cloudflare · maxvp · Jul 2, 2025 · Jun 25, 2025 · Jun 25, 2025 · Jun 26, 2025
@@ -135,6 +135,27 @@ flowchart TB
     egress1-- "Egress with dedicated IP" -->internet
 ```
 
+## Connection establishment
+
+When a user connects to a server with Gateway, Gateway first establishes a TCP connection with the destination server on the port the user requested. If the connection is successful, Gateway will apply policies. If Gateway policies allow the connection, Gateway will connect the user to the destination server. If Gateway policies block the connection, Gateway will end the connection and will not send any data between the user and the destination server. If the TCP connection to the destination server is unsuccessful, Gateway will not run any policies nor accept further TCP connections from the user to the server.
+
+```mermaid
+flowchart TB
+    A(["User"]) -- Initiates connection --> B["Gateway TCP connection to destination server"]
+    B -- Connection success --> C["Gateway applies policies"]
+    B -- Connection failure --> E["Gateway rejects user TCP connections"]
+    C -- Allow policies --> D["Gateway connects user to destination server"]
+    C -- Block policies --> F["Gateway ends connection and sends no data"]
+
+    B@{ shape: hex}
+    C@{ shape: hex}
+    style E stroke:#D50000
+    style D stroke:#00C853
+    style F stroke:#D50000
+```
+
+Connections to Zero Trust will always appear in your [Zero Trust network session logs](/logs/reference/log-fields/account/zero_trust_network_sessions/) regardless of connection success. Because Gateway does not inspect failed connections, they will not appear in your [Gateway activity logs](/cloudflare-one/insights/logs/gateway-logs/).
+
 ## Priority between policy builders
 
 Gateway applies your policies in the following order: