diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx index b0b023ef999ef77..77a9af726fd5eca 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx @@ -11,6 +11,7 @@ import { Render, TabItem, Tabs, + Badge, } from "~/components"; Cloudflare Gateway can perform [SSL/TLS decryption](https://www.cloudflare.com/learning/security/what-is-https-inspection/) in order to inspect HTTPS traffic for malware and other security risks. @@ -41,6 +42,17 @@ Gateway does not support TLS decryption for applications which use: - [ESNI and ECH handshake encryption](#esni-and-ech) - [Automatic HTTPS upgrades](#google-chrome-automatic-https-upgrades) +### Inspect on all ports + + + ### Incompatible certificates Applications that use certificate pinning and mTLS authentication do not trust Cloudflare certificates. For example, most mobile applications use certificate pinning. Cloudflare does not trust applications that use self-signed certificates instead of certificates signed by a public CA. 
@@ -87,6 +99,10 @@ Chrome Enterprise users can turn off automatic HTTPS upgrades for all URLs with +### Mutual TLS (mTLS) + +When decrypting TLS to inspect traffic, connections that use mutual TLS (mTLS) will fail because Gateway cannot return the necessary client certificate. To prevent connection failures, create a [Do Not Inspect policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) for this traffic. + ### ESNI and ECH Websites that adhere to [ESNI or Encrypted Client Hello (ECH) standards](https://blog.cloudflare.com/encrypted-client-hello/) encrypt the Server Name Indicator (SNI) during the TLS handshake and are therefore incompatible with HTTP inspection. This is because Gateway relies on the SNI to match an HTTP request to a policy. If the ECH fails, browsers will retry the TLS handshake using the unencrypted SNI from the initial request. To avoid this behavior, you can disable ECH in your users' browsers. diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx index 02282b56b97824f..f83d1dc49419b54 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx 
@@ -165,6 +165,41 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ +## Filter HTTP traffic when inspecting on all ports + +If your organization blocks traffic by default with a network policy and you want to [inspect HTTP traffic on all ports](/cloudflare-one/policies/gateway/network-policies/protocol-detection/#inspect-on-all-ports), you need to explicitly allow HTTP and TLS traffic to filter it. + + + +| Selector | Operator | Value | Logic | Action | +| ----------------- | -------- | ------ | ----- | ------ | +| Detected Protocol | is | _TLS_ | Or | Allow | +| Detected Protocol | is | _HTTP_ | | | + + + + + +```bash +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "Allow on inspect all ports", + "description": "Filter TLS traffic when using inspect all ports", + "enabled": true, + "action": "allow", + "filters": [ + "l4" + ], + "traffic": "net.detected_protocol == \"tls\" or net.detected_protocol == \"http\"", + "identity": "", + "device_posture": "" +}' +``` + + + ## Restrict access to private networks Restrict access to resources which you have connected through [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/). diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/protocol-detection.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/protocol-detection.mdx index 36b14ae64d91da9..ece03325d5709eb 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/protocol-detection.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/protocol-detection.mdx 
@@ -5,17 +5,32 @@ sidebar: order: 2 --- +import { Badge, Render } from "~/components"; + Gateway supports the detection, logging, and filtering of network protocols using packet attributes. Protocol detection only applies to devices connected to Zero Trust via the WARP client in [Gateway with WARP](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-warp-default) mode. ## Turn on protocol detection +To turn on protocol detection: + 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Network** > **Firewall**. 2. Turn on **Protocol Detection**. You can now use _Detected Protocol_ as a selector in a [Network policy](/cloudflare-one/policies/gateway/network-policies/#detected-protocol). +### Inspect on all ports + + + ## Supported protocols Gateway supports detection and filtering of the following protocols: diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/tls-inspection.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/tls-inspection.mdx index 94fe8e71434ba55..835f1199ca3a8eb 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/tls-inspection.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/tls-inspection.mdx @@ -5,7 +5,7 @@ sidebar: order: 1 --- -import { GlossaryTooltip, Render, TabItem, Tabs } from "~/components"; +import { GlossaryTooltip, Render, TabItem, Tabs, Badge } from "~/components"; TLS inspection (also known as TLS decryption or HTTPS inspection) allows Cloudflare Gateway to perform deeper traffic analysis and take actions like scanning request bodies for sensitive data, upgrading to a remote browser isolation session, and redirecting based on the complete URL and path of requests. 
@@ -36,6 +36,17 @@ To turn on TLS inspection for your Zero Trust organization: +#### Inspect on all ports + + + ### 3. Determine the certificate used for inspection TLS inspection requires a trusted private root certificate to be able to inspect and filter encrypted traffic. A [Cloudflare root certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment/) is a simple and common solution that is usually appropriate for testing or proof-of-concept conditions when deployed to your devices. You can [generate a Cloudflare certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) in Zero Trust. diff --git a/src/content/partials/cloudflare-one/gateway/inspect-on-all-ports.mdx b/src/content/partials/cloudflare-one/gateway/inspect-on-all-ports.mdx new file mode 100644 index 000000000000000..dd079135eede197 --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/inspect-on-all-ports.mdx @@ -0,0 +1,12 @@ +--- +params: + - turnOnProcedure +--- + +import { Markdown } from "~/components"; + +By default, Gateway will only inspect HTTP traffic through port `80`. Additionally, if you [turn on TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#turn-on-tls-decryption), Gateway will inspect HTTPS traffic through port `443`. + +To detect and inspect HTTP and HTTPS traffic on ports in addition to `80` and `443`, . + +Inspecting traffic on all ports works best if you allow all traffic by default. If your organization uses a Network policy to block all traffic by default, Gateway will allow all non-HTTPS TLS traffic, and you will not be able to filter this traffic. To use HTTP policies to filter all TLS traffic on all ports when using a default Block Network policy, [create a Network policy to explicitly allow HTTP and TLS traffic](/cloudflare-one/policies/gateway/network-policies/common-policies/#filter-http-traffic-when-inspecting-on-all-ports).
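Review bot: In the tls-decryption.mdx hunk `@@ -41,6 +42,17 @@`, the new `### Inspect on all ports` section has no visible body between its heading and `### Incompatible certificates`, so confirm the `Render` call for the `inspect-on-all-ports` partial (with its `turnOnProcedure` param) is actually present. Placement is also off: the section is inserted directly after the "Gateway does not support TLS decryption for applications which use:" list and before "Incompatible certificates", so it reads as one more limitation rather than as a setting; moving it up next to the turn-on procedure would match where the same section lives in protocol-detection.mdx and tls-inspection.mdx.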
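Review bot: In the tls-decryption.mdx hunk `@@ -87,6 +99,10 @@`, the new `### Mutual TLS (mTLS)` section overlaps with the existing "Incompatible certificates" text, which already says applications using mTLS authentication do not trust Cloudflare certificates, but gives a different reason (certificate trust versus "Gateway cannot return the necessary client certificate"). Keep the client-certificate explanation in one place and link to it from "Incompatible certificates" so the two do not drift. The unsupported-applications list at the top of the page (currently only ESNI/ECH and automatic HTTPS upgrades) should also gain an entry such as `- [Mutual TLS (mTLS)](#mutual-tls-mtls)`, otherwise the new anchor is not discoverable from the summary.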
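Review bot: In the common-policies.mdx hunk `@@ -165,6 +165,41 @@`, the heading "Filter HTTP traffic when inspecting on all ports", the rule name "Allow on inspect all ports" and the description "Filter TLS traffic when using inspect all ports" disagree with each other and with the rule body, which allows both `tls` and `http` (`net.detected_protocol == "tls" or net.detected_protocol == "http"`); make heading, name and description all say "HTTP and TLS". More importantly, this is a network-layer allow for any destination whose detected protocol is TLS or HTTP, added on top of a deny-by-default posture, and the section should say so explicitly: the rule does no filtering itself, it only hands the traffic to the HTTP layer, so it must be paired with TLS decryption and HTTP policies, and anything the HTTP layer cannot decrypt (Do Not Inspect traffic, pinned or mTLS applications from the tls-decryption page) passes through it unfiltered. A sentence to that effect after the intro paragraph, plus a note on where this Allow rule should sit relative to the default Block rule, would prevent the allow from being wider than intended.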
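Review bot: In the protocol-detection.mdx hunk `@@ -5,17 +5,32 @@`, `Badge` and `Render` are imported but neither has a visible use, and the new `### Inspect on all ports` section is empty between its heading and `## Supported protocols`; check that the `Render` call survived and that the `turnOnProcedure` value passed from this page names the actual toggle location, since the partial's sentence depends on it. The added "To turn on protocol detection:" lead-in before the numbered steps is fine and matches the style of the other pages.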
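Review bot: In the tls-inspection.mdx hunk `@@ -5,7 +5,7 @@`, `Badge` is appended after `Tabs` in the import list, while protocol-detection.mdx uses alphabetical order (`import { Badge, Render }`); pick one ordering for all four files. As in the other pages, no use of `Badge` is visible in this file's hunks, so drop the import if it is only used inside the partial.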
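Review bot: In the tls-inspection.mdx hunk `@@ -36,6 +36,17 @@`, the new heading is `#### Inspect on all ports` (h4) while the following sibling is `### 3. Determine the certificate used for inspection` (h3); if the intent is a sub-step of step 2 the level is right, but then the section body, which is empty in the visible lines, should at least name the setting in this page's own words so the learning path still reads as a sequence of steps when the partial changes.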
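Review bot: In the new partial `inspect-on-all-ports.mdx` (`@@ -0,0 +1,12 @@`), the sentence "To detect and inspect HTTP and HTTPS traffic on ports in addition to `80` and `443`, ." has nothing between the comma and the period; the `turnOnProcedure` param declared in the frontmatter is presumably meant to be interpolated there, so verify the expression is present, that every caller passes an imperative clause that completes the sentence, and that the period does not end up doubled. `Markdown` is imported with no visible use, which points the same way. The last paragraph is the security-relevant part of this change and it is confusing as written: "If your organization uses a Network policy to block all traffic by default, Gateway will allow all non-HTTPS TLS traffic" describes a default Block being bypassed without saying which traffic (TLS on ports other than `443`, or TLS that does not carry HTTP) or why the block does not apply; define "non-HTTPS TLS traffic", state the mechanism, and turn the paragraph into a warning callout placed before the turn-on instruction, because an administrator who follows only the procedure would enable the setting without knowing it creates an allow path through a deny-by-default posture. Minor wording: "inspect HTTP traffic through port `80`" reads better as "on port `80`".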