diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx index 67588bda576420c..465e622f769c53d 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/pac-files.mdx @@ -5,7 +5,13 @@ sidebar: order: 1 --- -import { Details, GlossaryDefinition, TabItem, Tabs } from "~/components"; +import { + Details, + GlossaryDefinition, + TabItem, + Tabs, + APIRequest, +} from "~/components"; :::note Only available on Enterprise plans. @@ -40,7 +46,6 @@ All devices you add to the proxy endpoint will be able to access your Cloudflare 3. Give your endpoint any name. 4. Enter the public source IP address of your device(s) in CIDR notation. For example: - - **IPv4**: `192.0.2.0/8` - **IPv6**: `2001:0db8:0000:0000:0000:1234:5678:0000/109` @@ -62,15 +67,16 @@ https://.proxy.cloudflare-gateway.com 1. [Create a proxy endpoint](/api/resources/zero_trust/subresources/gateway/subresources/proxy_endpoints/methods/create/) with the following call: - ```bash - curl https://api.cloudflare.com/client/v4/accounts//gateway/proxy_endpoints \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --header "Content-Type: application/json" \ - --data '{"name": "any_name", "ips": ["", "", ""]}' - ``` + ", "", ""], + }} + /> Replace `` with the source IP address of your device in CIDR notation. For example: - - **IPv4**: `192.0.2.0/8` - **IPv6**: `2001:0db8:0000:0000:0000:1234:5678:0000/32` 
@@ -210,10 +216,10 @@ To get the domain of a proxy endpoint: 1. Use the [List proxy endpoints](/api/resources/zero_trust/subresources/gateway/subresources/proxy_endpoints/methods/list/) operation to get a list of your proxy endpoints and their details. For example: - ```bash - curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/proxy_endpoints \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" - ``` + ```json {8} output { diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx index 7a6db8c9994f212..c4a4a391671d07a 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx @@ -8,7 +8,7 @@ description: Configure WARP to use a custom root certificate instead of the Cloudflare certificate. --- -import { Render, Tabs, TabItem } from "~/components"; +import { Render, Tabs, TabItem, APIRequest } from "~/components"; :::note Only available on Enterprise plans. @@ -82,11 +82,10 @@ openssl x509 -in .pem -text 2. Set the certificate as available for use in inspection with the [Activate a Zero Trust certificate endpoint](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/activate/). This will deploy the certificate across the Cloudflare global network. - ```sh - curl --request POST \ - "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates/$CERTIFICATE_ID/activate" \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" - ``` + The response will return the certificate and a `pending_deployment` binding status. For example: 
@@ -114,10 +113,10 @@ openssl x509 -in .pem -text 3. Use the [Get Zero Trust certificate details endpoint](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/get/) to verify the certificate's binding status is set to `available`. - ```sh - curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates/$CERTIFICATE_ID \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" - ``` + ```json {12} { @@ -145,20 +144,18 @@ openssl x509 -in .pem -text 5. Use the [Patch Zero Trust account configuration endpoint](/api/resources/zero_trust/subresources/gateway/subresources/configurations/methods/edit/) to turn on the certificate for use in inspection. For example: - ```sh {9} - curl --request PATCH \ - "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration" \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --header "Content-Type: application/json" \ - --data '{ - "settings": { - "certificate": { - "id": "$CERTIFICATE_ID", - "in_use": true - } - } - }' - ``` + Once `in-use` is set to `true`, Gateway will sign your traffic using the custom root certificate and private key. If you turn off or deactivate the custom certificate, Gateway will revert to the next available Cloudflare certificate generated for your Zero Trust account. diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx index 22f07462eb1d870..8479f1fd253fc03 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx 
@@ -5,7 +5,7 @@ sidebar: order: 2 --- -import { Tabs, TabItem } from "~/components"; +import { Tabs, TabItem, APIRequest } from "~/components"; Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/), and [Browser Isolation](/cloudflare-one/policies/browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare. @@ -46,11 +46,7 @@ To generate a new Cloudflare root certificate for your Zero Trust organization: Send a `POST` request to the [Create Zero Trust certificate](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/create/) endpoint. -```sh -curl --request POST \ -https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" -``` + The API will respond with the ID and contents of the new certificate. @@ -83,11 +79,10 @@ To activate your root certificate: Send a `POST` request to the [Activate a Zero Trust certificate](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/activate/) endpoint. -```sh -curl --request POST \ -https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates/$CERTIFICATE_ID/activate \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" -``` + 
@@ -108,20 +103,18 @@ Once you deploy and install your certificate, you can turn it on for use in insp Send a `PUT` request to the [Update Zero Trust account configuration](/api/resources/zero_trust/subresources/gateway/subresources/configurations/methods/update/) endpoint. For example: -```sh -curl --request PUT \ -"https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---header "Content-Type: application/json" \ ---data '{ - "settings": { - "certificate": { - "id": "$CERTIFICATE_ID", - "in_use": true - } - } -}' -``` + diff --git a/src/content/docs/cloudflare-one/policies/browser-isolation/isolation-policies.mdx b/src/content/docs/cloudflare-one/policies/browser-isolation/isolation-policies.mdx index a21afc4b4a6bd6d..fd776b92de02962 100644 --- a/src/content/docs/cloudflare-one/policies/browser-isolation/isolation-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/browser-isolation/isolation-policies.mdx @@ -5,7 +5,7 @@ sidebar: order: 2 --- -import { Render, Badge, Tabs, TabItem } from "~/components"; +import { Render, Badge, Tabs, TabItem, APIRequest } from "~/components"; With Browser Isolation, you can define policies to dynamically isolate websites based on identity, security threats, or content. @@ -148,23 +148,21 @@ Isolate security threats such as malware and phishing. -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Isolate all security threats", - "description": "Isolate security threats such as malware and phishing", - "enabled": true, - "action": "isolate", - "filters": [ - "http" - ], - "traffic": "any(http.request.uri.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", - "identity": "", - "device_posture": "" -}' -``` + 
@@ -182,23 +180,21 @@ Isolate high risk content categories such as newly registered domains. -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Isolate high risk content", - "description": "Isolate high risk content categories such as newly registered domains", - "enabled": true, - "action": "isolate", - "filters": [ - "http" - ], - "traffic": "any(http.request.uri.content_category[*] in {32 169 177 128})", - "identity": "", - "device_posture": "" -}' -``` + @@ -216,23 +212,21 @@ Isolate news and media sites, which are targets for malvertising attacks. -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Isolate news and media", - "description": "Isolate news and media sites, which are targets for malvertising attacks", - "enabled": true, - "action": "isolate", - "filters": [ - "http" - ], - "traffic": "any(http.request.uri.content_category[*] in {122})", - "identity": "", - "device_posture": "" -}' -``` + 
@@ -250,23 +244,21 @@ Isolate content that has not been categorized by [Cloudflare Radar](/radar/). -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Isolate uncategorized content", - "description": "Isolate content not categorized by Cloudflare Radar", - "enabled": true, - "action": "isolate", - "filters": [ - "http" - ], - "traffic": "not(any(http.request.uri.content_category[*] in {2 67 125 133 3 75 183 89 182 6 90 91 144 150 7 70 74 76 79 92 96 100 106 107 116 120 121 122 127 139 156 164 99 9 101 137 10 103 146 11 12 77 98 108 110 111 118 126 129 172 168 113 33 179 166 15 115 119 124 141 161 17 85 87 102 157 135 138 180 162 140 142 32 169 177 128 22 73 82 88 148 23 24 181 71 72 173 78 84 86 94 97 104 105 114 174 93 130 132 136 147 149 154 158 152 26 69 184 81 95 109 123 145 155 159 160 163 165 167}))", - "identity": "", - "device_posture": "" -}' -``` + @@ -286,22 +278,19 @@ In **Configure policy settings**, you can customize restrictions for ChatGPT. Fo -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Isolate ChatGPT", - "description": "Isolate the use of ChatGPT", - "enabled": true, - "action": "isolate", - "filters": [ - "http" - ], - "traffic": "any(app.ids[*] in {1199})", - "identity": "", - "device_posture": "" -}' -``` + diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index b782ba821afed33..773712b2d815b72 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx 
@@ -28,23 +28,20 @@ This policy allows users to access official corporate domains. By deploying the -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Allow corporate domains", - "description": "Allow any internal corporate domains added to a list", - "precedence": 0, - "enabled": true, - "action": "allow", - "filters": [ - "dns" - ], - "traffic": "any(dns.domains[*] in $)", - "identity": "" -}' -``` +)", + identity: "", + }} +/> To get the UUIDs of your lists, use the [List Zero Trust lists](/api/resources/zero_trust/subresources/gateway/subresources/lists/methods/list/) endpoint. @@ -89,22 +86,19 @@ With the [Request Context Categories](/cloudflare-one/policies/gateway/dns-polic -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "All-DNS-Bock-Category-Matches-In-Request", - "description": "Block all category matches in the request EDNS context", - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "dns.categories_in_request_context_matches", - "identity": "" -}' -``` + @@ -147,22 +141,20 @@ You can implement policies to block websites hosted in countries categorized as -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Block banned countries", - "description": "Block access to banned countries", - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "any(dns.dst.geo.country[*] in {\"AF\" \"BY\" \"CD\" \"CU\" \"IR\" \"IQ\" \"KP\" \"MM\" \"RU\" \"SD\" \"SY\" \"UA\" \"ZW\"})", - "identity": "" -}' -``` + 
@@ -182,22 +174,21 @@ Blocking [frequently misused](https://www.spamhaus.org/statistics/tlds/) top-lev -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Block top-level domains", - "description": "Block top-level domains that are frequently used for malicious practices", - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "any(dns.domains[*] matches \"[.](cn|ru)$\") or any(dns.domains[*] matches \"[.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$\") or any(dns.domains[*] matches \"[.](zip|mobi)$\")", - "identity": "" -}' -``` + @@ -216,22 +207,21 @@ To protect against [sophisticated phishing attacks](https://blog.cloudflare.com/ -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Block phishing attacks", - "description": "Block attempts to phish specific domains targeting your organization", - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "not(any(dns.domains[*] in $)) and any(dns.domains[*] matches \".*okta.*\\|.*cloudflare.*\\|.*mfa.*\\|.sso.*\")", - "identity": "" -}' -``` +)) and any(dns.domains[*] matches ".*okta.*\\|.*cloudflare.*\\|.*mfa.*\\|.sso.*")', + identity: "", + }} +/> To get the UUIDs of your lists, use the [List Zero Trust lists](/api/resources/zero_trust/subresources/gateway/subresources/lists/methods/list/) endpoint. 
@@ -251,22 +241,19 @@ To safeguard user privacy, some organizations will block tracking domains such a -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Block online tracking", - "description": "Block domains used for tracking at an OS level", - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "any(dns.domains[*] in $)", - "identity": "" -}' -``` +)", + identity: "", + }} +/> To get the UUIDs of your lists, use the [List Zero Trust lists](/api/resources/zero_trust/subresources/gateway/subresources/lists/methods/list/) endpoint. @@ -286,22 +273,20 @@ Block specific IP addresses that are known to be malicious or pose a threat to y -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Block malicious IPs", - "description": "Block specific IP addresses that are known to be malicious or pose a threat to your organization", - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "any(dns.resolved_ips[*] in $)", - "identity": "" -}' -``` +)", + identity: "", + }} +/> To get the UUIDs of your lists, use the [List Zero Trust lists](/api/resources/zero_trust/subresources/gateway/subresources/lists/methods/list/) endpoint. 
@@ -321,22 +306,20 @@ The CIPA (Children's Internet Protection Act) Filter is a collection of subcateg -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Turn on CIPA filter", - "description": "Block access to unwanted or harmful online content for children", - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "any(dns.content_category[*] in {182})", - "identity": "" -}' -``` + @@ -354,22 +337,20 @@ SafeSearch is a feature of search engines that helps you filter explicit or offe -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Hide explicit search results", - "description": "Force SafeSearch on search engines to filter explicit or offensive content", - "enabled": true, - "action": "safesearch", - "filters": [ - "dns" - ], - "traffic": "any(dns.content_category[*] in {145})", - "identity": "" -}' -``` + @@ -388,22 +369,19 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Check user identity", - "description": "Filter traffic based on a user identity group name", - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "any(app.ids[*] in {606})", - "identity": "any(identity.groups.name[*] in {\"Contractors\"})", -}' -``` + 
@@ -426,23 +404,21 @@ The following example includes two policies. The first policy allows the specifi -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Allow social media for Marketing", - "description": "Allow access to social media sites for users in the Marketing group", - "precedence": 1, - "enabled": true, - "action": "allow", - "filters": [ - "dns" - ], - "traffic": "any(dns.content_category[*] in {149})", - "identity": "any(identity.groups.name[*] in {\"Marketing\"})", -}' -``` + @@ -458,23 +434,20 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Block social media", - "description": "Block social media for all other users", - "precedence": 2, - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "any(dns.content_category[*] in {149})", - "identity": "" -}' -``` + @@ -502,22 +475,19 @@ Force users to connect with IPv4 by blocking IPv6 resolution. -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Force IPv4", - "description": "Force users to connect with IPv4 by blocking IPv6 resolution", - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "dns.query_rtype == \"AAAA\"", - "identity": "" -}' -``` + 
@@ -535,21 +505,18 @@ Force users to connect with IPv6 by blocking IPv4 resolution. -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Force IPv6", - "description": "Force users to connect with IPv6 by blocking IPv4 resolution", - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "dns.query_rtype == \"A\"", - "identity": "" -}' -``` + diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/timed-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/timed-policies.mdx index c3028eec98b0f81..d3d4d1ce913c9a3 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/timed-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/timed-policies.mdx @@ -5,6 +5,8 @@ sidebar: order: 3 --- +import { APIRequest } from "~/components"; + By default, Cloudflare Gateway policies apply at all times when turned on. Gateway allows you to configure any DNS policy to activate for a specific amount of time, until an end time, or on a regular time interval. ## Time-based policy duration 
@@ -49,25 +51,24 @@ If you [do not specify a time zone](#example-users-time-zone), Gateway will enab The following command creates a DNS policy to block `facebook.com` only on weekdays from 8:00 AM - 12:30 PM and 1:30 PM - 5:00 PM in the Chicago, USA time zone. -```bash -curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---header "Content-Type: application/json" \ ---data '{ - "name": "office-no-facebook-policy", - "action": "block", - "traffic": "dns.fqdn == \"facebook.com\"", - "enabled": true, - "schedule": { - "time_zone": "America/Chicago", - "mon": "08:00-12:30,13:30-17:00", - "tue": "08:00-12:30,13:30-17:00", - "wed": "08:00-12:30,13:30-17:00", - "thu": "08:00-12:30,13:30-17:00", - "fri": "08:00-12:30,13:30-17:00" - } -}' -``` + Refer to [this table](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) for a list of all time zone identifiers. @@ -75,21 +76,20 @@ Refer to [this table](https://en.wikipedia.org/wiki/List_of_tz_database_time_zon The following command creates a DNS policy to block `clockin.com` only on weekends in the time zone where the user is currently located. -```bash -curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---header "Content-Type: application/json" \ ---data '{ - "name": "clock-in-policy", - "action": "block", - "traffic": "dns.fqdn == \"clockin.com\"", - "enabled": true, - "schedule": { - "sat": "00:00-24:00", - "sun": "00:00-24:00" - } -}' -``` + :::note Gateway will not change the policy's `enabled` status when inside or outside of the time period specified. When enabled, Gateway activates or deactivates the policy according to its schedule. When disabled, the policy is always deactivated. 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx index 39fea1ea785c429..5ce830d8d3b2d5c 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx @@ -5,7 +5,14 @@ sidebar: order: 5 --- -import { Render, Badge, Tabs, TabItem, Details } from "~/components"; +import { + Render, + Badge, + Tabs, + TabItem, + Details, + APIRequest, +} from "~/components"; :::note Only available on Enterprise plans. 
@@ -228,56 +235,53 @@ To turn on the selectors for your account: Use the [Patch Zero Trust account configuration](/api/resources/zero_trust/subresources/gateway/subresources/configurations/methods/edit/) endpoint to update your Zero Trust configuration. For example: -```sh title="Turn on selectors for egress policies" -curl --request PATCH \ -"https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---header "Content-Type: application/json" \ ---data '{ - "settings": { - "host_selector": { - "enabled": true - } - } -}' -``` + Additionally, to use these selectors to filter traffic onboarded with WARP, you need to: -1. Ensure you have deployed [WARP version 2025.4.929.0](/cloudflare-one/connections/connect-devices/warp/download-warp/) or later on your users' desktop devices. If you need to apply your policies to mobile devices or devices running a version of WARP prior to 2025.4.929.0, add and deploy the following key-value pair to your devices' [WARP configuration file](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/) (`mdm.xml` on Windows and Linux or `com.cloudflare.warp.plist` on macOS): - - ```diff lang="xml" - - - + doh_in_tunnel - + - - - ``` +1. Ensure you have deployed [WARP version 2025.4.929.0](/cloudflare-one/connections/connect-devices/warp/download-warp/) or later on your users' desktop devices. If you need to apply your policies to mobile devices or devices running a version of WARP prior to 2025.4.929.0, add and deploy the following key-value pair to your devices' [WARP configuration file](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/) (`mdm.xml` on Windows and Linux or `com.cloudflare.warp.plist` on macOS): -2. 
In your WARP [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/), configure your [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) depending on the mode: + ```diff lang="xml" + + + + doh_in_tunnel + + + + + ``` - +{/* prettier-ignore-start */} - - 1. [Remove the route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) to the IP address `100.64.0.0/10` from your Split Tunnel exclude list. - 2. [Add routes](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to exclude the following IP addresses: - `100.64.0.0/12` - - `100.81.0.0/16` - - `100.82.0.0/15` - - `100.84.0.0/14` - - `100.88.0.0/13` - - `100.96.0.0/11` +2. In your WARP [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/), configure your [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) depending on the mode: - + + 1. [Remove the route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) to the IP address `100.64.0.0/10` from your Split Tunnel exclude list. + 2. [Add routes](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to exclude the following IP addresses: + - `100.64.0.0/12` + - `100.81.0.0/16` + - `100.82.0.0/15` + - `100.84.0.0/14` + - `100.88.0.0/13` + - `100.96.0.0/11` - - 1. Add the required [Zero Trust domains](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list. - 2. 
[Add a route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to include the IP address `100.80.0.0/16`. + + 1. Add the required [Zero Trust domains](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](/cloudflare-one/connections/connect-devices/warp/ configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list. + 2. [Add a route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to include the IP address `100.80.0.0/16`. - - - + The WARP client must be set to _Gateway with WARP_ mode for traffic affected by these selectors to route correctly. + +{/* prettier-ignore-end */} diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index fcf459cd038ad25..48cfa482abff7a6 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx @@ -8,7 +8,7 @@ head: content: Common HTTP policies --- -import { Render, Tabs, TabItem } from "~/components"; +import { Render, Tabs, TabItem, APIRequest } from "~/components"; The following policies are commonly used to secure HTTP traffic. 
@@ -32,23 +32,20 @@ Block all subdomains that use a host. -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Block sites by hostname", - "description": "Block all subdomains that use a specific hostname", - "enabled": true, - "action": "block", - "filters": [ - "http" - ], - "traffic": "http.request.host matches \".*example\\.com\"", - "identity": "", - "device_posture": "" -}' -``` + @@ -66,23 +63,20 @@ Block a section of a site without blocking the entire site. For example, you can -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Block sites by URL", - "description": "Block specific parts of a site without blocking the hostname", - "enabled": true, - "action": "block", - "filters": [ - "http" - ], - "traffic": "http.request.uri matches \"/r/gaming\"", - "identity": "", - "device_posture": "" -}' -``` + @@ -119,23 +113,21 @@ Block content categories which go against your organization's acceptable use pol -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Check user identity", - "description": "Block access to Salesforce by temporary employees and contractors", - "enabled": true, - "action": "block", - "filters": [ - "http" - ], - "traffic": "any(app.ids[*] in {606})", - "identity": "any(identity.groups.name[*] in {\"Contractors\"})", - "device_posture": "" -}' -``` + 
@@ -155,23 +147,21 @@ Gateway [evaluates Do Not Inspect policies first](/cloudflare-one/policies/gatew -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Bypass incompatible applications", - "description": "Skip TLS decryption for applications that are incompatible with Gateway", - "enabled": true, - "action": "off", - "filters": [ - "http" - ], - "traffic": "any(app.type.ids[*] in {16})", - "identity": "", - "device_posture": "" -}' -``` + @@ -197,23 +187,21 @@ Perform an [OS version check](/cloudflare-one/identity/devices/warp-client-check -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Require OS version", - "description": "Perform an OS version check for minimum version", - "enabled": true, - "action": "allow", - "filters": [ - "http" - ], - "traffic": "", - "identity": "", - "device_posture": "any(device_posture.checks.passed[*] in {\"\"})" -}' -``` +"})', + }} +/> To get the UUIDs of your device posture checks, use the [List device posture rules](/api/resources/zero_trust/subresources/devices/subresources/posture/methods/list/) endpoint. 
@@ -236,23 +224,22 @@ Since the file path will be different for each operating system, you can configu -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Check for specific file", - "description": "Ensure users have a specific file on their device regardless of operating system", - "enabled": true, - "action": "allow", - "filters": [ - "http" - ], - "traffic": "", - "identity": "", - "device_posture": "any(device_posture.checks.passed[*] in {\"\"}) or any(device_posture.checks.passed[*] in {\"\"})" -}' -``` +"}) or any(device_posture.checks.passed[] in {""})', + }} +/> To get the UUIDs of your device posture checks, use the [List device posture rules](/api/resources/zero_trust/subresources/devices/subresources/posture/methods/list/) endpoint. @@ -280,23 +267,21 @@ When accessing origin servers with certificates not signed by a public certifica -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Bypass internal site inspection", - "description": "Bypass TLS decryption for internal sites with self-signed certificates", - "enabled": true, - "action": "off", - "filters": [ - "http" - ], - "traffic": "any(http.conn.domains[*] in {\"internal.example.com\"})", - "identity": "", - "device_posture": "" -}' -``` + 
@@ -325,23 +310,21 @@ Block file downloads from Google Drive. -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Block Google Drive downloads", - "description": "Block file downloads from Google Drive", - "enabled": true, - "action": "block", - "filters": [ - "http" - ], - "traffic": "any(app.ids[*] in {554}) and http.request.uri.path_and_query matches \".*(e=download\\|export).*\"", - "identity": "", - "device_posture": "" -}' -``` + @@ -361,23 +344,21 @@ Block file uploads from Google Drive. -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Block Google Drive uploads", - "description": "Block file uploads to Google Drive", - "enabled": true, - "action": "block", - "filters": [ - "http" - ], - "traffic": "any(app.ids[*] in {554}) and http.upload.mime matches \".*\" and not(http.request.host == \"drivefrontend-pa.clients6.google.com\")", - "identity": "", - "device_posture": "" -}' -``` + @@ -396,23 +377,21 @@ Block file downloads from Gmail. -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Block Gmail downloads", - "description": "Block file downloads from Gmail", - "enabled": true, - "action": "block", - "filters": [ - "http" - ], - "traffic": "http.request.host == \"mail-attachment.googleusercontent.com\" and http.request.uri.path_and_query matches \"/attachment/u/0\"", - "identity": "", - "device_posture": "" -}' -``` + 
@@ -430,22 +409,19 @@ Gateway does not inspect or log [WebSocket](https://datatracker.ietf.org/doc/htm -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Filter WebSocket", - "description": "Filter WebSocket traffic with HTTP response code 101", - "enabled": true, - "action": "allow", - "filters": [ - "http" - ], - "traffic": "http.response.status_code == 101", - "identity": "", - "device_posture": "" -}' -``` + diff --git a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx index 52c7ef2f609785d..1e70801f92bdf6c 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx @@ -11,7 +11,13 @@ learning_center: link: https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/ --- -import { GlossaryTooltip, Render, Tabs, TabItem } from "~/components"; +import { + GlossaryTooltip, + Render, + Tabs, + TabItem, + APIRequest, +} from "~/components"; Secure Web Gateway allows you to inspect DNS traffic and control which websites users can visit. 
@@ -83,23 +89,21 @@ To create a new DNS policy: 2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/account/find-account-and-zone-ids/) and API token. 3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories): - ```sh title="curl API DNS policy example" - curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ - --header "Content-Type: application/json" \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --data '{ - "name": "Block security threats", - "description": "Block all default Cloudflare DNS security categories", - "precedence": 0, - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", - "identity": "" - }' - ``` + ```sh output { diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx index f83d1dc49419b54..e68c7e00112ac9c 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx @@ -8,7 +8,7 @@ head: content: Common network policies --- -import { Render, Tabs, TabItem } from "~/components"; +import { Render, Tabs, TabItem, APIRequest } from "~/components"; The following policies are commonly used to secure network traffic. 
@@ -28,23 +28,20 @@ Refer to the [network policies page](/cloudflare-one/policies/gateway/network-po -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Block unauthorized applications", - "description": "Block access to unauthorized AI applications", - "enabled": true, - "action": "block", - "filters": [ - "l4" - ], - "traffic": "any(app.type.ids[*] in {25})", - "identity": "", - "device_posture": "" -}' -``` + @@ -63,23 +60,21 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Check user identity", - "description": "Block access to Salesforce by temporary employees and contractors", - "enabled": true, - "action": "block", - "filters": [ - "l4" - ], - "traffic": "any(app.ids[*] in {606})", - "identity": "any(identity.groups.name[*] in {\"Contractors\"})", - "device_posture": "" -}' -``` + @@ -113,23 +108,20 @@ Restrict user access to only the specific sites or applications configured in yo -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Allow HTTP and HTTPS traffic", - "description": "Restrict traffic to HTTP and HTTPS traffic", - "enabled": true, - "action": "allow", - "filters": [ - "l4" - ], - "traffic": "net.detected_protocol == \"tls\" and net.dst.port in {80 443}", - "identity": "", - "device_posture": "" -}' -``` + 
@@ -145,27 +137,24 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Block all other traffic", - "description": "Block all other traffic that is not HTTP or HTTPS", - "enabled": true, - "action": "block", - "filters": [ - "l4" - ], - "traffic": "net.protocol in {\"tcp\" \"udp\"}", - "identity": "", - "device_posture": "" -}' -``` + -## Filter HTTP traffic when inspecting on all ports +## Filter HTTPS traffic when inspecting on all ports If your organization blocks traffic by default with a network policy and you want to [inspect HTTP traffic on all ports](/cloudflare-one/policies/gateway/network-policies/protocol-detection/#inspect-on-all-ports), you need to explicitly allow HTTP and TLS traffic to filter it. @@ -180,23 +169,21 @@ If your organization blocks traffic by default with a network policy and you wan -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Allow on inspect all ports", - "description": "Filter TLS traffic when using inspect all ports", - "enabled": true, - "action": "allow", - "filters": [ - "l4" - ], - "traffic": "net.detected_protocol == \"tls\" or net.detected_protocol == \"http\"", - "identity": "", - "device_posture": "" -}' -``` + 
@@ -219,23 +206,21 @@ The following example consists of two policies: the first allows specific users -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Allow company employees", - "description": "Allow any users with an organization email to reach the application", - "enabled": true, - "action": "allow", - "filters": [ - "l4" - ], - "traffic": "net.dst.ip in {10.0.0.0/8}", - "identity": "identity.email matches \".*@example.com\"", - "device_posture": "" -}' -``` + @@ -251,23 +236,20 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Block everyone else", - "description": "Block any other users from accessing the application", - "enabled": true, - "action": "block", - "filters": [ - "l4" - ], - "traffic": "net.dst.ip in {10.0.0.0/8}", - "identity": "", - "device_posture": "" -}' -``` + @@ -290,30 +272,27 @@ Override traffic directed toward a specific IP address with a different IP addre -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Override example.com with 1.1.1.1", - "description": "Override a site'\''s IP address with another IP", - "enabled": true, - "action": "l4_override", - "filters": [ - "l4" - ], - "traffic": "net.dst.ip in {203.0.113.17} and net.dst.port == 80", - "identity": "", - "device_posture": "", - "rule_settings": { - "l4override": { - "ip": "1.1.1.1", - "port": 80 - }, - "override_host": "", - "override_ips": null - } -}' -``` + 
diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx index 76e5b3ae1970d23..1bceb4bf023d70e 100644 --- a/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx +++ b/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx @@ -2,7 +2,7 @@ {} --- -import { Render, Tabs, TabItem } from "~/components"; +import { Render, Tabs, TabItem, APIRequest } from "~/components"; To create a new HTTP policy: @@ -41,24 +41,21 @@ To create a new HTTP policy: 2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/account/find-account-and-zone-ids/) and API token. 3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, if you have configured TLS decryption, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications: - ```sh title="curl API HTTP policy example" - curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ - --header "Content-Type: application/json" \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --data '{ - "name": "Do not inspect applications", - "description": "Bypass TLS decryption for unsupported applications", - "precedence": 0, - "enabled": true, - "action": "off", - "filters": [ - "http" - ], - "traffic": "any(app.type.ids[*] in {16})", - "identity": "", - "device_posture": "" - }' - ``` + ```sh output { 
@@ -72,24 +69,22 @@ To create a new HTTP policy: Cloudflare also recommends adding a policy to block [known threats](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence: - ```bash title="Block known risks HTTP policy" - curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ - --header "Content-Type: application/json" \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --data '{ - "name": "Block known risks", - "description": "Block all default Cloudflare HTTP security categories", - "precedence": 0, - "enabled": true, - "action": "block", - "filters": [ - "http" - ], - "traffic": "any(http.request.uri.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", - "identity": "", - "device_posture": "" - }' - ``` + diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx index b7c9186594275da..76e64de8f521d85 100644 --- a/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx +++ b/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx @@ -2,7 +2,7 @@ {} --- -import { Render, Tabs, TabItem } from "~/components"; +import { Render, Tabs, TabItem, APIRequest } from "~/components"; To create a new network policy: 
@@ -34,34 +34,33 @@ To create a new network policy: 2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/account/find-account-and-zone-ids/) and API token. 3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device: - ```sh title="curl API network policy example" - curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ - --header "Content-Type: application/json" \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --data '{ - "name": "Enforce device posture", - "description": "Ensure only devices in Zero Trust organization can connect to application", - "precedence": 0, - "enabled": true, - "action": "block", - "filters": [ - "l4" - ], - "traffic": "any(net.sni.domains[*] == \"internalapp.com\")", - "identity": "", - "device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))" - }' - ``` - - ```sh output - { - "success": true, - "errors": [], - "messages": [] - } - ``` - - The API will respond with a summary of the policy and the result of your request. + + +```sh output +{ + "success": true, + "errors": [], + "messages": [] +} +``` + +The API will respond with a summary of the policy and the result of your request. diff --git a/src/content/partials/cloudflare-one/gateway/lists.mdx b/src/content/partials/cloudflare-one/gateway/lists.mdx index 308ca26f469a8c7..0860509ca2ff22f 100644 --- a/src/content/partials/cloudflare-one/gateway/lists.mdx +++ b/src/content/partials/cloudflare-one/gateway/lists.mdx 
@@ -2,7 +2,7 @@ {} --- -import { TabItem, Tabs } from "~/components"; +import { TabItem, Tabs, APIRequest } from "~/components"; ## Create a list from a CSV file @@ -37,26 +37,27 @@ To upload the list to Zero Trust: 1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): - - `Zero Trust Write` + - `Zero Trust Write` 2. Decode the contents of the CSV file and store it as a local value: - ```tf - locals { - ip_list = csvdecode(file("${path.module}/list-test.csv")) - } - ``` + ```tf + locals { + ip_list = csvdecode(file("${path.module}/list-test.csv")) + } + ``` + 3. Create a list using the [`cloudflare_zero_trust_list`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_list) resource: - ```tf - resource "cloudflare_zero_trust_list" "ips_from_csv" { - account_id = var.cloudflare_account_id - name = "IPs imported from CSV" - description = "Managed by Terraform" - type = "IP" - items = local.ip_list - } - ``` + ```tf + resource "cloudflare_zero_trust_list" "ips_from_csv" { + account_id = var.cloudflare_account_id + name = "IPs imported from CSV" + description = "Managed by Terraform" + type = "IP" + items = local.ip_list + } + ``` 
@@ -77,61 +78,69 @@ You can now use this list in the policy builder by choosing the _in list_ operat -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/lists \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "description": "Private application IPs", - "items": [{"value": "10.226.0.177/32"},{"value": "10.226.1.177/32"}], - "name": "Corporate IP list", - "type": "IP" -}' -``` + 1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): - - `Zero Trust Write` + - `Zero Trust Write` 2. Create a list using the [`cloudflare_zero_trust_list`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_list) resource. - Example list of IPs: - ```tf - resource "cloudflare_zero_trust_list" "wiki_IPs" { - account_id = var.cloudflare_account_id - name = "Company Wiki IP addresses" - description = "Managed by Terraform" - type = "IP" - items = [ - { - description = "Example IP address range" - value = "192.0.2.0/24", - }, - { - value = "198.51.100.0/24" - } - ] - } - ``` - - Example list of domains: - ```tf - resource "cloudflare_zero_trust_list" "wiki_domains" { - account_id = var.cloudflare_account_id - name = "Company Wiki Domains" - description = "Managed by Terraform" - type = "DOMAIN" - items = [ - { - value = "wiki.example.com" - }, - { - value = "wiki2.example.com" - }] - } - ``` + Example list of IPs: + + ```tf + resource "cloudflare_zero_trust_list" "wiki_IPs" { + account_id = var.cloudflare_account_id + name = "Company Wiki IP addresses" + description = "Managed by Terraform" + type = "IP" + items = [ + { + description = "Example IP address range" + value = "192.0.2.0/24", + }, + { + value = "198.51.100.0/24" + } + ] + } + ``` + + Example list of domains: + + ```tf + resource "cloudflare_zero_trust_list" "wiki_domains" { + account_id = 
var.cloudflare_account_id + name = "Company Wiki Domains" + description = "Managed by Terraform" + type = "DOMAIN" + items = [ + { + value = "wiki.example.com" + }, + { + value = "wiki2.example.com" + }] + } + ``` diff --git a/src/content/partials/cloudflare-one/gateway/policies/block-file-types.mdx b/src/content/partials/cloudflare-one/gateway/policies/block-file-types.mdx index 872da260edc6f86..d217acfb3a263c2 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/block-file-types.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/block-file-types.mdx @@ -2,7 +2,7 @@ {} --- -import { Tabs, TabItem } from "~/components"; +import { Tabs, TabItem, APIRequest } from "~/components"; Block the upload or download of files based on their type. @@ -17,22 +17,20 @@ Block the upload or download of files based on their type. -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "Block file types", - "description": "Block the upload or download of files based on their type", - "enabled": true, - "action": "block", - "filters": [ - "http" - ], - "traffic": "any(http.upload.file.types[*] in {\"docx\"}) and any(http.download.file.types[*] in {\"pdf\"})", - "identity": "", - "device_posture": "" -}' -``` + diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-applications.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-applications.mdx index c76f53ce2620d45..cac2a02d596ad86 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-applications.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-applications.mdx @@ -2,7 +2,7 @@ {} --- -import { Tabs, TabItem } from "~/components"; +import { Tabs, TabItem, APIRequest } from "~/components"; 
@@ -13,23 +13,20 @@ import { Tabs, TabItem } from "~/components"; -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN>" \ ---data '{ - "name": "All-DNS-Application-Blocklist", - "description": "Block access to unauthorized AI applications", - "precedence": 40, - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "any(app.type.ids[*] in {25})", - "identity": "" -}' -``` + diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-content-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-content-categories.mdx index 4db1f9cc2196f94..4304735ba65343b 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-content-categories.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-content-categories.mdx @@ -2,7 +2,7 @@ {} --- -import { Tabs, TabItem } from "~/components"; +import { Tabs, TabItem, APIRequest } from "~/components"; @@ -13,23 +13,21 @@ import { Tabs, TabItem } from "~/components"; -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "All-DNS-ContentCategories-Blocklist", - "description": "Block common content categories that may pose a risk", - "precedence": 30, - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "any(dns.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161})", - "identity": "" -}' -``` + 
diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-security-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-security-categories.mdx index f5f38f145f27784..fca26daeab8e348 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-security-categories.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-security-categories.mdx @@ -2,7 +2,7 @@ {} --- -import { Tabs, TabItem, Render } from "~/components"; +import { Tabs, TabItem, Render, APIRequest } from "~/components"; @@ -14,23 +14,22 @@ import { Tabs, TabItem, Render } from "~/components"; -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "All-DNS-SecurityCategories-Blocklist", - "description": "Block security categories based on Cloudflare's threat intelligence", - "precedence": 20, - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", - "identity": "" -}' -``` + diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-applications.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-applications.mdx index 3a9982155ea4156..3ea18ca43f51685 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-applications.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-applications.mdx @@ -2,7 +2,7 @@ {} --- -import { Tabs, TabItem } from "~/components"; +import { Tabs, TabItem, APIRequest } from "~/components"; 
@@ -13,24 +13,22 @@ import { Tabs, TabItem } from "~/components"; -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "All-HTTP-Application-Blocklist", - "description": "Limit access to shadow IT by blocking web-based tools and applications", - "precedence": 60, - "enabled": true, - "action": "block", - "filters": [ - "http" - ], - "traffic": "any(app.type.ids[*] in {25})", - "identity": "", - "device_posture": "" -}' -``` + diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-content-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-content-categories.mdx index e0940e106cbc463..4b02fcc8cf48235 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-content-categories.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-content-categories.mdx @@ -2,7 +2,7 @@ {} --- -import { Tabs, TabItem } from "~/components"; +import { Tabs, TabItem, APIRequest } from "~/components"; @@ -13,24 +13,23 @@ import { Tabs, TabItem } from "~/components"; -```bash -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ ---data '{ - "name": "All-HTTP-ContentCategories-Blocklist", - "description": "Block access to questionable content and potential security risks", - "precedence": 40, - "enabled": true, - "action": "block", - "filters": [ - "http" - ], - "traffic": "any(http.request.uri.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161 2 67 125 133 99})", - "identity": "", - "device_posture": "" -}' -``` + 
diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx index dc469e6d53329b9..2bdca8b173ea3d3 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx @@ -2,7 +2,7 @@ {} --- -import { Tabs, TabItem, Render } from "~/components"; +import { Tabs, TabItem, Render, APIRequest } from "~/components"; In the following example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device: @@ -17,23 +17,22 @@ In the following example, you can use a list of [device serial numbers](/cloudfl -```sh -curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ - --header "Content-Type: application/json" \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --data '{ - "name": "All-NET-ApplicationAccess-Allow", - "description": "Ensure access to the application comes from authorized WARP clients", - "precedence": 70, - "enabled": false, - "action": "block", - "filters": [ - "l4" - ], - "traffic": "any(net.sni.domains[*] == \"internalapp.com\")", - "device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))" -}' -``` +"}))', + }} +/> To get the UUIDs of your device posture checks, use the [List device posture rules](/api/resources/zero_trust/subresources/devices/subresources/posture/methods/list/) endpoint.
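Review bot: in the network common-policies.mdx hunk for "Allow HTTP and HTTPS traffic" (`@@ -113,23 +108,20 @@`), the removed traffic expression `net.detected_protocol == "tls" and net.dst.port in {80 443}` never admits plain HTTP, because a cleartext request on port 80 is not detected as TLS, so the policy allows only TLS on 80/443 despite its name and description. If the `APIRequest` body carries the expression over unchanged, this conversion is the moment to fix it, for example `(net.detected_protocol == "tls" or net.detected_protocol == "http") and net.dst.port in {80 443}`, which mirrors the `tls`/`http` pair already used in the "Allow on inspect all ports" policy later in the same file.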
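Review bot: the heading rename `-## Filter HTTP traffic when inspecting on all ports` / `+## Filter HTTPS traffic when inspecting on all ports` in network common-policies.mdx (`@@ -145,27 +137,24 @@`) is inconsistent with the unchanged paragraph directly beneath it, which still says "inspect HTTP traffic on all ports" and "explicitly allow HTTP and TLS traffic", and with the policy's own expression `net.detected_protocol == "tls" or net.detected_protocol == "http"`, which matches both. Either keep "HTTP" in the heading or update the body text and policy description to say HTTPS/TLS only.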
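Review bot: the `l4_override` hunk in network common-policies.mdx (`@@ -290,30 +272,27 @@`) removes a description written as `"Override a site'\''s IP address with another IP"`, where `'\''` is the shell trick for embedding an apostrophe inside curl's single-quoted `--data` argument. Check that the new `APIRequest` `json` prop carries a plain apostrophe (`Override a site's IP address with another IP`) rather than the literal `'\''` sequence, which has no meaning in a JSX string literal and would show up verbatim in the rendered request.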
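Review bot: in create-network-policy.mdx (`@@ -34,34 +34,33 @@`) the replacement output block and the closing sentence lose their list indentation: the removed lines were `-   ```sh output` ... `-   The API will respond with a summary of the policy and the result of your request.` under step 3, while the added lines are `+```sh output` and `+The API will respond ...` at column 0. A fence at column 0 terminates the ordered list, so step 3's response sample renders as top-level content. The sibling create-http-policy.mdx hunk keeps its `+ ```sh output` indented under step 3; restore the same indentation here.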
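Review bot: the surviving tail of the "Check for specific file" hunk in HTTP common-policies.mdx (`@@ -236,23 +224,22 @@`) reads `any(device_posture.checks.passed[] in {""})`, without the `[*]` wildcard that the removed curl body (`device_posture.checks.passed[*]`) and every other `device_posture` and `app.ids` expression in this patch use. Confirm the asterisk was not dropped during the conversion; `checks.passed[]` is not the array-match form the rest of the documentation relies on.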
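Review bot: the "Block Google Drive downloads" hunk in HTTP common-policies.mdx (`@@ -325,23 +310,21 @@`) removes `"traffic": "any(app.ids[*] in {554}) and http.request.uri.path_and_query matches \".*(e=download\\|export).*\""`. After JSON decoding the regex is `.*(e=download\|export).*`, in which `\|` is an escaped, literal pipe, so the group matches only the exact text `e=download|export` and never behaves as an alternation between `e=download` and `export`. If the `APIRequest` body reproduces this pattern, use an unescaped `|` for the alternation and double-check how backslashes are escaped inside the JSX string literal so the same mistake is not reintroduced.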
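Review bot: the enforce-device-posture.mdx hunk (`@@ -17,23 +17,22 @@`) removes a body with `"enabled": false` and `"action": "block"` under the name `All-NET-ApplicationAccess-Allow`, while the unchanged introductory sentence says the policy is there "to ensure users can only access an application if they connect with the WARP client from a company device". A disabled policy enforces nothing, so if the converted `APIRequest` keeps `enabled: false` deliberately (for example so readers can verify the posture-check UUID before turning it on), say so in the prose; otherwise set it to `true` to match the other get-started examples. The "Allow" suffix on a `block` action is also worth a clarifying word, since the rule allows only by blocking everything that fails the posture check.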
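Review bot: the lists.mdx hunks (`@@ -37,26 +37,27 @@` and `@@ -77,61 +78,69 @@`) mix whitespace-only changes into the curl-to-`APIRequest` migration: the nested `- \`Zero Trust Write\`` bullets, the `tf` fences and the "Example list of IPs:" / "Example list of domains:" labels in the Terraform tab are re-indented and gain blank lines without any content change. Not wrong, but it makes the behavioural change harder to spot in review; either mention the re-indentation in the PR description or split it into its own commit.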