[ZT] Remove single use partials #24274
Merged (2 commits), Aug 11, 2025
Expand Up @@ -195,19 +195,19 @@ When an HTTP request results in an error, Gateway logs the first 512 bytes of th

#### Basic information

| Field | Description |
| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Host** | Hostname in the HTTP header for the HTTP request. Gateway will log the SNI in this field if it responded to the request with a Do Not Inspect action. If Gateway does not receive the SNI, this field will be empty. |
| **Email** | Email address of the user who made the HTTP request. This is generated by the WARP client. |
| **Action** | The Gateway [Action](/cloudflare-one/policies/gateway/dns-policies/#actions) taken based on the first rule that matched (such as Allow or Block). |
| **Request ID** | Unique ID of the request. |
| **Time** | Date and time of the HTTP request. |
| **Source internal IP** | Private IP address assigned by the user's local network. |
| **User agent** | User agent header sent in the request by the originating device. |
| **Policy details** | Policy corresponding to the decision Gateway made based on the traffic criteria of the request. |
| **DLP profiles** | Name of the matched [DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/). |
| **DLP profile entries** | Name of the matched entry within the DLP profile. |
| **Uploaded/downloaded file** | <Render file="gateway/uploaded-downloaded-file" /> |
| Field | Description |
| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Host** | Hostname in the HTTP header for the HTTP request. Gateway will log the SNI in this field if it responded to the request with a Do Not Inspect action. If Gateway does not receive the SNI, this field will be empty. |
| **Email** | Email address of the user who made the HTTP request. This is generated by the WARP client. |
| **Action** | The Gateway [Action](/cloudflare-one/policies/gateway/dns-policies/#actions) taken based on the first rule that matched (such as Allow or Block). |
| **Request ID** | Unique ID of the request. |
| **Time** | Date and time of the HTTP request. |
| **Source internal IP** | Private IP address assigned by the user's local network. |
| **User agent** | User agent header sent in the request by the originating device. |
| **Policy details** | Policy corresponding to the decision Gateway made based on the traffic criteria of the request. |
| **DLP profiles** | Name of the matched [DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/). |
| **DLP profile entries** | Name of the matched entry within the DLP profile. |
| **Uploaded/downloaded file** | Information about the file transferred in the request found by [enhanced file detection](#enhanced-file-detection). Details include: <ul><li>File name</li><li>File type</li><li>File size</li><li>File hash (for Allowed requests only)</li><li>Content type</li><li>Direction (Upload/Download)</li><li>Action (Block/Allow)</li></ul> |

#### Matched policies

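Review bot: with `<Render file="gateway/uploaded-downloaded-file" />` gone from this table, the page's `import { Render }` is a dead import unless another `<Render>` remains elsewhere in the file; check and drop it if so. The inlined cell keeps its list as raw HTML (`<ul><li>File name</li>…</ul>`), which is the only way to get a list into a pipe table, but the nested HTML inside an MDX table cell deserves a visual check of the rendered page to confirm it matches what the partial produced. More broadly, this PR removes eight `<Render>` partials (`uploaded-downloaded-file`, `indicator-feeds`, `domain-categories`, `create-dns-policy`, `protocol-detection`, `sni`, `sni-domain`, `block-cipa`) while only two `This file was deleted.` entries are visible in the file list; confirm the remaining partial files are deleted too, otherwise they stay behind as unreferenced files.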
Expand Down
Expand Up @@ -360,7 +360,13 @@ Use this selector to filter DNS responses by their `TXT` records.

### Indicator Feeds

<Render file="gateway/selectors/indicator-feeds" params={{ one: "dns" }} />
Use this selector to match against custom indicator feeds.

You can use a [publicly available indicator feed](/security-center/indicator-feeds/#publicly-available-feeds) or a custom indicator feed assigned to your account by a designated third-party vendor. For more information on indicator feeds, refer to [Custom Indicator Feeds](/security-center/indicator-feeds/).

| UI name | API example | Evaluation phase |
| --------------- | -------------------- | --------------------- |
| Indicator Feeds | `dns.indicator_feed` | Before DNS resolution |

<Render file="gateway/selectors/category-options" />

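Review bot: the removed partial was parameterized (`params={{ one: "dns" }}`), which indicates it was rendered on at least one other selector page with a different value (an HTTP or network selectors page, for example). Deleting `gateway/selectors/indicator-feeds` breaks any page that still includes it, so grep for remaining `<Render file="gateway/selectors/indicator-feeds"` usages before merging, or keep the partial if it is not actually single-use. The inlined copy hardcodes `dns.indicator_feed` and `Before DNS resolution`, so every other page that used the partial now needs its own inlined text with the correct API example and evaluation phase.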
Expand Down
Expand Up @@ -5,11 +5,13 @@ sidebar:
order: 10
---

import { Render } from "~/components";

Cloudflare Gateway allows you to block known and potential security risks on the public Internet, as well as specific categories of content. Domains are categorized by [Cloudflare Radar](/radar/glossary/#content-categories).

<Render file="gateway/domain-categories" />
Cloudflare categorizes domains into content categories and security categories, which cover security risks and security threats:

- **Content categories**: An upstream vendor supplies content categories for domains. These categories help us organize domains into broad topic areas. However, the specific criteria and methods used by our vendor may not be disclosed.
- **Security risks**: Cloudflare determines security risks for domains using internal models. These models analyze various factors, including the age of a domain and its reputation. This allows us to identify potentially risky domains.
- **Security threats**: To identify malicious domains that pose security threats, Cloudflare employs a mix of internal data sources, machine learning models, commercial feeds, and open-source threat intelligence.

You can block security and content categories by creating DNS or HTTP policies. Once you have configured your policies, you will be able to inspect network activity and the associated categories in your Gateway logs.

Expand Down Expand Up @@ -71,7 +73,6 @@ Subdomains that have not been assigned a category will inherit the category of t
| Violence | Sites hosting and/or promoting violent content. |
| Weather | Sites related to weather. |


### Miscellaneous subcategories

| Category | Definition |
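Review bot: `import { Render } from "~/components";` stays as a context line while the only `<Render>` in the visible range (`gateway/domain-categories`) is removed; if the rest of the file has no other `<Render>` usage this import is now unused and should be dropped in the same change. The inlined bullet list is a faithful replacement for the partial, and removing the extra blank line before `### Miscellaneous subcategories` is fine.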
Expand Down
Expand Up @@ -11,7 +11,7 @@ learning_center:
link: https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/
---

import { GlossaryTooltip, Render } from "~/components";
import { GlossaryTooltip, Render, Tabs, TabItem } from "~/components";

Secure Web Gateway allows you to inspect DNS traffic and control which websites users can visit.

Expand Down Expand Up @@ -55,7 +55,65 @@ To verify your device is connected to Zero Trust:

## 3. Create your first DNS policy

<Render file="gateway/get-started/create-dns-policy" />
To create a new DNS policy:

<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
2. In the **DNS** tab, select **Add a policy**.
3. Name the policy.
4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
5. Choose an **Action** to take when traffic matches the logical expression. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories):
<Render
file="gateway/policies/block-security-categories"
product="cloudflare-one"
/>
6. Select **Create policy**.

</TabItem>

<TabItem label="API">

1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:

| Type | Item | Permission |
| ------- | ---------- | ---------- |
| Account | Zero Trust | Edit |

2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/account/find-account-and-zone-ids/) and API token.
3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories):

```sh title="curl API DNS policy example"
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
--data '{
"name": "Block security threats",
"description": "Block all default Cloudflare DNS security categories",
"precedence": 0,
"enabled": true,
"action": "block",
"filters": [
"dns"
],
"traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
"identity": ""
}'
```

```sh output
{
"success": true,
"errors": [],
"messages": []
}
```

The API will respond with a summary of the policy and the result of your request.

</TabItem> </Tabs>

For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).

## 4. Add optional policies

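Review bot: step 2 of the API tab describes setting `$ACCOUNT_ID` and `$CLOUDFLARE_API_TOKEN` as optional, but the curl command in step 3 substitutes both, so a reader who skips step 2 sends a request with an empty account ID in the path and an empty bearer token; either say the variables are required for this example or show literal placeholders in the command. The `traffic` expression hardcodes the category IDs `{68 178 80 83 176 175 117 131 134 151 153}` while the Dashboard tab renders the same policy through the `gateway/policies/block-security-categories` partial; the two lists will drift silently unless the text notes they must be kept in sync. Also, the `<Render ... />` nested under list item 5 and the permissions table under API step 1 need to be indented to their list item's content column in MDX, otherwise the numbered lists end early and `6.`/`2.` restart numbering.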
Expand Down
Expand Up @@ -286,7 +286,11 @@ Gateway matches network traffic against the following selectors, or criteria.

### Detected Protocol

<Render file="gateway/selectors/protocol-detection" />
The inferred network protocol based on Cloudflare's [protocol detection](/cloudflare-one/policies/gateway/network-policies/protocol-detection/).

| UI name | API example |
| ----------------- | --------------------------------- |
| Detected Protocol | `net.protocol.detection == "ssh"` |

### Device Posture

Expand Down Expand Up @@ -315,11 +319,23 @@ To enable Gateway filtering on TCP and UDP, go to **Settings** > **Network** > *

### SNI

<Render file="gateway/selectors/sni" />
The host whose Server Name Indication (SNI) header Gateway will filter traffic against. This will allow for an exact match.

This selector only applies to traffic on port `443`.

| UI name | API example |
| ------- | ----------------------------------- |
| SNI | `net.sni.host == "www.example.com"` |

### SNI Domain

<Render file="gateway/selectors/sni-domain" />
The domain whose Server Name Indication (SNI) header Gateway will filter traffic against. For example, a rule for `example.com` will match `example.com`, `www.example.com`, and `my.test.example.com`.

This selector only applies to traffic on port `443`.

| UI name | API example |
| ---------- | ---------------------------------- |
| SNI Domain | `net.sni.domains == "example.com"` |

### Source Continent

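Review bot: the SNI section says the match is exact while SNI Domain matches the domain and all of its subdomains, but neither section points at the other. Since `net.sni.host == "www.example.com"` will not match `example.com` or any other subdomain, a policy written with the wrong selector silently leaves part of the domain uncovered and only shows up later in the logs; a one-line cross-reference in each section ("to match all subdomains, use SNI Domain" / "for an exact hostname, use SNI") would prevent that. The line `This selector only applies to traffic on port 443.` is now duplicated verbatim in both sections; acceptable, but it could be stated once above both.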
Expand Down
Expand Up @@ -10,7 +10,12 @@ import { Render } from "~/components";
## Create CIPA policy

1. Go to **Gateway** > **Firewall policies**.
2. Create a policy to block using the CIPA filter: <Render file="gateway/policies/block-cipa" product="cloudflare-one" />
2. Create a policy to block using the CIPA filter:

| Selector | Operator | Value | Action |
| ------------------ | -------- | ------------- | ------ |
| Content Categories | in | _CIPA Filter_ | Block |

3. In **Logs** > **Gateway** > **DNS**, verify that you see the blocked domain.

Your environment is now protected against all of the subcategories listed in [Configuration](/fundamentals/reference/policies-compliances/cybersafe/#configuration).

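Review bot: the selector table now sits between list items 2 and 3 at column zero; unless the three table lines are indented to item 2's content column, Markdown closes the list at the table and `3. In **Logs** > **Gateway** > **DNS** ...` restarts numbering at 1. The inline `<Render>` on the old line avoided this because it was part of item 2's own line. Indent the table under item 2 and check the rendered page before merging.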
This file was deleted.

This file was deleted.