From ef8c8edf99e00ba356512a1fa9e776674a6d987f Mon Sep 17 00:00:00 2001
From: Kate Tungusova
Date: Tue, 27 May 2025 12:21:32 +0100
Subject: [PATCH 1/8] [CF1] WARP managed networks requirements update

---
 .../warp/configure-warp/managed-networks.mdx | 66 +++++++++++--------
 1 file changed, 39 insertions(+), 27 deletions(-)

diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
index 25be888b6c08815..e21d633ca7d727d 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
@@ -9,9 +9,22 @@ import { Details, TabItem, Tabs } from "~/components"; Cloudflare WARP allows you to selectively apply WARP client settings if the device is connected to a secure network location such as an office. +On this page, you will learn how to create a TLS endpoint on your trusted network and configure it in Zero Trust to set up a managed network. After the TLS endpoint and managed network are configured, the WARP client on a device will detect when the device is on your managed network and apply the appropriate device profile. + +## Requirements + +- The WARP client scans all managed networks every time it detects a network change event from the operating system. To minimize performance impact, reuse the same TLS endpoint across multiple locations unless you require distinct settings profiles for each location. +- Ensure that the device can only reach one managed network at any given time. If multiple managed networks are configured and reachable, there is no way to determine which settings profile the device will receive. + +:::note + +Starting with WARP version `2025.4.929`, the WARP client may take up to 40 seconds to apply the correct device profile after connecting to a managed network. During this period, the WARP client may display a Connected status, but users might not have access to certain resources until the appropriate device profile is fully applied. + +::: + ## 1. Choose a TLS endpoint -A TLS endpoint is a host on your network that serves a TLS certificate. The TLS endpoint acts like a network location beacon — when a device connects to a network, WARP detects the TLS endpoint and validates its certificate against an uploaded SHA-256 fingerprint. +A TLS endpoint is a host on your network that serves a TLS certificate. 
The TLS endpoint acts like a network location beacon — when a device connects to a network, the WARP client on the device detects the TLS endpoint and validates the TLS certificate against an uploaded SHA-256 fingerprint (for self-signed certificates) or against the local certificate store to check that it is signed by a public certificate authority. The TLS certificate can be hosted by any device on your network. However, the endpoint must be inaccessible to users outside of the network location. WARP will automatically exclude the managed network endpoint from all device profiles to ensure that users cannot connect to this endpoint over Cloudflare Tunnel. We recommend choosing a host that is physically in the office which remote users do not need to access, such as a printer. 
@@ -173,32 +186,36 @@ SHA256 Fingerprint=DD4F4806C57A5BBAF1AA5B080F0541DA75DB468D0A1FE731310149500CCD8 3. Name your network location. 4. In **Host and Port**, enter the private IP address and port number of your [TLS endpoint](#create-a-new-tls-endpoint) (for example, `192.168.185.198:3333`). - :::note - We recommend using the private IP of your managed network endpoint and not a hostname to prevent issues related to DNS lookups resolving the incorrect IP. - ::: + :::note + We recommend using the private IP of your managed network endpoint and not a hostname to prevent issues related to DNS lookups resolving the incorrect IP. + ::: + 5. (Optional) In **TLS Cert SHA-256**, enter the [SHA-256 fingerprint](#2-extract-the-sha-256-fingerprint) of the TLS certificate. This field is only needed for self-signed certificates. If a TLS fingerprint is not supplied, WARP validates the certificate against the local certificate store and checks that it is signed by a public certificate authority. -1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): - - `Zero Trust Write` - -2. Add a managed network using the [`cloudflare_zero_trust_device_managed_network`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_device_managed_network) resource: - - ```tf - resource "cloudflare_zero_trust_device_managed_networks" "office" { - account_id = var.cloudflare_account_id - name = "Office managed network" - type = "tls" - config = { - tls_sockaddr = "192.168.185.198:3333" - sha256 = "DD4F4806C57A5BBAF1AA5B080F0541DA75DB468D0A1FE731310149500CCD8662" - } - } - ``` - - +1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): + + - `Zero Trust Write` + +2. 
Add a managed network using the [`cloudflare_zero_trust_device_managed_network`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_device_managed_network) resource: + + ```tf + resource "cloudflare_zero_trust_device_managed_networks" "office" { + account_id = var.cloudflare_account_id + name = "Office managed network" + type = "tls" + config = { + tls_sockaddr = "192.168.185.198:3333" + sha256 = "DD4F4806C57A5BBAF1AA5B080F0541DA75DB468D0A1FE731310149500CCD8662" + } + } + ``` + + + + WARP will automatically exclude the TLS endpoint from all device profiles. This prevents remote users from accessing the endpoint through the WARP tunnel on any port. If a device profile uses [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) in **Include** mode, make sure that the Split Tunnel entries do not contain the TLS endpoint IP address; otherwise, the entire IP range will be excluded from the WARP tunnel.
@@ -250,8 +267,3 @@ To check if the WARP client detects the network location: 1. Turn on WARP. 2. Disconnect and reconnect to the network. 3. Open a terminal and run `warp-cli debug alternate-network`. - -## Best practices - -- The WARP client scans all managed networks every time it detects a network change event from the operating system. To minimize performance impact, we recommend reusing the same TLS endpoint across multiple locations unless you require distinct settings profiles for each location. -- Ensure that the device can only reach one managed network at any given time. If multiple managed networks are configured and reachable, there is no way to determine which settings profile the device will receive.

