[CF1] WARP managed networks requirements update #22680
Howdy and thanks for contributing to our repo. The Cloudflare team reviews new, external PRs within two (2) weeks. If it's been two weeks or longer without any movement, please tag the PR Assignees in a comment. We review internal PRs within 1 week. If it's something urgent or has been sitting without a comment, start a thread in the Developer Docs space internally.

PR Change Summary

Updated the requirements and configuration details for WARP managed networks, enhancing clarity on TLS endpoint usage and device profile application.

Modified Files

How can I customize these reviews?

Check out the Hyperlint AI Reviewer docs for more information on how to customize the review. If you just want to ignore it on this PR, you can add the Note specifically for link checks, we only check the first 30 links in a file and we cache the results for several hours (for instance, if you just added a page, you might experience this). Our recommendation is to add
This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:
| ## 1. Choose a TLS endpoint | ||
|
|
||
| A TLS endpoint is a host on your network that serves a TLS certificate. The TLS endpoint acts like a network location beacon — when a device connects to a network, WARP detects the TLS endpoint and validates its certificate against an uploaded SHA-256 fingerprint. | ||
| A TLS endpoint is a host on your network that serves a TLS certificate. The TLS endpoint acts like a network location beacon — when a device connects to a network, the WARP client on the device detects the TLS endpoint and validates the TLS certificate against an uploaded SHA-256 fingerprint (for self-signed certificates) or against the local certificate store to check that it is signed by a public certificate authority. |
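Review bot: In the added sentence, "the local certificate store" and "signed by a public certificate authority" describe two different trust sets, and the text does not say which one the client enforces. A device's local store can also hold roots that an administrator installed, so state whether a certificate chaining to such a root passes, and say what the client concludes when neither the fingerprint check nor the chain check succeeds.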
| A TLS endpoint is a host on your network that serves a TLS certificate. The TLS endpoint acts like a network location beacon — when a device connects to a network, the WARP client on the device detects the TLS endpoint and validates the TLS certificate against an uploaded SHA-256 fingerprint (for self-signed certificates) or against the local certificate store to check that it is signed by a public certificate authority. | |
| A TLS endpoint is a host on your network that serves a TLS certificate. The TLS endpoint acts like a network location beacon — when a device connects to a network, the WARP client on the device detects the TLS endpoint and validates the TLS certificate against the SHA-256 fingerprint (if specified) or against the local certificate store to check that it is signed by a public certificate authority. |
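Review bot: With "(if specified)" the fingerprint becomes optional, but the "or" in the suggested sentence leaves the precedence open: it does not say whether the certificate store check still runs when a fingerprint is specified. Suggest splitting the sentence in two, one per case, so a reader can tell whether a fingerprint mismatch alone fails detection.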
…rp/configure-warp/managed-networks.mdx Co-authored-by: Shrey Amin <[email protected]>
|
|
||
| </Tabs> | ||
|
|
||
| WARP will automatically exclude the TLS endpoint from all device profiles. This prevents remote users from accessing the endpoint through the WARP tunnel on any port. If a device profile uses [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) in **Include** mode, make sure that the Split Tunnel entries do not contain the TLS endpoint IP address; otherwise, the entire IP range will be excluded from the WARP tunnel. |
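Review bot: In the last sentence of the added paragraph, "the entire IP range will be excluded" does not identify which range is meant. Suggest naming it (for instance the Split Tunnel entry that contains the endpoint address, if that is what is meant) and saying what the reader should do when the endpoint sits inside a range they need to include.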
This is something we need to update as well at some point. WARP only automatically excludes the TLS endpoint when specified as a private IP. When specified as a hostname, WARP will NOT automatically exclude.
…rp/configure-warp/managed-networks.mdx
| WARP will automatically exclude the TLS endpoint from all device profiles if it is specified as a private IP address. This exclusion prevents remote users from accessing the endpoint through the WARP tunnel on any port. If the TLS endpoint is specified as a hostname instead of a private IP, WARP will not automatically exclude it. | ||
|
|
||
| If a device profile uses [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) in **Include** mode, ensure that the Split Tunnel entries do not contain the TLS endpoint IP address; otherwise, the entire IP range will be excluded from the WARP tunnel. |
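Review bot: The new sentence for the hostname case ("WARP will not automatically exclude it") states the behavior but gives the reader no consequence or action. Since the preceding sentence says the exclusion is what prevents remote users from accessing the endpoint through the WARP tunnel, add what an administrator who specifies a hostname should configure to get the same result. The Include mode paragraph also still refers only to "the TLS endpoint IP address"; say whether it applies when the endpoint is given as a hostname.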
@samin-cf how's this?
Great, thank you!
* [CF1] WARP managed networks requirements update
* final updates
* note from eng
* Update src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
  Co-authored-by: Shrey Amin <[email protected]>
* Update src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
* shrey notes on exclusion
* final
* final final

---------

Co-authored-by: Shrey Amin <[email protected]>
Summary
PCX-17492
Screenshots (optional)
Documentation checklist