Merged
Changes from 5 commits
Expand Up @@ -11,6 +11,7 @@ import {
Render,
TabItem,
Tabs,
Badge,
} from "~/components";

Cloudflare Gateway can perform [SSL/TLS decryption](https://www.cloudflare.com/learning/security/what-is-https-inspection/) in order to inspect HTTPS traffic for malware and other security risks.
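Review bot: `Badge` is appended after `Tabs`, which breaks the alphabetical order of the visible tail of the import list (`Render`, `TabItem`, `Tabs`); move it ahead of `Render` so the list stays sorted, matching how the other names are arranged.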
Expand Down Expand Up @@ -41,6 +42,12 @@ Gateway does not support TLS decryption for applications which use:
- [ESNI and ECH handshake encryption](#esni-and-ech)
- [Automatic HTTPS upgrades](#google-chrome-automatic-https-upgrades)

### Inspect on all ports <Badge text="Beta" variant="caution" size="small" />

By default, Gateway will only inspect HTTP traffic through port `80`. Additionally, if you turn on TLS decryption, Gateway will inspect HTTPS traffic through port `443`.

To detect and inspect HTTP and HTTPS traffic on ports other than `80` and `443`, you can turn on [protocol detection](/cloudflare-one/policies/gateway/network-policies/protocol-detection/) and configure Gateway to [inspect traffic on all ports](/cloudflare-one/policies/gateway/network-policies/protocol-detection/#inspect-on-all-ports).

### Incompatible certificates

Applications that use certificate pinning and mTLS authentication do not trust Cloudflare certificates. For example, most mobile applications use <GlossaryTooltip term="certificate pinning" link="/ssl/reference/certificate-pinning/">certificate pinning</GlossaryTooltip>. Cloudflare does not trust applications that use self-signed certificates instead of certificates signed by a public CA.
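Review bot: the two paragraphs under `### Inspect on all ports` repeat, nearly word for word, the text added to the protocol-detection page in this same PR, so the two copies will drift the first time one is edited; this file already imports `Render` from `~/components`, so a shared partial rendered in both pages would keep them in sync. Two smaller points on the same hunk: the new heading lands directly after the "Gateway does not support TLS decryption for applications which use:" list, so a feature description now interrupts the limitations material, and the text should say plainly that widening inspection beyond ports `80` and `443` does not lift the incompatibilities described further down (pinned certificates, mTLS): a connection that fails decryption on `443` fails the same way on any other port, so the Do Not Inspect guidance applies to that traffic as well. The Beta badge alone does not convey that added failure surface.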
Expand Down Expand Up @@ -87,6 +94,10 @@ Chrome Enterprise users can turn off automatic HTTPS upgrades for all URLs with

</TabItem> </Tabs>

### Mutual TLS (mTLS)

When decrypting TLS to inspect traffic, connections that use mutual TLS (mTLS) will fail because Gateway cannot return the necessary client certificate. To prevent connection failures, create a [Do Not Inspect policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) for this traffic.

### ESNI and ECH

Websites that adhere to [ESNI or Encrypted Client Hello (ECH) standards](https://blog.cloudflare.com/encrypted-client-hello/) encrypt the Server Name Indicator (SNI) during the TLS handshake and are therefore incompatible with HTTP inspection. This is because Gateway relies on the SNI to match an HTTP request to a policy. If the ECH fails, browsers will retry the TLS handshake using the unencrypted SNI from the initial request. To avoid this behavior, you can disable ECH in your users' browsers.
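Review bot: the new `### Mutual TLS (mTLS)` section gives a different reason for mTLS failures than `### Incompatible certificates` above. That section says mTLS applications "do not trust Cloudflare certificates" (a server-certificate problem), while this one says Gateway "cannot return the necessary client certificate" (a client-certificate problem). The second is the accurate one: the client certificate and its private key live on the device, so a decrypting proxy cannot complete that half of the handshake no matter which CA the client trusts. Suggest dropping mTLS from the pinning sentence in Incompatible certificates and linking to this section instead, and, if the "Gateway does not support TLS decryption for applications which use:" list at the top of the page does not already carry an entry for mTLS, adding one that points at the new heading.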
Expand Up @@ -5,17 +5,27 @@ sidebar:
order: 2
---

import { Badge } from "~/components";

Gateway supports the detection, logging, and filtering of network protocols using packet attributes.

Protocol detection only applies to devices connected to Zero Trust via the WARP client in [Gateway with WARP](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-warp-default) mode.

## Turn on protocol detection

To turn on protocol detection:

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Network** > **Firewall**.
2. Turn on **Protocol Detection**.

You can now use _Detected Protocol_ as a selector in a [Network policy](/cloudflare-one/policies/gateway/network-policies/#detected-protocol).

### Inspect on all ports <Badge text="Beta" variant="caution" size="small" />

By default, Gateway will only inspect HTTP traffic through port `80`. Additionally, if you turn on [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), Gateway will inspect HTTPS traffic through port `443`.

To detect and inspect HTTP and HTTPS traffic on ports other than `80` and `443`, under **HTTP inspection ports**, choose _Inspect on all ports_.

## Supported protocols

Gateway supports detection and filtering of the following protocols:
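Review bot: `### Inspect on all ports` is nested under `## Turn on protocol detection`, but the steps there end at the **Protocol Detection** toggle and the new section never says where **HTTP inspection ports** lives or whether protocol detection has to be on first; the TLS decryption page in this same PR tells readers to "turn on protocol detection and configure Gateway to inspect traffic on all ports", which implies a dependency this page should state. Suggest continuing the numbered list, e.g. `3. Under **HTTP inspection ports**, choose _Inspect on all ports_.`, spelling out the path (**Settings** > **Network** > **Firewall**, if that is where the control is), and confirming whether the WARP-only scope stated at the top of the page for protocol detection also applies to this setting, and saying so either way. The two explanatory paragraphs are also a near-verbatim copy of the ones added to the TLS decryption page; a shared partial would avoid the two drifting apart.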