From 903e7b3c4b5ec9d10921e2673f6d3a84c568560e Mon Sep 17 00:00:00 2001
From: Kate Tungusova
Date: Fri, 27 Jun 2025 12:02:13 -0700
Subject: [PATCH 2/8] final updates

---
 .../warp/configure-warp/managed-networks.mdx | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
index e21d633ca7d727d..63c0ceb8cd5a79a 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
@@ -7,7 +7,7 @@ sidebar: import { Details, TabItem, Tabs } from "~/components"; -Cloudflare WARP allows you to selectively apply WARP client settings if the device is connected to a secure network location such as an office. +Cloudflare WARP lets you selectively apply specific [device profiles](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) when a device connects to a trusted network location, such as an office. WARP identifies these managed networks by detecting a TLS endpoint you set up on the network. On this page, you will learn how to create a TLS endpoint on your trusted network and configure it in Zero Trust to set up a managed network. After the TLS endpoint and managed network are configured, the WARP client on a device will detect when the device is on your managed network and apply the appropriate device profile.
@@ -16,17 +16,19 @@ On this page, you will learn how to create a TLS endpoint on your trusted networ - The WARP client scans all managed networks every time it detects a network change event from the operating system. To minimize performance impact, reuse the same TLS endpoint across multiple locations unless you require distinct settings profiles for each location. - Ensure that the device can only reach one managed network at any given time. If multiple managed networks are configured and reachable, there is no way to determine which settings profile the device will receive. -:::note +## 1. Choose a TLS endpoint -Starting with WARP version `2025.4.929`, the WARP client may take up to 40 seconds to apply the correct device profile after connecting to a managed network. During this period, the WARP client may display a Connected status, but users might not have access to certain resources until the appropriate device profile is fully applied. +A TLS endpoint is a host on your network that serves a TLS certificate. The TLS endpoint acts like a network location beacon — when a device connects to a network, the WARP client on the device detects the TLS endpoint and validates the TLS certificate against the SHA-256 fingerprint (if specified) or against the local certificate store to check that it is signed by a public certificate authority. -::: +The TLS certificate can be hosted by any device on your network. However, the endpoint must be inaccessible to users outside of the network location. WARP will automatically exclude the managed network endpoint from all device profiles to ensure that users cannot connect to this endpoint over Cloudflare Tunnel. We recommend choosing a host that is physically in the office which remote users do not need to access, such as a printer. -## 1. Choose a TLS endpoint +## WARP client and managed network detection -A TLS endpoint is a host on your network that serves a TLS certificate. 
The TLS endpoint acts like a network location beacon — when a device connects to a network, the WARP client on the device detects the TLS endpoint and validates the TLS certificate against an uploaded SHA-256 fingerprint (for self-signed certificates) or against the local certificate store to check that it is signed by a public certificate authority. +When you configure a managed network, the WARP client uses the TLS endpoint to determine whether the device is on that network. -The TLS certificate can be hosted by any device on your network. However, the endpoint must be inaccessible to users outside of the network location. WARP will automatically exclude the managed network endpoint from all device profiles to ensure that users cannot connect to this endpoint over Cloudflare Tunnel. We recommend choosing a host that is physically in the office which remote users do not need to access, such as a printer. +The time it takes to apply the correct device profile depends on how quickly the TLS endpoint responds. It can take up to 5 seconds for the WARP client to determine whether the device is on a managed network and which device profile to apply. + +If the TLS endpoint times out after 5 seconds, the WARP client will determine that the device is not on a managed network and will apply the appropriate device profile. ### Create a new TLS endpoint

From 721ae65951671c43cb36c5151e04576cd5cc5445 Mon Sep 17 00:00:00 2001
From: Kate Tungusova
Date: Fri, 27 Jun 2025 12:12:56 -0700
Subject: [PATCH 3/8] note from eng

