[Gateway] Tiered policies

public/__redirects

@@ -830,6 +830,7 @@
 /gateway/getting-started-new/onboarding-gateway/ /cloudflare-one/policies/gateway/ 301
 /gateway/locations/setup-instructions/android/ /cloudflare-one/connections/connect-devices/agentless/dns/locations/ 301
 /gateway/locations/setup-instructions/router/ /cloudflare-one/policies/gateway/dns-policies/ 301
+/cloudflare-one/policies/gateway/managed-service-providers/ /cloudflare-one/policies/gateway/tiered-policies/managed-service-providers/ 301
 
 # google tag
 /google-tag-first-party-mode/ /google-tag-gateway/ 301

src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx

@@ -0,0 +1,163 @@
+---
+pcx_content_type: get-started
+title: Tiered policies
+sidebar:
+  order: 15
+---
+
+:::note
+Only available on Enterprise plans. For more information, contact your account team.
+:::
+
+Gateway supports using [Cloudflare Organizations](/fundamentals/organizations/) to share configurations between and apply specific policies to accounts within an Organization. Tiered Gateway policies with Organizations support [DNS](/cloudflare-one/policies/gateway/dns-policies/), [network](/cloudflare-one/policies/gateway/network-policies/), [HTTP](/cloudflare-one/policies/gateway/http-policies/), and [resolver](/cloudflare-one/policies/gateway/resolver-policies/) policies.
+
+Managed service providers (MSPs) that are Cloudflare Partners can use tiered or siloed Gateway accounts with the Tenant API. For more information, refer to [Managed service providers (MSPs)](/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers/).
+
+## Get started
+
+To set up Cloudflare Organizations, refer to [Create an Organization](/fundamentals/organizations/#create-an-organization). Once you have provisioned and configured your Organization's accounts, you can create [Gateway policies](/cloudflare-one/policies/gateway/).
+
+## Account types
+
+Zero Trust accounts in Cloudflare Organizations include source accounts and recipient accounts.
+
+In a tiered policy configuration, a top-level source account can share Gateway policies with its recipient accounts. Recipient accounts can add policies as needed while still being managed by the source account. Organization owners can also configure other settings for recipient accounts independently from the source account, including:
+
+- Configuring a [custom block page](/cloudflare-one/policies/gateway/block-page/)
+- Generating or uploading [root certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/)
+- Mapping [DNS locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/)
+- Creating [lists](/cloudflare-one/policies/gateway/lists/)
+
+Gateway will automatically [generate a unique root CA](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) for each recipient account in an Organization. Each recipient account is subject to the default Zero Trust [account limits](/cloudflare-one/account-limits/).
+
+Gateway evaluates source account policies before any recipient account policies. In a Cloudflare Organization, recipient accounts cannot bypass or modify source account policies. All traffic and corresponding policies, logs, and configurations for a recipient account will be contained to that recipient account. Organization owners can view logs for recipient accounts on a per-account basis, and [Logpush jobs](/logs/logpush/) must be configured separately. When using DLP policies with [payload logging](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules), each recipient account must configure its own [encryption public key](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#set-a-dlp-payload-encryption-public-key).
+
+```mermaid
+flowchart TD
+%% Accessibility
+ accTitle: How Gateway policies work in a tiered account configuration
+ accDescr: Flowchart describing the order of precedence Gateway applies policies in a tiered account configuration using Cloudflare Organizations.
+
+%% Flowchart
+ subgraph s1["Source account"]
+        n1["Block malware"]
+        n2["Block spyware"]
+        n3["Block DNS tunnel"]
+  end
+ subgraph s2["Recipient account A"]
+        n5["Block malware"]
+        n6["Block spyware"]
+        n4["Block social media"]
+  end
+ subgraph s3["Recipient account B"]
+        n8["Block malware"]
+        n9["Block spyware"]
+        n10["Block DNS tunnel"]
+        n7["Block instant messaging"]
+  end
+    n1 ~~~ n2
+    n2 ~~~ n3
+    s1 -- Share policies with --> s2 & s3
+
+    n1@{ shape: rect}
+    n2@{ shape: rect}
+    n3@{ shape: rect}
+    n4@{ shape: rect}
+    n5@{ shape: rect}
+     n1:::Sky
+     n2:::Sky
+     n3:::Peach
+     n5:::Sky
+     n6:::Sky
+     n8:::Sky
+     n9:::Sky
+     n10:::Peach
+    classDef Sky stroke-width:1px, stroke-dasharray:none, stroke:#374D7C, fill:#E2EBFF, color:#374D7C
+    classDef Peach stroke-width:1px, stroke-dasharray:none, stroke:#FBB35A, fill:#FFEFDB, color:#8F632D
+```
+
+### Limitations
+
+Tiered policies do not support [egress policies](/cloudflare-one/policies/gateway/egress-policies/). Source accounts cannot share policies with selectors that target [device posture checks](/cloudflare-one/identity/devices/), [Access private apps](/cloudflare-one/applications/non-http/self-hosted-private-app/), or [virtual networks](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/). Source and recipient accounts can still create and apply policies with these selectors separately from the Organization share.
+
+## Manage policies
+
