by enabling additional capabilities to safeguard users as they browse the Internet: + - **Anti-virus scanning (AV):** Users are protected when downloading or uploading files to or from the Internet. [Files are scanned](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/) in real time to detect malicious content. - **Sandboxing:** For files not previously seen, Cloudflare Gateway can [quarantine them in a secure sandbox environment for analysis](/cloudflare-one/policies/gateway/http-policies/file-sandboxing/). In this sandbox, Cloudflare monitors the file's actions and compares them against known malware patterns. Files are only released to users if no malicious content is detected. - **Remote Browser Isolation (RBI):** [Isolation policies](/cloudflare-one/policies/browser-isolation/) can be configured to safeguard users when accessing potentially risky websites. For example, [if a user attempts to visit a newly seen domain that triggers an isolation policy](/cloudflare-one/policies/browser-isolation/isolation-policies/), the website's active content is executed in a secure, isolated browser hosted in the nearest Cloudflare data center. This ensures that zero-day attacks and malware are mitigated before they can impact the user. This remote browsing experience is seamless and transparent, allowing users to continue using their preferred browsers and workflows. Every browser tab and window is automatically isolated, and sessions are deleted when closed. 
@@ -85,6 +86,7 @@ When Cloudflare Gateway is performing HTTP inspection, it extends protection bey ### Data protection In addition to threat protection, Cloudflare Gateway enables the implementation of robust data protection policies during HTTP inspection, including: + - **File upload controls:** Administrators can enforce policies that monitor and [restrict file uploads](/cloudflare-one/policies/gateway/http-policies/#download-and-upload-file-types) to the Internet, preventing the inadvertent sharing of sensitive data. - **Data Loss Prevention (DLP):** [DLP policies](/cloudflare-one/policies/data-loss-prevention/) can be deployed to identify and block unauthorized sharing of confidential or classified information. For more details, see [securing data in transit](/reference-architecture/diagrams/security/securing-data-in-transit/). - **Remote Browser Isolation (RBI):** Beyond threat protection, [isolation policies](/cloudflare-one/policies/browser-isolation/) can enforce [user action restrictions](/cloudflare-one/policies/browser-isolation/isolation-policies/#policy-settings), such as disabling copy/paste functionality or keyboard inputs, to safeguard sensitive information. For additional information, refer to [securing data in use](/reference-architecture/diagrams/security/securing-data-in-use/). diff --git a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx index d2b3387108f4ef7..d9328788b76109a 100644 --- a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx +++ b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx 
@@ -59,7 +59,7 @@ The following diagram shows a common flow for how Cloudflare inspects a request 1. User attempts to upload a file to a SaaS application (via a secure tunnel to Cloudflare created by our [device agent](/cloudflare-one/connections/connect-devices/warp/download-warp/)). [Clientless](/cloudflare-one/connections/connect-devices/agentless/) options are supported as well. 2. Cloudflare's [Secure Web Gateway](/cloudflare-one/policies/gateway/) (SWG) will first verify that the user is permitted to use the requested SaaS application, and then scrutinize the file's payload for [malicious code](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/) and [sensitive data](/cloudflare-one/policies/data-loss-prevention/). 3. The DLP profile determines the file contains national identifiers like US Social Security Numbers (SSN). -4. The SWG policy is configured with a ['block' action](/cloudflare-one/policies/gateway/http-policies/#block), so the attempt is [logged](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules) and a [block page](/cloudflare-one/policies/gateway/block-page/) returned to the end user's web browser. +4. The Gateway policy is configured with a [Block action](/cloudflare-one/policies/gateway/http-policies/#block), so the attempt is [logged](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules) and a [block page](/cloudflare-one/policies/gateway/block-page/) returned to the end user's web browser. ## Related resources diff --git a/src/content/partials/cloudflare-one/gateway/add-block-page.mdx b/src/content/partials/cloudflare-one/gateway/add-block-page.mdx index d79eed131196332..a07640b5deb11f0 100644 --- a/src/content/partials/cloudflare-one/gateway/add-block-page.mdx +++ b/src/content/partials/cloudflare-one/gateway/add-block-page.mdx 
@@ -1,14 +1,18 @@ --- params: - firewallPolicyPath + - blockBehaviorAction --- import { Markdown } from "~/components"; 1. In [Zero Trust](https://one.dash.cloudflare.com), go to . -2. Find the policy you want to customize and select **Edit**. You can only edit the block page for policies with a Block action. -3. Under **Configure policy settings**, go to **Display block page**. Choose _Show a custom message_. -4. In **Custom message**, enter a block message to show users. -5. Select **Save policy**. +2. Select **Add a policy** to create a new policy, or choose the policy you want to customize and select **Edit**. You can only edit the block page for policies with a Block action. +3. Under **Configure policy settings**, {props.blockBehaviorAction} **Modify Gateway block behavior**. +4. Choose your block behavior: + - **Use account-level block setting**: Use the global block page setting configured in your account settings. The global setting can be the default Gateway block page, an [HTTP redirect](/cloudflare-one/policies/gateway/block-page/#redirect-to-a-block-page), or a [custom Gateway block page](/cloudflare-one/policies/gateway/block-page/#customize-the-block-page). + - **Override account setting with URL redirect**: Redirect users with a `307` HTTP redirect to a URL you specify on a policy level. +5. (Optional) If your account-level block page setting uses a custom Gateway block page, you can turn on **Add an additional message to your custom block page when traffic matches this policy** to add a custom message to your custom block page when traffic is blocked by this policy. This option will replace the **Message** field. +6. Select **Save policy**. -Gateway will display a custom message in your users' browsers when they are blocked by this policy. +Depending on your settings, Gateway will display a block page in your users' browsers or redirect them to a specified URL when they are blocked by this policy. 
diff --git a/src/content/partials/cloudflare-one/gateway/client-notifications.mdx b/src/content/partials/cloudflare-one/gateway/client-notifications.mdx index 045fa2dcf190588..97de6d2b4972b13 100644 --- a/src/content/partials/cloudflare-one/gateway/client-notifications.mdx +++ b/src/content/partials/cloudflare-one/gateway/client-notifications.mdx @@ -1,8 +1,9 @@ --- -{} +params: + - toggleName --- -import { Details, Render } from "~/components"; +import { Details, Render, Markdown } from "~/components";
@@ -21,8 +22,10 @@ import { Details, Render } from "~/components";
-Turn on **Display block notification for WARP client** to display notifications for Gateway block events. Blocked users will receive an operating system notification from the WARP client with a custom message you set. If you do not set a custom message, the WARP client will display a default message. Custom messages must be 100 characters or less. WARP will only display one notification per minute. +Turn on to display notifications for Gateway block events. Blocked users will receive an operating system notification from the WARP client with a custom message you set. If you do not set a custom message, the WARP client will display a default message. Custom messages must be 100 characters or less. WARP will only display one notification per minute. -Upon selecting the notification, WARP will direct your users to a block page. Optionally, you can direct users to a custom URL, such as an internal support form. +Upon selecting the notification, WARP will direct your users to the [Gateway block page](/cloudflare-one/policies/gateway/block-page/) you have configured. Optionally, you can direct users to a custom URL, such as an internal support form. + + diff --git a/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx b/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx index 19b16fd1b0c7cfb..902431b8c30818d 100644 --- a/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx +++ b/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx 
@@ -2,23 +2,19 @@ {} --- -You can customize the block page by making global changes that will show up every time a user visits a block page, independently of the type of rule (DNS or HTTP) that is blocking the website. +You can customize the Cloudflare-hosted block page by making global changes that Gateway will display every time a user reaches your block page. Customizations will apply regardless of the type of policy (DNS or HTTP) that blocks the traffic. -To apply customizations to your block page: +To customize your block page: 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Custom Pages**. - -2. Under **Block page**, turn on **Use the customized block page over Cloudflare's default**. - -3. Select **Customize**. Available global customizations include: - - - Adding your organization's name - - Adding a [logo](/cloudflare-one/policies/gateway/block-page/#add-a-logo-image) - - Adding a header text - - Adding a global block message, which will be displayed above the policy-specific block message - - Adding a [Mailto link](/cloudflare-one/policies/gateway/block-page/#allow-users-to-email-an-administrator) - - Choosing a background color - +2. Under **Account Gateway block page**, select **Customize**. +3. Choose **Custom Gateway block page**. Gateway will display a preview of your custom block page. Available customizations include: + - Your organization's name + - [Logo](/cloudflare-one/policies/gateway/block-page/#add-a-logo-image) + - Header text + - Global block message, which will be displayed above the policy-specific block message + - [Mailto link](/cloudflare-one/policies/gateway/block-page/#allow-users-to-email-an-administrator) + - Background color 4. Select **Save**. -Users will now get a custom block page when visiting a blocked website. +Gateway will now display a custom Gateway block page when your users visit a blocked website. 
diff --git a/src/content/partials/cloudflare-one/gateway/http-allow-block-selectors.mdx b/src/content/partials/cloudflare-one/gateway/http-allow-block-selectors.mdx new file mode 100644 index 000000000000000..c6d214491ae79e7 --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/http-allow-block-selectors.mdx @@ -0,0 +1,46 @@ +--- +{} +--- + +**Traffic** + +- [Access Infrastructure Target](#access-infrastructure-target) +- [Access Private App](#access-private-app) +- [Application](#application) +- [Content Categories](#content-categories) +- [Destination Continent IP Geolocation](#destination-continent) +- [Destination Country IP Geolocation](#destination-country) +- [Destination IP](#destination-ip) +- [DLP Profile](#dlp-profile) +- [Domain](#domain) +- [Download File Types](#download-and-upload-file-types) +- [Download Mime Type](#download-and-upload-mime-type) +- [Host](#host) +- [HTTP Method](#http-method) +- [HTTP Response](#http-response) +- [Proxy Endpoint](#proxy-endpoint) +- [Security Risks](#security-risks) +- [Source Continent IP Geolocation](#source-continent) +- [Source Country IP Geolocation](#source-country) +- [Source Internal IP](#source-internal-ip) +- [Source IP](#source-ip) +- [Upload File Types](#download-and-upload-file-types) +- [Upload Mime Type](#download-and-upload-mime-type) +- [URL](#url) +- [URL Path](#url-path) +- [URL Path & Query](#url-path-and-query) +- [URL Query](#url-query) +- [Virtual Network](#virtual-network) + +**Identity** + +- [SAML Attributes](#users) +- [User Email](#users) +- [User Group Emails](#users) +- [User Group IDs](#users) +- [User Group Names](#users) +- [User Name](#users) + +**Device Posture** + +- [Passed Device Posture Checks](#device-posture) diff --git a/src/content/partials/cloudflare-one/gateway/policy-context.mdx b/src/content/partials/cloudflare-one/gateway/policy-context.mdx new file mode 100644 index 000000000000000..e3b61f1e2595bb8 --- /dev/null 
+++ b/src/content/partials/cloudflare-one/gateway/policy-context.mdx @@ -0,0 +1,27 @@ +--- +{} +--- + +import { Details } from "~/components"; + +When you turn on **Send policy context**, Gateway will append details of the matching request to the redirected URL as a query string. Not every context field will be included. Potential policy context fields include: + +
+ +| Field | Definition | Example | +| --------------------- | ------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ | +| User email | Email of the user that made the query. | `&user_email=user@example.com` | +| Site URL | Full URL of the original HTTP request or domain name in DNS query. | `&site_uri=https%3A%2F%2Fmalware.testcategory.com%2F` | +| URL category | [Domain categories](/cloudflare-one/policies/gateway/domain-categories/) of the URL to be redirected. | `&request_categories=New%20Domains,Newly%20Seen%20Domains` | +| Original HTTP referer | For HTTP traffic, the original HTTP referer header of the HTTP request. | `&referer=https%3A%2F%2Fexample.com%2F` | +| Rule ID | ID of the Gateway policy that matched the request. | `&rule_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1` | +| Source IP | Source IP address of the device that matched the policy. | `&source_ip=203.0.113.5` | +| Device ID | UUID of the device that matched the policy. | `&device_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1` | +| Application names | Name of the application the redirected domain corresponds to, if any. | `&application_name=Salesforce` | +| Filter | The traffic type filter that triggered the block. | `&cf_filter=http`, `&cf_filter=dns`, `&cf_filter=av`, or `&cf_filter=l4` | +| Account ID | [Cloudflare account ID](/fundamentals/setup/find-account-and-zone-ids/) of the associated Zero Trust account. | `&account_id=d57c3de47a013c03ca7e237dd3e61d7d` | +| Query ID | ID of the DNS query for which the redirect took effect. | `&query_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3` | +| Connection ID | ID of the proxy connection for which the redirect took effect. | `&connection_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3` | +| Request ID | ID of the HTTP request for which the redirect took effect. | `&request_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3` | + +
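Review bot: the http-policies.mdx hunk (the first hunk on this page) deletes the whole Do Not Inspect block, including the Visibility limitation caution, the SNI-matching requirement and the order-of-enforcement note, and replaces it with a single Do Not Isolate sentence. If this is correcting text that sat under the wrong heading, confirm the removed content still exists under its own `### Do Not Inspect` heading in the file, because the caution that bypassed traffic loses HTTP logging, blocking, DLP and AV scanning is exactly what a reader needs before creating such a policy.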
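Review bot: the learning-paths gateway-onboarding/index.mdx hunk rewrites the objectives list from `*` to `-` bullets but carries the typo "proxing" across unchanged; since the line is already being touched, change "Verify your Gateway environment by proxing local DNS traffic." to "Verify your Gateway environment by proxying local DNS traffic."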
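Review bot: in the replace-vpn block-page.mdx hunk the `}}` line is removed and re-added and a new `/>` line is inserted after it, while the sibling gateway-block-pages.mdx hunk keeps `/>` as unchanged context. Verify that the Render component in block-page.mdx ends up with exactly one closing `/>` after the change, since an MDX tag that is closed twice or not at all fails the build rather than rendering a broken page.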
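Review bot: in the gateway-dns-for-isp.mdx hunk the Override link is still wrapped in backticks, so the markdown link renders as literal code text instead of a link; the sibling gateway-for-protective-dns.mdx hunk writes the same Override link without backticks. Drop the backticks here so both reference architectures render the link the same way.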
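Review bot: the add-block-page.mdx partial now declares `blockBehaviorAction` as a required param and interpolates it as a bare verb phrase in step 3 ("{props.blockBehaviorAction} **Modify Gateway block behavior**"), so any existing Render of this partial that does not pass it will produce a sentence with a hole in it. The two callers in this diff pass "turn on"; grep for other includes of the partial and consider documenting the expected values in the params frontmatter. Step 4's "Override account setting with URL redirect" option sends users a 307 to an operator-specified URL; it would help to link that bullet to the new policy-context partial so readers know what is appended to that URL when Send policy context is on.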
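Review bot: in the client-notifications.mdx hunk the new sentence reads "Turn on to display notifications for Gateway block events." with nothing between "Turn on" and "to"; the newly declared `toggleName` param is presumably meant to be rendered there through the added Markdown import. Confirm the component actually appears at that position in the source and that every caller of the partial passes `toggleName`, otherwise the rendered step tells users to turn on an unnamed setting.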
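Review bot: in the new http-allow-block-selectors.mdx partial the entries "Download Mime Type" and "Upload Mime Type" should be "Download MIME Type" and "Upload MIME Type" to match the usual capitalization of the acronym; the `#download-and-upload-mime-type` anchors can stay as they are.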
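Review bot: the new policy-context.mdx partial lists user email, source IP, device ID, rule ID, account ID and the full original URL among the fields appended to the redirect URL, but does not say that the operator of the redirect target therefore receives all of this for every blocked request. Add a sentence advising that the redirect URL should be an HTTPS endpoint the organization controls or explicitly trusts with that data, and note that values arrive URL-encoded, as the Site URL and Original HTTP referer examples show. The Filter row's "or" also implies a single `cf_filter` value per redirect; stating that explicitly would keep readers from expecting a comma-separated list like the URL category row.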