---
 .../connect-devices/warp/configure-warp/managed-networks.mdx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
index 63c0ceb8cd5a79a..f33d0a0fea2dade 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
@@ -26,9 +26,9 @@ The TLS certificate can be hosted by any device on your network. However, the en When you configure a managed network, the WARP client uses the TLS endpoint to determine whether the device is on that network. -The time it takes to apply the correct device profile depends on how quickly the TLS endpoint responds. It can take up to 5 seconds for the WARP client to determine whether the device is on a managed network and which device profile to apply. +The time it takes to apply the correct device profile depends on how quickly the TLS endpoint responds. -If the TLS endpoint times out after 5 seconds, the WARP client will determine that the device is not on a managed network and will apply the appropriate device profile. +If the TLS endpoint times out after 5 seconds, the WARP client will determine that the device is not on a managed network and will apply the appropriate device profile. The WARP client only retries detection if a non-timeout error occurs. A timeout triggers fallback to the default device profile without further retries. ### Create a new TLS endpoint

From be36db716bddd8bc4eb3a24bebd2be6e0a871bd1 Mon Sep 17 00:00:00 2001
From: Kate Tungusova <70746074+deadlypants1973@users.noreply.github.com>
Date: Fri, 27 Jun 2025 12:19:24 -0700
Subject: [PATCH 4/8] Update src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx

Co-authored-by: Shrey Amin
---
 .../connect-devices/warp/configure-warp/managed-networks.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
index 9cf608ade131fd4..10d8308b27de6d8 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
@@ -45,7 +45,7 @@ When you configure a managed network, the WARP client uses the TLS endpoint to d The time it takes to apply the correct device profile depends on how quickly the TLS endpoint responds. -If the TLS endpoint times out after 5 seconds, the WARP client will determine that the device is not on a managed network and will apply the appropriate device profile. The WARP client only retries detection if a non-timeout error occurs. A timeout triggers fallback to the default device profile without further retries. +If the TLS endpoint times out after 5 seconds, the WARP client will determine that the device is not on a managed network and will apply the default device profile. The WARP client only retries detection if a non-timeout error occurs. A timeout triggers fallback to the default device profile without further retries. ### Create a new TLS endpoint

From dcbfb28b1640dc0b953377028eab34e4b45b1dd0 Mon Sep 17 00:00:00 2001
From: Kate Tungusova <70746074+deadlypants1973@users.noreply.github.com>
Date: Fri, 27 Jun 2025 12:21:00 -0700
Subject: [PATCH 5/8] Update src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx

---
 .../connect-devices/warp/configure-warp/managed-networks.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
index 10d8308b27de6d8..a72c065887bf6f8 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
@@ -24,7 +24,7 @@ import { Details, TabItem, Tabs } from "~/components"; -Cloudflare WARP lets you selectively apply specific [device profiles](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) when a device connects to a trusted network location, such as an office. WARP identifies these managed networks by detecting a TLS endpoint you set up on the network. +Cloudflare WARP allows you to selectively apply specific [device profiles](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) and WARP client settings when a device connects to a secure network location, such as an office. WARP identifies these managed networks by detecting a TLS endpoint you set up on the network. On this page, you will learn how to create a TLS endpoint on your trusted network and configure it in Zero Trust to set up a managed network. After the TLS endpoint and managed network are configured, the WARP client on a device will detect when the device is on your managed network and apply the appropriate device profile.

From 7ed6540b8e9c78e1525667df81532247d2153c78 Mon Sep 17 00:00:00 2001
From: Kate Tungusova
Date: Fri, 27 Jun 2025 14:04:55 -0700
Subject: [PATCH 6/8] shrey notes on exclusion

---
 .../warp/configure-warp/managed-networks.mdx | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
index a72c065887bf6f8..c27a014b43e7d54 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
@@ -11,7 +11,7 @@ import { Details, TabItem, Tabs } from "~/components"; | [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | | ----------------------------------------------------------------------------------------- | ------------------------------------------------------------- | -| All modes | All plans | +| All modes | All plans | | System | Availability | Minimum WARP version | | -------- | ------------ | -------------------- |
@@ -232,11 +232,12 @@ SHA256 Fingerprint=DD4F4806C57A5BBAF1AA5B080F0541DA75DB468D0A1FE731310149500CCD8 } ``` - + + - +WARP will automatically exclude the TLS endpoint from all device profiles if it is specified as a private IP address. This exclusion prevents remote users from accessing the endpoint through the WARP tunnel on any port. If the TLS endpoint is specified as a hostname instead of a private IP, WARP will not automatically exclude it. -WARP will automatically exclude the TLS endpoint from all device profiles. This prevents remote users from accessing the endpoint through the WARP tunnel on any port. If a device profile uses [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) in **Include** mode, make sure that the Split Tunnel entries do not contain the TLS endpoint IP address; otherwise, the entire IP range will be excluded from the WARP tunnel. +If a device profile uses [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) in **Include** mode, ensure that the Split Tunnel entries do not contain the TLS endpoint IP address; otherwise, the entire IP range will be excluded from the WARP tunnel. ## 4. Configure device profile