+You can create, configure, and share your tiered policies in the source account for your Cloudflare Organization.
+
+### Share policy
+
+To share a Gateway policy from a source account to a recipient account:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
+2. Choose the policy type you want to share. If you want to share a resolver policy, go to **Gateway** > **Resolver policies**.
+3. Find the policy you want to share from the list. In the three-dot menu, select **Share**. Alternatively, to bulk share multiple policies, you can select each policy you want to share, then select **Actions** > **Share**.
+4. In **Select account**, choose the accounts you want to share the policy with. To share the policy with all existing and future recipient accounts in your Organization, choose _Select all accounts in org_.
+5. Select **Continue**, then select **Share**.
+
+A sharing icon will appear next to the policy's name. When sharing is complete, the policy will appear in and apply the recipient accounts. Shared policies will appear grayed out in the recipient account's list of Gateway policies.
+
+If a policy fails to share to recipient accounts, Gateway will retry deploying the policy automatically unless the error is unrecoverable.
+
+### Edit share recipients
+
+To change or remove recipients for a Gateway policy:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
+2. Choose the policy type you want to edit. If you want to edit a resolver policy, go to **Gateway** > **Resolver policies**.
+3. Find the policy you want to edit from the list.
+4. In the three-dot menu, select **Edit shared configuration recipients**.
+5. In **Select account**, choose the accounts you want to share the policy with. To remove a recipient, select **Remove** next to the recipient account's name.
+6. Select **Continue**, then select **Save**.
+
+When sharing is complete, the policy sharing will update across the configured recipient accounts.
+
+:::note
+If you selected _Select all accounts in org_ when sharing the policy, you will need to [unshare the policy](#unshare-policy) before you can edit its recipient accounts.
+:::
+
+### Unshare policy
+
+To stop sharing a policy with all recipient accounts:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
+2. Choose the policy type you want to remove. If you want to remove a resolver policy, go to **Gateway** > **Resolver policies**.
+3. Find the policy you want to remove from the list. In the three-dot menu, select **Unshare**. Alternatively, to bulk remove multiple policies, you can select each policy you want to remove, then select **Actions** > **Unshare**.
+4. Select **Unshare**.
+
+When sharing is complete, Gateway will stop sharing the policy with all recipient accounts and only apply the policy to the source account.
+
+### Edit shared policy
+
+When you edit or delete a shared policy in a source account, Gateway will require confirmation before making any changes. Changes made to shared policies will apply to all recipient accounts. Deleting a shared policy will delete the policy from both the source account and all recipient accounts.
+
+## Manage settings
+
+You can share Zero Trust settings from your source account to recipient accounts in your Cloudflare Organization, including the Gateway block page and extended email address matching. Other Gateway settings configured in a source account, such as [AV scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/) and [file sandboxing](/cloudflare-one/policies/gateway/http-policies/file-sandboxing/), will not affect recipient account configurations.
+
+{/* TODO: Turn these sections into a flexible partial or tabs. */}
+
+### Share Gateway block page
+
+To share your [Gateway block page](/cloudflare-one/policies/gateway/block-page/) settings from a source account to a recipient account:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Custom pages**.
+2. In **Account Gateway block page**, select the three-dot menu and choose **Share**.
+3. In **Select account**, choose the accounts you want to share the settings with. To share the settings with all existing and future recipient accounts in your Organization, choose _Select all accounts in org_.
+4. Select **Continue**, then select **Share**.
+
+A sharing icon will appear next to the setting. When sharing is complete, the setting will appear in and apply to the recipient accounts.
+
+To modify share recipients or unshare the setting, select the three-dot menu and choose **Edit shared configuration recipients** or **Unshare**.
+
+### Share extended email address matching
+
+To share your [extended email address matching](/cloudflare-one/policies/gateway/identity-selectors/#extended-email-addresses) settings from a source account to a recipient account:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Network**.
+2. In **Firewall** > **Matched extended email address**, select the three-dot menu and choose **Share**.
+3. In **Select account**, choose the accounts you want to share the settings with. To share the settings with all existing and future recipient accounts in your Organization, choose _Select all accounts in org_.
+4. Select **Continue**, then select **Share**.
+
+A sharing icon will appear next to the setting. When sharing is complete, the setting will appear in and apply to the recipient accounts.
+
+To modify share recipients or unshare the setting, select the three-dot menu and choose **Edit shared configuration recipients** or **Unshare**.

