From 549283d83c31f6fea85a9355859826bf00753392 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 16 Apr 2025 14:58:00 -0500 Subject: [PATCH 1/8] Add new selectors --- .../policies/gateway/dns-policies/index.mdx | 2 +- .../policies/gateway/egress-policies/index.mdx | 15 +++++++++++++++ .../policies/gateway/http-policies/index.mdx | 2 +- .../policies/gateway/network-policies/index.mdx | 5 ++++- .../gateway/selectors/application.mdx | 8 +++----- .../cloudflare-one/gateway/selectors/domain.mdx | 1 - .../cloudflare-one/gateway/selectors/host.mdx | 1 - 7 files changed, 24 insertions(+), 10 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx index ecf8c3cceeb562..08f0a52ad86031 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx @@ -284,7 +284,7 @@ Gateway matches DNS queries against the following selectors, or criteria: ### Application - + ### Authoritative Nameserver IP diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx index 8ba05e86baf793..25d9468cbbd901 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx @@ -55,6 +55,13 @@ Choose one of the following options for your egress policy: Gateway matches egress traffic against the following selectors, or criteria: +### Application + + + ### Destination Continent +### Domain + + + +### Host + + + ### Protocol diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx index 5e30a831aa3b64..efcd34b4a6982b 100644 
--- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx @@ -395,7 +395,7 @@ Gateway matches HTTP traffic against the following selectors, or criteria: ### Application - + :::caution[Multiple API selectors required for Terraform] When using Terraform to create a policy with the [Do Not Inspect](#do-not-inspect) action, you must use the `app.hosts_ids` and `app.supports_ids` selectors. For example, to create a Do Not Inspect policy for Google Cloud Platform traffic, create a policy with both `any(app.hosts_ids[*] in {1245})` and `any(app.supports_ids[*] in {1245})`. diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx index 69d927a71542b1..18b74eaff08d08 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx @@ -248,7 +248,10 @@ Gateway matches network traffic against the following selectors, or criteria. ### Application - + ### Content Categories diff --git a/src/content/partials/cloudflare-one/gateway/selectors/application.mdx b/src/content/partials/cloudflare-one/gateway/selectors/application.mdx index cecfa4e63acee1..062901c43f3eda 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/application.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/application.mdx 
@@ -1,11 +1,9 @@ --- -inputParameters: param1 - +params: + - policyType --- -import { Markdown } from "~/components" - -You can apply {props.one} policies to a growing list of popular web applications. Refer to [Application and app types](/cloudflare-one/policies/gateway/application-app-types/) for more information. +You can apply {props.policyType} policies to a growing list of popular web applications. Refer to [Application and app types](/cloudflare-one/policies/gateway/application-app-types/) for more information. | UI name | API example | Evaluation phase | | ----------- | -------------------------- | --------------------- | diff --git a/src/content/partials/cloudflare-one/gateway/selectors/domain.mdx b/src/content/partials/cloudflare-one/gateway/selectors/domain.mdx index b5ced6587d812c..8c6120987d580b 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/domain.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/domain.mdx @@ -1,6 +1,5 @@ --- {} - --- Use this selector to match against a domain and all subdomains. For example, you can match `example.com` and its subdomains, such as `www.example.com`. diff --git a/src/content/partials/cloudflare-one/gateway/selectors/host.mdx b/src/content/partials/cloudflare-one/gateway/selectors/host.mdx index 861f616dc91db4..202698975f677b 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/host.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/host.mdx @@ -1,6 +1,5 @@ --- {} - --- Use this selector to match against only the hostname specified. For example, you can match `test.example.com` but not `example.com` or `www.test.example.com`. From fbdb37a017f2ed33d9a30f9fc6191925ac661c7e Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 17 Apr 2025 15:20:59 -0500 Subject: [PATCH 2/8] Add category selector --- .../policies/gateway/egress-policies/index.mdx | 11 +++++++++++ 1 file changed, 11 insertions(+) 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx index 25d9468cbbd901..1a28b429b1d6df 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx @@ -27,6 +27,10 @@ Gateway traffic that does not match an egress policy will egress from the closes To control whether only IPv4 or IPv6 is used to egress, ensure you are [filtering DNS traffic](/cloudflare-one/policies/gateway/initial-setup/dns/), then create a DNS policy to [block AAAA or A records](/cloudflare-one/policies/gateway/dns-policies/common-policies/#control-ip-version). +## User selectors + +To use the Application, Content Categories, + ## Example policies The following egress policy configures all traffic destined for a third-party network to use a static source IP: @@ -62,6 +66,13 @@ Gateway matches egress traffic against the following selectors, or criteria: params={{ policyType: "egress" }} /> +### Content Categories + + + ### Destination Continent Date: Thu, 17 Apr 2025 16:31:05 -0500 Subject: [PATCH 3/8] Add WARP config --- .../policies/gateway/egress-policies/index.mdx | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx index 1a28b429b1d6df..94d60445dc655f 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx 
@@ -27,9 +27,17 @@ Gateway traffic that does not match an egress policy will egress from the closes To control whether only IPv4 or IPv6 is used to egress, ensure you are [filtering DNS traffic](/cloudflare-one/policies/gateway/initial-setup/dns/), then create a DNS policy to [block AAAA or A records](/cloudflare-one/policies/gateway/dns-policies/common-policies/#control-ip-version). -## User selectors +## Limited selectors -To use the Application, Content Categories, +The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors are only available for traffic onboarded to Gateway with [WARP](/cloudflare-one/connections/connect-devices/warp/) or [proxy endpoints](/cloudflare-one/connections/connect-devices/agentless/pac-files/). To use these selectors with WARP traffic, you need to: + +1. [Add a Split Tunnel route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to the IP address `100.60.0.0/12`. +2. Ensure you do not have a Split Tunnel route to `100.60.0.0/10`. +3. Add the following key-value pair to your WARP configuration file (`mdm.xml` on Windows and Linux or `com.cloudflare.warp.plist` on macOS): + ```xml + doh_in_tunnel + + ``` ## Example policies From a6a5e58f95e51f78efc676788792741120155f9f Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 18 Apr 2025 13:46:49 -0500 Subject: [PATCH 4/8] Add WARP MDM link --- .../cloudflare-one/policies/gateway/egress-policies/index.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx index 94d60445dc655f..df1861e6de8599 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx 
@@ -29,11 +29,11 @@ To control whether only IPv4 or IPv6 is used to egress, ensure you are [filterin ## Limited selectors -The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors are only available for traffic onboarded to Gateway with [WARP](/cloudflare-one/connections/connect-devices/warp/) or [proxy endpoints](/cloudflare-one/connections/connect-devices/agentless/pac-files/). To use these selectors with WARP traffic, you need to: +The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors are only available for traffic onboarded to Gateway with [WARP](/cloudflare-one/connections/connect-devices/warp/), [PAC files](/cloudflare-one/connections/connect-devices/agentless/pac-files/), or [Browser Isolation](/cloudflare-one/policies/browser-isolation/). To use these selectors to filter traffic onboarded with WARP, you need to: 1. [Add a Split Tunnel route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to the IP address `100.60.0.0/12`. 2. Ensure you do not have a Split Tunnel route to `100.60.0.0/10`. -3. Add the following key-value pair to your WARP configuration file (`mdm.xml` on Windows and Linux or `com.cloudflare.warp.plist` on macOS): +3. Add the following key-value pair to your devices' [WARP configuration file](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/) (`mdm.xml` on Windows and Linux or `com.cloudflare.warp.plist` on macOS): ```xml doh_in_tunnel From 5aa13bebb89085bd6ac01e3009cd19f34370e06e Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 18 Apr 2025 13:55:14 -0500 Subject: [PATCH 5/8] Add limitations section --- .../gateway/egress-policies/index.mdx | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx index df1861e6de8599..a7087757314ba1 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx @@ -27,18 +27,6 @@ Gateway traffic that does not match an egress policy will egress from the closes To control whether only IPv4 or IPv6 is used to egress, ensure you are [filtering DNS traffic](/cloudflare-one/policies/gateway/initial-setup/dns/), then create a DNS policy to [block AAAA or A records](/cloudflare-one/policies/gateway/dns-policies/common-policies/#control-ip-version). -## Limited selectors - -The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors are only available for traffic onboarded to Gateway with [WARP](/cloudflare-one/connections/connect-devices/warp/), [PAC files](/cloudflare-one/connections/connect-devices/agentless/pac-files/), or [Browser Isolation](/cloudflare-one/policies/browser-isolation/). To use these selectors to filter traffic onboarded with WARP, you need to: - -1. [Add a Split Tunnel route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to the IP address `100.60.0.0/12`. -2. Ensure you do not have a Split Tunnel route to `100.60.0.0/10`. -3. Add the following key-value pair to your devices' [WARP configuration file](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/) (`mdm.xml` on Windows and Linux or `com.cloudflare.warp.plist` on macOS): - ```xml - doh_in_tunnel - - ``` - ## Example policies The following egress policy configures all traffic destined for a third-party network to use a static source IP: 
@@ -173,3 +161,15 @@ Gateway uses Rust to evaluate regular expressions. The Rust implementation is sl file="gateway/logical-operators" params={{ one: "**Identity** or **Device Posture**" }} /> + +## Limitations + +The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors are only available for traffic onboarded to Gateway with [WARP](/cloudflare-one/connections/connect-devices/warp/), [PAC files](/cloudflare-one/connections/connect-devices/agentless/pac-files/), or [Browser Isolation](/cloudflare-one/policies/browser-isolation/). To use these selectors to filter traffic onboarded with WARP, you need to: + +1. [Add a Split Tunnel route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to the IP address `100.60.0.0/12`. +2. Ensure you do not have a Split Tunnel route to `100.60.0.0/10`. +3. Add the following key-value pair to your devices' [WARP configuration file](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/) (`mdm.xml` on Windows and Linux or `com.cloudflare.warp.plist` on macOS): + ```xml + doh_in_tunnel + + ``` From cce41702c92999135a45af0bcd3a16025df8bbd6 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 18 Apr 2025 14:14:52 -0500 Subject: [PATCH 6/8] Add selector limitations partial --- .../policies/gateway/egress-policies/index.mdx | 14 +++++++++++--- .../selectors/egress-selector-limitation.mdx | 5 +++++ 2 files changed, 16 insertions(+), 3 deletions(-) create mode 100644 src/content/partials/cloudflare-one/gateway/selectors/egress-selector-limitation.mdx diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx index a7087757314ba1..bdd71316a14198 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx 
+++ b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx @@ -62,6 +62,8 @@ Gateway matches egress traffic against the following selectors, or criteria: params={{ policyType: "egress" }} /> + + ### Content Categories + + ### Destination Continent + + ### Host + + ### Protocol @@ -166,9 +174,9 @@ Gateway uses Rust to evaluate regular expressions. The Rust implementation is sl The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors are only available for traffic onboarded to Gateway with [WARP](/cloudflare-one/connections/connect-devices/warp/), [PAC files](/cloudflare-one/connections/connect-devices/agentless/pac-files/), or [Browser Isolation](/cloudflare-one/policies/browser-isolation/). To use these selectors to filter traffic onboarded with WARP, you need to: -1. [Add a Split Tunnel route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to the IP address `100.60.0.0/12`. -2. Ensure you do not have a Split Tunnel route to `100.60.0.0/10`. -3. Add the following key-value pair to your devices' [WARP configuration file](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/) (`mdm.xml` on Windows and Linux or `com.cloudflare.warp.plist` on macOS): +1. [Add a Split Tunnel route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to exclude the IP address `100.60.0.0/12`. +2. Ensure you do not have a Split Tunnel route to exclude `100.60.0.0/10`. +3. Add and deploy the following key-value pair to your devices' [WARP configuration file](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/) (`mdm.xml` on Windows and Linux or `com.cloudflare.warp.plist` on macOS): ```xml doh_in_tunnel 
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/egress-selector-limitation.mdx b/src/content/partials/cloudflare-one/gateway/selectors/egress-selector-limitation.mdx new file mode 100644 index 00000000000000..ccb0863185c0d5 --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/selectors/egress-selector-limitation.mdx @@ -0,0 +1,5 @@ +--- +{} +--- + +This selector is only available for traffic onboarded to Gateway with WARP, PAC files, or Browser Isolation. For more information, refer to [Limitations](#limitations). From b50c70b05306692246426519a885c1e7bebcce33 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 18 Apr 2025 14:17:04 -0500 Subject: [PATCH 7/8] Add Beta pills --- .../policies/gateway/egress-policies/index.mdx | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx index bdd71316a14198..fd551224ba9c51 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx @@ -5,7 +5,7 @@ sidebar: order: 5 --- -import { Render } from "~/components"; +import { Render, Badge } from "~/components"; :::note Only available on Enterprise plans. @@ -55,7 +55,7 @@ Choose one of the following options for your egress policy: Gateway matches egress traffic against the following selectors, or criteria: -### Application +### Application -### Content Categories +### Content Categories -### Domain +### Domain -### Host +### Host From da35baf27f7633609ab3c0135ea884ea1c3c0d2b Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 18 Apr 2025 16:22:16 -0500 Subject: [PATCH 8/8] Improve Split Tunnel config --- .../policies/gateway/egress-policies/index.mdx | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx index fd551224ba9c51..19de0a07450d1b 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx 
@@ -174,9 +174,16 @@ Gateway uses Rust to evaluate regular expressions. The Rust implementation is sl The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors are only available for traffic onboarded to Gateway with [WARP](/cloudflare-one/connections/connect-devices/warp/), [PAC files](/cloudflare-one/connections/connect-devices/agentless/pac-files/), or [Browser Isolation](/cloudflare-one/policies/browser-isolation/). To use these selectors to filter traffic onboarded with WARP, you need to: -1. [Add a Split Tunnel route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to exclude the IP address `100.60.0.0/12`. -2. Ensure you do not have a Split Tunnel route to exclude `100.60.0.0/10`. -3. Add and deploy the following key-value pair to your devices' [WARP configuration file](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/) (`mdm.xml` on Windows and Linux or `com.cloudflare.warp.plist` on macOS): +1. In your WARP Connector device profile, ensure Split Tunnel is set to [**Exclude IPs and domains**](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode). +2. [Remove the route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) to the IP address `100.64.0.0/10` from your Split Tunnel list. +3. [Add routes](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to exclude the following IP addresses: + - `100.64.0.0/12` + - `100.81.0.0/16` + - `100.82.0.0/15` + - `100.84.0.0/14` + - `100.88.0.0/13` + - `100.96.0.0/11` +4. 
Add and deploy the following key-value pair to your devices' [WARP configuration file](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/) (`mdm.xml` on Windows and Linux or `com.cloudflare.warp.plist` on macOS): ```xml doh_in_tunnel
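Review bot: in patch 1/8, the application.mdx partial drops the `Markdown` import and renames `{props.one}` to `{props.policyType}` under a new `params:` list, so every existing include of `gateway/selectors/application` must now pass `policyType` or it will render with an empty word; the diffstat touches dns-policies, http-policies and network-policies by one line each, which matches, and the egress page passes `params={{ policyType: "egress" }}`, but please grep for any other include of this partial before merging, since a missed caller fails silently rather than at build time.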
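Review bot: the `## User selectors` hunk in patch 2/8 commits a truncated sentence (`To use the Application, Content Categories,`) that is only completed in patch 3/8, renamed in 5/8 and rewritten again in 8/8, so every intermediate commit leaves the published page with a dangling sentence or with Split Tunnel addresses that the final patch corrects; squash 2/8 through 8/8 into one commit so a bisect or cherry-pick cannot land the broken state.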
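Review bot: in patch 3/8, steps 1 and 2 give `100.60.0.0/12` and `100.60.0.0/10`, neither of which is a prefix-aligned network (100.60.0.0 does not sit on a /12 or /10 boundary) and both of which differ from the `100.64.0.0/10` that patch 8/8 settles on; if the series is not squashed, fix the addresses here rather than leaving a commit whose instructions cannot be followed as written.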
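Review bot: the new partial in patch 6/8 hardcodes the fragment link `[Limitations](#limitations)`, which resolves only when the partial is rendered on a page that has a `## Limitations` heading (currently only egress-policies/index.mdx); add a short comment in the partial, or expose the anchor through `params`, so a future reuse on another page does not ship a dead link. The partial also repeats the onboarding-method list (WARP, PAC files, Browser Isolation) verbatim from the Limitations section, so consider passing that list in as a param to keep one source of truth.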
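Review bot: in patch 8/8, step 1 refers to a "WARP Connector device profile" while the rest of the section (MDM-deployed `mdm.xml` / `com.cloudflare.warp.plist`, "traffic onboarded with WARP") concerns the WARP client on end-user devices, so confirm whether WARP Connector is the intended product or whether this should read "WARP client device profile". Separately, the six exclusions in step 3 (`100.64.0.0/12`, `100.81.0.0/16`, `100.82.0.0/15`, `100.84.0.0/14`, `100.88.0.0/13`, `100.96.0.0/11`) cover all of the `100.64.0.0/10` route removed in step 2 except `100.80.0.0/16`; say explicitly that `100.80.0.0/16` must remain inside the tunnel and why, otherwise a reader will reasonably collapse the list back to the single /10 that step 2 just removed and the selectors will stop matching.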