diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx
index 41b2bda8c94882..5936da9faa5e69 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx
@@ -52,7 +52,9 @@ WARP connects to the following IP addresses, depending on which [tunnel protocol
 | IPv4 address   | `162.159.197.0/24`                                                                             |
 | IPv6 address   | `2606:4700:102::/48`                                                                           |
 | Default port   | `UDP 443`                                                                                      |
-| Fallback ports | `UDP 500` <br/> `UDP 1701` <br/> `UDP 4500` <br/> `UDP 4443` <br/> `UDP 8443` <br/> `UDP 8095` |
+| Fallback ports | `UDP 500` <br/> `UDP 1701` <br/> `UDP 4500` <br/> `UDP 4443` <br/> `UDP 8443` <br/> `UDP 8095` <br/> `TCP 443` [^1] |
+
+[^1]: Required for HTTP/2 fallback
 
 :::note
 
@@ -67,13 +69,25 @@ The following domains are used as part of our captive portal check:
 - `cloudflareok.com`
 - `cloudflarecp.com`
 
-## Connectivity check
+## Connectivity checks
+
+As part of establishing the WARP connection, the client runs connectivity checks inside and outside of the WARP tunnel.
+
+### Outside tunnel
+
+The client connects to the following destinations to verify general Internet connectivity outside of the WARP tunnel. Make sure that these IPs and domains are on your firewall allowlist.
+
+- `engage.cloudflareclient.com`: The client will always send requests directly to an IP in the [WARP ingress IPv4 or IPv6 range](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip) (or to your [`override_warp_endpoint`](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters/#override_warp_endpoint) if set). Requests will not use a proxy server, even if one is configured for the system.
+- `162.159.197.3`
+- `2606:4700:102::3`
 
-As part of establishing the WARP connection, the client will check the following HTTPS URLs to validate a successful connection:
+### Inside tunnel
 
-- `engage.cloudflareclient.com` verifies general Internet connectivity outside of the WARP tunnel. These requests are always sent directly to an IP in the [WARP ingress IPv4 or IPv6 range](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip) (or to your [`override_warp_endpoint`](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters/#override_warp_endpoint) if set). Requests will not use a proxy server, even if one is configured for the system.
+The client connects to the following destinations to verify connectivity inside of the WARP tunnel. Because this check happens inside of the tunnel, you do not need to add these IPs and domains to your firewall allowlist. However, since the requests go through Gateway, ensure that they are not blocked by a Gateway HTTP or Network policy.
 
-- `connectivity.cloudflareclient.com` verifies connectivity inside of the WARP tunnel. Because this check happens inside of the tunnel, you do not need to add `connectivity.cloudflareclient.com` to your firewall allowlist.
+- `connectivity.cloudflareclient.com`
+- `162.159.197.4`
+- `2606:4700:102::4`
 
 ## NEL reporting (optional)
 
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/client-errors.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/client-errors.mdx
index 8eb9e04e1773bd..1276f8821ecbe9 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/client-errors.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/client-errors.mdx
@@ -45,7 +45,7 @@ This page lists the error codes that can appear in the WARP client GUI. If you d
 
 ### Cause
 
-The initial [connectivity check](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-check) failed for an unknown reason. Refer to [Unable to connect WARP](/cloudflare-one/connections/connect-devices/warp/troubleshooting/common-issues/#unable-to-connect-warp) for the most common reasons why this error occurs.
+The initial [connectivity check](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-checks) failed for an unknown reason. Refer to [Unable to connect WARP](/cloudflare-one/connections/connect-devices/warp/troubleshooting/common-issues/#unable-to-connect-warp) for the most common reasons why this error occurs.
 
 ### Resolution
 
@@ -164,7 +164,7 @@ A router, firewall, antivirus software, or other third-party security product is
 
 ### Cause
 
-The [connectivity check](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-check) inside of the WARP tunnel has failed.
+The [connectivity check](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-checks) inside of the WARP tunnel has failed.
 
