Skip to content

[CAC] Add section to Applications selector #24430

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Aug 24, 2025
Merged

[CAC] Add section to Applications selector #24430

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
7a023ad
Add CAC section
maxvp Aug 14, 2025
84d54b0
Improve wording and add example
maxvp Aug 18, 2025
112ad56
Add supported AI app tables
maxvp Aug 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
76 changes: 75 additions & 1 deletion src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ sidebar:
order: 9
---

import { GlossaryDefinition, GlossaryTooltip } from "~/components";
import { GlossaryDefinition, GlossaryTooltip, Details } from "~/components";

Gateway allows you to create DNS, Network, and HTTP policies based on applications and app types. You can select individual applications or groups of app types to filter specific traffic on your network.

Expand Down Expand Up @@ -45,6 +45,80 @@ Gateway sorts applications into the following app type groups:
| Video Streaming | Video streaming applications |
| [Do Not Inspect](#do-not-inspect-applications) | Applications incompatible with the TLS certificate required by the [Gateway proxy](/cloudflare-one/policies/gateway/proxy/) |

## Application controls

With [Cloud App Control](/cloudflare-one/policies/gateway/http-policies/#cloud-app-control), you can choose specific actions and operations to match application traffic. Supported applications and operations include:

<Details header="ChatGPT (app ID `1199`)" open = {true}>

| Operations group | Operations group ID | Operation name | Operation ID | Application Controls group | Application control ID | DLP content |
| ---------------- | ------------------- | ------------------ | ------------ | -------------------------- | ---------------------- | ----------- |
| Chat | `1650` | SendPrompt | `8004` | Prompt | `1652` | ✅ |
| Chat | `1650` | UploadFile | `8008` | Upload | `1653` | ❌ |
| Chat | `1650` | UploadFilePayload | `8013` | Upload | `1653` | ✅ |
| Chat | `1650` | ShareResponse | `8006` | Share | `1654` | ❌ |
| Chat | `1650` | ShareCanvas | `8007` | Share | `1654` | ❌ |
| Chat | `1650` | TranscribeVoice | `8011` | Voice | `1655` | ❌ |
| Chat | `1650` | EnableVoiceMode | `8003` | Voice | `1655` | ❌ |
| Settings | `1651` | AllowTraining | `8009` | | | ❌ |
| Settings | `1651` | AllowVoiceTraining | `8010` | | | ❌ |
| Settings | `1651` | AllowVideoTraining | `8016` | | | ❌ |
| Settings | `1651` | ExportData | `8020` | | | ❌ |

</Details>

<Details header="Google Gemini (app ID `1340`)">

| Operations group | Operations group ID | Operation name | Operation ID | Application Controls group | Application control ID | DLP content |
| ---------------- | ------------------- | ----------------- | ------------ | -------------------------- | ---------------------- | ----------- |
| Chat | `1656` | SendPrompt | `8021` | Prompt | `1657` | ✅ |
| Chat | `1656` | UploadFile | `8022` | Upload | `1658` | ❌ |
| Chat | `1656` | UploadFilePayload | `8023` | Upload | `1658` | ✅ |
| Chat | `1656` | TranscribeVoice | `8025` | Voice | `1659` | ❌ |

</Details>

<Details header="Perplexity (app ID `1937`)">

| Operations group | Operations group ID | Operation name | Operation ID | Application Controls group | Application control ID | DLP content |
| ---------------- | ------------------- | ---------------------- | ------------ | -------------------------- | ---------------------- | ----------- |
| Chat | `2596` | SendPrompt | `11947` | Prompt | `2598` | ✅ |
| Chat | `2596` | ClarifyingPrompt | `11951` | Prompt | `2598` | ✅ |
| Chat | `2596` | CreateUploadUrl | `11948` | Upload | `2599` | ❌ |
| Chat | `2596` | UploadFile | `11955` | Upload | `2599` | ✅ |
| Settings | `2597` | UploadOrganizationFile | `11950` | Upload | `2599` | ❌ |
| Chat | `2596` | ShareChat | `11952` | Share | `2600` | ❌ |
| Chat | `2596` | VoiceTranscription | `11953` | Voice | `2601` | ❌ |
| Chat | `2596` | ExportChat | `11949` | | | ❌ |
| Chat | `2596` | DeleteThread | `11954` | | | ❌ |
| Settings | `2597` | DeleteOrganizationFile | `11956` | | | ❌ |

</Details>

<Details header="Claude (app ID `2430`)">

| Operations group | Operations group ID | Operation name | Operation ID | Application Controls group | Application control ID | DLP content |
| ---------------- | ------------------- | --------------------- | ------------ | -------------------------- | ---------------------- | ----------- |
| Chat | `2126` | SendPrompt | `10048` | Prompt | `2127` | ✅ |
| Chat | `2126` | PromptCompletion | `10050` | Prompt | `2127` | ✅ |
| Chat | `2126` | RetryPromptCompletion | `10040` | Prompt | `2127` | ✅ |
| Chat | `2126` | UploadFile | `10039` | Upload | `2128` | ✅ |
| Chat | `2126` | ConvertDocument | `10041` | Upload | `2128` | ✅ |
| Chat | `2126` | ShareConversation | `10043` | Share | `2129` | ❌ |
| Chat | `2126` | GetShares | `10052` | Share | `2129` | ❌ |
| Chat | `2126` | CreateConversation | `10038` | | | ❌ |
| Chat | `2126` | GetConversation | `10046` | | | ❌ |
| Chat | `2126` | UpdateConversation | `10047` | | | ❌ |
| Chat | `2126` | DeleteConversation | `10045` | | | ❌ |
| Settings | `2125` | UpdateAccount | `10036` | | | ❌ |
| Settings | `2125` | InitiateDataExport | `10037` | | | ❌ |
| Chat | `2126` | GiveFeedback | `10042` | | | ❌ |
| Chat | `2126` | SetConversationTitle | `10044` | | | ❌ |
| Settings | `2125` | GetOrganisation | `10049` | | | ❌ |
| Chat | `2126` | GetFilePreview | `10051` | | | ❌ |

</Details>

## Usage

### Overlapping hostnames
Expand Down
10 changes: 10 additions & 0 deletions src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -401,6 +401,16 @@ Gateway matches HTTP traffic against the following selectors, or criteria:
When using Terraform to create a policy with the [Do Not Inspect](#do-not-inspect) action, you must use the `app.hosts_ids` and `app.supports_ids` selectors. For example, to create a Do Not Inspect policy for Google Cloud Platform traffic, create a policy with both `any(app.hosts_ids[*] in {1245})` and `any(app.supports_ids[*] in {1245})`.
:::

#### Cloud App Control

When using the _is_ operator with the _Application_ selector, you can use Cloud App Control to choose specific actions and operations to match application traffic. For example, you can block file uploads to ChatGPT without blocking all ChatGPT traffic:

| Selector | Operator | Value | Controls | Action |
| ----------- | -------- | --------- | -------- | ------ |
| Application | is | _ChatGPT_ | _Upload_ | Block |

You can match traffic based on **Application Controls**, which group multiple user actions together, or **Operations**, which allow for granular control of supported API-level actions for an application. For a list of supported granular controls, refer to [Application controls](/cloudflare-one/policies/gateway/application-app-types/#application-controls).

### Content Categories

<Render
Expand Down