src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx → src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx

@@ -1,12 +1,14 @@
 ---
-pcx_content_type: how-to
+pcx_content_type: get-started
 title: Managed service providers (MSPs)
 sidebar:
-  order: 15
+  order: 2
 ---
 
-:::note
-Only available on Enterprise plans. For more information, contact your account team.
+:::caution[Tiered account availability]
+Only available for [Cloudflare Partners](https://www.cloudflare.com/partners/) on Enterprise plans. Cloudflare recommends users on Enterprise plans configure a [Cloudflare Organization](/fundamentals/organizations/) for use with [tiered policies](/cloudflare-one/policies/gateway/tiered-policies/). Tiered policies allows for additional configurations, logging options, and policy types.
+
+For more information, contact your account team.
 :::
 
 Gateway supports the [Cloudflare Tenant API](/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With the Tenant API, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a group or individual account level.
@@ -15,8 +17,6 @@ The Tenant platform only supports [DNS policies](/cloudflare-one/policies/gatewa
 
 ## Get started
 
-{/* Don't need to surface much of the policy creation flow here */}
-
 To set up the Tenant API, refer to [Get started](/tenant/get-started/). Once you have provisioned and configured your customer's Cloudflare accounts, you can create [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
 
 ## Account types
@@ -28,7 +28,9 @@ The Gateway Tenant platform supports tiered and siloed account configurations.
 In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can override or add policies as needed while still being managed by the parent account. MSPs can also configure child accounts independently from the parent account, including:
 
 - Configuring a [custom block page](/cloudflare-one/policies/gateway/block-page/)
+  - Child accounts will use the block page setting used by the parent account unless you configure separate block settings for the child account. This applies to both [redirects](/cloudflare-one/policies/gateway/block-page/#redirect-to-a-block-page) and [custom block pages](/cloudflare-one/policies/gateway/block-page/#customize-the-block-page). The block page uses the account certificate for each child account.
 - Generating or uploading [root certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/)
+  - If Gateway cannot attribute an incoming DNS query to a child account, it will use the parent account's certificate. This happens when the source IP address of the DNS query does not match a child account or if a custom DNS resolver endpoint is not configured.
 - Mapping [DNS locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/)
 - Creating [lists](/cloudflare-one/policies/gateway/lists/)
 
@@ -81,7 +83,7 @@ flowchart TD
         n1["Block social media"]
   end
  subgraph s2["Siloed account C"]
-        n2["Block instant messaing"]
+        n2["Block instant messaging"]
   end
  subgraph s3["Siloed account B"]
         n3["Block news"]

src/content/docs/fundamentals/organizations.mdx

@@ -54,7 +54,7 @@ You can also view specific data associated with your HTTP traffic by adding opti
 
 ## Shared Configurations
 
-Create and enforce global policies across your organization or sub-organization with [WAF Custom Rulesets](/waf/custom-rules/) and [Gateway policies](/cloudflare-one/policies/gateway/).
+Create and enforce global policies across your organization or sub-organization with [WAF Custom Rulesets](/waf/custom-rules/) and [Gateway tiered policies](/cloudflare-one/policies/gateway/tiered-policies/).
 
 By utilizing shared configurations, you can define a WAF custom ruleset that can apply to one or more accounts to be managed in a single place.
 
@@ -71,5 +71,5 @@ Rename your organization and add or edit customer identification data related to
 ### Edit customer identification data
 
 1. Select **Organizations** > **Manage Organization**.
-2. From **Customer identification data**, select **Edit**. 
-3. Enter the information in the text fields and select **Save**.
+2. From **Customer identification data**, select **Edit**.
+3. Enter the information in the text fields and select **Save**.