 ### Resolution
 
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/warp-logs.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/warp-logs.mdx
index 7cbeefdc6cb66d..b25e512878a948 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/warp-logs.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/warp-logs.mdx
@@ -64,7 +64,7 @@ The `warp-debugging-info-<date>-<time>.zip` archive contains the following files
 | `boringtun.log`                                                                                     | Log for the WARP tunnel that serves traffic from the device to Cloudflare's global network.                                                                                                                                                                                                                                                 |
 | `bound-dns-ports.txt`                                                                               | Active processes on port `53`.                                                                                                                                                                                                                                                                                                              |
 | `captive-portal-hotspot-detect.txt`                                                                 | HTTP response of `captive.apple.com`                                                                                                                                                                                                                                                                                                        |
-| `connectivity.txt`                                                                                  | DNS resolution and HTTP trace requests to [validate a successful connection](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-check). Can be used to determine whether traffic is routing through the WARP tunnel.                                                                                        |
+| `connectivity.txt`                                                                                  | DNS resolution and HTTP trace requests to [validate a successful connection](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-checks). Can be used to determine whether traffic is routing through the WARP tunnel.                                                                                        |
 | `daemon_dns.log`                                                                                    | Contains detailed DNS logs if **Log DNS queries** is enabled in the WARP client.                                                                                                                                                                                                                                                            |
 | `daemon.log`                                                                                        | Detailed log of all actions performed by the WARP client, including all communication between the device and Cloudflare's global network. **Note:** This is the most useful debug log.                                                                                                                                                      |
 | `date.txt`                                                                                          | Date and time (UTC) when you ran the `warp-diag` command.                                                                                                                                                                                                                                                                                   |
diff --git a/src/content/warp-releases/linux/beta/2025.4.589.1.yaml b/src/content/warp-releases/linux/beta/2025.4.589.1.yaml
index 3d154bd54c1a69..5ac455bf6abac2 100644
--- a/src/content/warp-releases/linux/beta/2025.4.589.1.yaml
+++ b/src/content/warp-releases/linux/beta/2025.4.589.1.yaml
@@ -4,7 +4,7 @@ releaseNotes: |-
   - Improved DEX test error reporting.
   - Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile.
   - Added a TCP fallback for the MASQUE tunnel protocol to improve compatibility with networks on MASQUE.
-  - Added new IP addresses for [tunnel connectivity checks](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-check). If your organization uses a firewall or other policies you will need to exempt these IPs.
+  - Added new IP addresses for [tunnel connectivity checks](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs.
   - Fixed an issue where frequent network changes could cause WARP to become unresponsive.
   - DNS over HTTPS traffic is now included in the WARP tunnel by default.
 version: 2025.4.589.1
diff --git a/src/content/warp-releases/macos/beta/2025.4.589.1.yaml b/src/content/warp-releases/macos/beta/2025.4.589.1.yaml
index 54fafac23ea84b..b132ffa6732cd0 100644
--- a/src/content/warp-releases/macos/beta/2025.4.589.1.yaml
+++ b/src/content/warp-releases/macos/beta/2025.4.589.1.yaml
@@ -5,7 +5,7 @@ releaseNotes: |-
   - Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile.
   - Improved captive portal detection.
   - Added a TCP fallback for the MASQUE tunnel protocol to improve compatibility with networks on MASQUE.
-  - Added new IP addresses for [tunnel connectivity checks](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-check). If your organization uses a firewall or other policies you will need to exempt these IPs.
+  - Added new IP addresses for [tunnel connectivity checks](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs.
   - DNS over HTTPS traffic is now included in the WARP tunnel by default.
   - Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met.
   - Added a [Collect Captive Portal Diag](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/captive-portals/#get-captive-portal-logs) button in the client GUI to make it easier for users to collect captive portal debugging diagnostics.
diff --git a/src/content/warp-releases/windows/beta/2025.4.589.1.yaml b/src/content/warp-releases/windows/beta/2025.4.589.1.yaml
index 97b0d999e2ccc3..9e252e974dc479 100644
--- a/src/content/warp-releases/windows/beta/2025.4.589.1.yaml
+++ b/src/content/warp-releases/windows/beta/2025.4.589.1.yaml
@@ -7,7 +7,7 @@ releaseNotes: |-
   - Improved WARP client UI high contrast mode.
   - Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile.
   - Added a TCP fallback for the MASQUE tunnel protocol to improve compatibility with networks on MASQUE.
-  - Added new IP addresses for [tunnel connectivity checks](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-check). If your organization uses a firewall or other policies you will need to exempt these IPs.
+  - Added new IP addresses for [tunnel connectivity checks](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs.
   - DNS over HTTPS traffic is now included in the WARP tunnel by default.
   - Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met.
   - Added a [Collect Captive Portal Diag](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/captive-portals/#get-captive-portal-logs) button in the client GUI to make it easier for users to collect captive portal debugging diagnostics.