From 655c347101ec0227126b9108095f8fb009bb9b36 Mon Sep 17 00:00:00 2001
From: Kate Tungusova
Date: Fri, 27 Jun 2025 14:15:52 -0700
Subject: [PATCH 7/8] final

---
 .../warp/configure-warp/managed-networks.mdx | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
index c27a014b43e7d54..cf0888c157dd104 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
@@ -33,13 +33,7 @@ On this page, you will learn how to create a TLS endpoint on your trusted networ - The WARP client scans all managed networks every time it detects a network change event from the operating system. To minimize performance impact, reuse the same TLS endpoint across multiple locations unless you require distinct settings profiles for each location. - Ensure that the device can only reach one managed network at any given time. If multiple managed networks are configured and reachable, there is no way to determine which settings profile the device will receive. -## 1. Choose a TLS endpoint - -A TLS endpoint is a host on your network that serves a TLS certificate. The TLS endpoint acts like a network location beacon — when a device connects to a network, the WARP client on the device detects the TLS endpoint and validates the TLS certificate against the SHA-256 fingerprint (if specified) or against the local certificate store to check that it is signed by a public certificate authority. - -The TLS certificate can be hosted by any device on your network. However, the endpoint must be inaccessible to users outside of the network location. WARP will automatically exclude the managed network endpoint from all device profiles to ensure that users cannot connect to this endpoint over Cloudflare Tunnel. We recommend choosing a host that is physically in the office which remote users do not need to access, such as a printer. - -## WARP client and managed network detection +## WARP client managed network detection When you configure a managed network, the WARP client uses the TLS endpoint to determine whether the device is on that network.
@@ -47,6 +41,12 @@ The time it takes to apply the correct device profile depends on how quickly the If the TLS endpoint times out after 5 seconds, the WARP client will determine that the device is not on a managed network and will apply the default device profile. The WARP client only retries detection if a non-timeout error occurs. A timeout triggers fallback to the default device profile without further retries. +## 1. Choose a TLS endpoint + +A TLS endpoint is a host on your network that serves a TLS certificate. The TLS endpoint acts like a network location beacon — when a device connects to a network, the WARP client on the device detects the TLS endpoint and validates the TLS certificate against the SHA-256 fingerprint (if specified) or against the local certificate store to check that it is signed by a public certificate authority. + +The TLS certificate can be hosted by any device on your network. However, the endpoint must be inaccessible to users outside of the network location. WARP will automatically exclude the managed network endpoint from all device profiles to ensure that users cannot connect to this endpoint over Cloudflare Tunnel. We recommend choosing a host that is physically in the office which remote users do not need to access, such as a printer. + ### Create a new TLS endpoint If you do not already have a TLS endpoint on your network, you can set one up as follows: 
@@ -287,3 +287,8 @@ To check if the WARP client detects the network location: 1. Turn on WARP. 2. Disconnect and reconnect to the network. 3. Open a terminal and run `warp-cli debug alternate-network`. + +## Related resources + +- [Device profiles](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) - How to create and manage the device profiles you apply via managed networks. +- [WARP settings](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/) - Defines how WARP behaves and what users can do.

From 662e6bfe340e5562d477ed758736b468fa18a86a Mon Sep 17 00:00:00 2001
From: Kate Tungusova
Date: Fri, 27 Jun 2025 14:20:36 -0700
Subject: [PATCH 8/8] final final

---
 .../warp/configure-warp/managed-networks.mdx | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
index cf0888c157dd104..013402200136dd8 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx
@@ -26,7 +26,11 @@ import { Details, TabItem, Tabs } from "~/components"; Cloudflare WARP allows you to selectively apply specific [device profiles](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) and WARP client settings when a device connects to a secure network location, such as an office. WARP identifies these managed networks by detecting a TLS endpoint you set up on the network. -On this page, you will learn how to create a TLS endpoint on your trusted network and configure it in Zero Trust to set up a managed network. After the TLS endpoint and managed network are configured, the WARP client on a device will detect when the device is on your managed network and apply the appropriate device profile. +On this page, you will learn how to: + +- Create a TLS endpoint on your trusted network. +- Configure the TLS endpoint in Zero Trust to set up a managed network. +- Apply the appropriate device profile to a device when the WARP client detects it is on your managed network. ## Requirements
@@ -291,4 +295,4 @@ To check if the WARP client detects the network location: ## Related resources - [Device profiles](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) - How to create and manage the device profiles you apply via managed networks. -- [WARP settings](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/) - Defines how WARP behaves and what users can do. +- [WARP settings](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/) - Defines how WARP behaves and what users can do.