diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 45ed5510ba4d00..8b4d9565b50a8c 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -58,13 +58,13 @@
 /src/content/docs/cloudflare-one/ @ranbel @cloudflare/pcx-technical-writing
 /src/content/docs/cloudflare-one/applications/ @kennyj42 @ranbel @cloudflare/pcx-technical-writing
 /src/content/docs/cloudflare-one/identity/ @kennyj42 @ranbel @cloudflare/pcx-technical-writing
-/src/content/docs/cloudflare-one/policies/access/ @kennyj42 @ranbel @cloudflare/pcx-technical-writing
+/src/content/docs/cloudflare-one/access-controls/ @kennyj42 @ranbel @cloudflare/pcx-technical-writing
 /src/content/docs/cloudflare-one/team-and-resources/devices/ @ranbel @cloudflare/pcx-technical-writing
 /src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/ @nikitacano @ranbel @cloudflare/pcx-technical-writing
 /src/content/docs/cloudflare-one/applications/casb/ @maxvp @cloudflare/pcx-technical-writing
-/src/content/docs/cloudflare-one/policies/gateway/ @maxvp @cloudflare/pcx-technical-writing
-/src/content/docs/cloudflare-one/policies/browser-isolation/ @maxvp @ranbel @cloudflare/pcx-technical-writing
-/src/content/docs/cloudflare-one/policies/data-loss-prevention/ @maxvp @cloudflare/pcx-technical-writing
+/src/content/docs/cloudflare-one/traffic-policies/ @maxvp @cloudflare/pcx-technical-writing
+/src/content/docs/cloudflare-one/remote-browser-isolation/ @deadlypants1973 @cloudflare/pcx-technical-writing
+/src/content/docs/cloudflare-one/data-loss-prevention/ @maxvp @cloudflare/pcx-technical-writing
 /src/content/docs/cloudflare-one/insights/dex/ @deadlypants1973 @cloudflare/pcx-technical-writing
 /src/content/docs/email-security/ @Maddy-Cloudflare @cloudflare/pcx-technical-writing
diff --git a/public/__redirects b/public/__redirects
index 49b2d4bdc7148e..ed428da448a652 100644
--- a/public/__redirects
+++ b/public/__redirects
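Review bot: The `policies/browser-isolation/` → `remote-browser-isolation/` line does more than rename a path: it replaces the owners `@maxvp @ranbel` with `@deadlypants1973`, so review routing for that subtree changes in a commit that otherwise only tracks the nav restructure. If the reassignment is intended it deserves a sentence in the PR description; if not, the new line should read `/src/content/docs/cloudflare-one/remote-browser-isolation/ @maxvp @ranbel @cloudflare/pcx-technical-writing`. The `access-controls/` entry is also broader than the `policies/access/` entry it replaces (the redirects in this same commit map `policies/access/*` to `access-controls/policies/*`), so any other subtrees under `access-controls/` are presumably now owned by the same people — worth confirming that is the intent.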
@@ -2352,8 +2352,6 @@
 /logs/get-started/enable-destinations/* /logs/logpush/logpush-job/enable-destinations/:splat 301
 /logs/reference/log-fields/* /logs/logpush/logpush-job/datasets/:splat 301
 /speed/optimization/other/* /speed/optimization/ 301
-/cloudflare-one/connections/connect-devices/* /cloudflare-one/team-and-resources/devices/:splat 301
-/cloudflare-one/connections/connect-networks/* /cloudflare-one/networks/connectors/cloudflare-tunnel/:splat 301
 # AI Crawl Control
 /ai-audit/* /ai-crawl-control/:splat 301
@@ -2362,7 +2360,6 @@
 /autorag/* /ai-search/:splat 301
 # Cloudflare One / Zero Trust
-/cloudflare-one/connections/ /cloudflare-one/ 301
 /cloudflare-one/applications/configure-apps/dash-sso-apps/ /fundamentals/account/account-security/dashboard-sso/ 301
 /cloudflare-one/connections/connect-networks/install-and-setup/tunnel-guide/local/as-a-service/* /cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/:splat 301
 /cloudflare-one/connections/connect-apps/install-and-setup/deployment-guides/* /cloudflare-one/connections/connect-networks/deployment-guides/:splat 301
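Review bot: The two context rules at the end of the second hunk (`.../tunnel-guide/local/as-a-service/*` and `.../connect-apps/install-and-setup/deployment-guides/*`) still send users to `/cloudflare-one/connections/connect-networks/...` destinations, which are themselves old paths that the relocated `/cloudflare-one/connections/connect-networks/*` wildcard (now in the nav-revamp section further down) redirects a second time, so those URLs only resolve through a two-hop chain. If this file is evaluated first-match-wins, the wildcard used to sit above these specific rules and shadowed them, so moving it down also revives them and exposes the stale destinations; rewriting them to `/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/local-management/as-a-service/:splat` and `/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/:splat` removes the extra hop. The same applies to the `/cloudflare-one/policies/data-loss-prevention/datasets/*` context rule that opens the `@@ -2384` hunk, whose destination `/cloudflare-one/policies/data-loss-prevention/detection-entries/:splat` now needs the new `/cloudflare-one/policies/data-loss-prevention/*` wildcard a few lines below it; `/cloudflare-one/data-loss-prevention/detection-entries/:splat` would be the direct target.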
@@ -2384,6 +2381,13 @@
 /cloudflare-one/policies/data-loss-prevention/datasets/* /cloudflare-one/policies/data-loss-prevention/detection-entries/:splat 301
 # Cloudflare One nav revamp
+/cloudflare-one/connections/ /cloudflare-one/ 301
+/cloudflare-one/connections/connect-devices/* /cloudflare-one/team-and-resources/devices/:splat 301
+/cloudflare-one/connections/connect-networks/* /cloudflare-one/networks/connectors/cloudflare-tunnel/:splat 301
+/cloudflare-one/policies/gateway/* /cloudflare-one/traffic-policies/:splat 301
+/cloudflare-one/policies/browser-isolation/* /cloudflare-one/remote-browser-isolation/:splat 301
+/cloudflare-one/policies/data-loss-prevention/* /cloudflare-one/data-loss-prevention/:splat 301
+/cloudflare-one/policies/access/* /cloudflare-one/access-controls/policies/:splat 301
 /cloudflare-one/identity/one-time-pin/ /cloudflare-one/integrations/identity-providers/one-time-pin/ 301
 /cloudflare-one/identity/idp-integration/* /cloudflare-one/integrations/identity-providers/:splat 301
diff --git a/src/content/changelog/access/2025-04-21-Access-Bulk-Policy-Tester.mdx b/src/content/changelog/access/2025-04-21-Access-Bulk-Policy-Tester.mdx
index c9fd074f6b2637..f9d67b2ea5c1ad 100644
--- a/src/content/changelog/access/2025-04-21-Access-Bulk-Policy-Tester.mdx
+++ b/src/content/changelog/access/2025-04-21-Access-Bulk-Policy-Tester.mdx
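Review bot: Nothing in the file records that the seven catch-all rules added under `# Cloudflare One nav revamp` depend on their position below the more specific `/cloudflare-one/...` rules earlier in the file (the `datasets/*` rule that opens this hunk is one of them), and the first hunk of this file shows the wildcards previously lived above those rules, where — assuming first match wins — they would have shadowed them. I would extend the section comment to `# Cloudflare One nav revamp — catch-all rules; keep below the more specific /cloudflare-one/ redirects above (first match wins)` so the next reorder does not silently change which rule fires.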
@@ -6,6 +6,6 @@ products: - access --- -The [Access bulk policy tester](/cloudflare-one/policies/access/policy-management/#test-all-policies-in-an-application) is now available in the Cloudflare Zero Trust dashboard. The bulk policy tester allows you to simulate Access policies against your entire user base before and after deploying any changes. The policy tester will simulate the configured policy against each user's last seen identity and device posture (if applicable). +The [Access bulk policy tester](/cloudflare-one/access-controls/policies/policy-management/#test-all-policies-in-an-application) is now available in the Cloudflare Zero Trust dashboard. The bulk policy tester allows you to simulate Access policies against your entire user base before and after deploying any changes. The policy tester will simulate the configured policy against each user's last seen identity and device posture (if applicable). ![Example policy tester](~/assets/images/changelog/access/example-policy-tester.png) diff --git a/src/content/changelog/access/2025-07-01-browser-based-rdp-open-beta.mdx b/src/content/changelog/access/2025-07-01-browser-based-rdp-open-beta.mdx index 9a15f6363ef8a0..e6f9a2b5a014d5 100644 --- a/src/content/changelog/access/2025-07-01-browser-based-rdp-open-beta.mdx +++ b/src/content/changelog/access/2025-07-01-browser-based-rdp-open-beta.mdx 
@@ -6,7 +6,7 @@ products: - access --- -[Browser-based RDP](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/) with [Cloudflare Access](/cloudflare-one/policies/access/) is now available in open beta for all Cloudflare customers. It enables secure, remote Windows server access without VPNs or RDP clients. +[Browser-based RDP](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/) with [Cloudflare Access](/cloudflare-one/access-controls/policies/) is now available in open beta for all Cloudflare customers. It enables secure, remote Windows server access without VPNs or RDP clients. With browser-based RDP, you can: diff --git a/src/content/changelog/access/2025-08-26-access-mcp-oauth.mdx b/src/content/changelog/access/2025-08-26-access-mcp-oauth.mdx index 6bab42d015bc2f..a10bc34bfaa101 100644 --- a/src/content/changelog/access/2025-08-26-access-mcp-oauth.mdx +++ b/src/content/changelog/access/2025-08-26-access-mcp-oauth.mdx @@ -6,7 +6,7 @@ products: - access --- -You can now control who within your organization has access to internal MCP servers, by putting internal MCP servers behind [Cloudflare Access](/cloudflare-one/policies/access/). +You can now control who within your organization has access to internal MCP servers, by putting internal MCP servers behind [Cloudflare Access](/cloudflare-one/access-controls/policies/). [Self-hosted applications](/cloudflare-one/applications/configure-apps/mcp-servers/linked-apps/) in Cloudflare Access now support OAuth for MCP server authentication. This allows Cloudflare to delegate access from any self-hosted application to an MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the authorized user, using that user's specific permissions and scopes. 
diff --git a/src/content/changelog/access/2025-09-22-browser-based-rdp-ga.mdx b/src/content/changelog/access/2025-09-22-browser-based-rdp-ga.mdx index 211cfde01efae5..25af8b3de95564 100644 --- a/src/content/changelog/access/2025-09-22-browser-based-rdp-ga.mdx +++ b/src/content/changelog/access/2025-09-22-browser-based-rdp-ga.mdx @@ -6,9 +6,10 @@ products: - access --- -[Browser-based RDP](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/) with [Cloudflare Access](/cloudflare-one/policies/access/) is now generally available for all Cloudflare customers. It enables secure, remote Windows server access without VPNs or RDP clients. +[Browser-based RDP](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/) with [Cloudflare Access](/cloudflare-one/access-controls/policies/) is now generally available for all Cloudflare customers. It enables secure, remote Windows server access without VPNs or RDP clients. Since we announced our [open beta](/changelog/access/#2025-06-30), we've made a few improvements: + - Support for targets with IPv6. - Support for [Magic WAN](/magic-wan/) and [WARP Connector](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) as on-ramps. - More robust error messaging on the login page to help you if you encounter an issue. diff --git a/src/content/changelog/browser-isolation/2025-03-03-user-action-logging.mdx b/src/content/changelog/browser-isolation/2025-03-03-user-action-logging.mdx index 9389fa17d04c4b..418178c617ef67 100644 --- a/src/content/changelog/browser-isolation/2025-03-03-user-action-logging.mdx +++ b/src/content/changelog/browser-isolation/2025-03-03-user-action-logging.mdx 
@@ -4,7 +4,7 @@ description: User action logs for Remote Browser Isolation date: 2025-03-04 --- -We're excited to announce that new logging capabilities for [Remote Browser Isolation (RBI)](/cloudflare-one/policies/browser-isolation/) through [Logpush](/logs/logpush/logpush-job/datasets/account/) are available in Beta starting today! +We're excited to announce that new logging capabilities for [Remote Browser Isolation (RBI)](/cloudflare-one/remote-browser-isolation/) through [Logpush](/logs/logpush/logpush-job/datasets/account/) are available in Beta starting today! With these enhanced logs, administrators can gain visibility into end user behavior in the remote browser and track blocked data extraction attempts, along with the websites that triggered them, in an isolated session. diff --git a/src/content/changelog/browser-isolation/2025-05-01-browser-isolation-overview-page.mdx b/src/content/changelog/browser-isolation/2025-05-01-browser-isolation-overview-page.mdx index 51bc789cc9c64d..a8d29952014830 100644 --- a/src/content/changelog/browser-isolation/2025-05-01-browser-isolation-overview-page.mdx +++ b/src/content/changelog/browser-isolation/2025-05-01-browser-isolation-overview-page.mdx 
@@ -4,11 +4,11 @@ description: A new home page experience for deploying and managing browser isola date: 2025-05-01 --- -A new **Browser Isolation Overview** page is now available in the Cloudflare Zero Trust dashboard. This centralized view simplifies the management of [Remote Browser Isolation (RBI)](/cloudflare-one/policies/browser-isolation/) deployments, providing: +A new **Browser Isolation Overview** page is now available in the Cloudflare Zero Trust dashboard. This centralized view simplifies the management of [Remote Browser Isolation (RBI)](/cloudflare-one/remote-browser-isolation/) deployments, providing: - **Streamlined Onboarding:** Easily set up and manage isolation policies from one location. -- **Quick Testing:** Validate [clientless web application isolation](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/) with ease. -- **Simplified Configuration:** Configure [isolated access applications](/cloudflare-one/policies/access/isolate-application/) and policies efficiently. +- **Quick Testing:** Validate [clientless web application isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) with ease. +- **Simplified Configuration:** Configure [isolated access applications](/cloudflare-one/access-controls/policies/isolate-application/) and policies efficiently. - **Centralized Monitoring:** Track aggregate usage and blocked actions. This update consolidates previously disparate settings, accelerating deployment, improving visibility into isolation activity, and making it easier to ensure your protections are working effectively. diff --git a/src/content/changelog/browser-isolation/2025-05-13-rbi-saml-post-support.mdx b/src/content/changelog/browser-isolation/2025-05-13-rbi-saml-post-support.mdx index 265f7b7c63bca3..ac3000fb0926a2 100644 --- a/src/content/changelog/browser-isolation/2025-05-13-rbi-saml-post-support.mdx 
+++ b/src/content/changelog/browser-isolation/2025-05-13-rbi-saml-post-support.mdx @@ -6,4 +6,4 @@ date: 2025-05-13 Remote Browser Isolation (RBI) now supports SAML HTTP-POST bindings, enabling seamless authentication for SSO-enabled applications that rely on POST-based SAML responses from Identity Providers (IdPs) within a Remote Browser Isolation session. This update resolves a previous limitation that caused `405` errors during login and improves compatibility with multi-factor authentication (MFA) flows. -With expanded support for major IdPs like Okta and Azure AD, this enhancement delivers a more consistent and user-friendly experience across authentication workflows. Learn how to [set up Remote Browser Isolation](/cloudflare-one/policies/browser-isolation/setup/). +With expanded support for major IdPs like Okta and Azure AD, this enhancement delivers a more consistent and user-friendly experience across authentication workflows. Learn how to [set up Remote Browser Isolation](/cloudflare-one/remote-browser-isolation/setup/). diff --git a/src/content/changelog/casb/2024-11-22-cloud-data-extraction-aws.mdx b/src/content/changelog/casb/2024-11-22-cloud-data-extraction-aws.mdx index d52d6f05c9a2c8..4ee4f9095795ab 100644 --- a/src/content/changelog/casb/2024-11-22-cloud-data-extraction-aws.mdx +++ b/src/content/changelog/casb/2024-11-22-cloud-data-extraction-aws.mdx 
@@ -6,7 +6,7 @@ date: 2024-11-22 import { Render } from "~/components"; -You can now use CASB to find security misconfigurations in your AWS cloud environment using [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/). +You can now use CASB to find security misconfigurations in your AWS cloud environment using [Data Loss Prevention](/cloudflare-one/data-loss-prevention/). You can also [connect your AWS compute account](/cloudflare-one/applications/casb/casb-integrations/aws-s3/#compute-account) to extract and scan your S3 buckets for sensitive data while avoiding egress fees. CASB will scan any objects that exist in the bucket at the time of configuration. diff --git a/src/content/changelog/cloudflare-one/new-applications-71825.mdx b/src/content/changelog/cloudflare-one/new-applications-71825.mdx index 2f8792b987ef48..3732caa81147c8 100644 --- a/src/content/changelog/cloudflare-one/new-applications-71825.mdx +++ b/src/content/changelog/cloudflare-one/new-applications-71825.mdx @@ -11,4 +11,4 @@ product: Gateway To view all available applications, log in to your Cloudflare [Zero Trust dashboard](https://one.dash.cloudflare.com/), navigate to the **App Library** under **My Team**. -For more information on creating Gateway policies, see our [Gateway policy documentation](/cloudflare-one/policies/gateway/). +For more information on creating Gateway policies, see our [Gateway policy documentation](/cloudflare-one/traffic-policies/). diff --git a/src/content/changelog/cloudflare-tunnel/2025-09-18-tunnel-hostname-routing.mdx b/src/content/changelog/cloudflare-tunnel/2025-09-18-tunnel-hostname-routing.mdx index 4e34d1466bbe61..55d97e7d397ade 100644 --- a/src/content/changelog/cloudflare-tunnel/2025-09-18-tunnel-hostname-routing.mdx +++ b/src/content/changelog/cloudflare-tunnel/2025-09-18-tunnel-hostname-routing.mdx 
@@ -18,6 +18,6 @@ Previously, Tunnel routes could only be defined by IP address or [CIDR range](/c - **Precise Egress Control**: Route traffic for public hostnames (e.g., `bank.example.com`) through a specific Tunnel to enforce a dedicated source IP, solving the IP allowlist problem for third-party services. - **No More IP Lists**: This feature makes the workaround of maintaining dynamic IP Lists for Tunnel connections obsolete. -Get started in the Tunnels section of the Zero Trust dashboard with your first [private hostname](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/) or [public hostname](/cloudflare-one/policies/gateway/egress-policies/egress-cloudflared/) route. +Get started in the Tunnels section of the Zero Trust dashboard with your first [private hostname](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/) or [public hostname](/cloudflare-one/traffic-policies/egress-policies/egress-cloudflared/) route. Learn more in our [blog post](https://blog.cloudflare.com/tunnel-hostname-routing/). \ No newline at end of file diff --git a/src/content/changelog/dlp/2025-01-03-source-code-confidence-level.mdx b/src/content/changelog/dlp/2025-01-03-source-code-confidence-level.mdx index 2325dc880eb02e..2aac0be3f2dca9 100644 --- a/src/content/changelog/dlp/2025-01-03-source-code-confidence-level.mdx +++ b/src/content/changelog/dlp/2025-01-03-source-code-confidence-level.mdx 
@@ -13,6 +13,6 @@ You can now detect source code leaks with Data Loss Prevention (DLP) with predef product="cloudflare-one" /> -DLP also supports confidence level for [source code profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/#source-code). +DLP also supports confidence level for [source code profiles](/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#source-code). -For more details, refer to [DLP profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/). +For more details, refer to [DLP profiles](/cloudflare-one/data-loss-prevention/dlp-profiles/). diff --git a/src/content/changelog/dlp/2025-04-14-icd11-support.mdx b/src/content/changelog/dlp/2025-04-14-icd11-support.mdx index 958c6066561126..ff2a82d08229b1 100644 --- a/src/content/changelog/dlp/2025-04-14-icd11-support.mdx +++ b/src/content/changelog/dlp/2025-04-14-icd11-support.mdx 
@@ -4,6 +4,6 @@ description: ICD-11 is now available for DLP detections. date: 2025-04-14 --- -You now have access to the World Health Organization (WHO) 2025 edition of the [International Classification of Diseases 11th Revision (ICD-11)](https://www.who.int/news/item/14-02-2025-who-releases-2025-update-to-the-international-classification-of-diseases-%28icd-11%29) as a predefined detection entry. The new dataset can be found in the [Health Information](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/#health-information) predefined profile. +You now have access to the World Health Organization (WHO) 2025 edition of the [International Classification of Diseases 11th Revision (ICD-11)](https://www.who.int/news/item/14-02-2025-who-releases-2025-update-to-the-international-classification-of-diseases-%28icd-11%29) as a predefined detection entry. The new dataset can be found in the [Health Information](/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#health-information) predefined profile. ICD-10 dataset remains available for use. diff --git a/src/content/changelog/dlp/2025-05-07-forensic-copy-update.mdx b/src/content/changelog/dlp/2025-05-07-forensic-copy-update.mdx index 841ddddd4c8745..cea9629060dd8f 100644 --- a/src/content/changelog/dlp/2025-05-07-forensic-copy-update.mdx +++ b/src/content/changelog/dlp/2025-05-07-forensic-copy-update.mdx 
@@ -4,7 +4,7 @@ description: HTTP policies can now be configured to send forensic copies for all date: 2025-05-07 --- -You can now [send DLP forensic copies](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#send-http-requests-to-logpush-destination/) to third-party storage for any HTTP policy with an `Allow` or `Block` action, without needing to include a DLP profile. This change increases flexibility for data handling and forensic investigation use cases. +You can now [send DLP forensic copies](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#send-http-requests-to-logpush-destination/) to third-party storage for any HTTP policy with an `Allow` or `Block` action, without needing to include a DLP profile. This change increases flexibility for data handling and forensic investigation use cases. By default, Gateway will send all matched HTTP requests to your configured DLP Forensic Copy jobs. diff --git a/src/content/changelog/dlp/2025-05-12-case-sensitive-cwl.mdx b/src/content/changelog/dlp/2025-05-12-case-sensitive-cwl.mdx index 1c1160fffe5771..6c3c815d040666 100644 --- a/src/content/changelog/dlp/2025-05-12-case-sensitive-cwl.mdx +++ b/src/content/changelog/dlp/2025-05-12-case-sensitive-cwl.mdx @@ -4,6 +4,6 @@ description: Custom Word Lists can now be configured to enforce case sensitivity date: 2025-05-12 --- -You can now configure [custom word lists](/cloudflare-one/policies/data-loss-prevention/detection-entries/#custom-wordlist) to enforce case sensitivity. This setting supports flexibility where needed and aims to reduce false positives where letter casing is critical. +You can now configure [custom word lists](/cloudflare-one/data-loss-prevention/detection-entries/#custom-wordlist) to enforce case sensitivity. This setting supports flexibility where needed and aims to reduce false positives where letter casing is critical. ![dlp](~/assets/images/changelog/dlp/case-sesitive-cwl.png) 
diff --git a/src/content/changelog/dlp/2025-07-17-document-matching.mdx b/src/content/changelog/dlp/2025-07-17-document-matching.mdx index ba23f72e2830a6..312077ed570d88 100644 --- a/src/content/changelog/dlp/2025-07-17-document-matching.mdx +++ b/src/content/changelog/dlp/2025-07-17-document-matching.mdx @@ -4,7 +4,7 @@ description: Upload a document as a detection entry type to be identified in tra date: 2025-07-17 --- -You can now create [document-based](/cloudflare-one/policies/data-loss-prevention/detection-entries/#documents) detection entries in DLP by uploading example documents. Cloudflare will encrypt your documents and create a unique fingerprint of the file. This fingerprint is then used to identify similar documents or snippets within your organization's traffic and stored files. +You can now create [document-based](/cloudflare-one/data-loss-prevention/detection-entries/#documents) detection entries in DLP by uploading example documents. Cloudflare will encrypt your documents and create a unique fingerprint of the file. This fingerprint is then used to identify similar documents or snippets within your organization's traffic and stored files. ![DLP](~/assets/images/changelog/dlp/document-match.png) diff --git a/src/content/changelog/dlp/2025-08-25-ai-prompt-protection.mdx b/src/content/changelog/dlp/2025-08-25-ai-prompt-protection.mdx index 6187ff5e962e43..072bd9362de33b 100644 --- a/src/content/changelog/dlp/2025-08-25-ai-prompt-protection.mdx +++ b/src/content/changelog/dlp/2025-08-25-ai-prompt-protection.mdx 
@@ -12,7 +12,7 @@ DLP can now natively detect and inspect user prompts submitted to popular AI app 2. **Prompt Analysis and Topic Classification** -Our DLP engine performs deep analysis on each prompt, applying [topic classification](/cloudflare-one/policies/data-loss-prevention/detection-entries/#ai-prompt-topics). These topics are grouped into two evaluation categories: +Our DLP engine performs deep analysis on each prompt, applying [topic classification](/cloudflare-one/data-loss-prevention/detection-entries/#ai-prompt-topics). These topics are grouped into two evaluation categories: - **Content:** PII, Source Code, Credentials and Secrets, Financial Information, and Customer Data. 
@@ -24,14 +24,14 @@ To help you apply these topics quickly, we have also released five new predefine 3. **Granular Guardrails** - You can now build guardrails using Gateway HTTP policies with [application granular controls](/cloudflare-one/policies/gateway/http-policies/#application-granular-controls). Apply a DLP profile containing an [AI prompt topic detection](/cloudflare-one/policies/data-loss-prevention/detection-entries/#ai-prompt-topics) to individual AI applications (for example, ```ChatGPT```) and specific user actions (for example, ```SendPrompt```) to block sensitive prompts. + You can now build guardrails using Gateway HTTP policies with [application granular controls](/cloudflare-one/traffic-policies/http-policies/#application-granular-controls). Apply a DLP profile containing an [AI prompt topic detection](/cloudflare-one/data-loss-prevention/detection-entries/#ai-prompt-topics) to individual AI applications (for example, ```ChatGPT```) and specific user actions (for example, ```SendPrompt```) to block sensitive prompts. ![DLP](~/assets/images/changelog/dlp/ai-prompt-policy.png) 4. **Full Prompt Logging** - To aid in incident investigation, an optional setting in your Gateway policy allows you to [capture prompt logs](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-generative-ai-prompt-content) to store the full interaction of prompts that trigger a policy match. To make investigations easier, logs can be filtered by ```conversation_id```, allowing you to reconstruct the full context of an interaction that led to a policy violation. + To aid in incident investigation, an optional setting in your Gateway policy allows you to [capture prompt logs](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-generative-ai-prompt-content) to store the full interaction of prompts that trigger a policy match. 
To make investigations easier, logs can be filtered by ```conversation_id```, allowing you to reconstruct the full context of an interaction that led to a policy violation. ![DLP](~/assets/images/changelog/dlp/ai-prompt-log.png) -AI prompt protection is now available in open beta. To learn more about it, read the [blog](https://blog.cloudflare.com/ai-prompt-protection/#closing-the-loop-logging) or refer to [AI prompt topics](/cloudflare-one/policies/data-loss-prevention/detection-entries/#ai-prompt-topics). \ No newline at end of file +AI prompt protection is now available in open beta. To learn more about it, read the [blog](https://blog.cloudflare.com/ai-prompt-protection/#closing-the-loop-logging) or refer to [AI prompt topics](/cloudflare-one/data-loss-prevention/detection-entries/#ai-prompt-topics). \ No newline at end of file diff --git a/src/content/changelog/dlp/2025-09-25-body-phase-selector.mdx b/src/content/changelog/dlp/2025-09-25-body-phase-selector.mdx index cd0ee29e3d7037..5ad892beb64d4e 100644 --- a/src/content/changelog/dlp/2025-09-25-body-phase-selector.mdx +++ b/src/content/changelog/dlp/2025-09-25-body-phase-selector.mdx @@ -17,4 +17,4 @@ For example, consider a policy that blocks Social Security Numbers (SSNs). Previ All policies without this selector will continue to scan both request and response bodies to ensure continued protection. -For more information, refer to [Gateway HTTP policy selectors](/cloudflare-one/policies/gateway/http-policies/#body-phase/). +For more information, refer to [Gateway HTTP policy selectors](/cloudflare-one/traffic-policies/http-policies/#body-phase/). diff --git a/src/content/changelog/dlp/2025-10-01-new-file-type-support.mdx b/src/content/changelog/dlp/2025-10-01-new-file-type-support.mdx index 2fd27e03c40c89..d003cbcb6ac614 100644 --- a/src/content/changelog/dlp/2025-10-01-new-file-type-support.mdx +++ b/src/content/changelog/dlp/2025-10-01-new-file-type-support.mdx 
@@ -12,7 +12,7 @@ We have expanded Gateway's file type controls to include: - Microsoft Software Installer (msix, appx) - Apple Software Package (pkg) -You can find these new options within the [_Upload File Types_ and _Download File Types_ selectors](/cloudflare-one/policies/gateway/http-policies/#download-and-upload-file-types) when creating or editing an HTTP policy. The file types are categorized as follows: +You can find these new options within the [_Upload File Types_ and _Download File Types_ selectors](/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) when creating or editing an HTTP policy. The file types are categorized as follows: - **System**: _Apple Disk Image (dmg)_ - **Executable**: _Microsoft Software Installer (msix)_, _Microsoft Software Installer (appx)_, _Apple Software Package (pkg)_ @@ -22,4 +22,4 @@ To ensure these file types are blocked effectively, please note the following be - DMG: Due to their file structure, DMG files are blocked at the very end of the transfer. A user's download may appear to progress but will fail at the last moment, preventing the browser from saving the file. - MSIX: To comprehensively block Microsoft Software Installers, you should also include the file type _Unscannable_. MSIX files larger than 100 MB are identified as Unscannable ZIP files during inspection. -To get started, go to your HTTP policies in Zero Trust. For a full list of file types, refer to [supported file types](/cloudflare-one/policies/gateway/http-policies/#supported-file-types). +To get started, go to your HTTP policies in Zero Trust. For a full list of file types, refer to [supported file types](/cloudflare-one/traffic-policies/http-policies/#supported-file-types). diff --git a/src/content/changelog/dns/2025-06-16-internal-dns-beta-ui.mdx b/src/content/changelog/dns/2025-06-16-internal-dns-beta-ui.mdx index a00f46a9907171..859fb9a146b8f8 100644 --- a/src/content/changelog/dns/2025-06-16-internal-dns-beta-ui.mdx 
+++ b/src/content/changelog/dns/2025-06-16-internal-dns-beta-ui.mdx @@ -10,7 +10,7 @@ Participating beta testers can now fully configure [Internal DNS](/dns/internal- - Map internal hostnames to private IPs for services, devices, and applications not exposed to the public Internet -- Resolve internal DNS queries securely through [Cloudflare Gateway](/cloudflare-one/policies/gateway/) +- Resolve internal DNS queries securely through [Cloudflare Gateway](/cloudflare-one/traffic-policies/) - Use split-horizon DNS to return different responses based on network context diff --git a/src/content/changelog/email-security-cf1/2025-05-08-open-attachments-with-browser-isolation.mdx b/src/content/changelog/email-security-cf1/2025-05-08-open-attachments-with-browser-isolation.mdx index a059916b09f588..58d46ed69c5dce 100644 --- a/src/content/changelog/email-security-cf1/2025-05-08-open-attachments-with-browser-isolation.mdx +++ b/src/content/changelog/email-security-cf1/2025-05-08-open-attachments-with-browser-isolation.mdx @@ -15,7 +15,7 @@ To use this feature, you must: - Enable **Clientless Web Isolation** in your Zero Trust settings. - Have **Browser Isolation (BISO)** seats assigned. -For more details, refer to our [setup guide](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/). +For more details, refer to our [setup guide](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/). Some attachment types may not render in Browser Isolation. If there is a file type that you would like to be opened with Browser Isolation, reach out to your Cloudflare contact. diff --git a/src/content/changelog/email-security-cf1/2025-05-15-open-links-browser-isolation.mdx b/src/content/changelog/email-security-cf1/2025-05-15-open-links-browser-isolation.mdx index 7756fe3fa2b077..36c97fa357a571 100644 --- a/src/content/changelog/email-security-cf1/2025-05-15-open-links-browser-isolation.mdx 
+++ b/src/content/changelog/email-security-cf1/2025-05-15-open-links-browser-isolation.mdx @@ -15,7 +15,7 @@ To use this feature, you must: - Enable **Clientless Web Isolation** in your Zero Trust settings. - Have **Browser Isolation (BISO)** seats assigned. -For more details, refer to our [setup guide](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/). +For more details, refer to our [setup guide](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/). This feature is available across these Email Security packages: diff --git a/src/content/changelog/email-security-cf1/2025-09-01-updated-new-roles.mdx b/src/content/changelog/email-security-cf1/2025-09-01-updated-new-roles.mdx index 9d94b8c354e58f..b63dcbc493044f 100644 --- a/src/content/changelog/email-security-cf1/2025-09-01-updated-new-roles.mdx +++ b/src/content/changelog/email-security-cf1/2025-09-01-updated-new-roles.mdx 
@@ -17,7 +17,7 @@ All Email Security roles no longer have read or write access to any of the other
 - **Email Security Reporting**
-To configure [Data Loss Prevention (DLP)](/cloudflare-one/email-security/outbound-dlp/) or [Remote Browser Isolation (RBI)](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/#set-up-clientless-web-isolation), you now need to be an admin for the Zero Trust dashboard with the **Cloudflare Zero Trust** role.
+To configure [Data Loss Prevention (DLP)](/cloudflare-one/email-security/outbound-dlp/) or [Remote Browser Isolation (RBI)](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/#set-up-clientless-web-isolation), you now need to be an admin for the Zero Trust dashboard with the **Cloudflare Zero Trust** role.
 Also through customer feedback, we have created a new additive role to allow **Email Security Analyst** to create, edit, and delete Email Security policies, without needing to provide access via the **Email Configuration Admin** role. This role is called **Email Security Policy Admin**, which can read all settings, but has write access to [allow policies](/cloudflare-one/email-security/detection-settings/allow-policies/), [trusted domains](/cloudflare-one/email-security/detection-settings/trusted-domains/), and [blocked senders](/cloudflare-one/email-security/detection-settings/blocked-senders/).
diff --git a/src/content/changelog/gateway/2025-02-13-improvements-unscannable-files.mdx b/src/content/changelog/gateway/2025-02-13-improvements-unscannable-files.mdx
index 616514a4d0276c..02cfc096f8b795 100644
--- a/src/content/changelog/gateway/2025-02-13-improvements-unscannable-files.mdx
+++ b/src/content/changelog/gateway/2025-02-13-improvements-unscannable-files.mdx
@@ -10,8 +10,8 @@ import { Render } from "~/components";
 Gateway HTTP policies can now block files that are password-protected, compressed, or otherwise unscannable.
-These unscannable files are now matched with the [Download and Upload File Types traffic selectors](/cloudflare-one/policies/gateway/http-policies/#download-and-upload-file-types) for HTTP policies:
+These unscannable files are now matched with the [Download and Upload File Types traffic selectors](/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) for HTTP policies:
-To get started inspecting and modifying behavior based on these and other rules, refer to [HTTP filtering](/cloudflare-one/policies/gateway/initial-setup/http/).
+To get started inspecting and modifying behavior based on these and other rules, refer to [HTTP filtering](/cloudflare-one/traffic-policies/initial-setup/http/).
diff --git a/src/content/changelog/gateway/2025-04-11-http-redirect-custom-block-page-redirect.mdx b/src/content/changelog/gateway/2025-04-11-http-redirect-custom-block-page-redirect.mdx
index bb703f9abab194..ee71b61be933e5 100644
--- a/src/content/changelog/gateway/2025-04-11-http-redirect-custom-block-page-redirect.mdx
+++ b/src/content/changelog/gateway/2025-04-11-http-redirect-custom-block-page-redirect.mdx
@@ -12,4 +12,4 @@ You can now use more flexible redirect capabilities in Cloudflare One with Gatew
 - A new **Redirect** action is available in the HTTP policy builder, allowing admins to redirect users to any URL when their request matches a policy. You can choose to preserve the original URL and query string, and optionally include policy context via query parameters.
 - For **Block** actions, admins can now configure a custom URL to display when access is denied. This block page redirect is set at the account level and can be overridden in DNS or HTTP policies. Policy context can also be passed along in the URL.
-Learn more in our documentation for [HTTP Redirect](/cloudflare-one/policies/gateway/http-policies/#redirect) and [Block page redirect](/cloudflare-one/policies/gateway/block-page/#redirect-to-a-block-page).
+Learn more in our documentation for [HTTP Redirect](/cloudflare-one/traffic-policies/http-policies/#redirect) and [Block page redirect](/cloudflare-one/traffic-policies/block-page/#redirect-to-a-block-page).
diff --git a/src/content/changelog/gateway/2025-04-28-FDQN-Filtering-Egress-Policies.mdx b/src/content/changelog/gateway/2025-04-28-FDQN-Filtering-Egress-Policies.mdx
index ef98a6b4d09b38..80298e44e40cee 100644
--- a/src/content/changelog/gateway/2025-04-28-FDQN-Filtering-Egress-Policies.mdx
+++ b/src/content/changelog/gateway/2025-04-28-FDQN-Filtering-Egress-Policies.mdx
@@ -11,7 +11,7 @@ Cloudflare One administrators can now control which egress IP is used based on a
 - Host, Domain, Content Categories, and Application selectors are now available in the Gateway Egress policy builder in beta.
 - During the beta period, you can use these selectors with traffic on-ramped to Gateway with the WARP client, proxy endpoints (commonly deployed with PAC files), or Cloudflare Browser Isolation.
- - For WARP client support, additional configuration is required. For more information, refer to the [WARP client configuration documentation](/cloudflare-one/policies/gateway/egress-policies/#limitations).
+ - For WARP client support, additional configuration is required. For more information, refer to the [WARP client configuration documentation](/cloudflare-one/traffic-policies/egress-policies/#limitations).
 ![Egress by FQDN and Hostname](~/assets/images/gateway/Gateway-Egress-FQDN-Policy-preview.png)
diff --git a/src/content/changelog/gateway/2025-05-13-new-applications-added.mdx b/src/content/changelog/gateway/2025-05-13-new-applications-added.mdx
index 0ce7e661831191..1b4a838c144e0f 100644
--- a/src/content/changelog/gateway/2025-05-13-new-applications-added.mdx
+++ b/src/content/changelog/gateway/2025-05-13-new-applications-added.mdx
@@ -13,4 +13,4 @@ With this update, you can:
 - Manage outbound traffic more effectively
 - Improve your organization's security and compliance posture
-For more information on creating DNS policies, see our [DNS policy documentation](/cloudflare-one/policies/gateway/dns-policies/).
+For more information on creating DNS policies, see our [DNS policy documentation](/cloudflare-one/traffic-policies/dns-policies/).
diff --git a/src/content/changelog/gateway/2025-05-14-domain-category-improvements.mdx b/src/content/changelog/gateway/2025-05-14-domain-category-improvements.mdx
index 36f9d5aaddcfa7..d9cb405d851c48 100644
--- a/src/content/changelog/gateway/2025-05-14-domain-category-improvements.mdx
+++ b/src/content/changelog/gateway/2025-05-14-domain-category-improvements.mdx
@@ -24,4 +24,4 @@ date: 2025-05-14
 | Government | Government/Legal |
 | Redirect | URL Alias/Redirect |
-Refer to [Gateway domain categories](/cloudflare-one/policies/gateway/domain-categories/) to learn more.
+Refer to [Gateway domain categories](/cloudflare-one/traffic-policies/domain-categories/) to learn more.
diff --git a/src/content/changelog/gateway/2025-05-27-Protocol-Detection-availability.mdx b/src/content/changelog/gateway/2025-05-27-Protocol-Detection-availability.mdx
index 7b21c1b689d1f2..1659650d633b48 100644
--- a/src/content/changelog/gateway/2025-05-27-Protocol-Detection-availability.mdx
+++ b/src/content/changelog/gateway/2025-05-27-Protocol-Detection-availability.mdx
@@ -11,4 +11,4 @@ All Cloudflare One Gateway users can now use Protocol detection logging and filt
 With Protocol Detection, admins can identify and enforce policies on traffic proxied through Gateway based on the underlying network protocol (for example, HTTP, TLS, or SSH), enabling more granular traffic control and security visibility no matter your plan tier.
-This feature is available to enable in your account network settings for all accounts. For more information on using Protocol Detection, refer to the [Protocol detection documentation](/cloudflare-one/policies/gateway/network-policies/protocol-detection/).
+This feature is available to enable in your account network settings for all accounts. For more information on using Protocol Detection, refer to the [Protocol detection documentation](/cloudflare-one/traffic-policies/network-policies/protocol-detection/).
diff --git a/src/content/changelog/gateway/2025-06-17-new-order-of-enforcement.mdx b/src/content/changelog/gateway/2025-06-17-new-order-of-enforcement.mdx
index f33f9c25381db6..c10d3482a082f4 100644
--- a/src/content/changelog/gateway/2025-06-17-new-order-of-enforcement.mdx
+++ b/src/content/changelog/gateway/2025-06-17-new-order-of-enforcement.mdx
@@ -7,7 +7,7 @@ hidden: false
 date: 2025-06-18
 ---
-[Gateway](/cloudflare-one/policies/gateway/) will now evaluate [Network (Layer 4) policies](/cloudflare-one/policies/gateway/network-policies/) **before** [HTTP (Layer 7) policies](/cloudflare-one/policies/gateway/http-policies/). This change preserves your existing security posture and does not affect which traffic is filtered — but it may impact how notifications are displayed to end users.
+[Gateway](/cloudflare-one/traffic-policies/) will now evaluate [Network (Layer 4) policies](/cloudflare-one/traffic-policies/network-policies/) **before** [HTTP (Layer 7) policies](/cloudflare-one/traffic-policies/http-policies/). This change preserves your existing security posture and does not affect which traffic is filtered — but it may impact how notifications are displayed to end users.
 This change will roll out progressively between **July 14–18, 2025**. If you use HTTP policies, we recommend reviewing your configuration ahead of rollout to ensure the user experience remains consistent.
@@ -50,4 +50,4 @@ This update is based on user feedback and aims to:
 ---
-To learn more, visit the [Gateway order of enforcement documentation](/cloudflare-one/policies/gateway/order-of-enforcement/).
+To learn more, visit the [Gateway order of enforcement documentation](/cloudflare-one/traffic-policies/order-of-enforcement/).
diff --git a/src/content/changelog/gateway/2025-07-24-HTTP-Inspection-on-all-ports.mdx b/src/content/changelog/gateway/2025-07-24-HTTP-Inspection-on-all-ports.mdx
index fcd35805f5e673..6d777cba0965f6 100644
--- a/src/content/changelog/gateway/2025-07-24-HTTP-Inspection-on-all-ports.mdx
+++ b/src/content/changelog/gateway/2025-07-24-HTTP-Inspection-on-all-ports.mdx
@@ -7,10 +7,10 @@ hidden: false
 date: 2025-07-24
 ---
-[Gateway](/cloudflare-one/policies/gateway/) can now apply [HTTP filtering](/cloudflare-one/policies/gateway/http-policies/) to all proxied HTTP requests, not just traffic on standard HTTP (`80`) and HTTPS (`443`) ports. This means all requests can now be filtered by [A/V scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), [file sandboxing](/cloudflare-one/policies/gateway/http-policies/file-sandboxing/), [Data Loss Prevention (DLP)](/cloudflare-one/policies/data-loss-prevention/#data-in-transit), and more.
+[Gateway](/cloudflare-one/traffic-policies/) can now apply [HTTP filtering](/cloudflare-one/traffic-policies/http-policies/) to all proxied HTTP requests, not just traffic on standard HTTP (`80`) and HTTPS (`443`) ports. This means all requests can now be filtered by [A/V scanning](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/), [file sandboxing](/cloudflare-one/traffic-policies/http-policies/file-sandboxing/), [Data Loss Prevention (DLP)](/cloudflare-one/data-loss-prevention/#data-in-transit), and more.
-You can turn this [setting](/cloudflare-one/policies/gateway/network-policies/protocol-detection/#inspect-on-all-ports) on by going to **Settings** > **Network** > **Firewall** and choosing _Inspect on all ports_.
+You can turn this [setting](/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports) on by going to **Settings** > **Network** > **Firewall** and choosing _Inspect on all ports_.
 ![HTTP Inspection on all ports setting](~/assets/images/gateway/Gateway-Inspection-all-ports.png)
-To learn more, refer to [Inspect on all ports (Beta)](/cloudflare-one/policies/gateway/network-policies/protocol-detection/#inspect-on-all-ports).
+To learn more, refer to [Inspect on all ports (Beta)](/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports).
diff --git a/src/content/changelog/gateway/2025-07-28-Spam-domain-category-introduced.mdx b/src/content/changelog/gateway/2025-07-28-Spam-domain-category-introduced.mdx
index 447689a183e440..99deeee7c9cf01 100644
--- a/src/content/changelog/gateway/2025-07-28-Spam-domain-category-introduced.mdx
+++ b/src/content/changelog/gateway/2025-07-28-Spam-domain-category-introduced.mdx
@@ -14,4 +14,4 @@ We have introduced a new Security Threat category called **Scam**. Relevant doma
 | 21 | Security Threats | 191 | Scam |
-Refer to [Gateway domain categories](/cloudflare-one/policies/gateway/domain-categories/) to learn more.
+Refer to [Gateway domain categories](/cloudflare-one/traffic-policies/domain-categories/) to learn more.
diff --git a/src/content/changelog/gateway/2025-08-15-gemini-application-replaces-bard.mdx b/src/content/changelog/gateway/2025-08-15-gemini-application-replaces-bard.mdx
index baa9b3b0393190..295f092f251e8c 100644
--- a/src/content/changelog/gateway/2025-08-15-gemini-application-replaces-bard.mdx
+++ b/src/content/changelog/gateway/2025-08-15-gemini-application-replaces-bard.mdx
@@ -7,4 +7,4 @@ The **Google Bard** application (ID: 1198) has been deprecated and fully removed
 Any existing Gateway policies that reference the old Google Bard application will no longer function. To ensure your policies continue to work as intended, you should update them to use the new Gemini application. We recommend replacing all instances of the deprecated Bard application with the new Gemini application in your Gateway policies.
-For more information about application policies, please see the [Cloudflare Gateway documentation](/cloudflare-one/policies/gateway/application-app-types/).
+For more information about application policies, please see the [Cloudflare Gateway documentation](/cloudflare-one/traffic-policies/application-app-types/).
diff --git a/src/content/changelog/gateway/2025-08-21-byoip-dedicated-egress-ip.mdx b/src/content/changelog/gateway/2025-08-21-byoip-dedicated-egress-ip.mdx
index a6065870d51b1d..af30dc7361ddcd 100644
--- a/src/content/changelog/gateway/2025-08-21-byoip-dedicated-egress-ip.mdx
+++ b/src/content/changelog/gateway/2025-08-21-byoip-dedicated-egress-ip.mdx
@@ -10,8 +10,8 @@ Enterprise Gateway users can now use Bring Your Own IP (BYOIP) for dedicated egr
 Admins can now onboard and use their own IPv4 or IPv6 prefixes to egress traffic from Cloudflare, delivering greater control, flexibility, and compliance for network traffic.
-Get started by following the [BYOIP onboarding process](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip). Once your IPs are onboarded, go to **Gateway** > **Egress policies** and select or create an egress policy. In **Select an egress IP**, choose _Use dedicated egress IPs (Cloudflare or BYOIP)_, then select your BYOIP address from the dropdown menu.
+Get started by following the [BYOIP onboarding process](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip). Once your IPs are onboarded, go to **Gateway** > **Egress policies** and select or create an egress policy. In **Select an egress IP**, choose _Use dedicated egress IPs (Cloudflare or BYOIP)_, then select your BYOIP address from the dropdown menu.
 ![Screenshot of a dropdown menu adding a BYOIP IPv4 address as a dedicated egress IP in a Gateway egress policy](~/assets/images/gateway/Gateway-byoip-dedicated-egress-ips.png)
-For more information, refer to [BYOIP for dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip).
+For more information, refer to [BYOIP for dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip).
diff --git a/src/content/changelog/gateway/2025-09-11-dns-filtering-for-private-network-onramps.mdx b/src/content/changelog/gateway/2025-09-11-dns-filtering-for-private-network-onramps.mdx
index 1328b328c1b4ac..bda3f343ce67de 100644
--- a/src/content/changelog/gateway/2025-09-11-dns-filtering-for-private-network-onramps.mdx
+++ b/src/content/changelog/gateway/2025-09-11-dns-filtering-for-private-network-onramps.mdx
@@ -10,7 +10,7 @@ date: "2025-09-11"
 [Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/#dns-filtering) and [WARP Connector](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/site-to-internet/#configure-dns-resolver-on-devices) users can now securely route their DNS traffic to the Gateway resolver without exposing traffic to the public Internet.
-Routing DNS traffic to the Gateway resolver allows DNS resolution and filtering for traffic coming from private networks while preserving source internal IP visibility. This ensures Magic WAN users have full integration with our Cloudflare One features, including [Internal DNS](/cloudflare-one/policies/gateway/resolver-policies/#internal-dns) and [hostname-based policies](/cloudflare-one/policies/gateway/egress-policies/#selector-prerequisites).
+Routing DNS traffic to the Gateway resolver allows DNS resolution and filtering for traffic coming from private networks while preserving source internal IP visibility. This ensures Magic WAN users have full integration with our Cloudflare One features, including [Internal DNS](/cloudflare-one/traffic-policies/resolver-policies/#internal-dns) and [hostname-based policies](/cloudflare-one/traffic-policies/egress-policies/#selector-prerequisites).
-To configure DNS filtering, change your Magic WAN or WARP Connector DNS settings to use Cloudflare's shared resolver IPs, `172.64.36.1` and `172.64.36.2`. Once you configure DNS resolution and filtering, you can use _Source Internal IP_ as a traffic selector in your [resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) for routing private DNS traffic to your [Internal DNS](/dns/internal-dns/).
+To configure DNS filtering, change your Magic WAN or WARP Connector DNS settings to use Cloudflare's shared resolver IPs, `172.64.36.1` and `172.64.36.2`. Once you configure DNS resolution and filtering, you can use _Source Internal IP_ as a traffic selector in your [resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) for routing private DNS traffic to your [Internal DNS](/dns/internal-dns/).
diff --git a/src/content/changelog/gateway/2025-09-25-new-granular-controls-for-saas-applications.mdx b/src/content/changelog/gateway/2025-09-25-new-granular-controls-for-saas-applications.mdx
index 4ed65b895b3c32..e7f169b1f2f380 100644
--- a/src/content/changelog/gateway/2025-09-25-new-granular-controls-for-saas-applications.mdx
+++ b/src/content/changelog/gateway/2025-09-25-new-granular-controls-for-saas-applications.mdx
@@ -7,11 +7,11 @@ hidden: false
 date: 2025-09-30
 ---
-Gateway users can now apply granular controls to their file sharing and AI chat applications through [HTTP policies](/cloudflare-one/policies/gateway/http-policies).
+Gateway users can now apply granular controls to their file sharing and AI chat applications through [HTTP policies](/cloudflare-one/traffic-policies/http-policies).
 The new feature offers two methods of controlling SaaS applications:
 - **Application Controls** are curated groupings of Operations which provide an easy way for users to achieve a specific outcome. Application Controls may include _Upload_, _Download_, _Prompt_, _Voice_, and _Share_ depending on the application.
 - **Operations** are controls aligned to the most granular action a user can take. This provides a fine-grained approach to enforcing policy and generally aligns to the SaaS providers API specifications in naming and function.
-Get started using [Application Granular Controls](/cloudflare-one/policies/gateway/http-policies/granular-controls) and refer to the list of [supported applications](/cloudflare-one/policies/gateway/http-policies/granular-controls/#compatible-applications).
+Get started using [Application Granular Controls](/cloudflare-one/traffic-policies/http-policies/granular-controls) and refer to the list of [supported applications](/cloudflare-one/traffic-policies/http-policies/granular-controls/#compatible-applications).
diff --git a/src/content/changelog/gateway/2025-10-10-new-domain-categories.mdx b/src/content/changelog/gateway/2025-10-10-new-domain-categories.mdx
index 49944f5a5a9a94..0583881ed95d8c 100644
--- a/src/content/changelog/gateway/2025-10-10-new-domain-categories.mdx
+++ b/src/content/changelog/gateway/2025-10-10-new-domain-categories.mdx
@@ -14,4 +14,4 @@ We have added three new domain categories under the Technology parent category,
 | 26 | Technology | 192 | Remote Access |
 | 26 | Technology | 193 | Shareware/Freeware |
-Refer to [Gateway domain categories](/cloudflare-one/policies/gateway/domain-categories/) to learn more.
+Refer to [Gateway domain categories](/cloudflare-one/traffic-policies/domain-categories/) to learn more.
diff --git a/src/content/changelog/gateway/2025-10-20-schedule-dns-policies-from-the-ui.mdx b/src/content/changelog/gateway/2025-10-20-schedule-dns-policies-from-the-ui.mdx
index b340fa8639146c..3cc7115a6e6daa 100644
--- a/src/content/changelog/gateway/2025-10-20-schedule-dns-policies-from-the-ui.mdx
+++ b/src/content/changelog/gateway/2025-10-20-schedule-dns-policies-from-the-ui.mdx
@@ -6,7 +6,7 @@ products:
 date: "2025-10-20"
 ---
-Admins can now create [scheduled DNS policies](/cloudflare-one/policies/gateway/dns-policies/timed-policies/) directly from the Zero Trust dashboard, without using the API. You can configure policies to be active during specific, recurring times, such as blocking social media during business hours or gaming sites on school nights.
+Admins can now create [scheduled DNS policies](/cloudflare-one/traffic-policies/dns-policies/timed-policies/) directly from the Zero Trust dashboard, without using the API. You can configure policies to be active during specific, recurring times, such as blocking social media during business hours or gaming sites on school nights.
 - **Preset Schedules**: Use built-in templates for common scenarios like Business Hours, School Days, Weekends, and more.
 - **Custom Schedules**: Define your own schedule with specific days and up to three non-overlapping time ranges per day.
diff --git a/src/content/changelog/workers/2025-10-03-one-click-access-for-workers.mdx b/src/content/changelog/workers/2025-10-03-one-click-access-for-workers.mdx
index 96d7828733021f..ed8064ce76e6ba 100644
--- a/src/content/changelog/workers/2025-10-03-one-click-access-for-workers.mdx
+++ b/src/content/changelog/workers/2025-10-03-one-click-access-for-workers.mdx
@@ -8,11 +8,11 @@ date: 2025-10-03
 import { DashButton } from "~/components";
-You can now enable [Cloudflare Access](/cloudflare-one/policies/access/) for your [`workers.dev`](/workers/configuration/routing/workers-dev/) and [Preview URLs](/workers/configuration/previews/) in a single click.
+You can now enable [Cloudflare Access](/cloudflare-one/access-controls/policies/) for your [`workers.dev`](/workers/configuration/routing/workers-dev/) and [Preview URLs](/workers/configuration/previews/) in a single click.
 ![Screenshot of the Enable/Disable Cloudflare Access button on the workers.dev route settings page](~/assets/images/workers/changelog/workers-access.png)
-Access allows you to limit access to your Workers to specific users or groups. You can limit access to yourself, your teammates, your organization, or anyone else you specify in your [Access policy](/cloudflare-one/policies/access).
+Access allows you to limit access to your Workers to specific users or groups. You can limit access to yourself, your teammates, your organization, or anyone else you specify in your [Access policy](/cloudflare-one/access-controls/policies/).
 To enable Cloudflare Access:
@@ -23,7 +23,7 @@ To enable Cloudflare Access:
 2. In **Overview**, select your Worker.
 3. Go to **Settings** > **Domains & Routes**.
 4. For `workers.dev` or Preview URLs, click **Enable Cloudflare Access**.
-5. Optionally, to configure the Access application, click **Manage Cloudflare Access**. There, you can change the email addresses you want to authorize. View [Access policies](/cloudflare-one/policies/access/#selectors) to learn about configuring alternate rules.
+5. Optionally, to configure the Access application, click **Manage Cloudflare Access**. There, you can change the email addresses you want to authorize. View [Access policies](/cloudflare-one/access-controls/policies/#selectors) to learn about configuring alternate rules.
 To fully secure your application, it is important that you validate the JWT that Cloudflare Access adds to the `Cf-Access-Jwt-Assertion` header on the incoming request.
@@ -36,9 +36,9 @@ export default {
 async fetch(request, env, ctx) {
 // Verify the POLICY_AUD environment variable is set
 if (!env.POLICY_AUD) {
- return new Response('Missing required audience', {
+ return new Response("Missing required audience", {
 status: 403,
- headers: { 'Content-Type': 'text/plain' }
+ headers: { "Content-Type": "text/plain" },
 });
 }
@@ -89,4 +89,4 @@ Add these [environment variables](/workers/configuration/environment-variables/)
 Both of these appear in the modal that appears when you enable Cloudflare Access.
-You can set these variables by adding them to your Worker's [Wrangler configuration file](/workers/wrangler/configuration/), or via the Cloudflare dashboard under **Workers & Pages** > **your-worker** > **Settings** > **Environment Variables**.
\ No newline at end of file
+You can set these variables by adding them to your Worker's [Wrangler configuration file](/workers/wrangler/configuration/), or via the Cloudflare dashboard under **Workers & Pages** > **your-worker** > **Settings** > **Environment Variables**.
diff --git a/src/content/docs/1.1.1.1/infrastructure/network-operators.mdx b/src/content/docs/1.1.1.1/infrastructure/network-operators.mdx
index bfa146c3ba2331..3296edb7254c0c 100644
--- a/src/content/docs/1.1.1.1/infrastructure/network-operators.mdx
+++ b/src/content/docs/1.1.1.1/infrastructure/network-operators.mdx
@@ -18,9 +18,9 @@ The 1.1.1.1 resolver was designed with a privacy-first approach. Refer to our [d
 There are multiple ways to use 1.1.1.1 as an operator:
-* Including a [DNS over HTTPS](/1.1.1.1/encryption/dns-over-https/) or [DNS over TLS](/1.1.1.1/encryption/dns-over-tls/) proxy on end-user routers or devices (best for privacy).
-* Pushing 1.1.1.1 to devices via DHCP/PPP within an operator network (recommended; most practical).
-* Having a DNS proxy on a edge router make requests to 1.1.1.1 on behalf of all connected devices.
+- Including a [DNS over HTTPS](/1.1.1.1/encryption/dns-over-https/) or [DNS over TLS](/1.1.1.1/encryption/dns-over-tls/) proxy on end-user routers or devices (best for privacy).
+- Pushing 1.1.1.1 to devices via DHCP/PPP within an operator network (recommended; most practical).
+- Having a DNS proxy on a edge router make requests to 1.1.1.1 on behalf of all connected devices.
 Where possible, we recommend using encrypted transports (DNS over HTTPS or TLS) for queries, as this provides the highest degree of privacy for users over last-mile networks.
@@ -28,26 +28,20 @@ Where possible, we recommend using encrypted transports (DNS over HTTPS or TLS) :::note - -[Cloudflare Zero Trust](https://www.cloudflare.com/products/zero-trust/) supports customizable [DNS policies](/cloudflare-one/policies/gateway/dns-policies/), analytics, additional built-in filtering categories, and custom rate limiting capabilities. +[Cloudflare Zero Trust](https://www.cloudflare.com/products/zero-trust/) supports customizable [DNS policies](/cloudflare-one/traffic-policies/dns-policies/), analytics, additional built-in filtering categories, and custom rate limiting capabilities. If you require additional controls over our public 1.1.1.1 resolver, [contact us](https://www.cloudflare.com/products/zero-trust/). - ::: The publicly available endpoints for 1.1.1.1 are detailed in the following table: - - | Resolver | IPv4 address | IPv6
address | DNS over
HTTPS endpoint | DNS over
TLS endpoint | | ---------------------------------------- | -------------------------- | ---------------------------------------------------- | ----------------------------------------------- | ----------------------------- | | 1.1.1.1
(unfiltered) | `1.1.1.1`
`1.0.0.1` | `2606:4700:4700::1111`
`2606:4700:4700::1001` | `https://cloudflare-dns.com/dns-query` | `cloudflare-dns.com` | | Families
(Malware) | `1.1.1.2`
`1.0.0.2` | `2606:4700:4700::1112`
`2606:4700:4700::1002` | `https://security.cloudflare-dns.com/dns-query` | `security.cloudflare-dns.com` | | Families
(Adult Content + Malware) | `1.1.1.3`
`1.0.0.3` | `2606:4700:4700::1113`
`2606:4700:4700::1003` | `https://family.cloudflare-dns.com/dns-query` | `family.cloudflare-dns.com` |
-
-
 You may wish to provide end users with options to change from the default 1.1.1.1 resolver to one of the [1.1.1.1 for Families](/1.1.1.1/setup/#1111-for-families) endpoints.
 ## Rate Limiting
@@ -56,8 +50,8 @@ Operators using 1.1.1.1 for typical Internet-facing applications and/or users sh
 Best practices include:
-* Avoiding tunneling or proxying all queries from a single IP address at high rates. Distributing queries across multiple public IPs will improve this without impacting cache hit rates (caches are regional).
-* A high rate of "uncacheable" responses (such as `SERVFAIL`) against the same domain may be rate limited to protect upstream, authoritative nameservers. Many authoritative nameservers enforce their own rate limits, and we strive to avoid overloading third party infrastructure where possible.
+- Avoiding tunneling or proxying all queries from a single IP address at high rates. Distributing queries across multiple public IPs will improve this without impacting cache hit rates (caches are regional).
+- A high rate of "uncacheable" responses (such as `SERVFAIL`) against the same domain may be rate limited to protect upstream, authoritative nameservers. Many authoritative nameservers enforce their own rate limits, and we strive to avoid overloading third party infrastructure where possible.
 ## Help
diff --git a/src/content/docs/1.1.1.1/infrastructure/sla-and-support.mdx b/src/content/docs/1.1.1.1/infrastructure/sla-and-support.mdx
index cf4d92f4b2a92e..302021551f1f49 100644
--- a/src/content/docs/1.1.1.1/infrastructure/sla-and-support.mdx
+++ b/src/content/docs/1.1.1.1/infrastructure/sla-and-support.mdx
@@ -11,6 +11,6 @@ As you use 1.1.1.1 in your infrastructure or service, note that dedicated techni
 You are subject to the [Cloudflare Website and Online Services Terms of Use](https://www.cloudflare.com/website-terms/) and no service level agreements (SLAs) are provided.
-If you need SLAs and dedicated support, consider using [Cloudflare Gateway](/cloudflare-one/policies/gateway/) instead.
+If you need SLAs and dedicated support, consider using [Cloudflare Gateway](/cloudflare-one/traffic-policies/) instead.
-Gateway includes other advanced options such as domain categories, customized filtering, and scheduling capabilities. For example, if you are a device manufacturer or network operator, you can use a multi-tenant environment to allow your customers to configure their own individual filters.
\ No newline at end of file
+Gateway includes other advanced options such as domain categories, customized filtering, and scheduling capabilities. For example, if you are a device manufacturer or network operator, you can use a multi-tenant environment to allow your customers to configure their own individual filters.
diff --git a/src/content/docs/1.1.1.1/setup/google-cloud.mdx b/src/content/docs/1.1.1.1/setup/google-cloud.mdx
index 7ee83176e8867f..51d63bed59f956 100644
--- a/src/content/docs/1.1.1.1/setup/google-cloud.mdx
+++ b/src/content/docs/1.1.1.1/setup/google-cloud.mdx
@@ -7,18 +7,15 @@ head: - tag: title content: Set up 1.1.1.1 on Google Cloud slug: 1.1.1.1/setup/google-cloud - --- -import { Render } from "~/components" +import { Render } from "~/components"; Google Cloud supports configuring [outbound server policy](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-out) within Cloud DNS. Policies are applied per Virtual Private Cloud (VPC) network, and will affect all resources within that VPC network, including any existing virtual machines. :::note - -If you are using [Cloudflare Zero Trust](/cloudflare-one/), you can choose assigned [locations](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/) to apply custom [DNS policies](/cloudflare-one/policies/gateway/dns-policies/) via Gateway. - +If you are using [Cloudflare Zero Trust](/cloudflare-one/), you can choose assigned [locations](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/) to apply custom [DNS policies](/cloudflare-one/traffic-policies/dns-policies/) via Gateway. ::: diff --git a/src/content/docs/aegis/configuration-options/access-cni.mdx b/src/content/docs/aegis/configuration-options/access-cni.mdx index 89dc9875ad7cf1..56f03c08e3ea03 100644 --- a/src/content/docs/aegis/configuration-options/access-cni.mdx +++ b/src/content/docs/aegis/configuration-options/access-cni.mdx 
@@ -4,10 +4,9 @@ pcx_content_type: concept head: - tag: title content: Use Aegis with Access and CNI - --- -You can use Aegis combined with [Cloudflare Network Interconnect (CNI)](/network-interconnect/) to secure your applications with [Cloudflare Access](/cloudflare-one/policies/access/) without installing software or customizing code on your server. +You can use Aegis combined with [Cloudflare Network Interconnect (CNI)](/network-interconnect/) to secure your applications with [Cloudflare Access](/cloudflare-one/access-controls/policies/) without installing software or customizing code on your server. While Access allows you to enforce policies at the hostname level, other solutions are usually necessary to protect against origin IP bypass — when an attacker knows your origin server IP and uses it to directly interact with the target application. diff --git a/src/content/docs/aegis/index.mdx b/src/content/docs/aegis/index.mdx index 08d6046cc04c35..f3e66b784bc3ed 100644 --- a/src/content/docs/aegis/index.mdx +++ b/src/content/docs/aegis/index.mdx @@ -8,11 +8,19 @@ head: content: Overview --- -import { CardGrid, Description, GlossaryTooltip, LinkTitleCard, Plan, RelatedProduct } from "~/components" +import { + CardGrid, + Description, + GlossaryTooltip, + LinkTitleCard, + Plan, + RelatedProduct, +} from "~/components"; Leverage dedicated IPs to improve your origin security and implement Zero Trust. + 
@@ -21,29 +29,43 @@ Cloudflare Aegis provides dedicated egress IPs (from Cloudflare to your origin) Both [BYOIP](/byoip) and Cloudflare-leased IPs are supported by Cloudflare Aegis. - :::caution[Availability] Cloudflare Aegis is available in early access to Enterprise customers. Contact your account team to request access. ::: - -*** +--- ## Related products - -Cloudflare Access determines who can reach your application by applying the Access policies you configure. + + Cloudflare Access determines who can reach your application by applying the + Access policies you configure. - -Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. + + Cloudflare Tunnel provides you with a secure way to connect your resources to + Cloudflare without a publicly routable IP address. - -Authenticated Origin Pulls gives you the ability to perform mutual TLS between Cloudflare and your origin environment, providing cryptographically verifiable proof of the source of the traffic you receive. + + Authenticated Origin Pulls gives you the ability to perform mutual TLS between + Cloudflare and your origin environment, providing cryptographically verifiable + proof of the source of the traffic you receive. -*** +--- ## More resources @@ -52,11 +74,13 @@ Authenticated Origin Pulls gives you the ability to perform mutual TLS between C Deep dive into use cases where Aegis can help secure enterprise origins. + Reference Architecture for multi-vendor application security and performance. + diff --git a/src/content/docs/agents/model-context-protocol/authorization.mdx b/src/content/docs/agents/model-context-protocol/authorization.mdx index 57a373967015b1..e5c479409ad073 100644 --- a/src/content/docs/agents/model-context-protocol/authorization.mdx +++ b/src/content/docs/agents/model-context-protocol/authorization.mdx 
@@ -79,7 +79,7 @@ Remember — [authentication is different from authorization](https://www.cloud ### (2) Cloudflare Access integration -You can use Cloudflare Access as a Single Sign-On (SSO) provider to authorize users to your MCP server. Users log in using a [configured identity provider](/cloudflare-one/integrations/identity-providers/) or a [one-time PIN](/cloudflare-one/integrations/identity-providers/one-time-pin/), and they are only granted access if their identity matches your [Access policies](/cloudflare-one/policies/access/). +You can use Cloudflare Access as a Single Sign-On (SSO) provider to authorize users to your MCP server. Users log in using a [configured identity provider](/cloudflare-one/integrations/identity-providers/) or a [one-time PIN](/cloudflare-one/integrations/identity-providers/one-time-pin/), and they are only granted access if their identity matches your [Access policies](/cloudflare-one/access-controls/policies/). To deploy an [example MCP server](https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access) with Cloudflare Access as the OAuth provider, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/). @@ -135,6 +135,7 @@ Read the docs for the [Workers oAuth Provider Library](https://github.com/cloudf If your application already implements an OAuth Provider itself, or you use authorization-as-a-service provider, you can use this in the same way that you would use a third-party OAuth provider, described above in (2). You can use the auth provider to: + - Allow users to authenticate to your MCP server through email, social logins, SSO (single sign-on), and MFA (multi-factor authentication). - Define scopes and permissions that directly map to your MCP tools. - Present users with a consent page corresponding with the requested permissions. 
@@ -248,6 +249,7 @@ async init() { ``` Benefits: + - Authorization check at the tool level ensures proper access control - Allows you to define permission checks once and reuse them across tools - Provides clear feedback to users when permission is denied diff --git a/src/content/docs/ai-gateway/features/dlp/index.mdx b/src/content/docs/ai-gateway/features/dlp/index.mdx index edbac8c89f1e93..62bb6a52cf2cb6 100644 --- a/src/content/docs/ai-gateway/features/dlp/index.mdx +++ b/src/content/docs/ai-gateway/features/dlp/index.mdx @@ -9,13 +9,11 @@ sidebar: import { Feature } from "~/components"; - Data Loss Prevention (DLP) for AI Gateway helps protect your organization from inadvertent exposure of sensitive data through AI interactions. By integrating with Cloudflare's proven DLP technology, AI Gateway can scan both incoming prompts and outgoing AI responses for sensitive information, ensuring your AI applications maintain security and compliance standards. ## How it works -AI Gateway DLP leverages the same powerful detection engines used in [Cloudflare's Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/) solution to scan AI traffic in real-time. The system analyzes both user prompts sent to AI models and responses received from AI providers, identifying sensitive data patterns and taking appropriate protective actions. - +AI Gateway DLP leverages the same powerful detection engines used in [Cloudflare's Data Loss Prevention](/cloudflare-one/data-loss-prevention/) solution to scan AI traffic in real-time. The system analyzes both user prompts sent to AI models and responses received from AI providers, identifying sensitive data patterns and taking appropriate protective actions. ## Key benefits 
@@ -43,7 +41,7 @@ AI Gateway DLP uses the same detection profiles and policies as Cloudflare's ent - **Centralized reporting** - All DLP events appear in the same dashboard and logs - **Shared profiles** - Reuse existing DLP detection profiles for AI traffic -For more information about Cloudflare's DLP capabilities, refer to the [Data Loss Prevention documentation](/cloudflare-one/policies/data-loss-prevention/). +For more information about Cloudflare's DLP capabilities, refer to the [Data Loss Prevention documentation](/cloudflare-one/data-loss-prevention/). ## Getting started @@ -56,6 +54,6 @@ To enable DLP for your AI Gateway: ## Related resources - [Set up DLP for AI Gateway](/ai-gateway/features/dlp/set-up-dlp/) -- [Cloudflare Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/) +- [Cloudflare Data Loss Prevention](/cloudflare-one/data-loss-prevention/) - [AI Gateway Security Features](/ai-gateway/features/guardrails/) -- [DLP Detection Profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/) \ No newline at end of file +- [DLP Detection Profiles](/cloudflare-one/data-loss-prevention/dlp-profiles/) diff --git a/src/content/docs/ai-gateway/features/dlp/set-up-dlp.mdx b/src/content/docs/ai-gateway/features/dlp/set-up-dlp.mdx index c25ffc25780d89..26ff179373e9ff 100644 --- a/src/content/docs/ai-gateway/features/dlp/set-up-dlp.mdx +++ b/src/content/docs/ai-gateway/features/dlp/set-up-dlp.mdx 
@@ -28,13 +28,13 @@ After enabling DLP, you can create policies to define how sensitive data should - **Policy ID**: Enter a unique name for this policy (e.g., "Block-PII-Requests") - **DLP Profiles**: Select the DLP profiles to check against. AI requests/responses will be checked against each of the selected profiles. Available profiles include: - **Financial Information** - Credit cards, bank accounts, routing numbers - - **Personal Identifiable Information (PII)** - Names, addresses, phone numbers + - **Personal Identifiable Information (PII)** - Names, addresses, phone numbers - **Government Identifiers** - SSNs, passport numbers, driver's licenses - **Healthcare Information** - Medical record numbers, patient data - **Custom Profiles** - Organization-specific data patterns - + :::note - DLP profiles can be created and managed in the [Zero Trust DLP dashboard](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/). + DLP profiles can be created and managed in the [Zero Trust DLP dashboard](/cloudflare-one/data-loss-prevention/dlp-profiles/). ::: - **Action**: Choose the action to take when any of the selected profiles match: @@ -89,7 +89,6 @@ To view only DLP-related requests: - **FLAG** - Show only requests where sensitive data was flagged - **BLOCK** - Show only requests that were blocked due to DLP policies - ## Error handling When DLP policies are triggered, your application will receive additional information through response headers and error codes. 
@@ -121,18 +120,21 @@ When a request matches DLP policies (whether flagged or blocked), an additional ```json { - "findings": [ - { - "profile": { - "context": {}, - "entry_ids": ["a1b2c3d4-e5f6-7890-abcd-ef1234567890", "f7e8d9c0-b1a2-3456-789a-bcdef0123456"], - "profile_id": "12345678-90ab-cdef-1234-567890abcdef" - }, - "policy_ids": ["block_financial_data"], - "check": "REQUEST" - } - ], - "action": "BLOCK" + "findings": [ + { + "profile": { + "context": {}, + "entry_ids": [ + "a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "f7e8d9c0-b1a2-3456-789a-bcdef0123456" + ], + "profile_id": "12345678-90ab-cdef-1234-567890abcdef" + }, + "policy_ids": ["block_financial_data"], + "check": "REQUEST" + } + ], + "action": "BLOCK" } ``` @@ -194,4 +196,4 @@ try { - Test with different sample data to understand detection patterns - Adjust profile selections if needed -For additional support with DLP configuration, refer to the [Cloudflare Data Loss Prevention documentation](/cloudflare-one/policies/data-loss-prevention/) or contact your Cloudflare support team. \ No newline at end of file +For additional support with DLP configuration, refer to the [Cloudflare Data Loss Prevention documentation](/cloudflare-one/data-loss-prevention/) or contact your Cloudflare support team. diff --git a/src/content/docs/browser-rendering/rest-api/json-endpoint.mdx b/src/content/docs/browser-rendering/rest-api/json-endpoint.mdx index d5d14dfc43ec80..a0413b90e4cf1d 100644 --- a/src/content/docs/browser-rendering/rest-api/json-endpoint.mdx +++ b/src/content/docs/browser-rendering/rest-api/json-endpoint.mdx 
@@ -24,19 +24,22 @@ https://api.cloudflare.com/client/v4/accounts//browser-rendering/json ``` ## Required fields + You must provide either `url` or `html`: -- `url` (string) -- `html` (string) + +- `url` (string) +- `html` (string) And at least one of: -- `prompt` (string), or -- `response_format` (object with a JSON Schema) + +- `prompt` (string), or +- `response_format` (object with a JSON Schema) ## Common use cases -- Extract product info (title, price, availability) or listings (jobs, rentals) -- Normalize article metadata (title, author, publish date, canonical URL) -- Convert unstructured pages into typed JSON for downstream pipelines +- Extract product info (title, price, availability) or listings (jobs, rentals) +- Normalize article metadata (title, author, publish date, canonical URL) +- Convert unstructured pages into typed JSON for downstream pipelines ## Basic Usage @@ -223,7 +226,7 @@ curl --request POST 'https://api.cloudflare.com/client/v4/accounts/CF_ACCOUNT_ID }, { "name": "Access", - "link": "https://developers.cloudflare.com/cloudflare-one/policies/access/" + "link": "https://developers.cloudflare.com/cloudflare-one/access-controls/policies/" }, { "name": "Tunnel", @@ -231,11 +234,11 @@ curl --request POST 'https://api.cloudflare.com/client/v4/accounts/CF_ACCOUNT_ID }, { "name": "Gateway", - "link": "https://developers.cloudflare.com/cloudflare-one/policies/gateway/" + "link": "https://developers.cloudflare.com/cloudflare-one/traffic-policies/" }, { "name": "Browser Isolation", - "link": "https://developers.cloudflare.com/cloudflare-one/policies/browser-isolation/" + "link": "https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/" }, { "name": "Replace your VPN", 
@@ -254,40 +257,37 @@ Below is an example using the TypeScript SDK: import Cloudflare from "cloudflare"; const client = new Cloudflare({ - apiToken: process.env["CLOUDFLARE_API_TOKEN"], // This is the default and can be omitted + apiToken: process.env["CLOUDFLARE_API_TOKEN"], // This is the default and can be omitted }); const json = await client.browserRendering.json.create({ - account_id: process.env["CLOUDFLARE_ACCOUNT_ID"], - url: "https://developers.cloudflare.com/", - prompt: "Get me the list of AI products", - response_format: { - type: "json_schema", - schema: { - type: "object", - properties: { - products: { - type: "array", - items: { - type: "object", - properties: { - name: { - type: "string" - }, - link: { - type: "string" - } - }, - required: [ - "name" - ] - } - } - } - } - } - } -); + account_id: process.env["CLOUDFLARE_ACCOUNT_ID"], + url: "https://developers.cloudflare.com/", + prompt: "Get me the list of AI products", + response_format: { + type: "json_schema", + schema: { + type: "object", + properties: { + products: { + type: "array", + items: { + type: "object", + properties: { + name: { + type: "string", + }, + link: { + type: "string", + }, + }, + required: ["name"], + }, + }, + }, + }, + }, +}); console.log(json); ``` @@ -375,12 +375,6 @@ In this example, Browser Rendering first calls Anthropic's Claude Sonnet 4 model ] ``` - + - + diff --git a/src/content/docs/browser-rendering/rest-api/links-endpoint.mdx b/src/content/docs/browser-rendering/rest-api/links-endpoint.mdx index 259e225064c729..4d7858eaece638 100644 --- a/src/content/docs/browser-rendering/rest-api/links-endpoint.mdx +++ b/src/content/docs/browser-rendering/rest-api/links-endpoint.mdx 
@@ -16,15 +16,17 @@ https://api.cloudflare.com/client/v4/accounts//browser-rendering/link ``` ## Required fields + You must provide either `url` or `html`: -- `url` (string) -- `html` (string) + +- `url` (string) +- `html` (string) ## Common use cases -- Collect only user-visible links for UX or SEO analysis -- Crawl a site by discovering links on seed pages -- Validate navigation/footers and detect broken or external links +- Collect only user-visible links for UX or SEO analysis +- Crawl a site by discovering links on seed pages +- Validate navigation/footers and detect broken or external links ## Basic usage 
@@ -74,10 +76,10 @@ curl -X POST 'https://api.cloudflare.com/client/v4/accounts//browser- "https://developers.cloudflare.com/ai-gateway/", "https://playground.ai.cloudflare.com/", "https://developers.cloudflare.com/products/?product-group=AI", - "https://developers.cloudflare.com/cloudflare-one/policies/access/", + "https://developers.cloudflare.com/cloudflare-one/access-controls/policies/", "https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/", - "https://developers.cloudflare.com/cloudflare-one/policies/gateway/", - "https://developers.cloudflare.com/cloudflare-one/policies/browser-isolation/", + "https://developers.cloudflare.com/cloudflare-one/traffic-policies/", + "https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/", "https://developers.cloudflare.com/learning-paths/replace-vpn/concepts/", "https://developers.cloudflare.com/products/?product-group=Cloudflare+One", "https://workers.cloudflare.com/playground#LYVwNgLglgDghgJwgegGYHsHALQBM4RwDcABAEbogB2+CAngLzbPYZb6HbW5QDGU2AAwAmAIyiAzMIAsATlmi5ALhYs2wDnC40+AkeKlyFcgLAAoAMLoqEAKY3sAESgBnGOhdRo1pSXV4CYhIqOGBbBgAiKBpbAA8AOgArFwjSVCgwe1DwqJiE5IjzKxt7CGwAFToYW184GBgwPgIoa2REuAA3OBdeBFgIAGpgdFxwW3NzOPckElxbVDhwCBIAbzMSEm66Kl4-WwheAAsACgRbAEcQWxcIAEpV9Y2SXmsbkkOIYDASBhIAAwAPABCRwAeQs5QAmgAFACi70+YAAfI8NgCKLg6Cink8AYdREiABK2MBgdAkADqmDAuAByHx2JxJABMCR5UOrhIwEQAGsQDASAB3bokADm9lsCAItlw5DomxIFjJIFwqDAiFslMwPMl8TprNRzOQGKxfyIZkNZwgIAQVGCtkFJAAStd3FQXLZjh8vgAaB5M962OBzBAuXxrAMbCIvEoOCBVWwRXwROyxFDesBEI6ID0QBgAVXKADFsAAOCI+w0bAC+lZx1du5prlerRHMqmY6k02h4-CEYkkMnkilkRWsdgczjcHi8LSovn8mlIITCkTChE0qT8GSyq4iZDJZEKlnHpQqCdq9UavGarWS1gmZhWEW50QA+sNRpkk7k5vkUtW7Ydl2gQ9ro-YGEOxiyMwQA", 
@@ -190,10 +192,10 @@ curl -X POST 'https://api.cloudflare.com/client/v4/accounts//browser- "https://developers.cloudflare.com/ai-gateway/", "https://playground.ai.cloudflare.com/", "https://developers.cloudflare.com/products/?product-group=AI", - "https://developers.cloudflare.com/cloudflare-one/policies/access/", + "https://developers.cloudflare.com/cloudflare-one/access-controls/policies/", "https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/", - "https://developers.cloudflare.com/cloudflare-one/policies/gateway/", - "https://developers.cloudflare.com/cloudflare-one/policies/browser-isolation/", + "https://developers.cloudflare.com/cloudflare-one/traffic-policies/", + "https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/", "https://developers.cloudflare.com/learning-paths/replace-vpn/concepts/", "https://developers.cloudflare.com/products/?product-group=Cloudflare+One", "https://workers.cloudflare.com/playground#LYVwNgLglgDghgJwgegGYHsHALQBM4RwDcABAEbogB2+CAngLzbPYZb6HbW5QDGU2AAwAmAIyiAzMIAsATlmi5ALhYs2wDnC40+AkeKlyFcgLAAoAMLoqEAKY3sAESgBnGOhdRo1pSXV4CYhIqOGBbBgAiKBpbAA8AOgArFwjSVCgwe1DwqJiE5IjzKxt7CGwAFToYW184GBgwPgIoa2REuAA3OBdeBFgIAGpgdFxwW3NzOPckElxbVDhwCBIAbzMSEm66Kl4-WwheAAsACgRbAEcQWxcIAEpV9Y2SXmsbkkOIYDASBhIAAwAPABCRwAeQs5QAmgAFACi70+YAAfI8NgCKLg6Cink8AYdREiABK2MBgdAkADqmDAuAByHx2JxJABMCR5UOrhIwEQAGsQDASAB3bokADm9lsCAItlw5DomxIFjJIFwqDAiFslMwPMl8TprNRzOQGKxfyIZkNZwgIAQVGCtkFJAAStd3FQXLZjh8vgAaB5M962OBzBAuXxrAMbCIvEoOCBVWwRXwROyxFDesBEI6ID0QBgAVXKADFsAAOCI+w0bAC+lZx1du5prlerRHMqmY6k02h4-CEYkkMnkilkRWsdgczjcHi8LSovn8mlIITCkTChE0qT8GSyq4iZDJZEKlnHpQqCdq9UavGarWS1gmZhWEW50QA+sNRpkk7k5vkUtW7Ydl2gQ9ro-YGEOxiyMwQA", @@ -252,12 +254,6 @@ curl -X POST 'https://api.cloudflare.com/client/v4/accounts//browser- }' ``` - + - + diff --git a/src/content/docs/byoip/index.mdx b/src/content/docs/byoip/index.mdx index e55f48dbb11a96..198567c93eeedf 100644 --- a/src/content/docs/byoip/index.mdx 
+++ b/src/content/docs/byoip/index.mdx @@ -9,17 +9,23 @@ head: content: Bringing Your Own IPs to Cloudflare --- -import { Plan, Description, Feature, CardGrid, LinkTitleCard } from "~/components"; +import { + Plan, + Description, + Feature, + CardGrid, + LinkTitleCard, +} from "~/components"; -Get Cloudflare's security and performance while using your own IPs. + Get Cloudflare's security and performance while using your own IPs. Considering [how Cloudflare works as a reverse proxy](/fundamentals/concepts/how-cloudflare-works/), for some customers it may be important to maintain this functionality while also keeping their website or application associated with their own public IP space (instead of Cloudflare's[^1]). -With Bring Your Own IP (BYOIP), Cloudflare announces your IPs in all our locations. Use your IPs with [Magic Transit](/magic-transit/), [Spectrum](/spectrum/), [CDN services](/cache/), or Gateway [DNS locations](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/) and [dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/). +With Bring Your Own IP (BYOIP), Cloudflare announces your IPs in all our locations. Use your IPs with [Magic Transit](/magic-transit/), [Spectrum](/spectrum/), [CDN services](/cache/), or Gateway [DNS locations](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/) and [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/). Learn how to [get started](/byoip/get-started/). 
@@ -28,11 +34,13 @@ Learn how to [get started](/byoip/get-started/). ## Features -Control whether traffic destined for a given IP address is routed to Magic Transit, CDN, or Spectrum. + Control whether traffic destined for a given IP address is routed to Magic + Transit, CDN, or Spectrum. -Specify which IP addresses should be mapped to DNS records when they are proxied through Cloudflare. + Specify which IP addresses should be mapped to DNS records when they are + proxied through Cloudflare. --- @@ -41,14 +49,23 @@ Specify which IP addresses should be mapped to DNS records when they are proxied - -An overview of BGP, RPKI, and other important aspects of Internet routing. + + An overview of BGP, RPKI, and other important aspects of Internet routing. - -Explore how you can leverage Cloudflare's platform to create solutions based on your business needs. + + Explore how you can leverage Cloudflare's platform to create solutions based + on your business needs. -[^1]: Without BYOIP, when your domain's records are `proxied`, Cloudflare responds with a Cloudflare-owned [anycast IP address](/fundamentals/concepts/cloudflare-ip-addresses/). \ No newline at end of file +[^1]: Without BYOIP, when your domain's records are `proxied`, Cloudflare responds with a Cloudflare-owned [anycast IP address](/fundamentals/concepts/cloudflare-ip-addresses/). diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access.mdx index d1d181653f56fd..16ffdc6ce4c72a 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access.mdx +++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access.mdx 
@@ -6,16 +6,15 @@ sidebar: head: - tag: title content: Secure with Cloudflare Access | Cloudflare for SaaS - --- -Cloudflare Access provides visibility and control over who has access to your [custom hostnames](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/). You can allow or block users based on identity, device posture, and other [Access rules](/cloudflare-one/policies/access/). +Cloudflare Access provides visibility and control over who has access to your [custom hostnames](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/). You can allow or block users based on identity, device posture, and other [Access rules](/cloudflare-one/access-controls/policies/). ## Prerequisites -* You must have an active custom hostname. For setup instructions, refer to [Configuring Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/). -* You must have a Cloudflare Zero Trust plan in your SaaS provider account. Learn more about [getting started with Zero Trust](/cloudflare-one/setup/). -* You can only run Access on custom hostnames if they are managed externally to Cloudflare or in a separate Cloudflare account. If the custom hostname zone is in the same account as the SaaS zone, the Access application will not be applied. +- You must have an active custom hostname. For setup instructions, refer to [Configuring Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/). +- You must have a Cloudflare Zero Trust plan in your SaaS provider account. Learn more about [getting started with Zero Trust](/cloudflare-one/setup/). +- You can only run Access on custom hostnames if they are managed externally to Cloudflare or in a separate Cloudflare account. If the custom hostname zone is in the same account as the SaaS zone, the Access application will not be applied. ## Setup 
diff --git a/src/content/docs/cloudflare-one/access-controls/index.mdx b/src/content/docs/cloudflare-one/access-controls/index.mdx new file mode 100644 index 00000000000000..091be4c3f1fd27 --- /dev/null +++ b/src/content/docs/cloudflare-one/access-controls/index.mdx @@ -0,0 +1,12 @@ +--- +pcx_content_type: navigation +title: Access controls +sidebar: + order: 7 + group: + hideIndex: true +--- + +import { DirectoryListing } from "~/components"; + + diff --git a/src/content/docs/cloudflare-one/policies/access/app-paths.mdx b/src/content/docs/cloudflare-one/access-controls/policies/app-paths.mdx similarity index 100% rename from src/content/docs/cloudflare-one/policies/access/app-paths.mdx rename to src/content/docs/cloudflare-one/access-controls/policies/app-paths.mdx diff --git a/src/content/docs/cloudflare-one/policies/access/external-evaluation.mdx b/src/content/docs/cloudflare-one/access-controls/policies/external-evaluation.mdx similarity index 100% rename from src/content/docs/cloudflare-one/policies/access/external-evaluation.mdx rename to src/content/docs/cloudflare-one/access-controls/policies/external-evaluation.mdx diff --git a/src/content/docs/cloudflare-one/policies/access/groups.mdx b/src/content/docs/cloudflare-one/access-controls/policies/groups.mdx similarity index 84% rename from src/content/docs/cloudflare-one/policies/access/groups.mdx rename to src/content/docs/cloudflare-one/access-controls/policies/groups.mdx index 87f8f0c4e7a05b..a74cb54d1f8760 100644 --- a/src/content/docs/cloudflare-one/policies/access/groups.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/groups.mdx 
@@ -7,7 +7,7 @@ sidebar: import { Render } from "~/components"; -A rule group is a collection of Access rules that can be configured once and then quickly applied across many Access policies. Rule groups use the same [rule types](/cloudflare-one/policies/access/#rule-types) and [selectors](/cloudflare-one/policies/access/#selectors) shown in the Access policy builder. +A rule group is a collection of Access rules that can be configured once and then quickly applied across many Access policies. Rule groups use the same [rule types](/cloudflare-one/access-controls/policies/#rule-types) and [selectors](/cloudflare-one/access-controls/policies/#selectors) shown in the Access policy builder. :::note Rule groups are distinct from groups in your identity provider, like Okta groups. Rule groups can contain a mix of individual users, groups from identity providers, and service authentication options like service tokens. @@ -29,4 +29,4 @@ If adding more than one IP address or range to a rule group, use an Include rule ### Country requirements -You can create a rule group that consists of countries to allow or block. Access will treat the countries in the Include rule with an OR logical operator. When building policies for an Access application, you can assign this rule group to a Require policy to require at least one of the countries inside of the group. For an example policy, refer to [Require rules with OR operators](/cloudflare-one/policies/access/#require-rules-with-or-operators). +You can create a rule group that consists of countries to allow or block. Access will treat the countries in the Include rule with an OR logical operator. When building policies for an Access application, you can assign this rule group to a Require policy to require at least one of the countries inside of the group. For an example policy, refer to [Require rules with OR operators](/cloudflare-one/access-controls/policies/#require-rules-with-or-operators). 
diff --git a/src/content/docs/cloudflare-one/policies/access/index.mdx b/src/content/docs/cloudflare-one/access-controls/policies/index.mdx similarity index 93% rename from src/content/docs/cloudflare-one/policies/access/index.mdx rename to src/content/docs/cloudflare-one/access-controls/policies/index.mdx index 6352199c7c3582..a3f52c392385d0 100644 --- a/src/content/docs/cloudflare-one/policies/access/index.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/index.mdx @@ -1,8 +1,8 @@ --- pcx_content_type: configuration -title: Access +title: Policies sidebar: - order: 2 + order: 1 head: - tag: title content: Access policies @@ -44,7 +44,7 @@ For example, this second configuration lets any user from Portugal with a `@team ### Block -The Block action prevents users who meet certain critera from reaching an application behind Access. For example, the following policy blocks requests from Russian source IPs that are not on your [list of approved IPs](/cloudflare-one/policies/gateway/lists/). +The Block action prevents users who meet certain critera from reaching an application behind Access. For example, the following policy blocks requests from Russian source IPs that are not on your [list of approved IPs](/cloudflare-one/traffic-policies/lists/). | Action | Rule type | Selector | Value | | ------ | --------- | -------- | ----------------- | 
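Review bot: The new-side sentence in the Block section still carries the misspelling "critera" even though the commit rewrites that line for the link change; correct it in the same edit: `The Block action prevents users who meet certain critera from reaching an application behind Access.` becomes `The Block action prevents users who meet certain criteria from reaching an application behind Access.`. The surrounding table and the rest of the Block section are context and unchanged here.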
@@ -57,9 +57,9 @@ Block policies are best used in conjunction with [Allow policies](#allow) as a w :::caution[Warning] -Bypass does not enforce any Access security controls and requests are not logged. Bypass policies should be tested before deploying to production. Consider using [Service Auth](/cloudflare-one/policies/access/#service-auth) if you would like to enforce policies and maintain logging without requiring user authentication. +Bypass does not enforce any Access security controls and requests are not logged. Bypass policies should be tested before deploying to production. Consider using [Service Auth](/cloudflare-one/access-controls/policies/#service-auth) if you would like to enforce policies and maintain logging without requiring user authentication. -As Bypass does not enforce Access security controls, Bypass policies do not support identity-based [rule types](/cloudflare-one/policies/access/#rule-types). When making Bypass policies, you will not be able to apply certain identity-based [selectors](/cloudflare-one/policies/access/#selectors) (such as email). +As Bypass does not enforce Access security controls, Bypass policies do not support identity-based [rule types](/cloudflare-one/access-controls/policies/#rule-types). When making Bypass policies, you will not be able to apply certain identity-based [selectors](/cloudflare-one/access-controls/policies/#selectors) (such as email). ::: @@ -116,7 +116,7 @@ the policy will only grant access to people reaching the application from both t To require only one country and one email ending: -1. [Create a rule group](/cloudflare-one/policies/access/groups/) that includes users in Portugal OR in the United States: +1. [Create a rule group](/cloudflare-one/access-controls/policies/groups/) that includes users in Portugal OR in the United States: | Rule type | Selector | Value | | --------- | -------- | --------------------------- | 
@@ -139,7 +139,7 @@ Non-identity attributes are polled continuously, meaning they are-evaluated with | ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------- | ------------------------ | | Emails | `you@company.com` | ✅ | ❌ | ✅ | | Emails ending in | `@company.com` | ✅ | ❌ | ✅ | -| External Evaluation | Allows or denies access based on [custom logic](/cloudflare-one/policies/access/external-evaluation/) in an external API. | ✅ | ❌ | ✅ | +| External Evaluation | Allows or denies access based on [custom logic](/cloudflare-one/access-controls/policies/external-evaluation/) in an external API. | ✅ | ❌ | ✅ | | IP ranges | `192.168.100.1/24` (supports IPv4/IPv6 addresses and CIDR ranges) | ✅ | ✅ | ❌ | | Country | Uses the IP address to determine country. | ✅ | ✅ | ❌ | | Everyone | Allows, denies, or bypasses access to everyone. | ✅ | ❌ | ❌ | 
@@ -148,7 +148,7 @@ Non-identity attributes are polled continuously, meaning they are-evaluated with | Service Token | The request will need to present the correct service token headers configured for the specific application. | ✅ | ✅ | ❌ | | Any Access Service Token | The request will need to present the headers for any [service token](/cloudflare-one/identity/service-tokens/) created for this account. | ✅ | ✅ | ❌ | | Login Methods | Checks the identity provider used at the time of login. | ✅ | ❌ | ✅ | -| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/policies/access/mfa-requirements/) method used by the user, if supported by the identity provider. | ✅ | ❌ | ✅ | +| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/access-controls/policies/mfa-requirements/) method used by the user, if supported by the identity provider. | ✅ | ❌ | ✅ | | Identity provider group | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](/cloudflare-one/identity/users/scim/). | ✅ | ❌ | ✅ | | SAML Group | Checks a SAML attribute name / value pair. This selector only displays if you use a [generic SAML](/cloudflare-one/integrations/identity-providers/generic-saml/) identity provider. | ✅ | ❌ | ✅ | | OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](/cloudflare-one/integrations/identity-providers/generic-oidc/) identity provider. | ✅ | ❌ | ✅ | @@ -190,3 +190,7 @@ If you add any of the following rules to an Allow policy, anyone will be able to | Rule type | Selector | Value | | --------- | ------------- | -------------- | | Include | Login Methods | `One-time PIN` | + +## Additional resources + +- [API and Terraform](/cloudflare-one/api-terraform/) provide programmatic ways to manage your Access policies and configurations. 
diff --git a/src/content/docs/cloudflare-one/policies/access/isolate-application.mdx b/src/content/docs/cloudflare-one/access-controls/policies/isolate-application.mdx similarity index 57% rename from src/content/docs/cloudflare-one/policies/access/isolate-application.mdx rename to src/content/docs/cloudflare-one/access-controls/policies/isolate-application.mdx index 9bee4fdde051f7..ff8a12b73024f5 100644 --- a/src/content/docs/cloudflare-one/policies/access/isolate-application.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/isolate-application.mdx @@ -9,10 +9,10 @@ import { Render } from "~/components"; :::note -Requires [Cloudflare Browser Isolation](/cloudflare-one/policies/browser-isolation/). +Requires [Cloudflare Browser Isolation](/cloudflare-one/remote-browser-isolation/). ::: -With Access policies, you can require users to open self-hosted applications in a secure [remote browser](/cloudflare-one/policies/browser-isolation/). Because the remote browser is directly integrated into our Secure Web Gateway platform, [HTTP policies](/cloudflare-one/policies/gateway/http-policies/) can be applied to isolated applications without needing to install the WARP client. This allows you to distribute internal applications to unmanaged users while retaining control over sensitive data. +With Access policies, you can require users to open self-hosted applications in a secure [remote browser](/cloudflare-one/remote-browser-isolation/). Because the remote browser is directly integrated into our Secure Web Gateway platform, [HTTP policies](/cloudflare-one/traffic-policies/http-policies/) can be applied to isolated applications without needing to install the WARP client. This allows you to distribute internal applications to unmanaged users while retaining control over sensitive data. ## Prerequisites 
@@ -24,11 +24,11 @@ With Access policies, you can require users to open self-hosted applications in ## Policies for isolated applications -Traffic to the isolated Access application is filtered by your Gateway [HTTP policies](/cloudflare-one/policies/gateway/http-policies/). Useful policies include: +Traffic to the isolated Access application is filtered by your Gateway [HTTP policies](/cloudflare-one/traffic-policies/http-policies/). Useful policies include: -- [Identity-based policies](/cloudflare-one/policies/gateway/identity-selectors/) to allow or block requests based on user identity. -- [Data Loss Prevention policies](/cloudflare-one/policies/data-loss-prevention/) to log or block transmission of sensitive data. -- [Isolation policies](/cloudflare-one/policies/browser-isolation/isolation-policies/) to disable browser actions such as copy/paste, printing, or file downloads. +- [Identity-based policies](/cloudflare-one/traffic-policies/identity-selectors/) to allow or block requests based on user identity. +- [Data Loss Prevention policies](/cloudflare-one/data-loss-prevention/) to log or block transmission of sensitive data. +- [Isolation policies](/cloudflare-one/remote-browser-isolation/isolation-policies/) to disable browser actions such as copy/paste, printing, or file downloads. For example, if your application is hosted on `internal.site.com`, the following policy blocks users from uploading and downloading credit card numbers within the remote browser: diff --git a/src/content/docs/cloudflare-one/policies/access/mfa-requirements.mdx b/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx similarity index 95% rename from src/content/docs/cloudflare-one/policies/access/mfa-requirements.mdx rename to src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx index b37e4d0ce38531..8d3861a8362085 100644 --- a/src/content/docs/cloudflare-one/policies/access/mfa-requirements.mdx 
+++ b/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx @@ -27,7 +27,7 @@ To enforce an MFA requirement to an application: 4. If your application already has a policy containing an identity requirement, find it and select **Configure**. :::note - The policy should contain an Include rule that uses identity-based selectors. For example, the Include rule could allow users who are part of a [rule group](/cloudflare-one/policies/access/groups/), email domain, or identity provider group. + The policy should contain an Include rule that uses identity-based selectors. For example, the Include rule could allow users who are part of a [rule group](/cloudflare-one/access-controls/policies/groups/), email domain, or identity provider group. ::: 5. Add the following rule to the policy: diff --git a/src/content/docs/cloudflare-one/policies/access/policy-management.mdx b/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx similarity index 91% rename from src/content/docs/cloudflare-one/policies/access/policy-management.mdx rename to src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx index c516542de69520..b2807d54672dca 100644 --- a/src/content/docs/cloudflare-one/policies/access/policy-management.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx 
@@ -16,13 +16,13 @@ To create a reusable Access policy: 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Policies**. 2. Select **Add a policy**. 3. Enter a **Policy name**. -4. Choose an [**Action**](/cloudflare-one/policies/access/#actions) for the policy. +4. Choose an [**Action**](/cloudflare-one/access-controls/policies/#actions) for the policy. 5. Choose a [**Session duration**](/cloudflare-one/identity/users/session-management/) for the policy. -6. Configure as many [**Rules**](/cloudflare-one/policies/access/#rule-types) as needed. +6. Configure as many [**Rules**](/cloudflare-one/access-controls/policies/#rule-types) as needed. 7. (Optional) Configure additional settings for users who match this policy: - - [Isolate application](/cloudflare-one/policies/access/isolate-application/). - - [Purpose justificaton](/cloudflare-one/policies/access/require-purpose-justification/) - - [Temporary authentication](/cloudflare-one/policies/access/temporary-auth/) + - [Isolate application](/cloudflare-one/access-controls/policies/isolate-application/). + - [Purpose justificaton](/cloudflare-one/access-controls/policies/require-purpose-justification/) + - [Temporary authentication](/cloudflare-one/access-controls/policies/temporary-auth/) 8. Select **Save**. You can now add this policy to an [Access application](/cloudflare-one/applications/). diff --git a/src/content/docs/cloudflare-one/policies/access/require-purpose-justification.mdx b/src/content/docs/cloudflare-one/access-controls/policies/require-purpose-justification.mdx similarity index 100% rename from src/content/docs/cloudflare-one/policies/access/require-purpose-justification.mdx rename to src/content/docs/cloudflare-one/access-controls/policies/require-purpose-justification.mdx 
diff --git a/src/content/docs/cloudflare-one/policies/access/temporary-auth.mdx b/src/content/docs/cloudflare-one/access-controls/policies/temporary-auth.mdx similarity index 96% rename from src/content/docs/cloudflare-one/policies/access/temporary-auth.mdx rename to src/content/docs/cloudflare-one/access-controls/policies/temporary-auth.mdx index 5b24cd305f50bd..18cededb5f144f 100644 --- a/src/content/docs/cloudflare-one/policies/access/temporary-auth.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/temporary-auth.mdx @@ -13,7 +13,7 @@ With Cloudflare Access, you can require that users obtain approval before they c 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. 2. Choose a **Self-hosted** or **SaaS** application and select **Configure**. 3. Choose an **Allow** policy and select **Configure**. -4. Under **Additional settings**, turn on [**Purpose justification**](/cloudflare-one/policies/access/require-purpose-justification/). +4. Under **Additional settings**, turn on [**Purpose justification**](/cloudflare-one/access-controls/policies/require-purpose-justification/). 5. Turn on **Temporary authentication**. 6. Enter the **Email addresses of the approvers**. :::note diff --git a/src/content/docs/cloudflare-one/account-limits.mdx b/src/content/docs/cloudflare-one/account-limits.mdx index 2c7a499ef400a9..40367f4faa37c7 100644 --- a/src/content/docs/cloudflare-one/account-limits.mdx +++ b/src/content/docs/cloudflare-one/account-limits.mdx @@ -2,7 +2,7 @@ pcx_content_type: reference title: Account limits sidebar: - order: 12 + order: 15 --- import { Render } from "~/components"; diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/index.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/index.mdx index 2ab3e01078f761..429e5f89c5ab06 100644 --- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/index.mdx 
+++ b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/index.mdx @@ -1,5 +1,4 @@ --- - pcx_content_type: example title: Access API examples sidebar: @@ -34,4 +33,7 @@ You can use the Cloudflare Access API to create policies, including individual r ## Example rule configurations - + diff --git a/src/content/docs/cloudflare-one/api-terraform/index.mdx b/src/content/docs/cloudflare-one/api-terraform/index.mdx index 0c1668a442a4af..af1ac12afd7f9b 100644 --- a/src/content/docs/cloudflare-one/api-terraform/index.mdx +++ b/src/content/docs/cloudflare-one/api-terraform/index.mdx @@ -2,7 +2,7 @@ pcx_content_type: navigation title: API and Terraform sidebar: - order: 10 + order: 11 --- import { DirectoryListing, Render } from "~/components"; @@ -26,4 +26,4 @@ All users, regardless of [user permissions](/cloudflare-one/roles-permissions/), The administrators managing policies and groups in Cloudflare Zero Trust might be different from those responsible for configuring WAF custom rules or other Cloudflare settings. You can configure scoped API tokens so that team members and automated systems can manage Zero Trust settings without having permission to modify other configurations in Cloudflare. -You can create a scoped API token [via the dashboard](/fundamentals/api/get-started/create-token/) or [via the API](/fundamentals/api/how-to/create-via-api/). For a list of available token permissions, refer to [API token permissions](/fundamentals/api/reference/permissions/). \ No newline at end of file +You can create a scoped API token [via the dashboard](/fundamentals/api/get-started/create-token/) or [via the API](/fundamentals/api/how-to/create-via-api/). For a list of available token permissions, refer to [API token permissions](/fundamentals/api/reference/permissions/). diff --git a/src/content/docs/cloudflare-one/applications/app-library.mdx b/src/content/docs/cloudflare-one/applications/app-library.mdx index a9f1c6c2f0eba7..5e07de6a6fcddc 100644 
--- a/src/content/docs/cloudflare-one/applications/app-library.mdx
+++ b/src/content/docs/cloudflare-one/applications/app-library.mdx
@@ -7,11 +7,11 @@ sidebar: import { Render, GlossaryTooltip } from "~/components"; -The Application Library allows users to manage their SaaS applications in Cloudflare Zero Trust by consolidating views across all relevant products: [Gateway](/cloudflare-one/policies/gateway/), [Access](/cloudflare-one/policies/access/), and [Cloud Access Security Broker (CASB)](/cloudflare-one/applications/casb/). The App Library provides visibility and control for available applications, as well as the ability to view categorized hostnames and manage configuration for Access for SaaS and Gateway policies. For example, you can use the App Library to review how Gateway uses specific hostnames to match against application traffic. +The Application Library allows users to manage their SaaS applications in Cloudflare Zero Trust by consolidating views across all relevant products: [Gateway](/cloudflare-one/traffic-policies/), [Access](/cloudflare-one/access-controls/policies/), and [Cloud Access Security Broker (CASB)](/cloudflare-one/applications/casb/). The App Library provides visibility and control for available applications, as well as the ability to view categorized hostnames and manage configuration for Access for SaaS and Gateway policies. For example, you can use the App Library to review how Gateway uses specific hostnames to match against application traffic. -To access the App Library in [Zero Trust](https://one.dash.cloudflare.com/), go to **My team** > **App Library**. Each application card will list the number of hostnames associated with the application, the supported Zero Trust product usage, and the [app type](/cloudflare-one/policies/gateway/application-app-types/#app-types). +To access the App Library in [Zero Trust](https://one.dash.cloudflare.com/), go to **My team** > **App Library**. 
Each application card will list the number of hostnames associated with the application, the supported Zero Trust product usage, and the [app type](/cloudflare-one/traffic-policies/application-app-types/#app-types). -The App Library groups [Do Not Inspect applications](/cloudflare-one/policies/gateway/application-app-types/#do-not-inspect-applications) within the corresponding application. For example, the App Library will group _Google Drive (Do Not Inspect)_ under **Google Drive**. Traffic that does not match a known application will not be included in the App Library. +The App Library groups [Do Not Inspect applications](/cloudflare-one/traffic-policies/application-app-types/#do-not-inspect-applications) within the corresponding application. For example, the App Library will group _Google Drive (Do Not Inspect)_ under **Google Drive**. Traffic that does not match a known application will not be included in the App Library. ## View application details @@ -24,7 +24,7 @@ The **Overview** tab shows details about an application, including: - Name - Shadow IT [review status](#review-applications) - Number of hostnames -- [App type](/cloudflare-one/policies/gateway/application-app-types/#app-types) +- [App type](/cloudflare-one/traffic-policies/application-app-types/#app-types) - Supported Zero Trust applications - Application ID for use with the API and Terraform 
@@ -34,11 +34,11 @@ The **Findings** tab shows any connected [CASB integrations](/cloudflare-one/app ### Policies -The **Policies** tab shows any [Gateway](/cloudflare-one/policies/gateway/) and [Access for SaaS](/cloudflare-one/applications/configure-apps/saas-apps/) policies related to the selected application. +The **Policies** tab shows any [Gateway](/cloudflare-one/traffic-policies/) and [Access for SaaS](/cloudflare-one/applications/configure-apps/saas-apps/) policies related to the selected application. ### Usage -The **Usage** tab shows any logs for [Gateway traffic requests](/cloudflare-one/insights/logs/gateway-logs/), [Access authentication events](/cloudflare-one/insights/logs/audit-logs/#authentication-logs), [Shadow IT Discovery user sessions](/cloudflare-one/insights/analytics/shadow-it-discovery/), and [generative AI prompt logs](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#view-prompt-logs) sent to the selected application. This section requires logs to be turned on for each feature. +The **Usage** tab shows any logs for [Gateway traffic requests](/cloudflare-one/insights/logs/gateway-logs/), [Access authentication events](/cloudflare-one/insights/logs/audit-logs/#authentication-logs), [Shadow IT Discovery user sessions](/cloudflare-one/insights/analytics/shadow-it-discovery/), and [generative AI prompt logs](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#view-prompt-logs) sent to the selected application. This section requires logs to be turned on for each feature. The Shadow IT Discovery dashboard will provide more details for discovered applications. To access Shadow IT Discovery in [Zero Trust](https://one.dash.cloudflare.com/), go to **Analytics**, then select **Shadow IT Discovery**. 
@@ -61,28 +61,29 @@ To view an application's confidence scorecard: 3. Review the Application Posture Score and the Generative AI Posture Score which are generated on the application card. ### Scoring methodology + #### Application Posture Score (5 points) The Application Posture Score evaluates SaaS providers across five major categories. -| Category | Points | Assessment Criteria | Scoring Logic | -|-------------------------------------|:-------:|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Security and Privacy Compliance | 1.2 | Presence of SOC 2 and ISO 27001 certifications, which signal operational maturity and adherence to security frameworks. | Full credit awarded for both certifications; partial credit for one certification; no credit if neither certification is present. | -| Data Management Practices | 1.0 | Data retention windows and whether the provider shares data with third parties. | Shorter retention periods and no third-party data sharing earn the highest marks. Applications with indefinite data retention or extensive data sharing receive lower scores. | -| Security Controls | 1.0 | Support for Multi-Factor Authentication (MFA), Single Sign-On (SSO), TLS 1.3, role-based access controls, and session monitoring capabilities. | These represent table stakes of modern SaaS security. Full credit requires comprehensive support across all controls; partial credit awarded for subset implementation. 
| -| Security Reports and Incident History | 1.0 | Availability of trust or security pages, active bug bounty programs, incident response transparency, and recent breach history. | Recent material breaches result in full point deduction. Proactive security measures like bug bounty programs and transparent incident reporting increase scores. | -| Financial Stability | 0.8 | Company financial status, funding levels, and operational stability. | Public companies and heavily capitalized providers score highest, while startups with limited funding or companies in financial distress receive lower scores. | -| Total Points | 5.0 | | | +| Category | Points | Assessment Criteria | Scoring Logic | +| ------------------------------------- | :----: | ---------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Security and Privacy Compliance | 1.2 | Presence of SOC 2 and ISO 27001 certifications, which signal operational maturity and adherence to security frameworks. | Full credit awarded for both certifications; partial credit for one certification; no credit if neither certification is present. | +| Data Management Practices | 1.0 | Data retention windows and whether the provider shares data with third parties. | Shorter retention periods and no third-party data sharing earn the highest marks. Applications with indefinite data retention or extensive data sharing receive lower scores. | +| Security Controls | 1.0 | Support for Multi-Factor Authentication (MFA), Single Sign-On (SSO), TLS 1.3, role-based access controls, and session monitoring capabilities. | These represent table stakes of modern SaaS security. 
Full credit requires comprehensive support across all controls; partial credit awarded for subset implementation. | +| Security Reports and Incident History | 1.0 | Availability of trust or security pages, active bug bounty programs, incident response transparency, and recent breach history. | Recent material breaches result in full point deduction. Proactive security measures like bug bounty programs and transparent incident reporting increase scores. | +| Financial Stability | 0.8 | Company financial status, funding levels, and operational stability. | Public companies and heavily capitalized providers score highest, while startups with limited funding or companies in financial distress receive lower scores. | +| Total Points | 5.0 | | | #### Generative AI Posture Score (5 points) -| Category | Points | Assessment Criteria | Scoring Logic | -|---------------------------|:-------:|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Compliance | 1.0 | Presence of ISO 42001 certification for AI management systems. | Full credit for ISO 42001 certification; no credit without this specialized AI governance certification. | -| Deployment Security Model | 1.0 | Whether application access requires authentication and implements rate limiting, or if services are publicly exposed without controls. | Authenticated access with proper rate limiting receives full credit; publicly exposed services without controls receive minimal scoring. | -| System Card | 1.0 | Publication of model or system cards documenting safety evaluations, bias testing, and risk assessments. 
| Comprehensive system cards with detailed safety and bias documentation receive full credit; incomplete or missing documentation results in score reduction. | -| Training Data Governance | 2.0 | Whether user data is explicitly excluded from model training and availability of opt-in/opt-out controls for training data usage. | Explicit exclusion of user data from training receives maximum points; opt-in/opt-out controls receive partial credit; no controls or guaranteed user data training receives minimal scoring. | -| **Total Points** | **5.0** | | | +| Category | Points | Assessment Criteria | Scoring Logic | +| ------------------------- | :-----: | -------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Compliance | 1.0 | Presence of ISO 42001 certification for AI management systems. | Full credit for ISO 42001 certification; no credit without this specialized AI governance certification. | +| Deployment Security Model | 1.0 | Whether application access requires authentication and implements rate limiting, or if services are publicly exposed without controls. | Authenticated access with proper rate limiting receives full credit; publicly exposed services without controls receive minimal scoring. | +| System Card | 1.0 | Publication of model or system cards documenting safety evaluations, bias testing, and risk assessments. | Comprehensive system cards with detailed safety and bias documentation receive full credit; incomplete or missing documentation results in score reduction. | +| Training Data Governance | 2.0 | Whether user data is explicitly excluded from model training and availability of opt-in/opt-out controls for training data usage. 
| Explicit exclusion of user data from training receives maximum points; opt-in/opt-out controls receive partial credit; no controls or guaranteed user data training receives minimal scoring. | +| **Total Points** | **5.0** | | | ### Automated scoring infrastructure diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-dlp.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-dlp.mdx index 9e820fa6458ba1..7a9aadbf009d09 100644 --- a/src/content/docs/cloudflare-one/applications/casb/casb-dlp.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/casb-dlp.mdx @@ -11,7 +11,7 @@ import { Render } from "~/components"; Requires Cloudflare CASB and Cloudflare DLP. ::: -You can use [Cloudflare Data Loss Prevention (DLP)](/cloudflare-one/policies/data-loss-prevention/) to discover if files stored in a SaaS application contains sensitive data. To perform DLP scans in a SaaS app, first configure a [DLP profile](#configure-a-dlp-profile) with the data patterns you want to detect, then [add the profile](#enable-dlp-scans-in-casb) to a CASB integration. +You can use [Cloudflare Data Loss Prevention (DLP)](/cloudflare-one/data-loss-prevention/) to discover if files stored in a SaaS application contains sensitive data. To perform DLP scans in a SaaS app, first configure a [DLP profile](#configure-a-dlp-profile) with the data patterns you want to detect, then [add the profile](#enable-dlp-scans-in-casb) to a CASB integration. ## Supported integrations @@ -36,7 +36,7 @@ Your DLP profile is now ready to use with CASB. Your DLP profile is now ready to use with CASB. -For more information, refer to [Configure a DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/). +For more information, refer to [Configure a DLP profile](/cloudflare-one/data-loss-prevention/dlp-profiles/). ## Enable DLP scans in CASB 
@@ -70,6 +70,6 @@ In order to scan historical data, you must enable the DLP profile during the [in DLP in CASB will only scan: -- [Text-based files](/cloudflare-one/policies/data-loss-prevention/#supported-file-types) such as documents, spreadsheets, and PDFs. Images are not supported. +- [Text-based files](/cloudflare-one/data-loss-prevention/#supported-file-types) such as documents, spreadsheets, and PDFs. Images are not supported. - Files less than or equal 100 MB in size. - Source code with a minimum size of 5 KB for Java and R. diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx index 169fb868b747ea..384703ad5febe1 100644 --- a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx @@ -32,7 +32,7 @@ These permissions follow the principle of least privilege to ensure that only th ## Compute account -You can connect an AWS compute account to your CASB integration to perform [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/) scans within your S3 bucket and avoid data egress. CASB will scan any objects that exist in the bucket at the time of configuration. +You can connect an AWS compute account to your CASB integration to perform [Data Loss Prevention](/cloudflare-one/data-loss-prevention/) scans within your S3 bucket and avoid data egress. CASB will scan any objects that exist in the bucket at the time of configuration. ### Add a compute account 
@@ -48,7 +48,7 @@ Once your AWS compute account has successfully connected to your CASB integratio 2. Find and select your AWS integration. 3. Select **Create new configuration**. 4. In **Resources**, choose the buckets you want to scan. Select **Continue**. -5. Choose the file types, sampling percentage, and [DLP profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/) to scan for. +5. Choose the file types, sampling percentage, and [DLP profiles](/cloudflare-one/data-loss-prevention/dlp-profiles/) to scan for. 6. (Optional) Configure additional settings, such as the limit of API calls over time for CASB to adhere to. 7. Select **Continue**. 8. Review the details of the scan, then select **Start scan**. diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/gcp-cloud-storage.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/gcp-cloud-storage.mdx index 4f4b6c24b17796..7e53ecff996ff3 100644 --- a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/gcp-cloud-storage.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/gcp-cloud-storage.mdx @@ -31,7 +31,7 @@ These permissions follow the principle of least privilege to ensure that only th ## Compute account -You can connect a GCP compute account to your CASB integration to perform [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/) scans within your Cloud Storage bucket and avoid data egress. CASB will scan any objects that exist in the bucket at the time of configuration. +You can connect a GCP compute account to your CASB integration to perform [Data Loss Prevention](/cloudflare-one/data-loss-prevention/) scans within your Cloud Storage bucket and avoid data egress. CASB will scan any objects that exist in the bucket at the time of configuration. ### Add a compute account 
@@ -53,7 +53,7 @@ Once your GCP compute account has successfully connected to your CASB integratio 2. Find and select your GCP integration. 3. Select **Create new configuration**. 4. In **Resources**, choose the buckets you want to scan. Select **Continue**. -5. Choose the file types, sampling percentage, and [DLP profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/) to scan for. +5. Choose the file types, sampling percentage, and [DLP profiles](/cloudflare-one/data-loss-prevention/dlp-profiles/) to scan for. 6. (Optional) Configure additional settings, such as the limit of API calls over time for CASB to adhere to. 7. Select **Continue**. 8. Review the details of the scan, then select **Start scan**. diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/microsoft-365/index.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/microsoft-365/index.mdx index ab75fd6e440974..6d42598e2d5de9 100644 --- a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/microsoft-365/index.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/microsoft-365/index.mdx 
@@ -110,8 +110,8 @@ To learn more about each permission, refer to the [Microsoft Graph permissions d :::note -Requires [Cloudflare DLP](/cloudflare-one/policies/data-loss-prevention/). +Requires [Cloudflare DLP](/cloudflare-one/data-loss-prevention/). ::: -Microsoft provides [MIP sensitivity labels](https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide) to classify and protect sensitive data. When you add the CASB Microsoft 365 integration, Cloudflare will automatically retrieve the labels from your Microsoft account and populate them in a [DLP Profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/integration-profiles/). +Microsoft provides [MIP sensitivity labels](https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide) to classify and protect sensitive data. When you add the CASB Microsoft 365 integration, Cloudflare will automatically retrieve the labels from your Microsoft account and populate them in a [DLP Profile](/cloudflare-one/data-loss-prevention/dlp-profiles/integration-profiles/). diff --git a/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx b/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx index fe76ddbe4a1f48..d3f8650d69dd86 100644 --- a/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx @@ -54,7 +54,7 @@ The new severity level will only apply to the posture finding within this specif ## Content findings -Content findings include instances of potential data exposure as identified by [DLP](/cloudflare-one/policies/data-loss-prevention/). +Content findings include instances of potential data exposure as identified by [DLP](/cloudflare-one/data-loss-prevention/). To view details about the content findings that CASB found: 
@@ -182,7 +182,7 @@ CASB supports creating a Gateway policy for findings from the [Google Workspace :::note[Before you begin] -Ensure that you have [enabled HTTP filtering](/cloudflare-one/policies/gateway/initial-setup/http/) for your organization. +Ensure that you have [enabled HTTP filtering](/cloudflare-one/traffic-policies/initial-setup/http/) for your organization. ::: To create a Gateway policy directly from a CASB finding: @@ -195,7 +195,7 @@ To create a Gateway policy directly from a CASB finding: :::note Not all CASB findings will have the **Block with Gateway HTTP policy** option. Unsupported findings can only be resolved from your application dashboard or through your domain provider. ::: -6. (Optional) [Configure the HTTP policy](/cloudflare-one/policies/gateway/http-policies/). For example, if the policy blocks an unsanctioned third-party app, you can apply the policy to some or all users, or only block uploads or downloads. +6. (Optional) [Configure the HTTP policy](/cloudflare-one/traffic-policies/http-policies/). For example, if the policy blocks an unsanctioned third-party app, you can apply the policy to some or all users, or only block uploads or downloads. 7. Select **Save**. Your HTTP policy will now prevent future instances of the security finding. diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/index.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/index.mdx index 11906144780757..124b7da3c97202 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/index.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/index.mdx 
@@ -7,7 +7,7 @@ sidebar: import { Render } from "~/components"; -Cloudflare Access allows you to secure your web applications by acting as an identity aggregator, or proxy. You can use signals from your existing identity providers (IdPs), device posture providers, and [other rules](/cloudflare-one/policies/access/#selectors) to control who can log in to the application. +Cloudflare Access allows you to secure your web applications by acting as an identity aggregator, or proxy. You can use signals from your existing identity providers (IdPs), device posture providers, and [other rules](/cloudflare-one/access-controls/policies/#selectors) to control who can log in to the application. ![Cloudflare Access verifies a user's identity before granting access to your application.](~/assets/images/cloudflare-one/applications/diagram-saas.jpg) 
@@ -16,9 +16,8 @@ You can protect the following types of web applications: - [**SaaS applications**](/cloudflare-one/applications/configure-apps/saas-apps/) consist of applications your team relies on that are not hosted by your organization. Examples include Salesforce and Workday. To secure SaaS applications, you must integrate Cloudflare Access with the SaaS application's SSO configuration. - **Self-hosted applications** consist of internal applications that you host in your own environment. These can be the data center versions of tools like the Atlassian suite or applications created by your own team. Setup requirements for a self-hosted application depend on whether the application is publicly accessible on the Internet or restricted to users on a private network. - - [**Public hostname applications**](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) are web applications that have public DNS records. Anyone on the Internet can access the application by entering the URL in their browser and authenticating through Cloudflare Access. Securing access to a public website requires a Cloudflare DNS [full setup](/dns/zone-setups/full-setup/) or [partial CNAME setup](/dns/zone-setups/partial-setup/). - - [**Private network applications**](/cloudflare-one/applications/non-http/self-hosted-private-app/) do not have public DNS records, meaning they are not reachable from the public Internet. To connect using a private IP or private hostname, the user's traffic must route through Cloudflare Gateway. The preferred method is to install the WARP client on the user's device, but you could also forward device traffic from a [network location](/magic-wan/) or use an agentless option such as [PAC files](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) or [Clientless Web Isolation](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/). 
+ - [**Private network applications**](/cloudflare-one/applications/non-http/self-hosted-private-app/) do not have public DNS records, meaning they are not reachable from the public Internet. To connect using a private IP or private hostname, the user's traffic must route through Cloudflare Gateway. The preferred method is to install the WARP client on the user's device, but you could also forward device traffic from a [network location](/magic-wan/) or use an agentless option such as [PAC files](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) or [Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/). - [**Model Context Protocol (MCP) servers**](/cloudflare-one/applications/configure-apps/mcp-servers/) are web applications that enable generative AI tools to read and write data within your business applications. For example, Salesforce provides an [MCP server](https://github.com/salesforcecli/mcp) for developers to interact with resources in their Salesforce tenant using GitHub Copilot or other AI code editors. diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/linked-apps.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/linked-apps.mdx index 24ecb42795e274..147fe8901a86d8 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/linked-apps.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/linked-apps.mdx 
@@ -8,11 +8,11 @@ sidebar: label: Enable MCP OAuth to self-hosted apps --- -import { Render, GlossaryTooltip, APIRequest } from "~/components" +import { Render, GlossaryTooltip, APIRequest } from "~/components"; Cloudflare Access can delegate access from any [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to an [Access for SaaS MCP server](/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/) via [OAuth](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization). The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the user, using the user's specific permissions and scopes. -For example, your organization may wish to deploy an MCP server that helps employees interact with internal applications. You can configure [Access policies](/cloudflare-one/policies/access/#selectors) to ensure that only authorized users can access those applications, either directly or by using an MCP client. +For example, your organization may wish to deploy an MCP server that helps employees interact with internal applications. You can configure [Access policies](/cloudflare-one/access-controls/policies/#selectors) to ensure that only authorized users can access those applications, either directly or by using an MCP client. ```mermaid flowchart LR @@ -50,10 +50,7 @@ The first step is to add the MCP server to Cloudflare Access as an OIDC-based Sa Get the `id` of the MCP server SaaS application: - + ```json title="Response" { 
@@ -69,45 +66,45 @@ Get the `id` of the MCP server SaaS application: 1. Create the following Access policy, replacing the `app_uid` value with the `id` of your SaaS application: - - - :::note - The `linked_app_token` rule type only works with [`non_identity` decisions](/cloudflare-one/policies/access/#service-auth), similar to service token rules. - ::: + + + :::note + The `linked_app_token` rule type only works with [`non_identity` decisions](/cloudflare-one/access-controls/policies/#service-auth), similar to service token rules. + ::: 2. Copy the Access policy `id` returned in the response: - ```json title="Response" {5} - { - "created_at": "2025-08-06T20:06:23Z", - "decision": "non_identity", - "exclude": [], - "id": "a38ab4d4-336d-4f49-9e97-eff8550c13fa", - "include": [ - { - "linked_app_token": { - "app_uid": "6cdc3892-f9f1-4813-a5ce-38c2753e1208" - } - } - ], - "name": "Allow MCP server", - ... - } - ``` + ```json title="Response" {5} + { + "created_at": "2025-08-06T20:06:23Z", + "decision": "non_identity", + "exclude": [], + "id": "a38ab4d4-336d-4f49-9e97-eff8550c13fa", + "include": [ + { + "linked_app_token": { + "app_uid": "6cdc3892-f9f1-4813-a5ce-38c2753e1208" + } + } + ], + "name": "Allow MCP server", + ... + } + ``` This policy will allow requests if they present a valid OAuth access token that was issued for the specified SaaS application. @@ -117,22 +114,20 @@ You can add the `linked_app_token` policy to any `self_hosted` application in yo 1. Get your existing self-hosted application configuration: - + 2. Add the Access policy to the self-hosted application. To avoid overwriting your existing configuration, the `PUT` request body should contain all fields returned by the previous `GET` request. - + ## 5. Configure the MCP server 
@@ -143,6 +138,7 @@ Authorization: Bearer ACCESS_TOKEN ``` The end-to-end authorization flow is as follows: + 1. The MCP server authenticates against the Access for SaaS app via OAuth. 2. Upon success, the MCP server receives an `access_token`. 3. The MCP server makes an API request to the self-hosted application with the token in the request headers. @@ -151,4 +147,4 @@ The end-to-end authorization flow is as follows: ## Known limitations -The MCP OAuth feature only works with self-hosted applications that rely on the [Cloudflare Access JWT](/cloudflare-one/identity/authorization-cookie/validating-json/) to authenticate and identify the user. If the application implements its own layer of authentication after Cloudflare Access, then this feature is at best a partial solution. Requests that are successfully authenticated by Access may still be blocked by the application itself, resulting in an HTTP `401` or `403` error. \ No newline at end of file +The MCP OAuth feature only works with self-hosted applications that rely on the [Cloudflare Access JWT](/cloudflare-one/identity/authorization-cookie/validating-json/) to authenticate and identify the user. If the application implements its own layer of authentication after Cloudflare Access, then this feature is at best a partial solution. Requests that are successfully authenticated by Access may still be blocked by the application itself, resulting in an HTTP `401` or `403` error. diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/mcp-portals.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/mcp-portals.mdx index 2de401e644a15f..ea5aba242c3aa3 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/mcp-portals.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/mcp-portals.mdx 
@@ -10,7 +10,7 @@ sidebar: text: Beta --- -import { Render, GlossaryTooltip } from "~/components" +import { Render, GlossaryTooltip } from "~/components"; An MCP server portal centralizes multiple [Model Context Protocol (MCP) servers](https://www.cloudflare.com/learning/ai/what-is-model-context-protocol-mcp/) onto a single HTTP endpoint. Key benefits include: 
@@ -38,11 +38,12 @@ To add an MCP server: 4. Enter any name for the server. 5. (Optional) Enter a custom string for the **Server ID**. 6. In **HTTP URL**, enter the full URL of your MCP server. For example, if you want to add the [Cloudflare Documentation MCP server](https://github.com/cloudflare/mcp-server-cloudflare/tree/main/apps/docs-vectorize), enter `https://docs.mcp.cloudflare.com/sse`. -7. Add [Access policies](/cloudflare-one/policies/access/) to show or hide the server in an [MCP server portal](#create-a-portal). The MCP server link will only appear in the portal for users who match an Allow policy. Users who do not pass an Allow policy will not see this server through any portals. +7. Add [Access policies](/cloudflare-one/access-controls/policies/) to show or hide the server in an [MCP server portal](#create-a-portal). The MCP server link will only appear in the portal for users who match an Allow policy. Users who do not pass an Allow policy will not see this server through any portals. + + :::caution + Blocked users can still connect to the server (and bypass your Access policies) by using its direct URL. If you want to enforce authentication through Cloudflare Access, [configure Access as the server's OAuth provider](/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/). + ::: - :::caution - Blocked users can still connect to the server (and bypass your Access policies) by using its direct URL. If you want to enforce authentication through Cloudflare Access, [configure Access as the server's OAuth provider](/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/). - ::: 8. Select **Save and connect server**. 9. If the MCP server supports OAuth, you will be redirected to log in to your OAuth provider. You can log in to any account on the MCP server. The account used to authenticate will serve as the admin credential for that MCP server. 
You can [configure an MCP portal](#create-a-portal) to use this admin credential to make requests. @@ -52,11 +53,11 @@ Cloudflare Access will validate the server connection and fetch a list of tools The MCP server status indicates the synchronization status of the MCP server to Cloudflare Access. -| Status | Description | -| ------ | ----------- | -| Error | The server's authentication failed due to expired or incorrect credentials. To fix the issue, [reauthenticate the server](#reauthenticate-the-mcp-server). | -| Waiting | The server's tools, prompts, and resources are being synchronized. | -| Ready | The server was successfully synchronized and all tools, prompts, and resources are available. | +| Status | Description | +| ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Error | The server's authentication failed due to expired or incorrect credentials. To fix the issue, [reauthenticate the server](#reauthenticate-the-mcp-server). | +| Waiting | The server's tools, prompts, and resources are being synchronized. | +| Ready | The server was successfully synchronized and all tools, prompts, and resources are available. | ### Reauthenticate the MCP server 
@@ -89,13 +90,11 @@ To create an MCP server portal: 4. Under **Custom domain**, select a domain for the portal URL. Domains must belong to an active zone in your Cloudflare account. You can optionally specify a subdomain. 5. [Add MCP servers](#add-an-mcp-server) to the portal. 6. (Optional) Under **MCP servers**, configure the tools and prompts available through the portal. -7. (Optional) Configure **Require user auth** for servers that support OAuth: - - `Enabled`: (default) User will be prompted to utilize their own login credentials to establish a connection with the MCP server. - - `Disabled`: Users who are connected to the portal will automatically have access to the MCP server via its [admin credential](#reauthenticate-the-mcp-server). +7. (Optional) Configure **Require user auth** for servers that support OAuth: - `Enabled`: (default) User will be prompted to utilize their own login credentials to establish a connection with the MCP server. - `Disabled`: Users who are connected to the portal will automatically have access to the MCP server via its [admin credential](#reauthenticate-the-mcp-server). -7. Add [Access policies](/cloudflare-one/policies/access/) to define the users who can connect to the portal URL. -8. Select **Add an MCP server portal**. -9. (Optional) [Customize the login experience](#customize-login-settings) for the portal. +8. Add [Access policies](/cloudflare-one/access-controls/policies/) to define the users who can connect to the portal URL. +9. Select **Add an MCP server portal**. +10. (Optional) [Customize the login experience](#customize-login-settings) for the portal. Users can now [connect to the portal](#connect-to-a-portal) at `https://./mcp` using an MCP client. 
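Review bot: On the new side, step 7 (`+7. (Optional) Configure **Require user auth** for servers that support OAuth: - \`Enabled\`: … - \`Disabled\`: …`) folds the two sub-bullets into the same line, so they will render as one paragraph with literal dashes rather than a nested list; the hunk counts (13 old lines, 11 new) confirm the sub-items were merged rather than re-indented. Keep them as nested items under step 7, i.e. the step line ending in `OAuth:` followed by an indented `- \`Enabled\`: (default) …` line and an indented `- \`Disabled\`: …` line with the same wording as before. The distinction is worth keeping readable because, as the page states, `Disabled` means every portal user reaches the server through its admin credential. The renumbering of the following steps to 8–10 is correct and should stay.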
@@ -106,12 +105,12 @@ Cloudflare Access automatically creates an Access application for each MCP serve 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications**. 2. Find the portal that you want to configure, then select the three dots > **Edit**. 3. To configure identity providers for the portal: - 1. Select the **Login methods** tab. - 2. Select the [identity providers](/cloudflare-one/integrations/identity-providers/) that you want to enable for your application. - 3. (Recommended) If you plan to only allow access via a single identity provider, turn on **Instant Auth**. End users will not be shown the [Cloudflare Access login page](/cloudflare-one/applications/login-page/). Instead, Cloudflare will redirect users directly to your SSO login event. + 1. Select the **Login methods** tab. + 2. Select the [identity providers](/cloudflare-one/integrations/identity-providers/) that you want to enable for your application. + 3. (Recommended) If you plan to only allow access via a single identity provider, turn on **Instant Auth**. End users will not be shown the [Cloudflare Access login page](/cloudflare-one/applications/login-page/). Instead, Cloudflare will redirect users directly to your SSO login event. 4. To customize the block page: - 1. Select the **Experience settings** tab. - 2. + 1. Select the **Experience settings** tab. + 2. 5. Select **Save application**. ## Connect to a portal 
@@ -131,24 +130,24 @@ Workers AI Playground will show a **Connected** status and list the available to For MCP clients with server configuration files, we recommend using the `npx` command with the `mcp-remote@latest` argument: -``` json title= "MCP client configuration for MCP portals" +```json title= "MCP client configuration for MCP portals" { - "mcpServers": { - "example-mcp-server": { - "command": "npx", - "args": [ - "-y", - "mcp-remote@latest", - "https://..com/mcp" - ] - } - } + "mcpServers": { + "example-mcp-server": { + "command": "npx", + "args": [ + "-y", + "mcp-remote@latest", + "https://..com/mcp" + ] + } + } } ``` We do not recommend using the `serverURL` parameter since it may cause issues with portal session creation and management. -If you want to force your MCP client to reauthenticate, most MCP clients will refresh a session after removing the existing MCP OAuth sessions. To clear authentication credentials used by your MCP client, open a terminal and run the following command: +If you want to force your MCP client to reauthenticate, most MCP clients will refresh a session after removing the existing MCP OAuth sessions. To clear authentication credentials used by your MCP client, open a terminal and run the following command: :::note This command will trigger all MCP servers using `mcp-remote@latest` to force reauthenticate, not just MCP portals. 
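Review bot: The fence meta on the new side still reads `title= "MCP client configuration for MCP portals"` with a space between `=` and the opening quote; the commit fixed the stray space after the three backticks but not this one. If the docs' code-block component parses `key="value"` pairs strictly, the title may be dropped or shown verbatim, so I would write the opening line as ```` ```json title="MCP client configuration for MCP portals" ````. I cannot confirm from this hunk how the renderer tolerates the space, but the tighter form is the one used elsewhere in the tree.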
@@ -168,10 +167,10 @@ Portal logs allow you to monitor user activity through an MCP server portal. You ### Log fields -| Field | Description | -| ---- | ----------- | -| Time | Date and time of the request | -| Status | Whether the server successfully returned a response | -| Server | Name of the MCP server that handled the request | -| Capability | The tool used to process the request | -| Duration | Processing time for the request in milliseconds | +| Field | Description | +| ---------- | --------------------------------------------------- | +| Time | Date and time of the request | +| Status | Whether the server successfully returned a response | +| Server | Name of the MCP server that handled the request | +| Capability | The tool used to process the request | +| Duration | Processing time for the request in milliseconds | diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp.mdx index fe5f462eb6b805..08e24d79683eac 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp.mdx 
@@ -8,11 +8,17 @@ sidebar: label: Secure MCP servers with Access for SaaS --- -import { Render, GlossaryTooltip, Tabs, TabItem, APIRequest } from "~/components" +import { + Render, + GlossaryTooltip, + Tabs, + TabItem, + APIRequest, +} from "~/components"; You can secure [Model Context Protocol (MCP) servers](https://www.cloudflare.com/learning/ai/what-is-model-context-protocol-mcp/) by using Cloudflare Access as an OAuth Single Sign-On (SSO) provider. -This guide walks through how to deploy a remote MCP server on [Cloudflare Workers](/workers/) that requires Cloudflare Access for authentication. When users connect to the MCP server using an MCP client, they will be prompted to log in to your [identity provider](/cloudflare-one/integrations/identity-providers/) and are only granted access if they pass your [Access policies](/cloudflare-one/policies/access/#selectors). +This guide walks through how to deploy a remote MCP server on [Cloudflare Workers](/workers/) that requires Cloudflare Access for authentication. When users connect to the MCP server using an MCP client, they will be prompted to log in to your [identity provider](/cloudflare-one/integrations/identity-providers/) and are only granted access if they pass your [Access policies](/cloudflare-one/access-controls/policies/#selectors). ## Prerequisites 
@@ -24,56 +30,55 @@ This guide walks through how to deploy a remote " - } - ] - } - ``` + ```sh output + { + "kv_namespaces": [ + { + "binding": "OAUTH_KV", + "id": "" + } + ] + } + ``` -4. Open `wrangler.jsonc` in an editor and insert your `OAUTH_KV` namespace ID: +4. Open `wrangler.jsonc` in an editor and insert your `OAUTH_KV` namespace ID: - ```jsonc - "kv_namespaces": [ - { - "binding": "OAUTH_KV", - "id": "" - } - ], - ``` + ```jsonc + "kv_namespaces": [ + { + "binding": "OAUTH_KV", + "id": "" + } + ], + ``` +5. You can now deploy the Worker to Cloudflare's global network: -5. You can now deploy the Worker to Cloudflare's global network: - - ```sh - npx wrangler deploy - ``` + ```sh + npx wrangler deploy + ``` The Worker will be deployed to your `*.workers.dev` subdomain at `mcp-server-cf-access..workers.dev`. 
@@ -88,18 +93,18 @@ The Worker will be deployed to your `*.workers.dev` subdomain at `mcp-server-cf- 4. Select **OIDC** as the authentication protocol. 5. Select **Add application**. 6. In **Redirect URLs**, enter the authorization callback URL for your MCP server. The callback URL for our [example MCP server](#1-deploy-an-example-mcp-server) is - ```txt - https://mcp-server-cf-access..workers.dev/callback - ``` + `txt +https://mcp-server-cf-access..workers.dev/callback +` 7. Copy the following values to input into our example MCP server. Other MCP servers may require different sets of input values. - - **Client secret** - - **Client ID** - - **Token endpoint** - - **Authorization endpoint** - - **Key endpoint** + - **Client secret** + - **Client ID** + - **Token endpoint** + - **Authorization endpoint** + - **Key endpoint** 8. (Optional) Under **Advanced settings**, turn on [**Refresh tokens**](/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas/#advanced-settings) if you want to reduce the number of times a user needs to log in to the identity provider. -9. Configure [Access policies](/cloudflare-one/policies/access/) to define the users who can access the MCP server. +9. Configure [Access policies](/cloudflare-one/access-controls/policies/) to define the users who can access the MCP server. 10. Save the application. 
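Review bot: The callback URL in step 6 loses its fenced code block on the new side: the former ```` ```txt ```` fence is replaced by a line holding a single backtick followed by `txt`, the URL line at column 0, and a lone closing backtick, so the page will render the literal word `txt` and the URL as one run of inline code (or break the list item), and the subdomain placeholder inside the URL becomes hard to spot. Restore the fenced block indented under the list item: an opening ```` ```txt ```` line, the callback URL line, and a closing ```` ``` ```` line, all at the same indent as the item text. This looks like the formatter's treatment of an under-indented fence inside a list item, so the other indented fences touched in this file are worth the same check.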
@@ -107,31 +112,26 @@ The Worker will be deployed to your `*.workers.dev` subdomain at `mcp-server-cf- 1. Make a `POST` request to the [Access applications](/api/resources/zero_trust/subresources/access/subresources/applications/methods/create/) endpoint: - .workers.dev/callback" - ], - grant_type: [ - "authorization_code", - "refresh_tokens" - ], - refresh_token_options: { - lifetime: "90d" - } - }, - policies: [ - "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" - ], - allowed_idps: [] - }} - /> + .workers.dev/callback", + ], + grant_type: ["authorization_code", "refresh_tokens"], + refresh_token_options: { + lifetime: "90d", + }, + }, + policies: ["f174e90a-fafe-4643-bbbc-4a0ed4fc8415"], + allowed_idps: [], + }} + /> 2. Copy the `client_id` and `client_secret` returned in the response. 3. To determine the OAuth endpoint URLs for the SaaS application, refer to the [generic OIDC documentation](/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas/#2-add-your-application-to-access). 
@@ -145,39 +145,39 @@ Your MCP server needs to perform an OAuth 2.0 authorization flow to get an `acce To add OAuth endpoints and credentials to our [example MCP server](#1-deploy-an-example-mcp-server): -1. Create the following [Workers secrets](/workers/configuration/secrets/): +1. Create the following [Workers secrets](/workers/configuration/secrets/): - ```sh - wrangler secret put ACCESS_CLIENT_ID - wrangler secret put ACCESS_CLIENT_SECRET - wrangler secret put ACCESS_TOKEN_URL - wrangler secret put ACCESS_AUTHORIZATION_URL - wrangler secret put ACCESS_JWKS_URL - ``` + ```sh + wrangler secret put ACCESS_CLIENT_ID + wrangler secret put ACCESS_CLIENT_SECRET + wrangler secret put ACCESS_TOKEN_URL + wrangler secret put ACCESS_AUTHORIZATION_URL + wrangler secret put ACCESS_JWKS_URL + ``` -2. When prompted to enter a secret value, paste the corresponding values from your SaaS app: +2. When prompted to enter a secret value, paste the corresponding values from your SaaS app: - | Workers secret | SaaS app field | - | ------------- | -------------- | - | `ACCESS_CLIENT_ID`| Client ID | - | `ACCESS_CLIENT_SECRET` | Client secret | - | `ACCESS_TOKEN_URL` | Token endpoint | - | `ACCESS_AUTHORIZATION_URL` | Authorization endpoint | - | `ACCESS_JWKS_URL` | Key endpoint | + | Workers secret | SaaS app field | + | -------------------------- | ---------------------- | + | `ACCESS_CLIENT_ID` | Client ID | + | `ACCESS_CLIENT_SECRET` | Client secret | + | `ACCESS_TOKEN_URL` | Token endpoint | + | `ACCESS_AUTHORIZATION_URL` | Authorization endpoint | + | `ACCESS_JWKS_URL` | Key endpoint | -3. Configure a cookie encryption key: +3. Configure a cookie encryption key: - a. Generate a random string: + a. Generate a random string: - ```sh - openssl rand -hex 32 - ``` + ```sh + openssl rand -hex 32 + ``` - b. Store the string in a Workers secret: + b. 
Store the string in a Workers secret: - ```sh - wrangler secret put COOKIE_ENCRYPTION_KEY - ``` + ```sh + wrangler secret put COOKIE_ENCRYPTION_KEY + ``` ## 4. Test the connection @@ -187,7 +187,7 @@ To test in Workers AI Playground: 1. Go to [Workers AI Playground](https://playground.ai.cloudflare.com/). -2. Under **MCP Servers**, enter `https://mcp-server-cf-access..workers.dev/mcp` for the MCP server URL. +2. Under **MCP Servers**, enter `https://mcp-server-cf-access..workers.dev/mcp` for the MCP server URL. 3. Select **Connect**. diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/adobe-sign-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/adobe-sign-saas.mdx index 18ae810383f5fa..57a81d820e4bad 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/adobe-sign-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/adobe-sign-saas.mdx @@ -4,16 +4,15 @@ title: Adobe Acrobat Sign reviewed: 2024-07-17 sidebar: order: 2 - --- This guide covers how to configure [Adobe Acrobat Sign](https://helpx.adobe.com/sign/using/enable-saml-single-sign-on.html) as a SAML application in Cloudflare Zero Trust. ## Prerequisites -* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust -* Admin access to a Adobe Acrobat Sign account -* A [claimed domain](https://helpx.adobe.com/sign/using/claim-domain-names.html) in Adobe Acrobat Sign +- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust +- Admin access to a Adobe Acrobat Sign account +- A [claimed domain](https://helpx.adobe.com/sign/using/claim-domain-names.html) in Adobe Acrobat Sign ## 1. Add a SaaS application to Cloudflare Zero Trust 
@@ -32,19 +31,19 @@ This guide covers how to configure [Adobe Acrobat Sign](https://helpx.adobe.com/
 3. Enter a hostname (for example, `yourcompanyname`). Users can use this URL or `https://secure.adobesign.com/public/login` to sign in via SSO.
 4. (Optional) For **Single Sign On Login Message**, enter a custom message (for example, `Log in via SSO`). The default message is **Sign in using your corporate credentials**.
 5. Fill in the following fields:
- * **Entity ID/Issuer URL**: Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust.
- * **Login URL/SSO Endpoint**: SSO endpoint from application configuration in Cloudflare Zero Trust.
- * **IdP Certificate**: Public key from application configuration in Cloudflare Zero Trust. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.
+ - **Entity ID/Issuer URL**: Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust.
+ - **Login URL/SSO Endpoint**: SSO endpoint from application configuration in Cloudflare Zero Trust.
+ - **IdP Certificate**: Public key from application configuration in Cloudflare Zero Trust. Wrap the certificate in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.
 6. Copy the **Entity ID/SAML Audience** and **Assertion Consumer URL**.
 7. Select **Save**.
 ## 3. Finish adding a SaaS application to Cloudflare Zero Trust
 1. In your open Zero Trust window, fill in the following fields:
- * **Entity ID**: Entity ID/SAML Audience from Adobe Acrobat Sign SAML SSO configuration.
- * **Assertion Consumer Service URL**: Assertion Consumer URL from Adobe Acrobat Sign SAML SSO configuration.
- * **Name ID format**: *Email*
-2. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+ - **Entity ID**: Entity ID/SAML Audience from Adobe Acrobat Sign SAML SSO configuration.
+ - **Assertion Consumer Service URL**: Assertion Consumer URL from Adobe Acrobat Sign SAML SSO configuration.
+ - **Name ID format**: _Email_
+2. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 3. Save the application.
 ## 4. Test the integration and finalize configuration
@@ -53,10 +52,8 @@ This guide covers how to configure [Adobe Acrobat Sign](https://helpx.adobe.com/
 :::note
-
 If you receive an error while testing SSO integration, go to your profile picture > your name > **Account Settings** > **SAML Errors** for more information.
-
 :::
 2. Once this is successful, you can make sign in via SSO mandatory. Select your profile picture > your name > **Account Settings** > **SAML Settings**, and then turn on **SAML Mandatory**. Keeping **Allow Acrobat Sign Account Administrators to log in using their Acrobat Sign Credentials** turned on will allow administrators to log in even if your account experiences SSO issues.
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/area-1.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/area-1.mdx
index bb70dc43be9b2f..dcf6274dd26235 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/area-1.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/area-1.mdx
@@ -4,7 +4,6 @@ title: Area 1
 reviewed: 2024-07-18
 sidebar:
 order: 3
-
 ---
 import { Render } from "~/components";
@@ -15,9 +14,9 @@ import { Render } from "~/components";
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to your Area 1 account
-* Your user's email in Area 1 matches their email in Zero Trust
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to your Area 1 account
+- Your user's email in Area 1 matches their email in Zero Trust
 ## 1. Add Area 1 to Zero Trust
@@ -30,13 +29,13 @@ import { Render } from "~/components";
 4. In the **Application** field, enter `Area 1` and select **Area 1**. (Area 1 is not currently listed in the default drop-down menu.)
 5. Enter the following values for your application configuration:
- | | |
+ | | |
 | ---------------------------------- | -------------------------------------------------- |
- | **Entity ID** | `https://horizon.area1security.com` |
+ | **Entity ID** | `https://horizon.area1security.com` |
 | **Assertion Consumer Service URL** | `https://horizon.area1security.com/api/users/saml` |
- | **Name ID Format** | *Email* |
+ | **Name ID Format** | _Email_ |
-6. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+6. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 7. Save the application.
@@ -48,12 +47,11 @@ Finally, you will need to configure Area 1 to allow users to log in through Clou
 2. Turn on **Single Sign On**.
-3. (Optional) To require users to sign in through Access, set **SSO Enforcement** to *All*. When SSO is enforced, users will no longer be able to sign in with their Area 1 credentials.
+3. (Optional) To require users to sign in through Access, set **SSO Enforcement** to _All_. When SSO is enforced, users will no longer be able to sign in with their Area 1 credentials.
 4. In **SAML SSO Domain**, enter `.cloudflareaccess.com`.
 5. Get your Metadata XML file:
-
 1. In Zero Trust, copy the **SSO Endpoint** for your application.
 ![Copy SSO settings for a SaaS application from Zero Trust](~/assets/images/cloudflare-one/applications/saas-sso-endpoint.png)
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/asana-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/asana-saas.mdx
index 9496bf1549ea59..f36b1b86e2d1f1 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/asana-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/asana-saas.mdx 
@@ -4,38 +4,37 @@ title: Asana
 reviewed: 2024-08-01
 sidebar:
 order: 4
-
 ---
 This guide covers how to configure [Asana](https://help.asana.com/hc/en-us/articles/14075208738587-Authentication-and-access-management-options-for-paid-plans#gl-saml) as a SAML application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Super admin access to an Asana Enterprise, Enterprise+, or Legacy Enterprise account
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Super admin access to an Asana Enterprise, Enterprise+, or Legacy Enterprise account
 ## 1. Add a SaaS application to Cloudflare Zero Trust
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 2. Select **Add an application** > **SaaS** > **Select**.
-3. For **Application**, select *Asana*.
+3. For **Application**, select _Asana_.
 4. For the authentication protocol, select **SAML**.
 5. Select **Add application**.
 6. Fill in the following fields:
- * **Entity ID**: `https://app.asana.com/`
- * **Assertion Consumer Service URL**: `https://app.asana.com/-/saml/consume`
- * **Name ID format**: *Email*
+ - **Entity ID**: `https://app.asana.com/`
+ - **Assertion Consumer Service URL**: `https://app.asana.com/-/saml/consume`
+ - **Name ID format**: _Email_
 7. Copy the **SSO endpoint** and **Public key**.
-8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+8. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 9. Save the application.
 ## 2. Add a SAML SSO provider to Asana
 1. In Asana, select your profile picture > **Admin console** > **Security** > **SAML authentication**.
-2. Under **SAML options**, select *Optional*.
+2. Under **SAML options**, select _Optional_.
 3. Fill in the following fields:
- * Sign-in page URL: SSO endpoint from application configuration in Cloudflare Zero Trust.
- * X.509 certificate: Public key from application configuration in Cloudflare Zero Trust. Wrap the public key in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.
+ - Sign-in page URL: SSO endpoint from application configuration in Cloudflare Zero Trust.
+ - X.509 certificate: Public key from application configuration in Cloudflare Zero Trust. Wrap the public key in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.
 4. Select **Save changes**.
 ## 3. Test the integration and require SSO
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/atlassian-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/atlassian-saas.mdx
index 395cb39573f428..0a5c5297ae37ff 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/atlassian-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/atlassian-saas.mdx
@@ -4,23 +4,22 @@ title: Atlassian Cloud
 reviewed: 2024-06-18
 sidebar:
 order: 5
-
 ---
 This guide covers how to configure [Atlassian Cloud](https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-with-an-identity-provider/) as a SAML application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to an Atlassian Cloud account
-* Atlassian Guard Standard subscription
-* A [domain](https://support.atlassian.com/user-management/docs/verify-a-domain-to-manage-accounts/) verified in Atlassian Cloud
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to an Atlassian Cloud account
+- Atlassian Guard Standard subscription
+- A [domain](https://support.atlassian.com/user-management/docs/verify-a-domain-to-manage-accounts/) verified in Atlassian Cloud
 ## 1. Add a SaaS application to Cloudflare Zero Trust
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 2. Select **Add an application** > **SaaS**.
-3. For **Application**, select *Atlassian*.
+3. For **Application**, select _Atlassian_.
 4. For the authentication protocol, select **SAML**.
 5. Select **Add application**.
 6. Copy the **Access Entity ID or Issuer**, **Public key**, and **SSO endpoint**.
@@ -33,32 +32,32 @@ This guide covers how to configure [Atlassian Cloud](https://support.atlassian.c
 ## 3. Configure an identity provider and SAML SSO in Atlassian Cloud
-1. In Atlassian Cloud, go to **Security** > **Identity providers**.
-2. Select **Other provider** > **Choose**.
-3. For **Directory name**, enter your desired name. For example, you could enter `Cloudflare Access`.
-4. Select **Add** > **Set up SAML single sign-on** > **Next**.
-
- :::note
- This screen will advise you to create an authentication policy before proceeding. You will do this in step [5. Create an application policy to test integration](#5-create-an-authentication-policy-to-test-integration).
- :::
-
-5. Fill in the following fields:
- * **Identity provider Entity ID**: Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust.
- * **Identity provider SSO URL**: SSO endpoint from application configuration in Cloudflare Zero Trust.
- * **Public x509 certificate**: Paste the entire x.509 certificate from step [2. Create a x.509 certificate](#2-create-a-x509-certificate).
-6. Select **Next**.
-7. Copy the **Service provider entity URL** and **Service provider assertion consumer service URL**.
-8. Select **Next**.
-9. Under **Link domain**, select the domain you want to use with SAML SSO.
+1. In Atlassian Cloud, go to **Security** > **Identity providers**.
+2. Select **Other provider** > **Choose**.
+3. For **Directory name**, enter your desired name. For example, you could enter `Cloudflare Access`.
+4. Select **Add** > **Set up SAML single sign-on** > **Next**.
+
+ :::note
+ This screen will advise you to create an authentication policy before proceeding. You will do this in step [5. Create an application policy to test integration](#5-create-an-authentication-policy-to-test-integration).
+ :::
+
+5. Fill in the following fields:
+ - **Identity provider Entity ID**: Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust.
+ - **Identity provider SSO URL**: SSO endpoint from application configuration in Cloudflare Zero Trust.
+ - **Public x509 certificate**: Paste the entire x.509 certificate from step [2. Create a x.509 certificate](#2-create-a-x509-certificate).
+6. Select **Next**.
+7. Copy the **Service provider entity URL** and **Service provider assertion consumer service URL**.
+8. Select **Next**.
+9. Under **Link domain**, select the domain you want to use with SAML SSO.
 10. Select **Next** > **Stop and save SAML**.
 ## 4. Finish adding a SaaS application to Cloudflare Zero Trust
 1. In your open Zero Trust window, fill in the following fields:
- * **Entity ID**: Service provider entity URL from Atlassian Cloud SAML SSO set-up.
- * **Assertion Consumer Service URL**: Service provider assertion consumer service URL from Atlassian Cloud SAML SSO set-up.
- * **Name ID format**: *Email*
-2. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+ - **Entity ID**: Service provider entity URL from Atlassian Cloud SAML SSO set-up.
+ - **Assertion Consumer Service URL**: Service provider assertion consumer service URL from Atlassian Cloud SAML SSO set-up.
+ - **Name ID format**: _Email_
+2. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 3. Save the application.
 ## 5. Create an authentication policy to test integration
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/aws-sso-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/aws-sso-saas.mdx
index 6778a3907f3a16..aa0c0b3934b682 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/aws-sso-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/aws-sso-saas.mdx
@@ -4,21 +4,20 @@ title: AWS
 reviewed: 2024-04-22
 sidebar:
 order: 6
-
 ---
 This guide covers how to configure [AWS](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-idp.html) as a SAML application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to an AWS account
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to an AWS account
 ## 1. Get AWS URLs
 1. In the AWS admin panel, search for `IAM Identity Center`.
 2. Go to **IAM Identity Center** > **Settings**.
-3. In the **Identity source** tab, select the **Actions** dropdown and select *Change identity source*.
+3. In the **Identity source** tab, select the **Actions** dropdown and select _Change identity source_.
 4. Change the identity source to **External identity provider**.
 5. Copy the values shown in **Service provider metadata**. You will need these values when configuring the SaaS application in Zero Trust.
@@ -28,19 +27,19 @@ Next, we will obtain **Identity provider metadata** from Zero Trust.
 1. In a separate tab or window, open [Zero Trust](https://one.dash.cloudflare.com) and go to **Access** > **Applications**.
 2. Select **SaaS**.
-3. For **Application**, select *Amazon AWS*.
+3. For **Application**, select _Amazon AWS_.
 4. For the authentication protocol, select **SAML**.
 5. Select **Add application**.
 6. Fill in the following fields:
- * **Entity ID**: IAM Identity Center issuer URL
- * **Assertion Consumer Service URL**: IAM Identity Center Assertion Consumer Service (ACS) URL
- * **Name ID format**: *Email*
+ - **Entity ID**: IAM Identity Center issuer URL
+ - **Assertion Consumer Service URL**: IAM Identity Center Assertion Consumer Service (ACS) URL
+ - **Name ID format**: _Email_
 7. (Optional) Additional SAML attribute statements can be passed from your IdP to AWS SSO. To learn more about AWS Attribute mapping, refer to [Attribute mappings - AWS Single Sign-On](https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html#supportedidpattributes).
 8. AWS supports uploading a metadata XML file. To download your SAML metadata from Access:
 1. Copy the **SAML Metadata endpoint**.
 2. In a separate browser window, go to the SAML Metadata endpoint (`https://.cloudflareaccess.com/cdn-cgi/access/sso/saml/xxx/saml-metadata`).
 3. Save the page as `access_saml_metadata.xml`.
-9. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+9. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 10. Save the application.
 ## 3. Complete AWS configuration
@@ -51,7 +50,7 @@ Next, we will obtain **Identity provider metadata** from Zero Trust.
 3. Select **Next** to review settings, type **ACCEPT** and select **Change identity source** to confirm changes.
-4. Confirm that **Provisioning** is set to *Manual*.
+4. Confirm that **Provisioning** is set to _Manual_.
 :::caution[Important]
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/braintree-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/braintree-saas.mdx
index c1335ffe039156..6c393e40ff5aca 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/braintree-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/braintree-saas.mdx
@@ -4,15 +4,14 @@ title: Braintree
 reviewed: 2024-08-01
 sidebar:
 order: 7
-
 ---
 This guide covers how to configure [Braintree](https://developer.paypal.com/braintree/articles/guides/single-sign-on-sso) as a SAML application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to a Braintree production or sandbox account
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to a Braintree production or sandbox account
 ## 1. Add a SaaS application to Cloudflare Zero Trust
@@ -22,11 +21,11 @@ This guide covers how to configure [Braintree](https://developer.paypal.com/brai
 4. For the authentication protocol, select **SAML**.
 5. Select **Add application**.
 6. Fill in the following fields with temporary values:
- * **Entity ID**: `placeholder`
- * **Assertion Consumer Service URL**: `https://www.placeholder.com`
- * **Name ID format**: *Email*
+ - **Entity ID**: `placeholder`
+ - **Assertion Consumer Service URL**: `https://www.placeholder.com`
+ - **Name ID format**: _Email_
 7. Copy the **SSO endpoint** and **Public key**.
-8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+8. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 9. Save the application.
 ## 2. Enable SSO Configuration in Braintree
@@ -34,10 +33,10 @@ This guide covers how to configure [Braintree](https://developer.paypal.com/brai
 1. In Braintree, create a [support ticket](https://developer.paypal.com/braintree/help).
 2. In **Search Issues**, enter `Login and password issues` and select the corresponding value.
 3. In **Issue Details**, fill in the following:
- * **Merchant ID**: Your Braintree Merchant ID. This is the 16-digit value that follows `/merchants/`in your Braintree Control Panel URL.
- * **Email domain(s) to be used in user IDs**: The email domain(s) that should be allowed to sign in to your account via SSO.
- * **Single Sign-on HTTP POST Binding URL**: SSO endpoint from application configuration in Cloudflare Zero Trust
- * **Certificate for validation**: Public key from application configuration in Cloudflare Zero Trust.
+ - **Merchant ID**: Your Braintree Merchant ID. This is the 16-digit value that follows `/merchants/`in your Braintree Control Panel URL.
+ - **Email domain(s) to be used in user IDs**: The email domain(s) that should be allowed to sign in to your account via SSO.
+ - **Single Sign-on HTTP POST Binding URL**: SSO endpoint from application configuration in Cloudflare Zero Trust
+ - **Certificate for validation**: Public key from application configuration in Cloudflare Zero Trust.
 4. Select whether you are using a **Production** or **Sandbox** account.
 5. Fill out the **Your contact information** fields and select **Submit a help request**.
 6. When you receive an email stating SSO has been successfully configured for your account, you can proceed to the next step.
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/coupa-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/coupa-saas.mdx
index c303cf07bc2400..49f461f1e97f5e 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/coupa-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/coupa-saas.mdx
@@ -4,15 +4,14 @@ title: Coupa
 reviewed: 2024-07-26
 sidebar:
 order: 8
-
 ---
 This guide covers how to configure [Coupa](https://compass.coupa.com/en-us/products/product-documentation/integration-technical-documentation/coupa-core-user-authentication/coupa-saml-sso-setup) as a SAML application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to a Coupa Stage or Production account
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to a Coupa Stage or Production account
 ## 1. Add a SaaS application to Cloudflare Zero Trust
@@ -22,13 +21,13 @@ This guide covers how to configure [Coupa](https://compass.coupa.com/en-us/produ
 4. For the authentication protocol, select **SAML**.
 5. Select **Add application**.
 6. Fill in the following fields:
- * **Entity ID**:
+ - **Entity ID**:
 `sso-stg1.coupahost.com` for a stage account or `sso-prd1.coupahost.com` for a production account
- * **Assertion Consumer Service URL**: `https://sso-stg1.coupahost.com/sp/ACS.saml2` for a stage account or `https://sso-prd1.coupahost.com/sp/ACS.saml2` for a production account
- * **Name ID format**: *Email*
+ - **Assertion Consumer Service URL**: `https://sso-stg1.coupahost.com/sp/ACS.saml2` for a stage account or `https://sso-prd1.coupahost.com/sp/ACS.saml2` for a production account
+ - **Name ID format**: _Email_
 7. Copy the **Access Entity ID or Issuer** and **SAML Metadata Endpoint**.
 8. In **Default relay state**, enter `https://.coupahost.com/sessions/saml_post`.
-9. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+9. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 10. Save the application.
 ## 2. Download the metadata file
@@ -55,8 +54,6 @@ This guide covers how to configure [Coupa](https://compass.coupa.com/en-us/produ
 :::note
-
 You can use the following URL to bypass SSO and login via a username and password: `https://.coupahost.com/sessions/support_login`.
-
 :::
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/digicert-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/digicert-saas.mdx
index a2b570f4023f1e..484140885d2d5e 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/digicert-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/digicert-saas.mdx
@@ -4,16 +4,15 @@ title: Digicert
 reviewed: 2024-06-18
 sidebar:
 order: 9
-
 ---
 This guide covers how to configure [Digicert](https://docs.digicert.com/en/certcentral/manage-account/saml-admin-single-sign-on-guide/configure-saml-single-sign-on.html) as a SAML application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to a Digicert account
-* [SAML](https://docs.digicert.com/en/certcentral/manage-account/saml-admin-single-sign-on-guide/saml-single-sign-on-prerequisites.html) enabled in your Digicert account
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to a Digicert account
+- [SAML](https://docs.digicert.com/en/certcentral/manage-account/saml-admin-single-sign-on-guide/saml-single-sign-on-prerequisites.html) enabled in your Digicert account
 ## 1. Add a SaaS application to Cloudflare Zero Trust
@@ -23,11 +22,11 @@ This guide covers how to configure [Digicert](https://docs.digicert.com/en/certc
 4. For the authentication protocol, select **SAML**.
 5. Select **Add application**.
 6. Fill in the following fields:
- * **Entity ID**: `https://www.digicert.com/account/sso/metadata`
- * **Assertion Consumer Service URL**: `https://www.digicert.com/account/sso/`
- * **Name ID format**: *Email*
+ - **Entity ID**: `https://www.digicert.com/account/sso/metadata`
+ - **Assertion Consumer Service URL**: `https://www.digicert.com/account/sso/`
+ - **Name ID format**: _Email_
 7. Copy the **SAML Metadata endpoint**.
-8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+8. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 9. Save the application.
 ## 2. Add a SAML SSO provider in Digicert
@@ -44,12 +43,10 @@ This guide covers how to configure [Digicert](https://docs.digicert.com/en/certc
 1. In Digicert, select **Settings** > **Single Sign-On**.
 2. Copy the **SP Initiated Custom SSO URL**.
 3. Paste the URL into an incognito browser window and sign in. Upon successful sign in, SAML SSO is fully enabled.
-4. (Optional) By default, users can choose to sign in directly or with SSO. To require SSO sign in, go to **Account** > **Users**. Turn on **Only allow this user to log in through SAML/OIDC SSO** in the user details of the desired user.
+4. (Optional) By default, users can choose to sign in directly or with SSO. To require SSO sign in, go to **Account** > **Users**. Turn on **Only allow this user to log in through SAML/OIDC SSO** in the user details of the desired user.
 :::note
-
 Users can sign in using service provider initiated SSO by using the **SP Initiated Custom SSO URL**. Alternatively, users can go to `www.digicert.com/account`, select **Sign in with SSO**, and enter the name of the identity provider configured in step [2. Add a SAML SSO provider in Digicert](#2-add-a-saml-sso-provider-in-digicert).
-
 :::
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/dropbox-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/dropbox-saas.mdx
index a1b1946596b3c3..78bf9120725f14 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/dropbox-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/dropbox-saas.mdx
@@ -4,15 +4,14 @@ title: Dropbox
 reviewed: 2024-07-30
 sidebar:
 order: 11
-
 ---
 This guide covers how to configure [Dropbox](https://help.dropbox.com/security/sso-admin) as a SAML application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to a Dropbox Advanced, Business Plus, or Enterprise account
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to a Dropbox Advanced, Business Plus, or Enterprise account
 ## 1. Add a SaaS application to Cloudflare Zero Trust
@@ -22,11 +21,11 @@ This guide covers how to configure [Dropbox](https://help.dropbox.com/security/s
 4. For the authentication protocol, select **SAML**.
 5. Select **Add application**.
 6. Fill in the following fields:
- * **Entity ID**: `Dropbox`
- * **Assertion Consumer Service URL**: `https://www.dropbox.com/saml_login`
- * **Name ID format**: *Email*
+ - **Entity ID**: `Dropbox`
+ - **Assertion Consumer Service URL**: `https://www.dropbox.com/saml_login`
+ - **Name ID format**: _Email_
 7. Copy the **SSO endpoint** and **Public key**.
-8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+8. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 9. Save the application.
 ## 2. Create a certificate file
@@ -38,7 +37,7 @@ This guide covers how to configure [Dropbox](https://help.dropbox.com/security/s
 ## 3. Add a SAML SSO provider to Dropbox
 1. In Dropbox, go to your profile picture > **Settings** > **Admin Console** > **Security** > **Single sign-on**.
-2. For **Single sign-on**, select *Optional*.
+2. For **Single sign-on**, select _Optional_.
 3. Select **Add Identity provider sign-in URL**.
 4. Paste the SSO endpoint from application configuration in Cloudflare Zero Trust and select **Done**.
 5. Select **Add X.509 certificate** and upload the `.pem` file from step [2. Create a certificate file](#2-create-a-certificate-file).
@@ -49,4 +48,4 @@ This guide covers how to configure [Dropbox](https://help.dropbox.com/security/s
 1. Open an incognito browser window and go to your custom Dropbox SSO URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.
-2. After this is successful, you may want to require users to log in via SSO. Go to your profile picture > **Settings** > **Admin Console** > **Security** > **Single sign-on**. For **Single sign-on**, select *Required*. Dropbox will send an email to your users notifying them of the change.
+2. After this is successful, you may want to require users to log in via SSO. Go to your profile picture > **Settings** > **Admin Console** > **Security** > **Single sign-on**. For **Single sign-on**, select _Required_. Dropbox will send an email to your users notifying them of the change.
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/github-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/github-saas.mdx
index ebbb5a5df017b0..38a146f62b7090 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/github-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/github-saas.mdx
@@ -4,30 +4,29 @@ title: GitHub Enterprise Cloud
 reviewed: 2024-07-18
 sidebar:
 order: 12
-
 ---
 This guide covers how to configure [GitHub Enterprise Cloud](https://docs.github.com/en/enterprise-cloud@latest/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise) as a SAML application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* A GitHub Enterprise Cloud subscription
-* Access to a GitHub account as an organization owner
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- A GitHub Enterprise Cloud subscription
+- Access to a GitHub account as an organization owner
 ## 1. Add a SaaS application to Cloudflare Zero Trust
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 2. Select **Add an application** > **SaaS** > **Select**.
-3. For **Application**, select *GitHub*.
+3. For **Application**, select _GitHub_.
 4. For the authentication protocol, select **SAML**.
 5. Select **Add application**.
 6. Fill in the following fields:
- * **Entity ID**: `https://github.com/orgs/`
- * **Assertion Consumer Service URL**: `https://github.com/orgs//saml/consume`
- * **Name ID format**: *Email*
+ - **Entity ID**: `https://github.com/orgs/`
+ - **Assertion Consumer Service URL**: `https://github.com/orgs//saml/consume`
+ - **Name ID format**: _Email_
 7. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**.
-8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+8. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 9. Save the application.
 ## 2. Create an X.509 certificate
@@ -40,9 +39,9 @@ This guide covers how to configure [GitHub Enterprise Cloud](https://docs.github
 1. In your GitHub organization page, go to **Settings** > **Authentication security**.
 2. Under **SAML single sign-on**, turn on **Enable SAML authentication**.
 3. Fill in the following fields:
- * **Sign on URL**: SSO endpoint from application configuration in Cloudflare Zero Trust.
- * **Issuer**: Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust.
- * **Public certificate**: Paste the entire x.509 certificate from step [2. Create a x.509 certificate](#2-create-a-x509-certificate).
+ - **Sign on URL**: SSO endpoint from application configuration in Cloudflare Zero Trust.
+ - **Issuer**: Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust.
+ - **Public certificate**: Paste the entire x.509 certificate from step [2. Create a x.509 certificate](#2-create-a-x509-certificate).
 ## 4. Test the integration
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-cloud-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-cloud-saas.mdx
index bfc68983422756..b7c75d0566e4bb 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-cloud-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-cloud-saas.mdx
@@ -37,7 +37,7 @@ When configuring Google Cloud with Access, the following limitations apply:
 - **Assertion Consumer Service URL**: `https://www.google.com/a//acs`
 - **Name ID format**: _Email_
 7. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**.
-8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+8. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 9. Save the application.
 ## 2. Create a x.509 certificate
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx
index ec91ec2d126adf..044b3df9af69f9 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx
@@ -38,7 +38,7 @@ The integration of Access as a single sign-on provider for your Google Workspace
 When you put your Google Workspace behind Access, users will not be able to log in using [Google](/cloudflare-one/integrations/identity-providers/google/) or [Google Workspace](/cloudflare-one/integrations/identity-providers/google-workspace/) as an identity provider. To secure Google Workspace behind Access and avoid an [authentication loop](/cloudflare-one/faq/troubleshooting/#after-putting-google-workspace-behind-access-i-cant-log-in-it-keeps-redirecting-between-access-and-google-without-ever-completing-authentication), you must configure a different identity provider (not Google or Google Workspace) for authentication.
 :::
-4. [Create an Access policy](/cloudflare-one/policies/access/) for your application. For example, you could allow users with an `@your_domain.com` email address.
+4. [Create an Access policy](/cloudflare-one/access-controls/policies/) for your application. For example, you could allow users with an `@your_domain.com` email address.
 5. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**. These values will be used to configure Google Workspace.
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/grafana-cloud-saas-oidc.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/grafana-cloud-saas-oidc.mdx
index 9239ada83b8193..175acfcaad79a9 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/grafana-cloud-saas-oidc.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/grafana-cloud-saas-oidc.mdx
@@ -4,15 +4,14 @@ title: Grafana Cloud
 reviewed: 2024-07-18
 sidebar:
 order: 14
-
 ---
 This guide covers how to configure [Grafana Cloud](https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/authorization/#configure-oauth-20-with-generic-oauth) as an OIDC application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to a Grafana Cloud account
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to a Grafana Cloud account
 ## 1. Add a SaaS application to Cloudflare Zero Trust
@@ -25,7 +24,7 @@ This guide covers how to configure [Grafana Cloud](https://grafana.com/docs/graf
 7. In **Redirect URLs**, enter `https:///login/generic_oauth`.
 8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
 9. Copy the **Client secret**, **Client ID**, **Token endpoint**, and **Authorization endpoint**.
-10. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+10. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https:///login`.
 12. Save the application.
@@ -34,11 +33,11 @@ This guide covers how to configure [Grafana Cloud](https://grafana.com/docs/graf
 1. In Grafana Cloud, select the **menu** icon > **Administration** > **Authentication** > **Generic OAuth**.
 2. (Optional) For **Display name**, enter a new display name (for example, `Cloudflare Access`). Users will select **Sign in with (display name)** when signing in via SSO.
 3. Fill in the following fields:
- * **Client Id**: Client ID from application configuration in Cloudflare Zero Trust
- * **Client secret**: Client secret from application configuration in Cloudflare Zero Trust
- * **Scopes**: Delete `user:email` and enter the scopes configured in Cloudflare Zero Trust
- * **Auth URL**: Authorization endpoint from application configuration in Cloudflare Zero Trust
- * **Token URL**: Token endpoint from application configuration in Cloudflare Zero Trust
+ - **Client Id**: Client ID from application configuration in Cloudflare Zero Trust
+ - **Client secret**: Client secret from application configuration in Cloudflare Zero Trust
+ - **Scopes**: Delete `user:email` and enter the scopes configured in Cloudflare Zero Trust
+ - **Auth URL**: Authorization endpoint from application configuration in Cloudflare Zero Trust
+ - **Token URL**: Token endpoint from application configuration in Cloudflare Zero Trust
 4. Select **Save**.
 ## 3. Test the integration
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/grafana-saas-oidc.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/grafana-saas-oidc.mdx
index 2b4c0df848b54d..c0e01fb1d7ad00 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/grafana-saas-oidc.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/grafana-saas-oidc.mdx
@@ -4,15 +4,14 @@ title: Grafana
 reviewed: 2024-07-18
 sidebar:
 order: 14
-
 ---
 This guide covers how to configure [Grafana](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/) as an OIDC application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to a Grafana account
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to a Grafana account
 :::note
 You can also configure OIDC SSO for Grafana using a [configuration file](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/#configure-generic-oauth-authentication-client-using-the-grafana-configuration-file) instead of using Grafana's user interface (UI), as documented in this guide.
@@ -22,14 +21,14 @@ You can also configure OIDC SSO for Grafana using a [configuration file](https:/
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 2. Select **SaaS**.
-3. For **Application**, select *Grafana*.
+3. For **Application**, select _Grafana_.
 4. For the authentication protocol, select **OIDC**.
 5. Select **Add application**.
 6. In **Scopes**, select the attributes that you want Access to send in the ID token.
 7. In **Redirect URLs**, enter `https:///login/generic_oauth`.
 8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
 9. Copy the **Client secret**, **Client ID**, **Token endpoint**, and **Authorization endpoint**.
-10. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+10. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https:///login`.
 12. Save the application.
@@ -38,11 +37,11 @@ You can also configure OIDC SSO for Grafana using a [configuration file](https:/
 1. In Grafana, select the **menu** icon > **Administration** > **Authentication** > **Generic OAuth**.
 2. (Optional) For **Display name**, enter a new display name (for example, `Cloudflare Access`). Users will select **Sign in with (display name)** when signing in via SSO.
 3. Fill in the following fields:
- * **Client Id**: Client ID from application configuration in Cloudflare Zero Trust
- * **Client secret**: Client secret from application configuration in Cloudflare Zero Trust
- * **Scopes**: Delete `user:email` and enter the scopes configured in Cloudflare Zero Trust
- * **Auth URL**: Authorization endpoint from application configuration in Cloudflare Zero Trust
- * **Token URL**: Token endpoint from application configuration in Cloudflare Zero Trust
+ - **Client Id**: Client ID from application configuration in Cloudflare Zero Trust
+ - **Client secret**: Client secret from application configuration in Cloudflare Zero Trust
+ - **Scopes**: Delete `user:email` and enter the scopes configured in Cloudflare Zero Trust
+ - **Auth URL**: Authorization endpoint from application configuration in Cloudflare Zero Trust
+ - **Token URL**: Token endpoint from application configuration in Cloudflare Zero Trust
 4. Select **Save**.
 ## 3. Test the integration
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/greenhouse-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/greenhouse-saas.mdx
index c257209a1fb4b0..bcb639434a7a38 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/greenhouse-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/greenhouse-saas.mdx
@@ -4,15 +4,14 @@ title: Greenhouse Recruiting
 reviewed: 2024-07-10
 sidebar:
 order: 15
-
 ---
 This guide covers how to configure [Greenhouse Recruiting](https://support.greenhouse.io/hc/en-us/articles/360040753811-Configure-single-sign-on-SSO-for-Greenhouse-Recruiting) as a SAML application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to an Advanced or Expert Greenhouse Recruiting site
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to an Advanced or Expert Greenhouse Recruiting site
 ## 1. Add a SaaS application to Cloudflare Zero Trust
@@ -40,10 +39,10 @@ This guide covers how to configure [Greenhouse Recruiting](https://support.green
 ## 4. Finish adding a SaaS application to Cloudflare Zero Trust
 1. In your open Zero Trust window, fill in the following fields:
- * **Entity ID**: `greenhouse.io`
- * **Assertion Consumer Service URL**: SSO Assertion Consumer URL from SSO configuration in Greenhouse Recruiting.
- * **Name ID format**: *Email*
-2. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+ - **Entity ID**: `greenhouse.io`
+ - **Assertion Consumer Service URL**: SSO Assertion Consumer URL from SSO configuration in Greenhouse Recruiting.
+ - **Name ID format**: _Email_
+2. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 3. Save the application.
 ## 5. Test the integration and finalize configuration
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/hubspot-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/hubspot-saas.mdx
index cc54fdf896bd5d..e9316914b1bc35 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/hubspot-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/hubspot-saas.mdx
@@ -4,38 +4,37 @@ title: Hubspot
 reviewed: 2024-06-18
 sidebar:
 order: 16
-
 ---
 This guide covers how to configure [Hubspot](https://knowledge.hubspot.com/account-security/set-up-single-sign-on-sso) as a SAML application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to a Hubspot Enterprise plan account
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to a Hubspot Enterprise plan account
 ## 1. Configure Hubspot
 1. Go to **Settings** > **Account**, then go to **Defaults** > **Security**.
-2. Select *Single Sign-on*.
-3. Copy the values for *Audience URI* and *Sign on URL*.
+2. Select _Single Sign-on_.
+3. Copy the values for _Audience URI_ and _Sign on URL_.
 ## 2. Configure Cloudflare Access
 1. In Zero Trust, go to **Access** > **Applications** and create a SaaS application.
-2. Set the **Application type** to *Hubspot*.
+2. Set the **Application type** to _Hubspot_.
 3. Use the following Hubspot field mappings:
 | Hubspot values | Cloudflare values |
 | -------------- | ------------------------------ |
- | Audience URI | Entity ID |
+ | Audience URI | Entity ID |
 | Sign On URL | Assertion Consumer Service URL |
-4. Set **NameID** to *Email*.
+4. Set **NameID** to _Email_.
-5. Add any desired [Access policies](/cloudflare-one/policies/access/) to your application.
+5. Add any desired [Access policies](/cloudflare-one/access-controls/policies/) to your application.
 6. Copy the **SSO endpoint** and **Access Entity ID**.
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/ironclad-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/ironclad-saas.mdx
index 9159f8da4162c4..561c72422d749e 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/ironclad-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/ironclad-saas.mdx
@@ -4,15 +4,14 @@ title: Ironclad
 reviewed: 2024-07-19
 sidebar:
 order: 17
-
 ---
 This guide covers how to configure [Ironclad](https://support.ironcladapp.com/hc/articles/12286012625559-Set-Up-Generic-SSO-SAML-Integration) as a SAML application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to a Ironclad site
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to a Ironclad site
 ## 1. Add a SaaS application to Cloudflare Zero Trust
@@ -30,17 +29,17 @@ This guide covers how to configure [Ironclad](https://support.ironcladapp.com/hc
 2. Select **Add SAML Configuration** > **Show Additional IdP Settings**.
 3. Copy the **Callback** value.
 4. Fill in the following fields:
- * **Entry Point**: SSO endpoint from application configuration in Cloudflare Zero Trust.
- * **Identity Provider Certificate**: Public key from application configuration in Cloudflare Zero Trust. The key will automatically be wrapped in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.
+ - **Entry Point**: SSO endpoint from application configuration in Cloudflare Zero Trust.
+ - **Identity Provider Certificate**: Public key from application configuration in Cloudflare Zero Trust. The key will automatically be wrapped in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.
 5. Select **Save**.
 ## 3. Finish adding a SaaS application to Cloudflare Zero Trust
 1. In your open Zero Trust window, fill in the following fields:
- * **Entity ID**: `ironcladapp.com`
- * **Assertion Consumer Service URL**: Callback from Ironclad SAML SSO set-up.
- * **Name ID format**: *Email*
-2. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+ - **Entity ID**: `ironcladapp.com`
+ - **Assertion Consumer Service URL**: Callback from Ironclad SAML SSO set-up.
+ - **Name ID format**: _Email_
+2. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 3. Save the application.
 ## 4. Add a test user to Ironclad and test the integration
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/jamf-pro-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/jamf-pro-saas.mdx
index 01ebe1319881b7..f8d6584342dde3 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/jamf-pro-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/jamf-pro-saas.mdx
@@ -4,15 +4,14 @@ title: Jamf Pro
 reviewed: 2024-06-18
 sidebar:
 order: 18
-
 ---
 This guide covers how to configure [Jamf Pro](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Single_Sign-On.html) as a SAML application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to a Jamf Pro account
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to a Jamf Pro account
 ## 1. Collect Jamf Pro information
@@ -25,15 +24,15 @@ This guide covers how to configure [Jamf Pro](https://learn.jamf.com/en-US/bundl
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 2. Select **Add an application** > **SaaS**.
-3. For **Application**, enter `Jamf` or `Jamf Pro` and select the corresponding textbox that appears.
+3. For **Application**, enter `Jamf` or `Jamf Pro` and select the corresponding textbox that appears.
 4. For the authentication protocol, select **SAML**.
 5. Select **Add application**.
 6. Fill in the following fields:
- * **Entity ID**: Entity ID value from Jamf Pro metadata file.
- * **Assertion Consumer Service URL**: Assertion Consumer Service value from Jamf Pro metadata file.
- * **Name ID format**: *Email*
+ - **Entity ID**: Entity ID value from Jamf Pro metadata file.
+ - **Assertion Consumer Service URL**: Assertion Consumer Service value from Jamf Pro metadata file.
+ - **Name ID format**: _Email_
 7. Copy the **SAML Metadata endpoint**.
-8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+8. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 9. Save the application.
 ## 3. Edit Access SAML Metadata
@@ -49,10 +48,10 @@ This guide covers how to configure [Jamf Pro](https://learn.jamf.com/en-US/bundl
 2. In Identity Provider menu, select **Other**.
 3. Label **Other provider** as `Cloudflare`.
 4. Fill in the following fields:
- * **Entity ID**: Entity ID from Jamf Pro metadata file.
- * **Identity Provider Metadata Source**: Select **Metadata File** and upload the `.xml` file from step [2. Edit Access SAML Metadata](#2-add-a-saas-application-to-cloudflare-zero-trust).
- * **Identity Provider User Mapping**: *Name ID*
- * **Jamf Pro User Mapping**: *Email*
+ - **Entity ID**: Entity ID from Jamf Pro metadata file.
+ - **Identity Provider Metadata Source**: Select **Metadata File** and upload the `.xml` file from step [2. Edit Access SAML Metadata](#2-add-a-saas-application-to-cloudflare-zero-trust).
+ - **Identity Provider User Mapping**: _Name ID_
+ - **Jamf Pro User Mapping**: _Email_
 5. Turn on **Single Sign On**.
 :::note
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/miro-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/miro-saas.mdx
index 5ee7083210fbfd..fcc9f19cd3da7c 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/miro-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/miro-saas.mdx
@@ -28,7 +28,7 @@ This guide covers how to configure [Miro](https://help.miro.com/hc/articles/3600
 - **Assertion Consumer Service URL**: `https://miro.com/sso/saml`
 - **Name ID format**: _Email_
 7. Copy the **SSO endpoint** and **Public key**.
-8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+8. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 9. Save the application.
 ## 2. Add a SAML SSO provider to Miro
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/pagerduty-saml-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/pagerduty-saml-saas.mdx
index b6e35a647e2685..883e0328a0da23 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/pagerduty-saml-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/pagerduty-saml-saas.mdx
@@ -4,29 +4,28 @@ title: PagerDuty
 reviewed: 2024-07-10
 sidebar:
 order: 20
-
 ---
 This guide covers how to configure [PagerDuty](https://support.pagerduty.com/docs/sso) as a SAML application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to a PagerDuty site
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to a PagerDuty site
 ## 1. Add a SaaS application to Cloudflare Zero Trust
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 2. Select **Add an application** > **SaaS**.
-3. For **Application**, select *PagerDuty*.
+3. For **Application**, select _PagerDuty_.
 4. For the authentication protocol, select **SAML**.
 5. Select **Add application**.
 6. Fill in the following fields:
- * **Entity ID**: `https://.pagerduty.com`
- * **Assertion Consumer Service URL**: ` https://.pagerduty.com/sso/saml/consume`
- * **Name ID format**: *Email*
+ - **Entity ID**: `https://.pagerduty.com`
+ - **Assertion Consumer Service URL**: ` https://.pagerduty.com/sso/saml/consume`
+ - **Name ID format**: _Email_
 7. Copy the **SSO endpoint** and **Public key**.
-8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+8. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 9. Save the application.
 ## 2. Create a x.509 certificate
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/pingboard-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/pingboard-saas.mdx
index 5e3a83684c2c00..631038bc6d14d9 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/pingboard-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/pingboard-saas.mdx
@@ -4,15 +4,14 @@ title: Pingboard
 reviewed: 2024-07-09
 sidebar:
 order: 21
-
 ---
 This guide covers how to configure [Pingboard](https://support.pingboard.com/hc/en-us/articles/360046585994-Set-Up-a-Custom-SSO-Solution) as a SAML application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to a Pingboard account
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to a Pingboard account
 ## 1. Add a SaaS application to Cloudflare Zero Trust
@@ -22,11 +21,11 @@ This guide covers how to configure [Pingboard](https://support.pingboard.com/hc/
 4. For the authentication protocol, select **SAML**.
 5. Select **Add application**.
 6. Fill in the following fields:
- * **Entity ID**: `http://app.pingboard.com/sp`
- * **Assertion Consumer Service URL**: `https://sso-demo.pingboard.com/auth/saml/consume`
- * **Name ID format**: *Email*
+ - **Entity ID**: `http://app.pingboard.com/sp`
+ - **Assertion Consumer Service URL**: `https://sso-demo.pingboard.com/auth/saml/consume`
+ - **Name ID format**: _Email_
 7. Copy the **SAML Metadata endpoint**.
-8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+8. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 9. Save the application.
 ## 2. Add a SAML SSO provider to Pingboard
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/salesforce-saas-oidc.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/salesforce-saas-oidc.mdx
index 475f55a68c643a..7f8f7973aca8e0 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/salesforce-saas-oidc.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/salesforce-saas-oidc.mdx
@@ -31,7 +31,7 @@ This guide covers how to configure [Salesforce](https://help.salesforce.com/s/ar
 - **Authorization endpoint**
 - **Token endpoint**
 - **User info endpoint**
-10. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+10. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://.my.salesforce.com`.
 12. Save the application.
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/salesforce-saas-saml.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/salesforce-saas-saml.mdx
index bcfb5bd00a9567..254815f0d4e349 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/salesforce-saas-saml.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/salesforce-saas-saml.mdx
@@ -33,7 +33,7 @@ If you are unsure of which URL to use in the **Entity ID** and **Assertion Consu
 :::
 7. Copy the **SSO endpoint**, **Public key**, and **Access Entity ID or Issuer**.
-8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+8. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 9. Save the application.
 ## 2. Create a certificate file
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/servicenow-saas-oidc.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/servicenow-saas-oidc.mdx
index afe7f3c3874b68..6700b0693198f8 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/servicenow-saas-oidc.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/servicenow-saas-oidc.mdx
@@ -4,15 +4,14 @@ title: ServiceNow (OIDC)
 reviewed: 2024-06-21
 sidebar:
 order: 23
-
 ---
 This guide covers how to configure [ServiceNow](https://docs.servicenow.com/bundle/washingtondc-platform-security/page/integrate/single-sign-on/task/create-OIDC-configuration-SSO.html) as an OIDC application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to a ServiceNow account
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to a ServiceNow account
 ## 1. Add a SaaS application to Cloudflare Zero Trust
@@ -25,9 +24,10 @@ This guide covers how to configure [ServiceNow](https://docs.servicenow.com/bund
 7. In **Redirect URLs**, enter `https://.service-now.com/navpage.do`.
 8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
 9. Copy the **Client secret** and **Client ID**.
-10. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+10. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://.service-now.com`.
 12. Save the application.
+
 ## 2. Add the Multiple Provider Single Sign-On Installer Plugin to ServiceNow
 1. In ServiceNow, select **All**.
@@ -42,10 +42,10 @@ This guide covers how to configure [ServiceNow](https://docs.servicenow.com/bund
 2. In the search bar enter `Multi-Provider SSO`, and select **Identity Providers**.
 3. Select **New** > **OpenID Connect**.
 4. In the pop-up, fill in the following fields:
- * **Name**: Name of the SSO (for example, `Cloudflare Access`). Unless otherwise configured, users will select this name when signing in to ServiceNow.
- * **Client ID**: **Client ID** from application configuration in Cloudflare Zero Trust.
- * **Client Secret**: **Client Secret** from application configuration in Cloudflare Zero Trust.
- * **Well Known Configuration URL**: `https://.cloudflareaccess.com/cdn-cgi/access/sso/oidc//.well-known/openid-configuration`.
+ - **Name**: Name of the SSO (for example, `Cloudflare Access`). Unless otherwise configured, users will select this name when signing in to ServiceNow.
+ - **Client ID**: **Client ID** from application configuration in Cloudflare Zero Trust.
+ - **Client Secret**: **Client Secret** from application configuration in Cloudflare Zero Trust.
+ - **Well Known Configuration URL**: `https://.cloudflareaccess.com/cdn-cgi/access/sso/oidc//.well-known/openid-configuration`.
 5. Select **Import**.
 6. Ensure **Active** is turned on
 7. Turn on **Show as Login option**, and for **SSO label** enter a label for the user login screen, if desired.
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/servicenow-saas-saml.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/servicenow-saas-saml.mdx
index f0b96ebd22b931..978e5149593a30 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/servicenow-saas-saml.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/servicenow-saas-saml.mdx
@@ -4,15 +4,14 @@ title: ServiceNow (SAML)
 reviewed: 2024-06-21
 sidebar:
 order: 23
-
 ---
 This guide covers how to configure [ServiceNow](https://docs.servicenow.com/bundle/washingtondc-platform-security/page/integrate/single-sign-on/task/t_CreateASAML2Upd1SSOConfigMultiSSO.html) as a SAML application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to a ServiceNow account
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to a ServiceNow account
 ## 1. Add a SaaS application to Cloudflare Zero Trust
@@ -22,11 +21,11 @@ This guide covers how to configure [ServiceNow](https://docs.servicenow.com/bund
 4. For the authentication protocol, select **SAML**.
 5. Select **Add application**.
 6. Fill in the following fields:
- * **Entity ID**: `https://.service-now.com`
- * **Assertion Consumer Service URL**: `https://.service-now.com/navpage.do`
- * **Name ID format**: *Email*
+ - **Entity ID**: `https://.service-now.com`
+ - **Assertion Consumer Service URL**: `https://.service-now.com/navpage.do`
+ - **Name ID format**: _Email_
 7. Copy the **SAML Metadata endpoint**.
-8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+8. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 9. Save the application.
 ## 2. Add the Multiple Provider Single Sign-On Installer Plugin to ServiceNow
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/slack-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/slack-saas.mdx
index 795c1f321c4de5..8ed2f68c20a632 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/slack-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/slack-saas.mdx
@@ -4,31 +4,30 @@ title: Slack
 reviewed: 2024-06-18
 sidebar:
 order: 24
-
 ---
-import { TabItem, Tabs } from "~/components"
+import { TabItem, Tabs } from "~/components";
 This guide covers how to configure [Slack](https://slack.com/help/articles/203772216-SAML-single-sign-on) as a SAML application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to a Slack Business+ or Enterprise Grid plan account
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to a Slack Business+ or Enterprise Grid plan account
 ## 1. Add a SaaS application to Cloudflare Zero Trust
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 2. Select **Add an application** > **SaaS**.
-3. For **Application**, select *Slack*.
+3. For **Application**, select _Slack_.
 4. For the authentication protocol, select **SAML**.
 5. Select **Add application**.
 6. Fill in the following fields:
- * **Entity ID**: `https://slack.com`
- * **Assertion Consumer Service URL**: `https://.slack.com/sso/saml`
- * **Name ID format**: The format expected by Slack, usually *Email*
+ - **Entity ID**: `https://slack.com`
+ - **Assertion Consumer Service URL**: `https://.slack.com/sso/saml`
+ - **Name ID format**: The format expected by Slack, usually _Email_
 7. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**.
-8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+8. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 9. Save the application.
 ## 2. Create a x.509 certificate
@@ -44,15 +43,15 @@ This guide covers how to configure [Slack](https://slack.com/help/articles/20377
 2. Select **Configure**.
 3. Turn on **Test**. Configuration changes will not apply until **Configure** is turned on.
 4. Fill in the following fields:
- * **Service Provider Issuer URL**: Ensure set to `https://slack.com`.
- * **SAML SSO URL**: SSO endpoint from application configuration in Cloudflare Zero Trust.
- * **Identity Provider Issuer**: Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust.
- * **Public Certificate**: Paste the entire x.509 certificate from step [2. Create a x.509 certificate](#2-create-a-x509-certificate).
+ - **Service Provider Issuer URL**: Ensure set to `https://slack.com`.
+ - **SAML SSO URL**: SSO endpoint from application configuration in Cloudflare Zero Trust.
+ - **Identity Provider Issuer**: Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust.
+ - **Public Certificate**: Paste the entire x.509 certificate from step [2. Create a x.509 certificate](#2-create-a-x509-certificate).
 5. Under **Advanced Options**, select **Expand**.
-6. For **AuthnContextClassRef**, ensure *urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport* is selected.
+6. For **AuthnContextClassRef**, ensure _urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport_ is selected.
 7. Ensure **Sign the AuthnRequest** is turned off.
 8. For **SAML Response Signing**, turn on **Sign the Response** and **Sign the Assertion**.
-9. In the main configuration page under **Settings**, choose whether SSO is *required*, *partially required*, or *optional* for workspace members.
+9. In the main configuration page under **Settings**, choose whether SSO is _required_, _partially required_, or _optional_ for workspace members.
 10. (Optional) Under **Customize**, enter a **Sign in Button Label**.
 11. Test your set-up. If all works well, turn **Test** to **Configure**.
@@ -63,11 +62,11 @@ This guide covers how to configure [Slack](https://slack.com/help/articles/20377
 1. In Slack, go to **Settings & administration** > **Organization settings** > **Security** > **SSO Settings**.
 2. For **SSO name**, enter your desired name.
 3. Fill in the following fields:
- * **SAML 2.0 Endpoint URL**: SSO endpoint from application configuration in Cloudflare Zero Trust.
- * **Identity Provider Issuer URL**: Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust.
- * **Service Provider Issuer URL**: Ensure set to `https://slack.com`.
- * **x.509 Certificate**: Paste the entire x.509 certificate from step [2. Create a x.509 certificate](#2-create-a-x509-certificate).
-4. For **AuthnContextClassRef**, ensure *urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport* is selected.
+ - **SAML 2.0 Endpoint URL**: SSO endpoint from application configuration in Cloudflare Zero Trust.
+ - **Identity Provider Issuer URL**: Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust.
+ - **Service Provider Issuer URL**: Ensure set to `https://slack.com`.
+ - **x.509 Certificate**: Paste the entire x.509 certificate from step [2. Create a x.509 certificate](#2-create-a-x509-certificate).
+4. For **AuthnContextClassRef**, ensure _urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport_ is selected.
 5. Ensure **Sign the AuthnRequest** is turned off.
 6. For **SAML Response Signing**, turn on **Sign the Response** and **Sign the Assertion**.
 7. Select **Test Configuration**.
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/smartsheet-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/smartsheet-saas.mdx
index 84eb7f78159e3e..df37a6a74dd39b 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/smartsheet-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/smartsheet-saas.mdx
@@ -4,16 +4,15 @@ title: Smartsheet
 reviewed: 2024-07-08
 sidebar:
 order: 25
-
 ---
 This guide covers how to configure [Smartsheet](https://help.smartsheet.com/articles/2483123-domain-level-saml-configuration) as a SAML application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to a Smartsheet Enterprise account
-* A [domain](https://help.smartsheet.com/articles/2483051-domain-management) verified in Smartsheet
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to a Smartsheet Enterprise account
+- A [domain](https://help.smartsheet.com/articles/2483051-domain-management) verified in Smartsheet
 :::note
 In Smartsheet, SSO is configured for a domain. If you have multiple plans using the same domain, the SSO configuration will apply to all Smartsheet users in that domain, regardless of their plan type.
@@ -27,11 +26,11 @@ In Smartsheet, SSO is configured for a domain. If you have multiple plans using
 4. For the authentication protocol, select **SAML**.
 5. Select **Add application**.
 6. Fill in the following fields:
- * **Entity ID**: `urn:amazon:cognito:sp:us-east-1_xww1cbP43`
- * **Assertion Consumer Service URL**: `https://saml.authn.smartsheet.com/saml2/idpresponse`
- * **Name ID format**: *Unique ID*
+ - **Entity ID**: `urn:amazon:cognito:sp:us-east-1_xww1cbP43`
+ - **Assertion Consumer Service URL**: `https://saml.authn.smartsheet.com/saml2/idpresponse`
+ - **Name ID format**: _Unique ID_
 7. Copy the **SAML Metadata endpoint**.
-8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+8. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 9. Save the application.
 ## 2. Create and test a SAML SSO provider in Smartsheet
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/sparkpost-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/sparkpost-saas.mdx
index 186b9b127cf055..2d8ba4501fd955 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/sparkpost-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/sparkpost-saas.mdx
@@ -4,15 +4,14 @@ title: SparkPost
 reviewed: 2024-01-08
 sidebar:
 order: 26
-
 ---
 This guide covers how to configure [SparkPost or SparkPost EU](https://support.sparkpost.com/docs/my-account-and-profile/sso) as a SAML application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to a SparkPost or SparkPost EU account
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to a SparkPost or SparkPost EU account
 ## 1. Add a SaaS application to Cloudflare Zero Trust
@@ -22,17 +21,17 @@ This guide covers how to configure [SparkPost or SparkPost EU](https://support.s
 4. For the authentication protocol, select **SAML**.
 5. Select **Add application**.
 6. Fill in the following fields:
- * **Entity ID**:
- * `https://api.sparkpost.com` for SparkPost accounts
- * `https://api.eu.sparkpost.com` for SparkPost EU accounts
- * `https://` for SparkPost accounts with dedicated tenants
- * **Assertion Consumer Service URL**:
- * `https://api.sparkpost.com/api/v1/users/saml/consume` for SparkPost accounts
- * `https://api.eu.sparkpost.com/api/v1/users/saml/consume` for SparkPost EU accounts
- * `https:///api/v1/users/saml/consume` for SparkPost accounts with dedicated tenants
- * **Name ID format**: *Email*
+ - **Entity ID**:
+ - `https://api.sparkpost.com` for SparkPost accounts
+ - `https://api.eu.sparkpost.com` for SparkPost EU accounts
+ - `https://` for SparkPost accounts with dedicated tenants
+ - **Assertion Consumer Service URL**:
+ - `https://api.sparkpost.com/api/v1/users/saml/consume` for SparkPost accounts
+ - `https://api.eu.sparkpost.com/api/v1/users/saml/consume` for SparkPost EU accounts
+ - `https:///api/v1/users/saml/consume` for SparkPost accounts with dedicated tenants
+ - **Name ID format**: _Email_
 7. Copy the **SAML Metadata endpoint**.
-8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+8. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 9. Save the application.
 ## 2. Download the metadata file
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/tableau-saml-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/tableau-saml-saas.mdx
index 62133eb8ecf0fd..06b1268461f356 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/tableau-saml-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/tableau-saml-saas.mdx
@@ -4,21 +4,20 @@ title: Tableau Cloud
 reviewed: 2024-07-03
 sidebar:
 order: 27
-
 ---
 This guide covers how to configure [Tableau Cloud](https://help.tableau.com/current/online/en-us/saml_config_site.htm) as a SAML application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to a Tableau Cloud site
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to a Tableau Cloud site
 ## 1. Add a SaaS application to Cloudflare Zero Trust
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 2. Select **Add an application** > **SaaS**.
-3. For **Application**, select *Tableau*.
+3. For **Application**, select _Tableau_.
 4. For the authentication protocol, select **SAML**.
 5. Select **Add application**.
 6. Copy the **SAML Metadata endpoint**.
@@ -32,7 +31,7 @@ This guide covers how to configure [Tableau Cloud](https://help.tableau.com/curr
 ## 3. Add a SAML SSO provider to Tableau Cloud
 1. In Tableau Cloud, go to **Settings** > **Authentication**.
-2. Turn on **Enable an additional authentication method**. For **select authentication type**, select *SAML*.
+2. Turn on **Enable an additional authentication method**. For **select authentication type**, select _SAML_.
 3. Under **1. Get Tableau Cloud metadata**, copy the **Tableau Cloud entity ID** and **Tableau Cloud ACS URL**.
 4. Under **4. Upload metadata to Tableau**, select **Choose a file**, and upload the `.xml` file created in step [2. Download the metadata file](#2-download-the-metadata-file)
 5. Under **5. Map attributes**, turn on **Full name**. For **Name (full name)**, enter `name`.
@@ -42,10 +41,10 @@ This guide covers how to configure [Tableau Cloud](https://help.tableau.com/curr
 ## 4. Finish adding a SaaS application to Cloudflare Zero Trust
 1. In your open Zero Trust window, fill in the following fields:
- * **Entity ID**: Tableau Cloud entity ID from Tableau Cloud SAML SSO set-up.
- * **Assertion Consumer Service URL**: Tableau Cloud ACS URL from Tableau Cloud SAML SSO set-up.
- * **Name ID format**: *Email*
-2. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+ - **Entity ID**: Tableau Cloud entity ID from Tableau Cloud SAML SSO set-up.
+ - **Assertion Consumer Service URL**: Tableau Cloud ACS URL from Tableau Cloud SAML SSO set-up.
+ - **Name ID format**: _Email_
+2. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 3. Save the application.
 ## 5. Test the integration and set default authentication type
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/workday-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/workday-saas.mdx
index 9f2a1fc95e3032..7c90172a542d7d 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/workday-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/workday-saas.mdx
@@ -4,15 +4,14 @@ title: Workday
 reviewed: 2024-07-17
 sidebar:
 order: 28
-
 ---
 This guide covers how to configure [Workday](https://doc.workday.com/admin-guide/en-us/authentication-and-security/authentication/saml/dan1370796470811.html?toc=1.5.1) as a SAML application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to a Workday account
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to a Workday account
 ## 1. Add a SaaS application to Cloudflare Zero Trust
@@ -22,11 +21,11 @@ This guide covers how to configure [Workday](https://doc.workday.com/admin-guide
 4. For the authentication protocol, select **SAML**.
 5. Select **Add application**.
 6. Fill in the following fields:
- * **Entity ID**: `http://www.workday.com`
- * **Assertion Consumer Service URL**: `https://.myworkday.com//login-saml.flex` for a production account or `https://-impl.myworkday.com//login-saml.flex` for a preview sandbox account
- * **Name ID format**: *Email*
+ - **Entity ID**: `http://www.workday.com`
+ - **Assertion Consumer Service URL**: `https://.myworkday.com//login-saml.flex` for a production account or `https://-impl.myworkday.com//login-saml.flex` for a preview sandbox account
+ - **Name ID format**: _Email_
 7. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**.
-8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+8. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 9. Save the application.
 ## 2. Download the metadata file
@@ -40,20 +39,20 @@ This guide covers how to configure [Workday](https://doc.workday.com/admin-guide
 2. Under **SAML Setup**, turn on **Enable SAML Authentication**.
 3. In the **SAML Identity Providers** table, select **+**.
 4. Fill in the following fields:
- * **Identity Provider Name**: Your desired name for the identity provider (for example, `Cloudflare Access`)
- * **Issuer**: Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust
- * **IdP SSO Service URL**: SSO endpoint from application configuration in Cloudflare Zero Trust
+ - **Identity Provider Name**: Your desired name for the identity provider (for example, `Cloudflare Access`)
+ - **Issuer**: Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust
+ - **IdP SSO Service URL**: SSO endpoint from application configuration in Cloudflare Zero Trust
 5. Under **x509 Certificate**, select the menu icon > **Create x509 Public Key**.
 6. Under **Name**, enter a unique name (for example, `access`).
 7. Under **Certificate**, paste the Public key from application configuration in Cloudflare Zero Trust.
 8. Select **OK**.
 9. If you want to enable SP-initiated login (login initiated by going to your Workday URL), fill in the following fields:
- * **SP Initiated**: Turn on.
- * **Service Provider ID**: `http://www.workday.com`
- * **Sign SP-initiated request**: Turn off.
+ - **SP Initiated**: Turn on.
+ - **Service Provider ID**: `http://www.workday.com`
+ - **Sign SP-initiated request**: Turn off.
 10. Under **Single Sign-On**, add one or both of the following entries to the **Redirection URLs** grid. For each entry, if your user groups will use the same authentication option to sign in, select **Single URL**. If they will use different authentication options, select **Authentication selector**.
- * IdP-initiated SSO: Under **Login Redirect URL**, enter `.cloudflareaccess.com`.
- * SP-initiated SSO: Under **Login Redirect URL**, enter `https:///.cloudflareaccess.com`. + - SP-initiated SSO: Under **Login Redirect URL**, enter `https:///.cloudflareaccess.com`. Select the **Workday** tile. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. + - **If you have enabled SP-initiated login**: Open an incognito browser window, go to your Workday URL, and enter your test user's email. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. + - **If you have not enabled SP-initiated login**: Go to your App Launcher at `https://.cloudflareaccess.com`. Select the **Workday** tile. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. 6. Once login is successful, you can configure your security settings further, such as adding [user groups](https://doc.workday.com/admin-guide/en-us/authentication-and-security/configurable-security/security-groups/user-based-security-groups/dan1370796695367.html?toc=2.2.12.0) or [authentication rules](https://doc.workday.com/admin-guide/en-us/authentication-and-security/authentication/authentication-policies/dan1370796466772.html) to configure different login rules for different groups of users. diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zendesk-sso-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zendesk-sso-saas.mdx index cdaf7250792ee5..15b7a8dbd25e3a 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zendesk-sso-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zendesk-sso-saas.mdx 
@@ -38,21 +38,20 @@ This guide covers how to configure [Zendesk](https://support.zendesk.com/hc/en-u
 Zendesk will [use the user's email address as their name](https://support.zendesk.com/hc/en-us/articles/203663676#topic_dzb_gl5_2v) if the name is not provided.
-6. To determine who can access Zendesk, [create an Access policy](/cloudflare-one/policies/access/).
+6. To determine who can access Zendesk, [create an Access policy](/cloudflare-one/access-controls/policies/).
 7. Copy the **SSO Endpoint** and **Public Key**.
 8. Transform the public key into a fingerprint:
+ 1. Open a [fingerprint calculator](https://www.samltool.com/fingerprint.php).
- 1. Open a [fingerprint calculator](https://www.samltool.com/fingerprint.php).
+ 2. Paste the **Public Key** into **X.509 cert**.
- 2. Paste the **Public Key** into **X.509 cert**.
+ 3. Wrap the value with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.
- 3. Wrap the value with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.
+ 4. Set **Algorithm** to _SHA256_ and select **Calculate Fingerprint**.
- 4. Set **Algorithm** to _SHA256_ and select **Calculate Fingerprint**.
-
- 5. Copy the **Formatted FingerPrint** value.
+ 5. Copy the **Formatted FingerPrint** value.
 9. Add the Cloudflare values to the following Zendesk fields:
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zoom-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zoom-saas.mdx
index 9ebfe3a2a8758f..6aee21b46da033 100644
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zoom-saas.mdx
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zoom-saas.mdx
@@ -4,31 +4,30 @@ title: Zoom
 reviewed: 2024-07-17
 sidebar:
 order: 30
-
 ---
-This guide covers how to configure [Zoom](https://support.zoom.com/hc/en/article?id=zm_kb\&sysparm_article=KB0060673) as a SAML application in Cloudflare Zero Trust.
+This guide covers how to configure [Zoom](https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0060673) as a SAML application in Cloudflare Zero Trust.
 ## Prerequisites
-* An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
-* Admin access to a Zoom Business, Education, or Enterprise account
-* An [associated domain](https://support.zoom.com/hc/en/article?id=zm_kb\&sysparm_article=KB0066259) configured in your Zoom account
-* A [vanity URL](https://support.zoom.com/hc/en/article?id=zm_kb\&sysparm_article=KB0061540) configured in your Zoom account
+- An [identity provider](/cloudflare-one/integrations/identity-providers/) configured in Cloudflare Zero Trust
+- Admin access to a Zoom Business, Education, or Enterprise account
+- An [associated domain](https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0066259) configured in your Zoom account
+- A [vanity URL](https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0061540) configured in your Zoom account
 ## 1. Add a SaaS application to Cloudflare Zero Trust
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 2. Select **Add an application** > **SaaS** > **Select**.
-3. For **Application**, select *Zoom*.
+3. For **Application**, select _Zoom_.
 4. For the authentication protocol, select **SAML**.
 5. Select **Add application**.
 6. Fill in the following fields:
- * **Entity ID**: ` https://.zoom.us`
- * **Assertion Consumer Service URL**: `https://.zoom.us/saml/SSO`
- * **Name ID format**: *Email*
+ - **Entity ID**: ` https://.zoom.us`
+ - **Assertion Consumer Service URL**: `https://.zoom.us/saml/SSO`
+ - **Name ID format**: _Email_
 7. Copy the **Access Entity ID or Issuer**, **Public key**, and **SSO endpoint**.
-8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+8. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
 9. Save the application.
 ## 2. Add a SAML SSO provider in Zoom
@@ -36,11 +35,11 @@ This guide covers how to configure [Zoom](https://support.zoom.com/hc/en/article
 1. In Zoom, go to **Advanced** > **Single Sign-On**.
 2. For **Vanity URL**, select the vanity URL you want to configure SSO for.
 3. Fill out the following fields:
- * **Sign in page URL**: SSO endpoint from application configuration in Cloudflare Zero Trust
- * **Identity Provider Certificate**: Public key from application configuration in Cloudflare Zero Trust
- * **Service Provider (SP) Entity ID**: `yourvanityurl.zoom.us` (no `https://`)
- * **Issuer (DP Entity ID)**: Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust
-4. For **Binding**, select *http-redirect*.
+ - **Sign in page URL**: SSO endpoint from application configuration in Cloudflare Zero Trust
+ - **Identity Provider Certificate**: Public key from application configuration in Cloudflare Zero Trust
+ - **Service Provider (SP) Entity ID**: `yourvanityurl.zoom.us` (no `https://`)
+ - **Issuer (DP Entity ID)**: Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust
+4. For **Binding**, select _http-redirect_.
 5. For **Signature Hash Algorithm**, ensure **SHA-256** is selected.
 6. Under **Security**, turn off **Sign SAML request** and **Sign SAML logout request**.
 7. Select **Save Changes**.
diff --git a/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp.mdx b/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp.mdx
index 3e2cb95bebc2cc..0aa8b66fbd4a1d 100644
--- a/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp.mdx
+++ b/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp.mdx
@@ -41,7 +41,7 @@ Once selected, `cloudflared` will download a wildcard certificate for the site.
 ### 3. Secure the subdomain with Cloudflare Access
-Next, protect the subdomain you plan to register with a Cloudflare Access policy. Follow [these instructions](/cloudflare-one/policies/access/) to build a new policy to control who can connect to the resource.
+Next, protect the subdomain you plan to register with a Cloudflare Access policy. Follow [these instructions](/cloudflare-one/access-controls/policies/) to build a new policy to control who can connect to the resource.
 For example, if you share the resource at `tcp.site.com`, build a policy to only allow your team members to connect to that subdomain.
diff --git a/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/index.mdx b/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/index.mdx
index 1040d3dbbd6538..4c1b853015c6bb 100644
--- a/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/index.mdx
+++ b/src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/index.mdx
@@ -12,14 +12,14 @@ Users log in to the application by running a `cloudflared access` command in the
 :::note
-Automated services should only authenticate with `cloudflared` if they cannot use a [service token](/cloudflare-one/identity/service-tokens/). Cloudflared authentication relies on WebSockets to establish a connection. WebSockets have a known limitation where persistent connections may close unexpectedly. We recommend either a [Service Auth policy](/cloudflare-one/policies/access/#service-auth) or using [Warp to Tunnel routing](/cloudflare-one/applications/non-http/) in these instances.
+Automated services should only authenticate with `cloudflared` if they cannot use a [service token](/cloudflare-one/identity/service-tokens/). Cloudflared authentication relies on WebSockets to establish a connection. WebSockets have a known limitation where persistent connections may close unexpectedly. We recommend either a [Service Auth policy](/cloudflare-one/access-controls/policies/#service-auth) or using [Warp to Tunnel routing](/cloudflare-one/applications/non-http/) in these instances.
 :::
 For examples of how to connect to Access applications with client-side `cloudflared`, refer to these tutorials:
-* [Connect through Access using a CLI](/cloudflare-one/tutorials/cli/)
-* [Connect through Access using kubectl](/cloudflare-one/tutorials/kubectl/)
-* [Connect over SSH with cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-cloudflared-authentication/) (legacy) -- SSH connections are now managed through [Access for Infrastructure](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/).
-* [Connect over RDP with cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/#connect-to-rdp-server-with-cloudflared-access)
-* [Connect over SMB with cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb/)
-* [Connect over arbitrary TCP with cloudflared](/cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/)
\ No newline at end of file
+- [Connect through Access using a CLI](/cloudflare-one/tutorials/cli/)
+- [Connect through Access using kubectl](/cloudflare-one/tutorials/kubectl/)
+- [Connect over SSH with cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-cloudflared-authentication/) (legacy) -- SSH connections are now managed through [Access for Infrastructure](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/).
+- [Connect over RDP with cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/#connect-to-rdp-server-with-cloudflared-access)
+- [Connect over SMB with cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb/)
+- [Connect over arbitrary TCP with cloudflared](/cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/)
diff --git a/src/content/docs/cloudflare-one/applications/non-http/index.mdx b/src/content/docs/cloudflare-one/applications/non-http/index.mdx
index 7864d4cb361610..d548c27f9c0826 100644
--- a/src/content/docs/cloudflare-one/applications/non-http/index.mdx
+++ b/src/content/docs/cloudflare-one/applications/non-http/index.mdx
@@ -21,7 +21,7 @@ Non-HTTP applications require [connecting your private network](/cloudflare-one/
 ## WARP client
-Users can connect by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access any private route unless they are protected by an Access policy or Gateway firewall rule. To secure the application, you can [create a self-hosted application](/cloudflare-one/applications/non-http/self-hosted-private-app/) for a private IP range, port range, and/or hostname and build [Access policies](/cloudflare-one/policies/access/) that allow or block specific users.
+Users can connect by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices connect to your applications as if they were on your private network. By default, all devices enrolled in your organization can access any private route unless they are protected by an Access policy or Gateway firewall rule. To secure the application, you can [create a self-hosted application](/cloudflare-one/applications/non-http/self-hosted-private-app/) for a private IP range, port range, and/or hostname and build [Access policies](/cloudflare-one/access-controls/policies/) that allow or block specific users.
 If you would like to define how users access specific infrastructure servers within your network, [create an infrastructure application](/cloudflare-one/applications/non-http/infrastructure-apps/) in Access for Infrastructure. Access for Infrastructure provides an additional layer of control and visibility over how users access non-HTTP applications, including:
diff --git a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx
index e5785ece4551df..66fd1ac1b25bde 100644
--- a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx
+++ b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx
@@ -10,8 +10,8 @@ import { Badge, Details, Tabs, TabItem, Render } from "~/components";
| [WARP modes](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | -| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------- | -|
  • Gateway with WARP
  • Secure Web Gateway without DNS filtering
| All plans | +| ---------------------------------------------------------------------------------------- | ------------------------------------------------------------- | +|
  • Gateway with WARP
  • Secure Web Gateway without DNS filtering
| All plans | | System | Availability | | -------- | ------------ |
@@ -63,7 +63,7 @@ Certain protocols require configuring the server to trust connections through Ac
 ## 5. Connect as a user
-Users connect to the target's IP address using their preferred client software. The user must be logged into WARP on their device, but no other system configuration is required. You can optionally configure a [private DNS resolver](/cloudflare-one/policies/gateway/resolver-policies/) to allow connections to the target's private hostname.
+Users connect to the target's IP address using their preferred client software. The user must be logged into WARP on their device, but no other system configuration is required. You can optionally configure a [private DNS resolver](/cloudflare-one/traffic-policies/resolver-policies/) to allow connections to the target's private hostname.
 ### Connect to different VNET
@@ -106,7 +106,7 @@ To revoke a user's access to all infrastructure targets, you can either [revoke
 ## Infrastructure policy selectors
-The following [Access policy selectors](/cloudflare-one/policies/access/#selectors) are available for securing infrastructure applications:
+The following [Access policy selectors](/cloudflare-one/access-controls/policies/#selectors) are available for securing infrastructure applications:
 - Email
 - Emails ending in
diff --git a/src/content/docs/cloudflare-one/applications/non-http/legacy-private-network-app.mdx b/src/content/docs/cloudflare-one/applications/non-http/legacy-private-network-app.mdx
index 9fe81db67fed37..b7a4fa86d23495 100644
--- a/src/content/docs/cloudflare-one/applications/non-http/legacy-private-network-app.mdx
+++ b/src/content/docs/cloudflare-one/applications/non-http/legacy-private-network-app.mdx
@@ -24,7 +24,7 @@ To create a private network application:
 5. For **Value**, enter the IP address for your application (for example, `10.128.0.7`).
 :::note
- If you would like to create a policy for an IP/CIDR range instead of a specific IP address, you can build a [Gateway Network policy](/cloudflare-one/policies/gateway/network-policies/) using the **Destination IP** selector.
+ If you would like to create a policy for an IP/CIDR range instead of a specific IP address, you can build a [Gateway Network policy](/cloudflare-one/traffic-policies/network-policies/) using the **Destination IP** selector.
 :::
 6. Configure your [App Launcher](/cloudflare-one/applications/app-launcher/) visibility and logo.
@@ -46,7 +46,7 @@ To create a private network application:
 | -------------- | -------- | ------------ | ------ |
 | Destination IP | in | `10.128.0.7` | Block |
- Policies are evaluated in [numerical order](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence), so a user with an email ending in @example.com will be able to access `10.128.0.7` while all others will be blocked. For more information on building network policies, refer to our [dedicated documentation](/cloudflare-one/policies/gateway/network-policies/).
+ Policies are evaluated in [numerical order](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence), so a user with an email ending in @example.com will be able to access `10.128.0.7` while all others will be blocked. For more information on building network policies, refer to our [dedicated documentation](/cloudflare-one/traffic-policies/network-policies/).
 9. Select **Add application**.
diff --git a/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx b/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx
index 1afdfd00a1124d..e87bd18bf82b41 100644
--- a/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx
+++ b/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx
@@ -17,9 +17,9 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl
 ## Prerequisites
 - Private IPs and hostnames are reachable over Cloudflare WARP, Magic WAN or Browser Isolation. For more details, refer to [Connect a private network](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/).
-- Private hostnames route to your custom DNS resolver through [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/local-domains/) or [Gateway resolver policies](/cloudflare-one/policies/gateway/resolver-policies/).
+- Private hostnames route to your custom DNS resolver through [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/local-domains/) or [Gateway resolver policies](/cloudflare-one/traffic-policies/resolver-policies/).
 - Public IPs and hostnames can be used to define a private application, however the IP or hostname must route through Cloudflare via [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/), [WARP Connector](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/), or [Magic WAN](/magic-wan/configuration/manually/how-to/configure-routes/).
-- (Optional) Turn on [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) if you want to use Access JWTs to manage [HTTPS application sessions](#https-applications).
+- (Optional) Turn on [Gateway TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) if you want to use Access JWTs to manage [HTTPS application sessions](#https-applications).
 ## Add your application to Access
@@ -29,10 +29,10 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl
 params={{ private: true }} />
-6. Add the private IP and/or private hostname that represents the application. You can use [wildcards](/cloudflare-one/policies/access/app-paths/) with private hostnames to protect multiple parts of an application that share a root path.
+6. Add the private IP and/or private hostname that represents the application. You can use [wildcards](/cloudflare-one/access-controls/policies/app-paths/) with private hostnames to protect multiple parts of an application that share a root path.
 :::note
- Private hostnames are currently only available over port `443` over HTTPS and the application must have a valid Server Name Indicator (SNI). If you are configuring a private IP on any port other than `443` and plan to use Browser Isolation, note that this [will result in a Gateway block page](/cloudflare-one/policies/browser-isolation/known-limitations/#browser-isolation-is-not-compatible-with-private-ips-on-non-443-ports).
+ Private hostnames are currently only available over port `443` over HTTPS and the application must have a valid Server Name Indicator (SNI). If you are configuring a private IP on any port other than `443` and plan to use Browser Isolation, note that this [will result in a Gateway block page](/cloudflare-one/remote-browser-isolation/known-limitations/#browser-isolation-is-not-compatible-with-private-ips-on-non-443-ports).
 :::
 7.
@@ -56,7 +56,7 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl
 product="cloudflare-one" />
- These settings only apply to private hostnames and require [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/).
+ These settings only apply to private hostnames and require [Gateway TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/).
 14. Select **Save**.
@@ -66,9 +66,9 @@ Users can now connect to your private application after authenticating with Clou
 ### HTTPS applications
-If [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) is turned on and a user is accessing an HTTPS application on port `443`, Cloudflare Access will present a login page in the browser and issue an [application token](/cloudflare-one/identity/authorization-cookie/application-token/) to your origin. This is the same cookie-based authentication flow used by [self-hosted public apps](/cloudflare-one/applications/configure-apps/self-hosted-public-app/).
+If [Gateway TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is turned on and a user is accessing an HTTPS application on port `443`, Cloudflare Access will present a login page in the browser and issue an [application token](/cloudflare-one/identity/authorization-cookie/application-token/) to your origin. This is the same cookie-based authentication flow used by [self-hosted public apps](/cloudflare-one/applications/configure-apps/self-hosted-public-app/).
-If [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) is turned off, session management is [handled in the WARP client](#non-https-applications) instead of in the browser.
+If [Gateway TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is turned off, session management is [handled in the WARP client](#non-https-applications) instead of in the browser.
 ### Non-HTTPS applications
@@ -80,8 +80,12 @@ The WARP client manages sessions for all non-HTTPS applications. Users will rece
 ### Access vs Gateway policies - + ### Private hostname vs private IP
-An Access application defined by a private hostname takes precedence over an Access application defined by a private IP. For example, assume App-1 points to `wiki.internal.local` and App-2 points to `10.0.0.1`, but `wiki.internal.local` resolves to `10.0.0.1`. Users who go to `wiki.internal.local` will never match App-2; they will be allowed or blocked strictly based on App-1 Access policies (and [Gateway policies](#access-vs-gateway-policies)).
+An Access application defined by a private hostname takes precedence over an Access application defined by a private IP. For example, assume App-1 points to `wiki.internal.local` and App-2 points to `10.0.0.1`, but `wiki.internal.local` resolves to `10.0.0.1`. Users who go to `wiki.internal.local` will never match App-2; they will be allowed or blocked strictly based on App-1 Access policies (and [Gateway policies](#access-vs-gateway-policies)).
diff --git a/src/content/docs/cloudflare-one/applications/non-http/short-lived-certificates-legacy.mdx b/src/content/docs/cloudflare-one/applications/non-http/short-lived-certificates-legacy.mdx
index 64e58793d0ddab..6a5867334db4d9 100644
--- a/src/content/docs/cloudflare-one/applications/non-http/short-lived-certificates-legacy.mdx
+++ b/src/content/docs/cloudflare-one/applications/non-http/short-lived-certificates-legacy.mdx
@@ -28,7 +28,7 @@ To secure your server behind Cloudflare Access:
 2. Create a [self-hosted Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) for the server.
 :::note
-If you do not wish to use Access, refer instead to our [SSH proxy instructions](/cloudflare-one/policies/gateway/network-policies/ssh-logging/).
+If you do not wish to use Access, refer instead to our [SSH proxy instructions](/cloudflare-one/traffic-policies/network-policies/ssh-logging/).
 :::
 ## 2. Ensure Unix usernames match user SSO identities
@@ -92,4 +92,4 @@ By default, the browser-based terminal prompts the user for a username/password
 ---
-Your SSH server is now protected behind Cloudflare Access — users will be prompted to authenticate with your identity provider before they can connect. You can also enable SSH command logging by configuring a [Gateway Audit SSH policy](/cloudflare-one/policies/gateway/network-policies/ssh-logging/).
+Your SSH server is now protected behind Cloudflare Access — users will be prompted to authenticate with your identity provider before they can connect. You can also enable SSH command logging by configuring a [Gateway Audit SSH policy](/cloudflare-one/traffic-policies/network-policies/ssh-logging/).
diff --git a/src/content/docs/cloudflare-one/changelog/access.mdx b/src/content/docs/cloudflare-one/changelog/access.mdx
index 00e9c4dfc44cf0..d955ee7807d30e 100644
--- a/src/content/docs/cloudflare-one/changelog/access.mdx
+++ b/src/content/docs/cloudflare-one/changelog/access.mdx
@@ -23,7 +23,7 @@ You can now filter Access policies by their action, selectors, rule groups, and
 **Private self-hosted applications and reusable policies GA**
-[Private self-hosted applications](/cloudflare-one/applications/non-http/self-hosted-private-app/) and [reusable Access policies](/cloudflare-one/policies/access/policy-management/) are now generally available (GA) for all customers.
+[Private self-hosted applications](/cloudflare-one/applications/non-http/self-hosted-private-app/) and [reusable Access policies](/cloudflare-one/access-controls/policies/policy-management/) are now generally available (GA) for all customers.
 ## 2025-01-21
diff --git a/src/content/docs/cloudflare-one/changelog/dlp.mdx b/src/content/docs/cloudflare-one/changelog/dlp.mdx
index 887048d91c7bc7..38a37be0cfdb58 100644
--- a/src/content/docs/cloudflare-one/changelog/dlp.mdx
+++ b/src/content/docs/cloudflare-one/changelog/dlp.mdx
@@ -23,19 +23,19 @@ When viewing decrypted payload log matches, DLP now provides more context by lis
 **Profile confidence levels**
-DLP profiles now support setting a [confidence level](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-levels) to choose how tolerant its detections are to false positives based on the context of the detection. The higher a profile's confidence level is, the less false positives will be allowed. Confidence levels include Low, Medium, or High. DLP profile confidence levels supersede [context analysis](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#context-analysis).
+DLP profiles now support setting a [confidence level](/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/#confidence-levels) to choose how tolerant its detections are to false positives based on the context of the detection. The higher a profile's confidence level is, the less false positives will be allowed. Confidence levels include Low, Medium, or High. DLP profile confidence levels supersede [context analysis](/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/#context-analysis).
 ## 2024-11-01
 **Send entire HTTP requests to a Logpush destination**
-In addition to [logging the payload](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules) from HTTP requests that matched a DLP policy in Cloudflare Logs, Enterprise users can now configure a [Logpush job](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#send-http-requests-to-logpush-destination) to send the entire HTTP request that triggered a DLP match to a storage destination. This allows long-term storage of full requests for use in forensic investigation.
+In addition to [logging the payload](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules) from HTTP requests that matched a DLP policy in Cloudflare Logs, Enterprise users can now configure a [Logpush job](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#send-http-requests-to-logpush-destination) to send the entire HTTP request that triggered a DLP match to a storage destination. This allows long-term storage of full requests for use in forensic investigation.
 ## 2024-09-03
 **Exact Data Match multi-entry upload support**
-You can now upload files with [multiple columns of data](/cloudflare-one/policies/data-loss-prevention/detection-entries/#upload-a-new-dataset) as Exact Data Match datasets. DLP can use each column as a separate existing detection entry.
+You can now upload files with [multiple columns of data](/cloudflare-one/data-loss-prevention/detection-entries/#upload-a-new-dataset) as Exact Data Match datasets. DLP can use each column as a separate existing detection entry.
 ## 2024-05-23
@@ -47,4 +47,4 @@ You can now scan your [Box](/cloudflare-one/applications/casb/casb-integrations/
 **Optical character recognition**
-DLP can now [detect sensitive data](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#optical-character-recognition-ocr) in jpeg, jpg, and png files. This helps companies prevent the leak of sensitive data in images, such as screenshots.
+DLP can now [detect sensitive data](/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/#optical-character-recognition-ocr) in jpeg, jpg, and png files. This helps companies prevent the leak of sensitive data in images, such as screenshots.
diff --git a/src/content/docs/cloudflare-one/changelog/gateway.mdx b/src/content/docs/cloudflare-one/changelog/gateway.mdx
index 4bb15d9d8bd821..5358b0217a8a9e 100644
--- a/src/content/docs/cloudflare-one/changelog/gateway.mdx
+++ b/src/content/docs/cloudflare-one/changelog/gateway.mdx
@@ -17,7 +17,7 @@ import { ProductChangelog, Render } from "~/components";
 **Upload/Download File Size selectors for HTTP policies**
-Gateway and DLP users can now create HTTP policies with the [Download and Upload File Size (MiB)](/cloudflare-one/policies/gateway/http-policies/#download-and-upload-file-size) traffic selectors. This update allows users to block uploads or downloads based on file size.
+Gateway and DLP users can now create HTTP policies with the [Download and Upload File Size (MiB)](/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-size) traffic selectors. This update allows users to block uploads or downloads based on file size.
 ## 2025-02-02
@@ -35,7 +35,7 @@ Enterprise users can now [provide an IP address](/cloudflare-one/team-and-resour
 **Category filtering in the network policy builder**
-Gateway users can now create network policies with the [Content Categories](/cloudflare-one/policies/gateway/network-policies/#content-categories) and [Security Risks](/cloudflare-one/policies/gateway/network-policies/#security-risks) traffic selectors. This update simplifies malicious traffic blocking and streamlines network monitoring for improved security management.
+Gateway users can now create network policies with the [Content Categories](/cloudflare-one/traffic-policies/network-policies/#content-categories) and [Security Risks](/cloudflare-one/traffic-policies/network-policies/#security-risks) traffic selectors. This update simplifies malicious traffic blocking and streamlines network monitoring for improved security management.
 ## 2024-10-17
@@ -47,7 +47,7 @@ Gateway users can now generate [unique root CAs](/cloudflare-one/team-and-resour
 **Time-based policy duration**
-Gateway now offers [time-based DNS policy duration](/cloudflare-one/policies/gateway/dns-policies/timed-policies/#time-based-policy-duration). With policy duration, you can configure a duration of time for a policy to turn on or set an exact date and time to turn a policy off.
+Gateway now offers [time-based DNS policy duration](/cloudflare-one/traffic-policies/dns-policies/timed-policies/#time-based-policy-duration). With policy duration, you can configure a duration of time for a policy to turn on or set an exact date and time to turn a policy off.
 ## 2024-10-04
@@ -59,7 +59,7 @@ Gateway now offers new fields in [activity logs](/cloudflare-one/insights/logs/g
 **File sandboxing**
-Gateway users on Enterprise plans can create HTTP policies with [file sandboxing](/cloudflare-one/policies/gateway/http-policies/file-sandboxing/) to quarantine previously unseen files downloaded by your users and scan them for malware.
+Gateway users on Enterprise plans can create HTTP policies with [file sandboxing](/cloudflare-one/traffic-policies/http-policies/file-sandboxing/) to quarantine previously unseen files downloaded by your users and scan them for malware.
 ## 2024-07-30
@@ -77,10 +77,10 @@ Gateway users can now select which endpoints to use for a given DNS location. Av
 **Gateway DNS policy setting to ignore CNAME category matches**
-Gateway now offers the ability to selectively ignore CNAME domain categories in DNS policies via the [**Ignore CNAME domain categories** setting](/cloudflare-one/policies/gateway/domain-categories/#ignore-cname-domain-categories) in the policy builder and the [`ignore_cname_category_matches` setting](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) in the API.
+Gateway now offers the ability to selectively ignore CNAME domain categories in DNS policies via the [**Ignore CNAME domain categories** setting](/cloudflare-one/traffic-policies/domain-categories/#ignore-cname-domain-categories) in the policy builder and the [`ignore_cname_category_matches` setting](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) in the API.
 ## 2024-04-05
 **Gateway file type control improvements**
-Gateway now offers a more extensive, categorized [list of files](/cloudflare-one/policies/gateway/http-policies/#download-and-upload-file-types) to control uploads and downloads.
+Gateway now offers a more extensive, categorized [list of files](/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) to control uploads and downloads.
diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/detection-entries.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/detection-entries.mdx
similarity index 87%
rename from src/content/docs/cloudflare-one/policies/data-loss-prevention/detection-entries.mdx
rename to src/content/docs/cloudflare-one/data-loss-prevention/detection-entries.mdx
index faaf166dd29540..d7ae0556086d17 100644
--- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/detection-entries.mdx
+++ b/src/content/docs/cloudflare-one/data-loss-prevention/detection-entries.mdx
@@ -7,9 +7,9 @@ sidebar:
 import { Details } from "~/components";
-Cloudflare DLP can scan your web traffic and SaaS applications for specific data defined in custom detection entries. Detection entries allow you to define custom data patterns for DLP to detect using [DLP profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/). Detection entries include custom [datasets](#datasets) with defined data, [document entries](#documents) with example fingerprints, and [AI prompt topics](#ai-prompt-topics).
+Cloudflare DLP can scan your web traffic and SaaS applications for specific data defined in custom detection entries. Detection entries allow you to define custom data patterns for DLP to detect using [DLP profiles](/cloudflare-one/data-loss-prevention/dlp-profiles/). Detection entries include custom [datasets](#datasets) with defined data, [document entries](#documents) with example fingerprints, and [AI prompt topics](#ai-prompt-topics).
-You can configure sensitive data to be hashed before reaching Cloudflare and redacted from matches in [payload logs](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules).
+You can configure sensitive data to be hashed before reaching Cloudflare and redacted from matches in [payload logs](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules).
 ## Datasets
@@ -77,7 +77,7 @@ DLP will save your dataset in cleartext.
-The dataset will appear in the list with an **Uploading** status. Once the upload is complete, the status will change to **Complete**. To use your uploaded dataset, add it as an existing entry to a [custom DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/#build-a-custom-profile).
+The dataset will appear in the list with an **Uploading** status. Once the upload is complete, the status will change to **Complete**. To use your uploaded dataset, add it as an existing entry to a [custom DLP profile](/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile).
 ### Manage existing datasets
@@ -92,7 +92,7 @@ Uploaded DLP datasets are read-only. To update a dataset, you must upload a new
 Your new dataset will replace the original dataset.
 :::caution[Remove existing column entries]
-If you want to update an Exact Data Match dataset to remove a column in use as an [existing detection entry](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/#build-a-custom-profile), you must remove the existing entry from any custom DLP profiles using it before updating the dataset.
+If you want to update an Exact Data Match dataset to remove a column in use as an [existing detection entry](/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile), you must remove the existing entry from any custom DLP profiles using it before updating the dataset.
 :::
 ## Documents
@@ -119,7 +119,7 @@ To upload a new document entry to DLP:
 The document will appear in the list with a **Pending** status. Once the upload is complete, the status will change to **Complete**. If you created a document entry with Terraform, the status will be **No file** until you upload a file.
-To use your uploaded document fingerprint, add it as an existing entry to a [custom DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/#build-a-custom-profile).
+To use your uploaded document fingerprint, add it as an existing entry to a [custom DLP profile](/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile).
 ### Manage existing document entries
@@ -135,7 +135,7 @@ Your new document entry will replace the original document entry. If your file u
 ## AI prompt topics
-DLP uses [Application Granular Controls](/cloudflare-one/policies/gateway/http-policies/#application-granular-controls) to detect and categorize prompts submitted to generative AI tools. Application Granular Controls analyzes prompts for both content and user intent. Supported AI prompt protection detections include:
+DLP uses [Application Granular Controls](/cloudflare-one/traffic-policies/http-policies/#application-granular-controls) to detect and categorize prompts submitted to generative AI tools. Application Granular Controls analyzes prompts for both content and user intent. Supported AI prompt protection detections include:
 | Detection entry | Description | | ------------------------------------- | ------------------------------------------------------------------------------------------------- |
@@ -150,4 +150,4 @@ DLP uses [Application Granular Controls](/cloudflare-one/policies/gateway/http-p
 Each detection entry is categorized as either Content or Intent. Content focuses on the specific text or data the user provides the generative AI tool. It is the information the AI needs to process and analyze to generate a response. Intent focuses on the user's goal or objective for the AI's response. It dictates the type of output the user wants to receive. This category is particularly useful for customers who are using SaaS connectors or MCPs that provide the AI application access to internal data sources that contain sensitive information.
-To use an AI prompt topic, configure the corresponding [predefined DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/#ai-prompt) or add it as an existing entry to a [custom DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/#build-a-custom-profile). AI prompt protection is available for ChatGPT, Google Gemini, Perplexity, and Claude.
+To use an AI prompt topic, configure the corresponding [predefined DLP profile](/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#ai-prompt) or add it as an existing entry to a [custom DLP profile](/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile). AI prompt protection is available for ChatGPT, Google Gemini, Perplexity, and Claude.
diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/common-policies.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/common-policies.mdx
similarity index 87%
rename from src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/common-policies.mdx
rename to src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/common-policies.mdx
index c1a44768037870..8843f6f73c0669 100644
--- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/common-policies.mdx
+++ b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/common-policies.mdx
@@ -25,11 +25,11 @@ The **Allow** action functions as an implicit logger, providing visibility into
-For more information on what file formats DLP can scan, refer to [Supported file types](/cloudflare-one/policies/data-loss-prevention/#supported-file-types).
+For more information on what file formats DLP can scan, refer to [Supported file types](/cloudflare-one/data-loss-prevention/#supported-file-types).
 ## Block uploads/downloads for specific users
-You can configure access on a per-user or group basis by adding [identity-based conditions](/cloudflare-one/policies/gateway/identity-selectors/) to your policies. The following example blocks only contractors from uploading/downloading Financial Information to file sharing apps.
+You can configure access on a per-user or group basis by adding [identity-based conditions](/cloudflare-one/traffic-policies/identity-selectors/) to your policies. The following example blocks only contractors from uploading/downloading Financial Information to file sharing apps.
 | Selector | Operator | Value | Logic | Action | | ------------------ | -------- | ----------------------- | ----- | ------ |
@@ -39,7 +39,7 @@ You can configure access on a per-user or group basis by adding [identity-based
 ## Exclude Android applications
-Many Android applications (such as Google Drive) use certificate pinning, which is incompatible with Gateway inspection. If needed, you can create a [Do Not Inspect policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) so that the app can continue to function on Android:
+Many Android applications (such as Google Drive) use certificate pinning, which is incompatible with Gateway inspection. If needed, you can create a [Do Not Inspect policy](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) so that the app can continue to function on Android:
 1. Set up an [OS version device posture check](/cloudflare-one/identity/devices/warp-client-checks/os-version/) that checks for the Android operating system.
@@ -54,9 +54,9 @@ Android users can now use the app, but the app traffic will bypass DLP scanning.
 ## Exclude specific sites
-In your [DLP logs](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#4-view-dlp-logs), you may find that certain sites are a common source of noise. To exempt these sites from DLP scanning:
+In your [DLP logs](/cloudflare-one/data-loss-prevention/dlp-policies/#4-view-dlp-logs), you may find that certain sites are a common source of noise. To exempt these sites from DLP scanning:
-1. [Create a list](/cloudflare-one/policies/gateway/lists/) of hostnames or URLs.
+1. [Create a list](/cloudflare-one/traffic-policies/lists/) of hostnames or URLs.
 2. Exclude the list from your DLP policy as shown in the example below:
diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/index.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/index.mdx
similarity index 83%
rename from src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/index.mdx
rename to src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/index.mdx
index d6d6679fd18655..c090f6cc33de31 100644
--- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/index.mdx
+++ b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/index.mdx
@@ -10,13 +10,13 @@ You can scan HTTP traffic for sensitive data through Secure Web Gateway policies
 ## Prerequisites
-- Set up [Gateway HTTP filtering](/cloudflare-one/policies/gateway/initial-setup/http/).
- - HTTP filtering requires turning on the [Gateway proxy](/cloudflare-one/policies/gateway/proxy/#turn-on-the-gateway-proxy) for TCP traffic.
-- Turn on [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#turn-on-tls-decryption).
+- Set up [Gateway HTTP filtering](/cloudflare-one/traffic-policies/initial-setup/http/).
+ - HTTP filtering requires turning on the [Gateway proxy](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP traffic.
+- Turn on [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#turn-on-tls-decryption).
 ## 1. Configure a DLP profile
-Refer to [Configure a DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/). We recommend getting started with a predefined profile.
+Refer to [Configure a DLP profile](/cloudflare-one/data-loss-prevention/dlp-profiles/). We recommend getting started with a predefined profile.
 :::caution[Important]
@@ -25,13 +25,13 @@ DLP scans will not start until you [create a DLP policy](#2-create-a-dlp-policy)
 ## 2. Create a DLP policy
-DLP Profiles may be used alongside other Zero Trust rules in a [Gateway HTTP policy](/cloudflare-one/policies/gateway/http-policies/). To start logging or blocking traffic, create a policy for DLP:
+DLP Profiles may be used alongside other Zero Trust rules in a [Gateway HTTP policy](/cloudflare-one/traffic-policies/http-policies/). To start logging or blocking traffic, create a policy for DLP:
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Gateway** > **Firewall policies**. Select **HTTP**.
 2. Select **Add a policy**.
-3. Build an [HTTP policy](/cloudflare-one/policies/gateway/http-policies/) using the [DLP Profile](/cloudflare-one/policies/gateway/http-policies/#dlp-profile) selector. For example, the following policy prevents users from uploading sensitive data to any location other than an approved corporate application:
+3. Build an [HTTP policy](/cloudflare-one/traffic-policies/http-policies/) using the [DLP Profile](/cloudflare-one/traffic-policies/http-policies/#dlp-profile) selector. For example, the following policy prevents users from uploading sensitive data to any location other than an approved corporate application:
 | Selector | Operator | Value | Logic | Action |
 | ----------- | -------- | -------------------------------------------------------- | ----- | ------ |
@@ -63,7 +63,7 @@ Different sites will send requests in different ways. For example, some sites wi
 - **DLP Profiles** shows the requests which matched a specific DLP profile.
 - **Policy** shows the requests which matched a specific DLP policy.
-You can expand an individual row to view details about the request. To see the data that triggered the DLP policy, [configure logging options](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/).
+You can expand an individual row to view details about the request. To see the data that triggered the DLP policy, [configure logging options](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/).
 ### Report false positives
diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/logging-options.mdx
similarity index 88%
rename from src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx
rename to src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/logging-options.mdx
index 2cc89a71cdaa3c..1db7c7c8b5c7e6 100644
--- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx
+++ b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/logging-options.mdx
@@ -33,10 +33,10 @@ DLP can log the payload of matched HTTP requests in your Cloudflare logs.
 ### Turn on payload logging for a DLP policy
-You can enable payload logging for any Allow or Block HTTP policy that uses the [_DLP Profile_](/cloudflare-one/policies/gateway/http-policies/#dlp-profile) selector.
+You can enable payload logging for any Allow or Block HTTP policy that uses the [_DLP Profile_](/cloudflare-one/traffic-policies/http-policies/#dlp-profile) selector.
 1. Go to **Gateway** > **Firewall policies** > **HTTP**.
-2. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy).
+2. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy).
 3. In the policy builder, scroll down to **Configure policy settings** and turn on **Log the payload of matched rules**.
 4. Select **Save**.
@@ -59,7 +59,7 @@ Cloudflare does not store the key or the decrypted payload.
 ### Report false and true positives to AI context analysis
-When you have [AI context analysis](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/#ai-context-analysis) turned on for a DLP profile, you can train the AI model to adjust its confident threshold by reporting false and true positives.
+When you have [AI context analysis](/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/#ai-context-analysis) turned on for a DLP profile, you can train the AI model to adjust its confident threshold by reporting false and true positives.
 To report a DLP match payload as a false or true positive:
@@ -75,7 +75,7 @@ Based on your report, DLP's machine learning will adjust its confidence in futur
 - All Cloudflare logs are encrypted at rest. Encrypting the payload content adds a second layer of encryption for the matched values that triggered a DLP rule.
 - Cloudflare cannot decrypt encrypted payloads, since this operation requires your private key. Cloudflare staff will never ask for the private key.
 - DLP will redact all predefined alphanumeric characters in the log. For example, `123-45-6789` will become `XXX-XX-XXXX`.
- - You can define sensitive data with [Exact Data Match (EDM)](/cloudflare-one/policies/data-loss-prevention/detection-entries/#exact-data-match). EDM match logs will redact your defined strings.
+ - You can define sensitive data with [Exact Data Match (EDM)](/cloudflare-one/data-loss-prevention/detection-entries/#exact-data-match). EDM match logs will redact your defined strings.
 ## Log generative AI prompt content
@@ -83,10 +83,10 @@ DLP can detect and log the prompt topic sent to an AI tool.
 ### Turn on AI prompt content logging for a DLP policy
-You can enable payload logging for any Allow or Block HTTP policy that uses the [_Application_](/cloudflare-one/policies/gateway/http-policies/#application) selector with a supported [Application Granular Controls](/cloudflare-one/policies/gateway/http-policies/#application-granular-controls) application.
+You can enable payload logging for any Allow or Block HTTP policy that uses the [_Application_](/cloudflare-one/traffic-policies/http-policies/#application) selector with a supported [Application Granular Controls](/cloudflare-one/traffic-policies/http-policies/#application-granular-controls) application.
 1. Go to **Gateway** > **Firewall policies** > **HTTP**.
-2. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy).
+2. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy).
 3. In the policy builder, scroll down to **Configure policy settings** and turn on **Capture generative AI prompt content in logs**.
 4. Select **Save**.
@@ -120,7 +120,7 @@ To set up the DLP Forensic Copy Logpush job:
 4. Choose a [Logpush destination](/logs/logpush/logpush-job/enable-destinations/).
 5. In **Configure logpush job**, choose the _DLP forensic copies_ dataset. Select **Create Logpush job**.
 6. Return to Zero Trust and go to **Gateway** > **Firewall policies** > **HTTP**.
-7. Edit an existing Allow or Block policy, or [create a new policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy). Your policy does not need to include a DLP profile.
+7. Edit an existing Allow or Block policy, or [create a new policy](/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy). Your policy does not need to include a DLP profile.
 8. In the policy builder, scroll down to **Configure policy settings** and turn on **Send DLP forensic copies to storage**.
 9. Select a storage destination. Gateway will list any configured Logpush jobs or integrations that can receive HTTP requests.
 10. Select **Save policy**.
diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings.mdx
similarity index 80%
rename from src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx
rename to src/content/docs/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings.mdx
index 9d31571d064554..77a71edd9e454a 100644
--- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings.mdx
+++ b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings.mdx
@@ -7,7 +7,7 @@ sidebar:
 import { Badge } from "~/components";
-This page lists the profile settings available when configuring a [predefined](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/) or [custom](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/#build-a-custom-profile) DLP profile. You can configure profile settings when you create a custom profile or [edit profile settings](#edit-profile-settings) for an existing predefined or custom profile.
+This page lists the profile settings available when configuring a [predefined](/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/) or [custom](/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile) DLP profile. You can configure profile settings when you create a custom profile or [edit profile settings](#edit-profile-settings) for an existing predefined or custom profile.
 ## Edit profile settings
@@ -40,15 +40,15 @@ AI context analysis only supports Gateway HTTP and HTTPS traffic.
 AI context analysis uses a pretrained model to analyze and adjust the confidence in a detection based on its surrounding context. DLP will log any matches that are above your confidence threshold.
-DLP redacts any matched text, then submits the context as an AI text embedding vector to [Cloudflare Workers AI](/workers-ai/). Vectors are stored in user-specific private namespaces for up to six months, along with hit count and the [false positive/negative report](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#report-false-and-true-positives-to-ai-context-analysis).
+DLP redacts any matched text, then submits the context as an AI text embedding vector to [Cloudflare Workers AI](/workers-ai/). Vectors are stored in user-specific private namespaces for up to six months, along with hit count and the [false positive/negative report](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#report-false-and-true-positives-to-ai-context-analysis).
 To use AI context analysis:
 1. Turn on **AI context analysis** in a DLP profile.
-2. [Add the profile](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy) to a DLP policy.
-3. When configuring the DLP policy, turn on [payload logging](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules).
+2. [Add the profile](/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy) to a DLP policy.
+3. When configuring the DLP policy, turn on [payload logging](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules).
-AI context analysis results will appear in the payload section of your [DLP logs](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#4-view-dlp-logs). To improve future detections of sensitive data, you need to [report false and true positives](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#report-false-and-true-positives-to-ai-context-analysis).
+AI context analysis results will appear in the payload section of your [DLP logs](/cloudflare-one/data-loss-prevention/dlp-policies/#4-view-dlp-logs). To improve future detections of sensitive data, you need to [report false and true positives](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#report-false-and-true-positives-to-ai-context-analysis).
 ### Confidence thresholds
diff --git a/src/content/docs/cloudflare-one/data-loss-prevention/dlp-profiles/index.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-profiles/index.mdx
new file mode 100644
index 00000000000000..d7e3e392df9a52
--- /dev/null
+++ b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-profiles/index.mdx
@@ -0,0 +1,26 @@
+---
+pcx_content_type: how-to
+title: DLP profiles
+sidebar:
+ order: 3
+ label: Configure DLP profiles
+---
+
+import { Render } from "~/components";
+
+A DLP profile is a collection of regular expressions and [detection entries](/cloudflare-one/data-loss-prevention/detection-entries/) that define the data patterns you want to detect. Cloudflare DLP provides predefined profiles for common detections, or you can build custom DLP profiles specific to your data, organization, and risk tolerance.
+
+## Configure a predefined profile
+
+
+You can now use this profile in a [DLP policy](/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy) or [CASB integration](/cloudflare-one/applications/casb/casb-dlp/).
+
+## Build a custom profile
+
+
+You can now use this profile in a [DLP policy](/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy) or [CASB integration](/cloudflare-one/applications/casb/casb-dlp/).
diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/integration-profiles.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-profiles/integration-profiles.mdx
similarity index 93%
rename from src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/integration-profiles.mdx
rename to src/content/docs/cloudflare-one/data-loss-prevention/dlp-profiles/integration-profiles.mdx
index 31dec684783bde..09effebe9d7491 100644
--- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/integration-profiles.mdx
+++ b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-profiles/integration-profiles.mdx
@@ -22,7 +22,7 @@ Microsoft provides [Purview Information Protection sensitivity labels](https://l
 To add MIP sensitivity labels to a DLP Profile, simply integrate your Microsoft account with [Cloudflare CASB](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/). A new integration profile will appear under **Data loss prevention** > **DLP profiles**. The profile is named **MIP Sensitivity Labels** followed by the name of the CASB integration.
-MIP sensitivity labels can also be added to a [custom DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/#build-a-custom-profile) as an existing entry.
+MIP sensitivity labels can also be added to a [custom DLP profile](/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile) as an existing entry.
 ### Syncing
diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles.mdx
similarity index 96%
rename from src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles.mdx
rename to src/content/docs/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles.mdx
index d74eea3fc428b6..d82b83504cc16f 100644
--- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles.mdx
+++ b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles.mdx
@@ -7,7 +7,7 @@ sidebar:
 import { Render } from "~/components";
-Cloudflare Zero Trust provides predefined DLP profiles for common types of sensitive data. Some profiles include built-in validation checks to increase detection granularity. Additionally, you can configure [advanced settings](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/) for predefined profiles.
+Cloudflare Zero Trust provides predefined DLP profiles for common types of sensitive data. Some profiles include built-in validation checks to increase detection granularity. Additionally, you can configure [advanced settings](/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/) for predefined profiles.
 ## AI Prompt
@@ -19,7 +19,7 @@ DLP provides AI prompt protection with the following predefined profiles:
 - AI Prompt: PII
 - AI Prompt: Technical
-For more information on included detection entries, refer to [AI prompt topics](/cloudflare-one/policies/data-loss-prevention/detection-entries/#ai-prompt-topics).
+For more information on included detection entries, refer to [AI prompt topics](/cloudflare-one/data-loss-prevention/detection-entries/#ai-prompt-topics).
 ## Credentials and Secrets
diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/index.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/index.mdx
similarity index 63%
rename from src/content/docs/cloudflare-one/policies/data-loss-prevention/index.mdx
rename to src/content/docs/cloudflare-one/data-loss-prevention/index.mdx
index 8ef2474a4172f9..623444037667a5 100644
--- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/index.mdx
+++ b/src/content/docs/cloudflare-one/data-loss-prevention/index.mdx
@@ -1,8 +1,8 @@
 ---
 pcx_content_type: concept
-title: Data Loss Prevention
+title: Data loss prevention
 sidebar:
- order: 5
+ order: 10
 learning_center:
 title: What is DLP (data loss prevention)?
 link: https://www.cloudflare.com/learning/access-management/what-is-dlp/
@@ -13,24 +13,24 @@ import { GlossaryDefinition, Render } from "~/components";
 :::note[Availability]
 Available as an add-on to Zero Trust Enterprise plans.
-Users on Zero Trust Free and Pay-as-you-go plans can use the [Financial Information](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/#financial-information) and [Social Security, Insurance, Tax, and Identifier Numbers](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/#social-security-insurance-tax-and-identifier-numbers) predefined profiles, [payload logging](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules), and [false positive reporting](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#report-false-positives).
+Users on Zero Trust Free and Pay-as-you-go plans can use the [Financial Information](/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#financial-information) and [Social Security, Insurance, Tax, and Identifier Numbers](/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#social-security-insurance-tax-and-identifier-numbers) predefined profiles, [payload logging](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules), and [false positive reporting](/cloudflare-one/data-loss-prevention/dlp-policies/#report-false-positives).
 :::
-To prevent interference, Cloudflare does not write scanned content to disk. Instead, DLP only encrypts and temporarily stores content in memory. Optionally, you can configure [payload logging](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules) to store encrypted copies of payloads from matching HTTP requests or a [Logpush destination](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#send-http-requests-to-logpush-destination) to export entire matching HTTP requests.
+To prevent interference, Cloudflare does not write scanned content to disk. Instead, DLP only encrypts and temporarily stores content in memory. Optionally, you can configure [payload logging](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules) to store encrypted copies of payloads from matching HTTP requests or a [Logpush destination](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#send-http-requests-to-logpush-destination) to export entire matching HTTP requests.
 ## Data in transit
-Data Loss Prevention complements [Secure Web Gateway](/cloudflare-one/policies/gateway/) to detect sensitive data transferred in HTTP requests. DLP scans the entire HTTP body, which may include uploaded or downloaded files, chat messages, forms, and other web content. You can also use DLP with [Email Security](/cloudflare-one/email-security/) to scan [outbound emails](/cloudflare-one/email-security/outbound-dlp/).
+Data Loss Prevention complements [Secure Web Gateway](/cloudflare-one/traffic-policies/) to detect sensitive data transferred in HTTP requests. DLP scans the entire HTTP body, which may include uploaded or downloaded files, chat messages, forms, and other web content. You can also use DLP with [Email Security](/cloudflare-one/email-security/) to scan [outbound emails](/cloudflare-one/email-security/outbound-dlp/).
-DLP requires [Gateway HTTP filtering](/cloudflare-one/policies/gateway/initial-setup/http/) with [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) for visibility into data in transit. The depth of visibility varies for each site or application. DLP does not scan any traffic that bypasses Cloudflare Gateway (such as traffic that matches a [Do Not Inspect](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) policy).
+DLP requires [Gateway HTTP filtering](/cloudflare-one/traffic-policies/initial-setup/http/) with [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) for visibility into data in transit. The depth of visibility varies for each site or application. DLP does not scan any traffic that bypasses Cloudflare Gateway (such as traffic that matches a [Do Not Inspect](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) policy).
-To get started, refer to [Scan HTTP traffic with DLP](/cloudflare-one/policies/data-loss-prevention/dlp-policies/).
+To get started, refer to [Scan HTTP traffic with DLP](/cloudflare-one/data-loss-prevention/dlp-policies/).
 ## Data at rest
-Data Loss Prevention complements [Cloudflare CASB](/cloudflare-one/applications/casb/) to detect sensitive data stored in your SaaS applications. Unlike data in transit scans which read files sent through Cloudflare Gateway, CASB retrieves files directly via the API. Therefore, Gateway and WARP settings (such as [Do Not Inspect](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) policies and [Split Tunnel](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/) configurations) will not affect data at rest scans.
+Data Loss Prevention complements [Cloudflare CASB](/cloudflare-one/applications/casb/) to detect sensitive data stored in your SaaS applications. Unlike data in transit scans which read files sent through Cloudflare Gateway, CASB retrieves files directly via the API. Therefore, Gateway and WARP settings (such as [Do Not Inspect](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) policies and [Split Tunnel](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/) configurations) will not affect data at rest scans.
 To get started, refer to [Scan SaaS applications with DLP](/cloudflare-one/applications/casb/casb-dlp/).
diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/saas-apps.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/saas-apps.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/policies/data-loss-prevention/saas-apps.mdx
rename to src/content/docs/cloudflare-one/data-loss-prevention/saas-apps.mdx
diff --git a/src/content/docs/cloudflare-one/email-security/email-monitoring/search-email.mdx b/src/content/docs/cloudflare-one/email-security/email-monitoring/search-email.mdx
index b22266eebbc742..92c1970912ddf2 100644
--- a/src/content/docs/cloudflare-one/email-security/email-monitoring/search-email.mdx
+++ b/src/content/docs/cloudflare-one/email-security/email-monitoring/search-email.mdx
@@ -273,12 +273,12 @@ Email Security displays the following details:
 - Autonomous sys name: This name identifies your autonomous system (AS).
 - Country
 4. **Links identified**: A list of malicious links identified by Email Security. Refer to [Open links](/cloudflare-one/email-security/email-monitoring/search-email/#open-links) to open links in Security Center, Browser Isolation or an external tool of your choice.
-5. **Attachments**: If an email has an attachment, the Cloudflare dashboard will display the filename, and the disposition assigned. You can open attachments in [Browser Isolation](/cloudflare-one/policies/browser-isolation/). Only PDF files are currently supported.
+5. **Attachments**: If an email has an attachment, the Cloudflare dashboard will display the filename, and the disposition assigned. You can open attachments in [Browser Isolation](/cloudflare-one/remote-browser-isolation/). Only PDF files are currently supported.
 6. **Reasons for disposition**: Description of why the email was deemed as malicious, suspicious, or spam.
 #### Open links
-You can open links in [Security Center](/security-center/) or [Browser Isolation](/cloudflare-one/policies/browser-isolation/), or copy and paste the link so you can investigate content in external tools.
+You can open links in [Security Center](/security-center/) or [Browser Isolation](/cloudflare-one/remote-browser-isolation/), or copy and paste the link so you can investigate content in external tools.
 To open links in Security Center:
@@ -298,19 +298,19 @@ To open links in Browser Isolation:
 3. Locate the link you want to open, and select **Open in Browser Isolation**.
 4. The link will open in a separate window where you will be able to browse the content securely.
-Alternatively, you can directly [open links in Browser Isolation](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/#open-links-in-browser-isolation).
+Alternatively, you can directly [open links in Browser Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/#open-links-in-browser-isolation).
 :::note
-If you purchased [Gateway](/cloudflare-one/policies/gateway/) and [Browser Isolation](/cloudflare-one/policies/browser-isolation/), you can perform more actions when opening links.
+If you purchased [Gateway](/cloudflare-one/traffic-policies/) and [Browser Isolation](/cloudflare-one/remote-browser-isolation/), you can perform more actions when opening links.
 When opening links, Email Security will not allow you to:
-- [Copy (from remote to client)](/cloudflare-one/policies/browser-isolation/isolation-policies/#copy-from-remote-to-client)
-- [Paste (from client to remote)](/cloudflare-one/policies/browser-isolation/isolation-policies/#paste-from-client-to-remote)
-- Use [keyboard](/cloudflare-one/policies/browser-isolation/isolation-policies/#keyboard)
-- [Print](/cloudflare-one/policies/browser-isolation/isolation-policies/#printing)
-- [Download files](/cloudflare-one/policies/browser-isolation/isolation-policies/#file-downloads)
-- [Uploads files](/cloudflare-one/policies/browser-isolation/isolation-policies/#file-uploads)
+- [Copy (from remote to client)](/cloudflare-one/remote-browser-isolation/isolation-policies/#copy-from-remote-to-client)
+- [Paste (from client to remote)](/cloudflare-one/remote-browser-isolation/isolation-policies/#paste-from-client-to-remote)
+- Use [keyboard](/cloudflare-one/remote-browser-isolation/isolation-policies/#keyboard)
+- [Print](/cloudflare-one/remote-browser-isolation/isolation-policies/#printing)
+- [Download files](/cloudflare-one/remote-browser-isolation/isolation-policies/#file-downloads)
+- [Uploads files](/cloudflare-one/remote-browser-isolation/isolation-policies/#file-uploads)
 :::
diff --git a/src/content/docs/cloudflare-one/email-security/outbound-dlp.mdx b/src/content/docs/cloudflare-one/email-security/outbound-dlp.mdx
index a712e76b63beb9..0c4ea7be1aa611 100644
--- a/src/content/docs/cloudflare-one/email-security/outbound-dlp.mdx
+++ b/src/content/docs/cloudflare-one/email-security/outbound-dlp.mdx
@@ -9,7 +9,7 @@ sidebar:
 Outbound DLP is only compatible with Microsoft 365. You need to have Microsoft E3 or E5 license to enable Outbound DLP.
 :::
-Outbound Data Loss Prevention ensures the protection of sensitive information in outbound emails with [Cloudflare Data Loss Prevention (DLP)](/cloudflare-one/policies/data-loss-prevention/). Outbound Data Loss Prevention integrates with your inbox, and it proactively monitors your email to prevent unauthorized data leaks.
+Outbound Data Loss Prevention ensures the protection of sensitive information in outbound emails with [Cloudflare Data Loss Prevention (DLP)](/cloudflare-one/data-loss-prevention/). Outbound Data Loss Prevention integrates with your inbox, and it proactively monitors your email to prevent unauthorized data leaks.
 To enable Outbound DLP:
@@ -43,7 +43,7 @@ After creating your policy, you can modify or reorder your policies in **Email S
 | ------------------- | -------------------------------------------------------------------------------------------------------------------------- |
 | Recipient email | The intended recipient of an outbound email. |
 | Email sender | The user in your organization sending an email. |
-| Matched DLP profile | The [DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/) that content of an email matches upon scan. |
+| Matched DLP profile | The [DLP profile](/cloudflare-one/data-loss-prevention/dlp-profiles/) that content of an email matches upon scan. |
 ## 2. DLP Assist add-in
diff --git a/src/content/docs/cloudflare-one/faq/getting-started-faq.mdx b/src/content/docs/cloudflare-one/faq/getting-started-faq.mdx
index 467f3d96ae2d45..e4eebd7ee79ae1 100644
--- a/src/content/docs/cloudflare-one/faq/getting-started-faq.mdx
+++ b/src/content/docs/cloudflare-one/faq/getting-started-faq.mdx
@@ -61,7 +61,7 @@ Cloudflare Zero Trust subscriptions consist of seats that users in your account
 User seats can be removed for Access and Gateway at **My Team** > **Users**. Removing a user will have consequences both on Access and on Gateway:
-- **Access**: All active sessions for that user will be invalidated. A user will be able to log back into an application unless you create an [Access policy](/cloudflare-one/policies/access/) to block future logins from that user.
+- **Access**: All active sessions for that user will be invalidated. A user will be able to log back into an application unless you create an [Access policy](/cloudflare-one/access-controls/policies/) to block future logins from that user.
 - **Gateway**: All active devices for that user will be logged out of your Zero Trust organization, which stops all filtering and routing via the WARP client. A user will be able to re-enroll their device unless you create a [device enrollment policy](/cloudflare-one/team-and-resources/devices/warp/deployment/device-enrollment/) to block them.
diff --git a/src/content/docs/cloudflare-one/faq/policies-faq.mdx b/src/content/docs/cloudflare-one/faq/policies-faq.mdx
index 858c184a6f6b3b..d4bdea3fda5453 100644
--- a/src/content/docs/cloudflare-one/faq/policies-faq.mdx
+++ b/src/content/docs/cloudflare-one/faq/policies-faq.mdx
@@ -13,11 +13,11 @@ description: Review frequently asked questions about policies in Cloudflare Zero
 ## What is the order of policy enforcement?
-Gateway and Access policies generally trigger from top to bottom based on their position in the policy table in the UI. Exceptions include Bypass and Service Auth policies, which Access evaluates first. Similarly, for Gateway HTTP policies, Do Not Inspect and Isolate policies take precedence over all Allow or Block policies. To learn more about order of enforcement, refer to our documentation for [Access policies](/cloudflare-one/policies/access/#order-of-execution) and [Gateway policies](/cloudflare-one/policies/gateway/order-of-enforcement/).
+Gateway and Access policies generally trigger from top to bottom based on their position in the policy table in the UI. Exceptions include Bypass and Service Auth policies, which Access evaluates first. Similarly, for Gateway HTTP policies, Do Not Inspect and Isolate policies take precedence over all Allow or Block policies. To learn more about order of enforcement, refer to our documentation for [Access policies](/cloudflare-one/access-controls/policies/#order-of-execution) and [Gateway policies](/cloudflare-one/traffic-policies/order-of-enforcement/).
 ## **How can I bypass the L7 firewall for a website?**
-Cloudflare Gateway uses the hostname in the HTTP `CONNECT` header to identify the destination of the request. Administrators who wish to bypass a site must create a [Do Not Inspect](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) policy in order to prevent HTTP inspection from occurring on both encrypted and plaintext traffic.
+Cloudflare Gateway uses the hostname in the HTTP `CONNECT` header to identify the destination of the request. 
Administrators who wish to bypass a site must create a [Do Not Inspect](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) policy in order to prevent HTTP inspection from occurring on both encrypted and plaintext traffic.
 Bypassing the L7 firewall results in no HTTP traffic inspection, and logging is disabled for that HTTP session. 
@@ -59,12 +59,12 @@ If the domain is only blocked by a network policy, it may be because:
 ## When does Access return a Forbidden status page versus a login page?
-Access returns a Forbidden page with status codes `401`/`403` when it determines there is no way a user can pass a [policy](/cloudflare-one/policies/access/). If Cloudflare can make a full policy determination that a user will not be able to log in, Access will return a Forbidden page instead of a [login page](/cloudflare-one/applications/login-page/).
+Access returns a Forbidden page with status codes `401`/`403` when it determines there is no way a user can pass a [policy](/cloudflare-one/access-controls/policies/). If Cloudflare can make a full policy determination that a user will not be able to log in, Access will return a Forbidden page instead of a [login page](/cloudflare-one/applications/login-page/).
-For example, your application has a policy that requires a user to be in a [specific geolocation](/cloudflare-one/policies/access/#allow) to log in.
+For example, your application has a policy that requires a user to be in a [specific geolocation](/cloudflare-one/access-controls/policies/#allow) to log in.
-As admin, you could define this geolocation policy by using [Include](/cloudflare-one/policies/access/#include) rules, meaning the user could log in to the application from Country A or Country B.
+As admin, you could define this geolocation policy by using [Include](/cloudflare-one/access-controls/policies/#include) rules, meaning the user could log in to the application from Country A or Country B.
-Or you could define this geolocation policy using a [Require](/cloudflare-one/policies/access/#require) rule, meaning the user must be in Country A to log in.
+Or you could define this geolocation policy using a [Require](/cloudflare-one/access-controls/policies/#require) rule, meaning the user must be in Country A to log in. 
If a user from country C attempts to access the application, in both the Include and Require scenarios, the user will receive the Forbidden page. This is because Country C was not defined in either scenario. Therefore, Cloudflare has determined that this user cannot meet policy requirements and will receive the Forbidden status page.
diff --git a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx
index 25a5ceb7a7f9e3..eaee4ce88e1544 100644
--- a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx
+++ b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx
@@ -49,7 +49,7 @@ Gateway presents an **HTTP Response Code: 526** error page in the following case
 - **The connection from Gateway to the origin is insecure.** Gateway does not trust origins which:
 - Only offer insecure cipher suites (such as RC4, RC4-MD5, or 3DES). You can use the [SSL Server Test tool](https://www.ssllabs.com/ssltest/index.html) to check which ciphers are supported by the origin.
- - Do not support [FIPS-compliant ciphers](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#cipher-suites) (if you have enabled [FIPS compliance mode](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#fips-compliance)). In order to load the page, you can either disable FIPS mode or create a Do Not Inspect policy for this host (which has the effect of disabling FIPS compliance for this origin).
+ - Do not support [FIPS-compliant ciphers](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#cipher-suites) (if you have enabled [FIPS compliance mode](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#fips-compliance)). In order to load the page, you can either disable FIPS mode or create a Do Not Inspect policy for this host (which has the effect of disabling FIPS compliance for this origin).
 - Redirect all HTTPS requests to HTTP.
 If none of the above scenarios apply, contact Cloudflare support with the following information:
@@ -74,7 +74,7 @@ You may not see analytics on the Overview page for the following reasons:
 ## I see a "No Browsers Available" alert.
-If you encounter this error, [file feedback](/cloudflare-one/policies/browser-isolation/known-limitations/) via the WARP client and we will investigate.
+If you encounter this error, [file feedback](/cloudflare-one/remote-browser-isolation/known-limitations/) via the WARP client and we will investigate.
 ## I see a "Maximum Sessions Reached" alert. 
@@ -206,7 +206,7 @@ For WARP client versions before and after 2024.12.554.0, certificate propagation
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**.
 2. Turn on **Install CA to system certificate store**.
-If **Install CA to system certificate store** is turned off, you must [manually install the certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/), use an [MDM solution](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#mobile-device-management-mdm-software) to distribute the Cloudflare certificate to your fleet of devices, or not use the Cloudflare certificate because you do not want to have TLS decryption enabled. [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) must be enabled to enforce Gateway HTTP policies for HTTPS traffic.
+If **Install CA to system certificate store** is turned off, you must [manually install the certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/), use an [MDM solution](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#mobile-device-management-mdm-software) to distribute the Cloudflare certificate to your fleet of devices, or not use the Cloudflare certificate because you do not want to have TLS decryption enabled. [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) must be enabled to enforce Gateway HTTP policies for HTTPS traffic.
 After enabling certificate propagation, you must update your certificate: 
@@ -260,7 +260,7 @@ If the new certificate is not activating on the end-user device or you are getti
 3. Turn off TLS Decryption.
-If no measure is working quickly and you are encountering browser warnings that are blocking work, [turning off TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#turn-on-tls-decryption) will prevent HTTP policies from being enforced and will ensure websites resolve until the certificate can be deployed to more user devices.
+If no measure is working quickly and you are encountering browser warnings that are blocking work, [turning off TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#turn-on-tls-decryption) will prevent HTTP policies from being enforced and will ensure websites resolve until the certificate can be deployed to more user devices.
 Turning off TLS decryption should be a temporary measure. TLS decryption should be turned on if you need to enforce HTTP policies and log traffic for HTTPS traffic.
diff --git a/src/content/docs/cloudflare-one/glossary.mdx b/src/content/docs/cloudflare-one/glossary.mdx
index 08fbad8089c243..8164505fc3ba5a 100644
--- a/src/content/docs/cloudflare-one/glossary.mdx
+++ b/src/content/docs/cloudflare-one/glossary.mdx
@@ -2,7 +2,7 @@ pcx_content_type: reference
 title: Glossary
 sidebar:
- order: 14
+ order: 16
 ---
 import { Glossary, Render } from "~/components";
diff --git a/src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx b/src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx
index 1a873730709df1..ba1e81d362d220 100644
--- a/src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx
@@ -41,13 +41,13 @@ The mTLS certificate is used only to verify the client certificate. It does not
 5. In **Associated hostnames**, enter the fully-qualified domain names (FQDN) that will use this certificate.
- These FQDNs will be the hostnames used for the resources being protected in the [Access policy](/cloudflare-one/policies/access/). You must associate the Root CA with the FQDN that the application being protected uses.
+ These FQDNs will be the hostnames used for the resources being protected in the [Access policy](/cloudflare-one/access-controls/policies/). You must associate the Root CA with the FQDN that the application being protected uses.
 6. Save the policy.
 7. Go to **Access** > **Policies**.
-8. [Create an Access policy](/cloudflare-one/policies/access/policy-management/#create-a-policy) using one of the following [selectors](/cloudflare-one/policies/access/#selectors):
+8. [Create an Access policy](/cloudflare-one/access-controls/policies/policy-management/#create-a-policy) using one of the following [selectors](/cloudflare-one/access-controls/policies/#selectors):
 - **Valid Certificate**: Any client certificate that can authenticate with the Root CA will be allowed to proceed.
 - **Common Name**: Only client certificates with a specific common name will be allowed to proceed. 
@@ -98,7 +98,7 @@ When the authentication process completes successfully, a `CF_Authorization Set-
 :::caution
-Cloudflare Gateway cannot inspect traffic to mTLS-protected domains. If a device has the WARP client turned on and passes HTTP requests through Gateway, access will be blocked unless you [bypass HTTP inspection](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) for the domain.
+Cloudflare Gateway cannot inspect traffic to mTLS-protected domains. If a device has the WARP client turned on and passes HTTP requests through Gateway, access will be blocked unless you [bypass HTTP inspection](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) for the domain.
 :::
 ### Test in a browser
diff --git a/src/content/docs/cloudflare-one/identity/devices/access-integrations/tanium.mdx b/src/content/docs/cloudflare-one/identity/devices/access-integrations/tanium.mdx
index 3cc3ffa7ff8c9c..1b726dfb9d1888 100644
--- a/src/content/docs/cloudflare-one/identity/devices/access-integrations/tanium.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/access-integrations/tanium.mdx
@@ -18,7 +18,7 @@ Cloudflare Access can use endpoint data from [Tanium™](https://www.tanium.com/
 :::caution[Gateway device posture limitation]
-The Tanium integration cannot be used with [Gateway device posture policies](/cloudflare-one/policies/gateway/network-policies/#device-posture).
+The Tanium integration cannot be used with [Gateway device posture policies](/cloudflare-one/traffic-policies/network-policies/#device-posture).
 ::: 
@@ -60,7 +60,7 @@ The integration does not currently support Safari.
 Adding the certificate allows Cloudflare to validate that the response from the Tanium agent is valid.
-You can now build [Access policies](/cloudflare-one/policies/access/) that check [device posture signals](#tanium-endpoint-signals) from the Tanium endpoint.
+You can now build [Access policies](/cloudflare-one/access-controls/policies/) that check [device posture signals](#tanium-endpoint-signals) from the Tanium endpoint.
 ## Example Access policy
diff --git a/src/content/docs/cloudflare-one/identity/devices/index.mdx b/src/content/docs/cloudflare-one/identity/devices/index.mdx
index 12825b5002497c..72abcb60fa5206 100644
--- a/src/content/docs/cloudflare-one/identity/devices/index.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/index.mdx
@@ -28,7 +28,7 @@ Before integrating a device posture check in a Gateway or Access policy, verify
 ## 3. Build a device posture policy
-You can now use your device posture check in an [Access policy](/cloudflare-one/policies/access/) or a Gateway [network](/cloudflare-one/policies/gateway/network-policies/common-policies/#enforce-device-posture) or [HTTP](/cloudflare-one/policies/gateway/http-policies/common-policies/#check-device-posture) policy. In Access, the enabled device posture attributes will appear in the list of available [selectors](/cloudflare-one/policies/access/#selectors). In Gateway, the attributes will appear when you choose the [Passed Device Posture Check](/cloudflare-one/policies/gateway/network-policies/#device-posture) selector.
+You can now use your device posture check in an [Access policy](/cloudflare-one/access-controls/policies/) or a Gateway [network](/cloudflare-one/traffic-policies/network-policies/common-policies/#enforce-device-posture) or [HTTP](/cloudflare-one/traffic-policies/http-policies/common-policies/#check-device-posture) policy. In Access, the enabled device posture attributes will appear in the list of available [selectors](/cloudflare-one/access-controls/policies/#selectors). In Gateway, the attributes will appear when you choose the [Passed Device Posture Check](/cloudflare-one/traffic-policies/network-policies/#device-posture) selector.
 :::caution[Gateway policy limitation]
diff --git a/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/corp-device.mdx b/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/corp-device.mdx
index d05603eee8623a..2259325be4ed17 100644
--- a/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/corp-device.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/corp-device.mdx
@@ -22,7 +22,7 @@ Cloudflare Zero Trust allows you to build Zero Trust rules based on device seria
 ## Create a list of serial numbers
-To create rules based on device serial numbers, you first need to create a [Gateway List](/cloudflare-one/policies/gateway/lists/) of numbers.
+To create rules based on device serial numbers, you first need to create a [Gateway List](/cloudflare-one/traffic-policies/lists/) of numbers.
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **My Team** > **Lists**.
@@ -36,7 +36,7 @@ To create rules based on device serial numbers, you first need to create a [Gate
 6. Select **Save**.
-You can now create an [Access policy](/cloudflare-one/policies/access/) or a Gateway [network policy](/cloudflare-one/policies/gateway/network-policies/common-policies/#enforce-device-posture) that checks if the device presents a serial number on your list. In Access, the serial number check will appear as a _Device Posture - Serial Number List_ selector. In Gateway, your serial number list will appear in the **Value** dropdown when you choose the [Passed Device Posture Check](/cloudflare-one/policies/gateway/network-policies/#device-posture) selector.
+You can now create an [Access policy](/cloudflare-one/access-controls/policies/) or a Gateway [network policy](/cloudflare-one/traffic-policies/network-policies/common-policies/#enforce-device-posture) that checks if the device presents a serial number on your list. In Access, the serial number check will appear as a _Device Posture - Serial Number List_ selector. In Gateway, your serial number list will appear in the **Value** dropdown when you choose the [Passed Device Posture Check](/cloudflare-one/traffic-policies/network-policies/#device-posture) selector.
 ## Validate the serial number 
diff --git a/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/device-uuid.mdx b/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/device-uuid.mdx
index 0d22769f2c0ca3..10b77ef0fe02e5 100644
--- a/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/device-uuid.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/device-uuid.mdx
@@ -30,7 +30,7 @@ You will need to use a [managed deployment tool](/cloudflare-one/team-and-resour
 ## 2. Create a list of UUIDs
-To create rules based on device UUIDs, you first need to create a [Gateway List](/cloudflare-one/policies/gateway/lists/) of UUIDs.
+To create rules based on device UUIDs, you first need to create a [Gateway List](/cloudflare-one/traffic-policies/lists/) of UUIDs.
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **My Team** > **Lists**.
diff --git a/src/content/docs/cloudflare-one/identity/index.mdx b/src/content/docs/cloudflare-one/identity/index.mdx
index 5634de017535e8..0c6305af2a8b34 100644
--- a/src/content/docs/cloudflare-one/identity/index.mdx
+++ b/src/content/docs/cloudflare-one/identity/index.mdx
@@ -9,7 +9,7 @@ import { DirectoryListing, Render } from "~/components";
 Cloudflare Zero Trust integrates with your organization's identity provider to apply Zero Trust and Secure Web Gateway policies. If you work with partners, contractors, or other organizations, you can integrate multiple identity providers simultaneously.
-As an alternative to configuring an identity provider, Cloudflare Zero Trust can send a [one-time PIN (OTP)](/cloudflare-one/integrations/identity-providers/one-time-pin/) to approved email addresses. No configuration needed — simply add a user's email address to an [Access policy](/cloudflare-one/policies/access/) and to the group that allows your team to reach the application.
+As an alternative to configuring an identity provider, Cloudflare Zero Trust can send a [one-time PIN (OTP)](/cloudflare-one/integrations/identity-providers/one-time-pin/) to approved email addresses. No configuration needed — simply add a user's email address to an [Access policy](/cloudflare-one/access-controls/policies/) and to the group that allows your team to reach the application.
 You can simultaneously configure an OTP and an identity provider to allow users to use their own authentication method.
diff --git a/src/content/docs/cloudflare-one/identity/service-tokens.mdx b/src/content/docs/cloudflare-one/identity/service-tokens.mdx
index fb54c0efc73bc1..fe65d05f81c689 100644
--- a/src/content/docs/cloudflare-one/identity/service-tokens.mdx
+++ b/src/content/docs/cloudflare-one/identity/service-tokens.mdx
@@ -5,7 +5,12 @@ sidebar:
 order: 6
 ---
-import { AvailableNotifications, Render, APIRequest, DashButton } from "~/components";
+import {
+ AvailableNotifications,
+ Render,
+ APIRequest,
+ DashButton,
+} from "~/components";
 You can provide automated systems with service tokens to authenticate against your Zero Trust policies. Cloudflare Access will generate service tokens that consist of a Client ID and a Client Secret. Automated systems or applications can then use these values to reach an application protected by Access.
@@ -15,7 +20,7 @@ This section covers how to create, renew, and revoke a service token.
-You can now configure your Access applications and [device enrollment permissions](/cloudflare-one/team-and-resources/devices/warp/deployment/device-enrollment/#check-for-service-token) to accept this service token. Make sure to set the policy action to [**Service Auth**](/cloudflare-one/policies/access/#service-auth); otherwise, Access will prompt for an identity provider login.
+You can now configure your Access applications and [device enrollment permissions](/cloudflare-one/team-and-resources/devices/warp/deployment/device-enrollment/#check-for-service-token) to accept this service token. Make sure to set the policy action to [**Service Auth**](/cloudflare-one/access-controls/policies/#service-auth); otherwise, Access will prompt for an identity provider login.
 ## Connect your service to Access
@@ -124,7 +129,7 @@ An alert can be configured to notify a week before a service token expires to al
 To configure a service token expiration alert:
 1. In the [Cloudflare dashboard](https://dash.cloudflare.com), go to the **Notifications** page.
-
+
 2. Select **Add**.
 3. Select _Expiring Access Service Token_.
 4. Enter a name for your alert and an optional description.
diff --git a/src/content/docs/cloudflare-one/identity/users/seat-management.mdx b/src/content/docs/cloudflare-one/identity/users/seat-management.mdx
index 4a8da4d9444b54..d2b9c9ef50a8c1 100644
--- a/src/content/docs/cloudflare-one/identity/users/seat-management.mdx
+++ b/src/content/docs/cloudflare-one/identity/users/seat-management.mdx
@@ -17,7 +17,7 @@ If either one of these events occurs, that user's identity is added as an Active
 A user who authenticates will hold their seat until you [remove the user](#remove-a-user) from your account. By default, inactive users will not be [automatically removed](#enable-seat-expiration) from your account. You can remove a single user or all users at any time, and those users will immediately stop counting against the seat count defined in your subscription.
-If you notice a number of accounts greater than the number of your users, you may need to configure an Access [bypass policy](/cloudflare-one/policies/access/#bypass). Alternatively, you can use Access [service tokens](/cloudflare-one/identity/service-tokens/) to allow access to applications without consuming seats.
+If you notice a number of accounts greater than the number of your users, you may need to configure an Access [bypass policy](/cloudflare-one/access-controls/policies/#bypass). Alternatively, you can use Access [service tokens](/cloudflare-one/identity/service-tokens/) to allow access to applications without consuming seats.
 ## Manage users
diff --git a/src/content/docs/cloudflare-one/index.mdx b/src/content/docs/cloudflare-one/index.mdx
index 3dae36c88f9e70..55860325c49761 100644
--- a/src/content/docs/cloudflare-one/index.mdx
+++ b/src/content/docs/cloudflare-one/index.mdx
@@ -20,7 +20,7 @@ import {
 Plan,
 RelatedProduct,
 Render,
- Stream
+ Stream,
 } from "~/components"; 
@@ -33,7 +33,7 @@ Secure your organization with Cloudflare Zero Trust — a cloud security model t
 Cloudflare Zero Trust is part of Cloudflare One, our name for the Secure Access Service Edge (SASE) platform that protects enterprise applications, users, devices, and networks.
-By progressively adopting Cloudflare One, organizations can move away from a patchwork of hardware appliances and point solutions, and instead consolidate security and networking through a unified control plane that includes products like [Cloudflare Access](/cloudflare-one/policies/access/), [Secure Web Gateway (SWG)](/cloudflare-one/policies/gateway/), [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/), [Data Loss Prevention (DLP)](/cloudflare-one/policies/data-loss-prevention/), [Remote Browser Isolation (RBI)](/cloudflare-one/policies/browser-isolation/), [Cloud Access Security Broker (CASB)](/cloudflare-one/applications/casb/), and [Email Security](/cloudflare-one/email-security/).
+By progressively adopting Cloudflare One, organizations can move away from a patchwork of hardware appliances and point solutions, and instead consolidate security and networking through a unified control plane that includes products like [Cloudflare Access](/cloudflare-one/access-controls/policies/), [Secure Web Gateway (SWG)](/cloudflare-one/traffic-policies/), [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/), [Data Loss Prevention (DLP)](/cloudflare-one/data-loss-prevention/), [Remote Browser Isolation (RBI)](/cloudflare-one/remote-browser-isolation/), [Cloud Access Security Broker (CASB)](/cloudflare-one/applications/casb/), and [Email Security](/cloudflare-one/email-security/).
 Refer to our [SASE reference architecture](/reference-architecture/architectures/sase/) to learn how to plan, deploy, and manage SASE architecture with Cloudflare. 
@@ -55,7 +55,7 @@ Refer to our [SASE reference architecture](/reference-architecture/architectures
 ## Products
-
+
 Authenticate users accessing your applications, seamlessly onboard third-party users, and log every event and request.
@@ -67,7 +67,7 @@ Securely connect your resources to Cloudflare without exposing a public IP by us
-
+
 Inspect and filter DNS, network, HTTP, and egress traffic to enforce your company's Acceptable Use Policy (UAP), block risky sites with custom blocklists and threat intelligence, and enhance visibility and protection across SaaS applications.
@@ -79,7 +79,7 @@ Protect corporate devices by privately sending traffic from those devices to Clo
-
+
 Mitigate the impact of attacks by executing all browser code in the cloud and securely browse high-risk or sensitive websites in a remote browser.
@@ -91,7 +91,7 @@ Protect users and sensitive data at rest in SaaS applications and cloud environm
-
+
 Scan your web traffic and SaaS applications for the presence of sensitive data such as social security numbers, financial information, secret keys, and source code.
diff --git a/src/content/docs/cloudflare-one/insights/analytics/access.mdx b/src/content/docs/cloudflare-one/insights/analytics/access.mdx
index f5fd2e12699c86..814d1442d76724 100644
--- a/src/content/docs/cloudflare-one/insights/analytics/access.mdx
+++ b/src/content/docs/cloudflare-one/insights/analytics/access.mdx
@@ -5,7 +5,7 @@ sidebar:
 order: 3
 ---
-Access event analytics allows you to review login attempts to the applications you protect behind [Access](/cloudflare-one/policies/access/). Access event analytics are powered by [Access audit logs](/cloudflare-one/insights/logs/audit-logs/).
+Access event analytics allows you to review login attempts to the applications you protect behind [Access](/cloudflare-one/access-controls/policies/). Access event analytics are powered by [Access audit logs](/cloudflare-one/insights/logs/audit-logs/).
 To view Access event analytics: 
@@ -13,11 +13,12 @@ To view Access event analytics:
 2. Go to **Analytics** > **Dashboards**.
 3. Select **Access event analytics**.
-Access Event Analytics aggregates authentication activity based on your [Access policies](/cloudflare-one/policies/access/policy-management/).
+Access Event Analytics aggregates authentication activity based on your [Access policies](/cloudflare-one/access-controls/policies/policy-management/).
 ## Available insights
 The Access event analytics dashboard includes a chart of Access activity over time. You can view a chronological chart of access events. The Access event analytics dashboard shows when access requests occurred, helping you spot spikes in login attempts.
+
 - Events are displayed on the vertical axis.
 - Time (in your local timezone) is shown along the horizontal axis.
@@ -30,4 +31,4 @@ The Access event analytics dashboard also shows data on your usage patterns with
 - Top countries
 - Top application types
-These insights help you detect anomalies, and optimize policy rules.
\ No newline at end of file
+These insights help you detect anomalies, and optimize policy rules.
diff --git a/src/content/docs/cloudflare-one/insights/analytics/ai-prompt-logs.mdx b/src/content/docs/cloudflare-one/insights/analytics/ai-prompt-logs.mdx
index a63f5758d525e1..b1fd7fd70ee224 100644
--- a/src/content/docs/cloudflare-one/insights/analytics/ai-prompt-logs.mdx
+++ b/src/content/docs/cloudflare-one/insights/analytics/ai-prompt-logs.mdx
@@ -1,7 +1,7 @@
 ---
 pcx_content_type: navigation
 title: AI prompt logs
-external_link: /cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-generative-ai-prompt-content
+external_link: /cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-generative-ai-prompt-content
 sidebar:
 order: 5
 --- 
diff --git a/src/content/docs/cloudflare-one/insights/analytics/data-analytics.mdx b/src/content/docs/cloudflare-one/insights/analytics/data-analytics.mdx
index 7865ceaba61436..35830b27dec6f0 100644
--- a/src/content/docs/cloudflare-one/insights/analytics/data-analytics.mdx
+++ b/src/content/docs/cloudflare-one/insights/analytics/data-analytics.mdx
@@ -15,7 +15,7 @@ To view the Data security analytics dashboard:
 To populate this dashboard, you must have:
-- [Data Loss Prevention (DLP)](/cloudflare-one/policies/data-loss-prevention/) configured to generate event data from scanned web traffic or SaaS applications.
+- [Data Loss Prevention (DLP)](/cloudflare-one/data-loss-prevention/) configured to generate event data from scanned web traffic or SaaS applications.
 - At least one [Cloud Access Security Broker (CASB)](/cloudflare-one/applications/casb/) integration connected to capture findings from your SaaS applications or cloud environments.
 ## Available insights 
@@ -32,7 +32,7 @@ The dashboard includes the following panels and metrics:
 ### SaaS and Cloud findings by count
-The SaaS and Cloud findings by count chart shows a time series view of Posture and Content findings. [Posture](/cloudflare-one/applications/casb/manage-findings/#posture-findings) denotes posture findings which include misconfigurations, unauthorized user activity, and other data security issues. [Content](/cloudflare-one/applications/casb/manage-findings/#content-findings) denotes content findings which include instances of potential data exposure as identified by [DLP](/cloudflare-one/policies/data-loss-prevention/).
+The SaaS and Cloud findings by count chart shows a time series view of Posture and Content findings. [Posture](/cloudflare-one/applications/casb/manage-findings/#posture-findings) denotes posture findings which include misconfigurations, unauthorized user activity, and other data security issues. [Content](/cloudflare-one/applications/casb/manage-findings/#content-findings) denotes content findings which include instances of potential data exposure as identified by [DLP](/cloudflare-one/data-loss-prevention/).
 Each bar represents the total number of findings detected within a given time interval. You can use this view to observe patterns or spikes in findings over time. Hover over any bar to view the exact count of Posture and Content findings for that period.
@@ -46,7 +46,7 @@ To review findings in detail, log into [Zero Trust](https://one.dash.cloudflare.
 ### DLP matches in HTTP requests over time
-The DLP matches in HTTP requests over time chart displays when [DLP policies](/cloudflare-one/policies/data-loss-prevention/dlp-policies/) were triggered by users over a specified period of time.
+The DLP matches in HTTP requests over time chart displays when [DLP policies](/cloudflare-one/data-loss-prevention/dlp-policies/) were triggered by users over a specified period of time.
 Unlike the SaaS and Cloud findings by count chart above, which relies on CASB findings from data at rest, the DLP matches in HTTP requests over time chart reflects DLP detections in HTTP traffic — helping you monitor sensitive data movement in real time.
diff --git a/src/content/docs/cloudflare-one/insights/analytics/gateway.mdx b/src/content/docs/cloudflare-one/insights/analytics/gateway.mdx
index dd71ebae5d33dc..297973944cb66e 100644
--- a/src/content/docs/cloudflare-one/insights/analytics/gateway.mdx
+++ b/src/content/docs/cloudflare-one/insights/analytics/gateway.mdx
@@ -15,7 +15,7 @@ To review Gateway analytics, log in to [Zero Trust](https://one.dash.cloudflare.
 ## HTTP request analytics
-The HTTP request analytics dashboard is powered by your [Gateway HTTP policies](/cloudflare-one/policies/gateway/http-policies/). If you are not using Gateway HTTP policies, the dashboard will appear empty.
+The HTTP request analytics dashboard is powered by your [Gateway HTTP policies](/cloudflare-one/traffic-policies/http-policies/). If you are not using Gateway HTTP policies, the dashboard will appear empty.
 The HTTP request analytics dashboard helps you identify trends in how your HTTP policies are applied over time. By visualizing allowed, isolated, and do not inspect requests, the dashboard provides insights into traffic behavior and policy trends, making it easier to spot anomalies or shifts in usage patterns.
@@ -24,7 +24,7 @@ To review a detailed description of an HTTP request and its associated policy, l
 ### Provided analytics
 - HTTP Requests over time
- - Time series view of HTTP requests
+ - Time series view of HTTP requests
 - Top Actions
 - Top Countries
 - Top Blocked Users
@@ -34,7 +34,7 @@ To review a detailed description of an HTTP request and its associated policy, l
 ## DNS query analytics
-The DNS query analytics dashboard is powered by your [Gateway DNS policies](/cloudflare-one/policies/gateway/dns-policies/). If you are not using Gateway DNS policies, the dashboard will appear empty.
+The DNS query analytics dashboard is powered by your [Gateway DNS policies](/cloudflare-one/traffic-policies/dns-policies/). If you are not using Gateway DNS policies, the dashboard will appear empty.
 The DNS query analytics dashboard helps you identify trends in how your DNS policies are applied over time. By visualizing allowed, blocked, and overridden queries, the dashboard provides insights into traffic behavior and policy trends, making it easier to spot anomalies or shifts in usage patterns.
@@ -43,7 +43,7 @@ To review a detailed description of a DNS query and its associated policy, log i
 ### Provided analytics
 - DNS Queries over time
- - Time series view of DNS queries
+ - Time series view of DNS queries
 - Top Actions
 - Top Countries
 - Top Blocked Users
@@ -52,7 +52,7 @@ To review a detailed description of a DNS query and its associated policy, log i
 ## Network session analytics
-The Network session analytics dashboard is powered by your [Gateway network policies](/cloudflare-one/policies/gateway/network-policies/). If you are not using Gateway network policies, the dashboard will appear empty.
+The Network session analytics dashboard is powered by your [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/). If you are not using Gateway network policies, the dashboard will appear empty.
 The Network session analytics dashboard helps you identify trends in how your network policies are applied over time. By visualizing allowed, blocked, and overridden sessions, the dashboard provides insights into traffic behavior and policy trends, making it easier to spot anomalies or shifts in usage patterns.
@@ -61,7 +61,7 @@ To review a detailed description of a network session and its associated policy,
 ### Provided analytics
 - Network Sessions over time
- - Time series view of network sessions
+ - Time series view of network sessions
 - Top Actions
 - Top Countries
 - Top Blocked Users
@@ -82,7 +82,7 @@ You can use the [GraphQL Analytics API](/analytics/graphql-api/) to query your G
 | `gatewayResolverQueriesAdaptiveGroups` | Metrics for Gateway DNS queries with adaptive sampling. |
 | `gatewayResolverByRuleExecutionPerformanceAdaptiveGroups` | Time to execute Gateway DNS policies on the Cloudflare global network. |
 | `gatewayResolverByCustomResolverGroups` | Metrics for Gateway DNS queries resolved using custom resolvers. |
-| `gatewayResolverByCategoryAdaptiveGroups` | Metrics for Gateway DNS queries sorted by [domain category](/cloudflare-one/policies/gateway/domain-categories/) with adaptive sampling. |
+| `gatewayResolverByCategoryAdaptiveGroups` | Metrics for Gateway DNS queries sorted by [domain category](/cloudflare-one/traffic-policies/domain-categories/) with adaptive sampling. |
 To explore the schema, you can use a GraphQL client such as [GraphiQL](https://github.com/graphql/graphiql/tree/main/packages/graphiql#readme) or [Altair](https://altairgraphql.dev/).
diff --git a/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx b/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx
index 6a454e13efcd0f..dbce6bd833fb4d 100644
--- a/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx
+++ b/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx
@@ -13,7 +13,7 @@ To access Shadow IT SaaS analytics, in [Zero Trust](https://one.dash.cloudflare.
 ## Prerequisites
-To allow Cloudflare to discover shadow IT in your traffic, you must set up [HTTP filtering](/cloudflare-one/policies/gateway/initial-setup/http/).
+To allow Cloudflare to discover shadow IT in your traffic, you must set up [HTTP filtering](/cloudflare-one/traffic-policies/initial-setup/http/).
 ## Use Shadow IT SaaS analytics
@@ -30,7 +30,7 @@ Review the Shadow IT SaaS analytics dashboard for application usage. Filter the
 | Field | Description |
 | ---------------- | ---------------------------------------------------------------------------------------------------------------------------- |
 | Application | SaaS application's name and logo. |
- | Application type | [Application type](/cloudflare-one/policies/gateway/application-app-types/#app-types) assigned by Cloudflare Zero Trust. |
+ | Application type | [Application type](/cloudflare-one/traffic-policies/application-app-types/#app-types) assigned by Cloudflare Zero Trust. |
 | Status | Application's approval status. |
 | Secured | Whether the application is currently secured behind Cloudflare Access. |
 | Users | Number of users who connected to the application over the period of time specified on the Shadow IT Discovery overview page. |
@@ -39,10 +39,10 @@ To manage application statuses in bulk, select **Set Application Statuses** to r
 ### 3. Create policies
-After marking applications, you can create [HTTP policies](/cloudflare-one/policies/gateway/http-policies/) based on application review status. For example, you can create policies that:
+After marking applications, you can create [HTTP policies](/cloudflare-one/traffic-policies/http-policies/) based on application review status. For example, you can create policies that:
-- Launch all **Unreviewed** and **In review** applications in an [isolated browser](/cloudflare-one/policies/gateway/http-policies/common-policies/#1-isolate-unreviewed-or-in-review-applications).
-- [Block access](/cloudflare-one/policies/gateway/http-policies/common-policies/#2-block-unapproved-applications) to all **Unapproved** applications.
+- Launch all **Unreviewed** and **In review** applications in an [isolated browser](/cloudflare-one/traffic-policies/http-policies/common-policies/#1-isolate-unreviewed-or-in-review-applications).
+- [Block access](/cloudflare-one/traffic-policies/http-policies/common-policies/#2-block-unapproved-applications) to all **Unapproved** applications.
 - Limit file upload capabilities for specific application statuses.
 To create an HTTP status policy directly from Shadow IT Discovery:
diff --git a/src/content/docs/cloudflare-one/insights/dex/index.mdx b/src/content/docs/cloudflare-one/insights/dex/index.mdx
index 2a5b6437935acc..255b8b2e164ad3 100644
--- a/src/content/docs/cloudflare-one/insights/dex/index.mdx
+++ b/src/content/docs/cloudflare-one/insights/dex/index.mdx
@@ -14,7 +14,7 @@ With DEX, you can monitor the state of your [WARP client](/cloudflare-one/team-a
 Use DEX to troubleshoot other Zero Trust features:
 - Test connectivity to a [SaaS application secured with Access](/cloudflare-one/applications/configure-apps/saas-apps/).
-- Verify that a website routed through [Gateway](/cloudflare-one/policies/gateway/) is reachable from user devices.
+- Verify that a website routed through [Gateway](/cloudflare-one/traffic-policies/) is reachable from user devices.
 - Confirm that users can successfully reach internal resources after configuring a [Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/).
 ### Get started
diff --git a/src/content/docs/cloudflare-one/insights/dex/rules.mdx b/src/content/docs/cloudflare-one/insights/dex/rules.mdx
index 109a35d049ae32..ed283403536285 100644
--- a/src/content/docs/cloudflare-one/insights/dex/rules.mdx
+++ b/src/content/docs/cloudflare-one/insights/dex/rules.mdx
@@ -28,14 +28,14 @@ Review the available selectors and their scope in the following list.
 | Selector | Description |
 | ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------- |
-| **User email** | For specifying [user emails](/cloudflare-one/policies/gateway/identity-selectors/#user-email). |
-| **User group emails** | For specifying [group emails](/cloudflare-one/policies/gateway/identity-selectors/#user-group-email). |
-| **User group IDs** | For specifying [group IDs](/cloudflare-one/policies/gateway/identity-selectors/#user-group-ids). |
-| **User group names** | For specifying a [group name](/cloudflare-one/policies/gateway/identity-selectors/#user-group-names). |
+| **User email** | For specifying [user emails](/cloudflare-one/traffic-policies/identity-selectors/#user-email). |
+| **User group emails** | For specifying [group emails](/cloudflare-one/traffic-policies/identity-selectors/#user-group-email). |
+| **User group IDs** | For specifying [group IDs](/cloudflare-one/traffic-policies/identity-selectors/#user-group-ids). |
+| **User group names** | For specifying a [group name](/cloudflare-one/traffic-policies/identity-selectors/#user-group-names). |
 | **Operating systems** | For specifying operating systems. |
 | **Operating system version** | For specifying an operating system version (use Operator `in`) or versions (use Operator `is`). |
 | **Managed network** | For specifying users accessing the network from the office (managed network) compared to those accessing remotely. |
-| **SAML attributes** | For specifying a value from the [SAML Attribute Assertion](/cloudflare-one/policies/gateway/identity-selectors/#saml-attributes). |
+| **SAML attributes** | For specifying a value from the [SAML Attribute Assertion](/cloudflare-one/traffic-policies/identity-selectors/#saml-attributes). |
 | **Colos** | For specifying a Cloudflare data center location users are connected to. |
 ## Add a rule to a test
diff --git a/src/content/docs/cloudflare-one/insights/index.mdx b/src/content/docs/cloudflare-one/insights/index.mdx
index 20d78fbff84de4..453fbc50a88b24 100644
--- a/src/content/docs/cloudflare-one/insights/index.mdx
+++ b/src/content/docs/cloudflare-one/insights/index.mdx
@@ -2,7 +2,7 @@
 pcx_content_type: navigation
 title: Insights
 sidebar:
- order: 8
+ order: 6
 group:
 hideIndex: true
 ---
diff --git a/src/content/docs/cloudflare-one/insights/logs/gateway-logs/index.mdx b/src/content/docs/cloudflare-one/insights/logs/gateway-logs/index.mdx
index 330aa9b5f37ea7..d4992963091837 100644
--- a/src/content/docs/cloudflare-one/insights/logs/gateway-logs/index.mdx
+++ b/src/content/docs/cloudflare-one/insights/logs/gateway-logs/index.mdx
@@ -13,7 +13,7 @@ Gateway logs will only show the public IP address for the **Source IP** field. P
 :::
-Gateway activity logs show the individual DNS queries, Network packets, and HTTP requests inspected by Gateway. You can also download encrypted [SSH command logs](/cloudflare-one/policies/gateway/network-policies/ssh-logging/) for sessions proxied by Gateway.
+Gateway activity logs show the individual DNS queries, Network packets, and HTTP requests inspected by Gateway. You can also download encrypted [SSH command logs](/cloudflare-one/traffic-policies/network-policies/ssh-logging/) for sessions proxied by Gateway.
 To view Gateway activity logs, log in to [Zero Trust](https://one.dash.cloudflare.com/) and go to **Logs** > **Gateway**. Select an individual row to investigate the event in more detail.
@@ -36,7 +36,7 @@ These settings will only apply to logs displayed in Zero Trust. Logpush data is
 | **Query name** | Name of the domain that was queried. |
 | **Query ID** | UUID of the query assigned by Cloudflare. |
 | **Email** | Email address of the user who registered the WARP client where traffic originated from. If a non-identity on-ramp (such as a [proxy endpoint](/cloudflare-one/team-and-resources/devices/agentless/pac-files/)) or machine-level authentication (such as a [service token](/cloudflare-one/identity/service-tokens/)) was used, this value will be `non_identity@.cloudflareaccess.com`. |
-| **Action** | The [Action](/cloudflare-one/policies/gateway/dns-policies/#actions) Gateway applied to the query (such as Allow or Block). |
+| **Action** | The [Action](/cloudflare-one/traffic-policies/dns-policies/#actions) Gateway applied to the query (such as Allow or Block). |
 | **Time** | Date and time of the DNS query. |
 | **Resolver decision** | The reason why Gateway applied a particular **Action** to the request. Refer to the [list of resolver decisions](#resolver-decisions). |
 | **Resolved IPs** | Resolved IP addresses in the response. |
@@ -70,7 +70,7 @@ These settings will only apply to logs displayed in Zero Trust. Logpush data is
 | ------------------------------------------ | ----------------------------------------------------------------------------------------------------- |
 | **Query ID** | UUID of the query assigned by Cloudflare. |
 | **Query type** | Type of [DNS query](https://en.wikipedia.org/wiki/List_of_DNS_record_types). |
-| **Initial query domain categories** | [Content categories](/cloudflare-one/policies/gateway/domain-categories/) that the domain belongs to. |
+| **Initial query domain categories** | [Content categories](/cloudflare-one/traffic-policies/domain-categories/) that the domain belongs to. |
 | **Matched categories** | Name of the Gateway policy category that match the domain. |
 | **Matched indicator feed names** | Name of the indicator feeds that matched a Gateway policy. |
 | **Query indicator feed names** | Name of the indicator feeds that a matched domain or IP belongs to. |
@@ -137,7 +137,7 @@ Gateway can log failed connections in [network session logs](/logs/logpush/logpu
 | **Source IP** | IP address of the user sending the packet. |
 | **Source Internal IP** | Private IP address assigned by the user's local network. |
 | **Destination IP** | IP address of the packet's target. |
-| **Action** | The Gateway [Action](/cloudflare-one/policies/gateway/dns-policies/#actions) taken based on the first rule that matched (such as Allow or Block). |
+| **Action** | The Gateway [Action](/cloudflare-one/traffic-policies/dns-policies/#actions) taken based on the first rule that matched (such as Allow or Block). |
 | **Session ID** | ID of the unique session. |
 | **Time** | Date and time of the session. |
@@ -175,7 +175,7 @@ Gateway can log failed connections in [network session logs](/logs/logpush/logpu
 | **Destination IP continent** | Continent code of the IP address for the packet's destination. |
 | **Destination IP country** | Country code of the IP address for the packet's destination. |
 | **Transport protocol** | Protocol over which the packet was sent. |
-| **Detected Protocol** | The detected [network protocol](/cloudflare-one/policies/gateway/network-policies/protocol-detection/). |
+| **Detected Protocol** | The detected [network protocol](/cloudflare-one/traffic-policies/network-policies/protocol-detection/). |
 | **SNI** | Host whose Server Name Indication (SNI) header Gateway will filter traffic against. |
 | **Virtual Network** | [Virtual network](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) that the client is connected to. |
 | **Category details** | Category or categories associated with the packet. |
@@ -199,13 +199,13 @@ When an HTTP request results in an error, Gateway logs the first 512 bytes of th
 | ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | **Host** | Hostname in the HTTP header for the HTTP request. Gateway will log the SNI in this field if it responded to the request with a Do Not Inspect action. If Gateway does not receive the SNI, this field will be empty. |
 | **Email** | Email address of the user who made the HTTP request. This is generated by the WARP client. |
-| **Action** | The Gateway [Action](/cloudflare-one/policies/gateway/dns-policies/#actions) taken based on the first rule that matched (such as Allow or Block). |
+| **Action** | The Gateway [Action](/cloudflare-one/traffic-policies/dns-policies/#actions) taken based on the first rule that matched (such as Allow or Block). |
 | **Request ID** | Unique ID of the request. |
 | **Time** | Date and time of the HTTP request. |
 | **Source internal IP** | Private IP address assigned by the user's local network. |
 | **User agent** | User agent header sent in the request by the originating device. |
 | **Policy details** | Policy corresponding to the decision Gateway made based on the traffic criteria of the request. |
-| **DLP profiles** | Name of the matched [DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/). |
+| **DLP profiles** | Name of the matched [DLP profile](/cloudflare-one/data-loss-prevention/dlp-profiles/). |
 | **DLP profile entries** | Name of the matched entry within the DLP profile. |
 | **Uploaded/downloaded file** | Information about the file transferred in the request found by [enhanced file detection](#enhanced-file-detection). Details include:
  • File name
  • File type
  • File size
  • File hash (for Allowed requests only)
  • Content type
  • Direction (Upload/Download)
  • Action (Block/Allow)
|
@@ -252,10 +252,10 @@ When an HTTP request results in an error, Gateway logs the first 512 bytes of th
 | **Category details** | Detailed information on the category the blocked file belongs to. |
 | **Application ID** | ID of the application that matched the domain. |
 | **Application name** | Name of the application that matched the domain. |
-| **Categories** | [Content categories](/cloudflare-one/policies/gateway/domain-categories/) that the domain belongs to. |
+| **Categories** | [Content categories](/cloudflare-one/traffic-policies/domain-categories/) that the domain belongs to. |
 | **Proxy endpoint** | [PAC file proxy endpoint](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) Gateway forwarded traffic to, if applicable. |
 | **Virtual Network** | [Virtual network](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) that the client is connected to. |
-| **Sandbox scanned** | Status of the [file quarantine](/cloudflare-one/policies/gateway/http-policies/file-sandboxing/). |
+| **Sandbox scanned** | Status of the [file quarantine](/cloudflare-one/traffic-policies/http-policies/file-sandboxing/). |
 #### File detection details
@@ -281,7 +281,7 @@ To turn on enhanced file detection:
 ### Isolate requests
-When a user creates an [isolation policy](/cloudflare-one/policies/browser-isolation/isolation-policies/), Gateway logs the initial request that triggers isolation as an Isolate action. Because this request is not isolated yet, the `is_isolated` field will return `false`. Zero Trust then securely returns the result to the user in an isolated browser. Gateway will log all subsequent requests in the isolated browser with the action (such as Allow or Block), and the `is_isolated` field will return `true`.
+When a user creates an [isolation policy](/cloudflare-one/remote-browser-isolation/isolation-policies/), Gateway logs the initial request that triggers isolation as an Isolate action. Because this request is not isolated yet, the `is_isolated` field will return `false`. Zero Trust then securely returns the result to the user in an isolated browser. Gateway will log all subsequent requests in the isolated browser with the action (such as Allow or Block), and the `is_isolated` field will return `true`.
 ## Limitations
diff --git a/src/content/docs/cloudflare-one/insights/logs/logpush.mdx b/src/content/docs/cloudflare-one/insights/logs/logpush.mdx
index 753255327b480e..b4ee35fbe89de7 100644
--- a/src/content/docs/cloudflare-one/insights/logs/logpush.mdx
+++ b/src/content/docs/cloudflare-one/insights/logs/logpush.mdx
@@ -46,7 +46,7 @@ Refer to [Logpush datasets](/logs/logpush/logpush-job/datasets/) for a list of a
 | [Browser Isolation User Actions](/logs/logpush/logpush-job/datasets/account/biso_user_actions/) | Data transfer actions performed by a user in the remote browser |
 | [CASB Findings](/logs/logpush/logpush-job/datasets/account/casb_findings/) | Security issues detected by Cloudflare CASB |
 | [Device Posture Results](/logs/logpush/logpush-job/datasets/account/device_posture_results/) | Device posture status from the WARP client |
-| [DLP Forensic Copies](/logs/logpush/logpush-job/datasets/account/dlp_forensic_copies/) | Entire HTTP requests or payloads of HTTP requests captured by [Cloudflare DLP](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/) |
+| [DLP Forensic Copies](/logs/logpush/logpush-job/datasets/account/dlp_forensic_copies/) | Entire HTTP requests or payloads of HTTP requests captured by [Cloudflare DLP](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/) |
 | [Gateway DNS](/logs/logpush/logpush-job/datasets/account/gateway_dns/) | DNS queries inspected by Cloudflare Gateway |
 | [Gateway HTTP](/logs/logpush/logpush-job/datasets/account/gateway_http/) | HTTP requests inspected by Cloudflare Gateway |
 | [Gateway Network](/logs/logpush/logpush-job/datasets/account/gateway_network/) | Network packets inspected by Cloudflare Gateway |
diff --git a/src/content/docs/cloudflare-one/insights/risk-score.mdx b/src/content/docs/cloudflare-one/insights/risk-score.mdx
index aad74f92fcf699..8a82682487fbec 100644
--- a/src/content/docs/cloudflare-one/insights/risk-score.mdx
+++ b/src/content/docs/cloudflare-one/insights/risk-score.mdx
@@ -53,7 +53,7 @@ By default, all predefined behaviors are disabled. When a behavior is enabled, Z
 | Risk behaviors | Requirements | Description |
 | -------------------------------------- | ----------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | Impossible travel | [A configured Access application](/cloudflare-one/applications/) | User has a successful login from two different locations that they could not have traveled between in that period of time. Matches will appear in your [Access audit logs](/cloudflare-one/insights/logs/audit-logs/). |
-| High number of DLP policies triggered | [A configured DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/) | User has created a high number of DLP policy matches within a narrow frame of time. Matches will appear in your [Gateway activity logs](/cloudflare-one/insights/logs/gateway-logs/). |
+| High number of DLP policies triggered | [A configured DLP profile](/cloudflare-one/data-loss-prevention/dlp-profiles/) | User has created a high number of DLP policy matches within a narrow frame of time. Matches will appear in your [Gateway activity logs](/cloudflare-one/insights/logs/gateway-logs/). |
 | SentinelOne threat detected on machine | [SentinelOne service provider integration](/cloudflare-one/identity/devices/service-providers/sentinelone/) | SentinelOne returns one or more configured [device posture attributes](/cloudflare-one/identity/devices/service-providers/sentinelone/#device-posture-attributes) for a user. |
 ## Manage risk behaviors
diff --git a/src/content/docs/cloudflare-one/integrations/identity-providers/adfs.mdx b/src/content/docs/cloudflare-one/integrations/identity-providers/adfs.mdx
index 7903e2850fc07f..8e3bedb21ae862 100644
--- a/src/content/docs/cloudflare-one/integrations/identity-providers/adfs.mdx
+++ b/src/content/docs/cloudflare-one/integrations/identity-providers/adfs.mdx
@@ -13,6 +13,7 @@ To set up the Microsoft Entra ID IdP integration with Zero Trust, refer to [Micr
 :::
 Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Active Directory integrates with Cloudflare Access using Security Assertion Markup Language (SAML).
+
 ## Before you start
 To get started, you need:
@@ -88,7 +89,7 @@ The **Edit Claim Rules for CF Login** screen automatically displays.
 ## Create claim rules
-Now create 2 Claim Rules so that AD FS can take information from Cloudflare and return it to create [Access policies](/cloudflare-one/policies/access/).
+Now create 2 Claim Rules so that AD FS can take information from Cloudflare and return it to create [Access policies](/cloudflare-one/access-controls/policies/).
 If you closed the Add Relying Trust wizard, use Explorer to find the **Relying Party Trusts** folder, select the newly created RPT file, and select **Edit Claim Rules** in the **Action** sidebar.
diff --git a/src/content/docs/cloudflare-one/integrations/identity-providers/entra-id.mdx b/src/content/docs/cloudflare-one/integrations/identity-providers/entra-id.mdx
index 00dcbde51833b0..6eb3c8ee4b2fc2 100644
--- a/src/content/docs/cloudflare-one/integrations/identity-providers/entra-id.mdx
+++ b/src/content/docs/cloudflare-one/integrations/identity-providers/entra-id.mdx
@@ -249,7 +249,7 @@ When [SCIM synchronization is enabled](#synchronize-users-and-groups), your Entr
 If building an Access policy, choose the _Azure Groups_ selector.
 ![Azure group names displayed in the Access policy builder](~/assets/images/cloudflare-one/identity/azure/azure-scim-groups.png)
-If building a Gateway policy, choose the [_User Group Names_](/cloudflare-one/policies/gateway/identity-selectors/#user-group-names) selector.
+If building a Gateway policy, choose the [_User Group Names_](/cloudflare-one/traffic-policies/identity-selectors/#user-group-names) selector.
 ### Manual entry
diff --git a/src/content/docs/cloudflare-one/integrations/identity-providers/generic-oidc.mdx b/src/content/docs/cloudflare-one/integrations/identity-providers/generic-oidc.mdx
index d2ab836d42f5d1..ffc6fdf5d6eae4 100644
--- a/src/content/docs/cloudflare-one/integrations/identity-providers/generic-oidc.mdx
+++ b/src/content/docs/cloudflare-one/integrations/identity-providers/generic-oidc.mdx
@@ -141,7 +141,7 @@ If you would like to build policies based on IdP groups:
 ### Custom OIDC claims
-All OIDC IdP integrations support the use of custom OIDC claims. Once configured, Access will add the claims to the [Access JWT](/cloudflare-one/identity/authorization-cookie/application-token/) for consumption by your origin services. You can reference the custom OIDC claims in [Access policies](/cloudflare-one/policies/access/), offering a means to control user access to applications based on custom identity attributes. Custom OIDC claims are not currently supported in Gateway policies.
+All OIDC IdP integrations support the use of custom OIDC claims. Once configured, Access will add the claims to the [Access JWT](/cloudflare-one/identity/authorization-cookie/application-token/) for consumption by your origin services. You can reference the custom OIDC claims in [Access policies](/cloudflare-one/access-controls/policies/), offering a means to control user access to applications based on custom identity attributes. Custom OIDC claims are not currently supported in Gateway policies.
 To add a custom OIDC claim to an IdP integration:
diff --git a/src/content/docs/cloudflare-one/integrations/identity-providers/generic-saml.mdx b/src/content/docs/cloudflare-one/integrations/identity-providers/generic-saml.mdx
index b351133b43afd8..8fb661deed4e32 100644
--- a/src/content/docs/cloudflare-one/integrations/identity-providers/generic-saml.mdx
+++ b/src/content/docs/cloudflare-one/integrations/identity-providers/generic-saml.mdx
@@ -129,7 +129,7 @@ This optional configuration signs the [Access JWT](/cloudflare-one/identity/auth
 ### Email attribute name
-Many [Access policies](/cloudflare-one/policies/access/) depend on a user's email address. Some identity providers have a different naming for the email address attribute (for example, `Email`, `e-mail`, `emailAddress`). This can typically be checked in the identity provider's SAML test option.
+Many [Access policies](/cloudflare-one/access-controls/policies/) depend on a user's email address. Some identity providers have a different naming for the email address attribute (for example, `Email`, `e-mail`, `emailAddress`). This can typically be checked in the identity provider's SAML test option.
 Example in Okta:
diff --git a/src/content/docs/cloudflare-one/integrations/identity-providers/google.mdx b/src/content/docs/cloudflare-one/integrations/identity-providers/google.mdx
index 289d76103ea45a..2a51dafe4f35ed 100644
--- a/src/content/docs/cloudflare-one/integrations/identity-providers/google.mdx
+++ b/src/content/docs/cloudflare-one/integrations/identity-providers/google.mdx
@@ -5,7 +5,7 @@ title: Google
 import { GlossaryTooltip, Render } from "~/components";
-You can integrate Google authentication with Cloudflare Access without a Google Workspace account. The integration allows any user with a Google account to log in (if the [Access policy](/cloudflare-one/policies/access/) allows them to reach the resource). Unlike the instructions for [Google Workspace](/cloudflare-one/integrations/identity-providers/google-workspace/), the steps below will not allow you to pull group membership information from a Google Workspace account.
+You can integrate Google authentication with Cloudflare Access without a Google Workspace account. The integration allows any user with a Google account to log in (if the [Access policy](/cloudflare-one/access-controls/policies/) allows them to reach the resource). Unlike the instructions for [Google Workspace](/cloudflare-one/integrations/identity-providers/google-workspace/), the steps below will not allow you to pull group membership information from a Google Workspace account.
 You do not need to be a Google Cloud Platform user to integrate Google as an identity provider with Cloudflare Zero Trust. You will only need to open the Google Cloud Platform to configure IdP integration settings.
@@ -20,7 +20,6 @@ You do not need to be a Google Cloud Platform user to integrate Google as an ide
 ![Location to configure a Consent Screen in the Google Cloud Platform console.](~/assets/images/cloudflare-one/identity/google/configure-consent-screen.png)
 4. To configure the consent screen:
- 1. Select **Get started**.
 2. Enter an **App name** and a **User support email**.
 3. Choose **External** as the Audience Type. Since this application is not being created in a Google Workspace account, any user with a Gmail address can log in.
diff --git a/src/content/docs/cloudflare-one/integrations/identity-providers/jumpcloud-saml.mdx b/src/content/docs/cloudflare-one/integrations/identity-providers/jumpcloud-saml.mdx
index 4a29a6693de121..5479d3191ae62b 100644
--- a/src/content/docs/cloudflare-one/integrations/identity-providers/jumpcloud-saml.mdx
+++ b/src/content/docs/cloudflare-one/integrations/identity-providers/jumpcloud-saml.mdx
@@ -66,7 +66,7 @@ The following steps are specific to setting up JumpCloud with Cloudflare Access.
 7. Select **Save**.
-You can now [test your connection](/cloudflare-one/integrations/identity-providers/#test-idps-in-zero-trust) and create [Access policies](/cloudflare-one/policies/access/) based on the configured login method and SAML attributes.
+You can now [test your connection](/cloudflare-one/integrations/identity-providers/#test-idps-in-zero-trust) and create [Access policies](/cloudflare-one/access-controls/policies/) based on the configured login method and SAML attributes.
 ## Synchronize users and groups
diff --git a/src/content/docs/cloudflare-one/integrations/identity-providers/okta-saml.mdx b/src/content/docs/cloudflare-one/integrations/identity-providers/okta-saml.mdx
index 8af703f56fdcfa..df1eea8b8ddf8a 100644
--- a/src/content/docs/cloudflare-one/integrations/identity-providers/okta-saml.mdx
+++ b/src/content/docs/cloudflare-one/integrations/identity-providers/okta-saml.mdx
@@ -69,7 +69,7 @@ To set up SAML with Okta as your identity provider:
 16. (Recommended) Enable **Sign SAML authentication request**.
-17. (Recommended) Under **SAML attributes**, add the `email` and `groups` attributes. The `groups` attribute is required if you want to create policies based on [Okta groups](/cloudflare-one/policies/gateway/identity-selectors/#okta-saml).
+17. (Recommended) Under **SAML attributes**, add the `email` and `groups` attributes. The `groups` attribute is required if you want to create policies based on [Okta groups](/cloudflare-one/traffic-policies/identity-selectors/#okta-saml).
 ![Adding optional SAML attributes in Zero Trust](~/assets/images/cloudflare-one/identity/okta-saml/okta-saml-6.png)
diff --git a/src/content/docs/cloudflare-one/integrations/identity-providers/one-time-pin.mdx b/src/content/docs/cloudflare-one/integrations/identity-providers/one-time-pin.mdx
index daafb6ee3a6a7a..f1af46128ae22a 100644
--- a/src/content/docs/cloudflare-one/integrations/identity-providers/one-time-pin.mdx
+++ b/src/content/docs/cloudflare-one/integrations/identity-providers/one-time-pin.mdx
@@ -57,7 +57,7 @@ Make a `POST` request to the [Identity Providers](/api/resources/zero_trust/subr
 If your organization uses a third-party email scanning service (for example, Mimecast or Barracuda), add `noreply@notify.cloudflare.com` to the email scanning allowlist.
 :::
-To grant a user access to an application, simply add their email address to an [Access policy](/cloudflare-one/policies/access/policy-management/#create-a-policy).
+To grant a user access to an application, simply add their email address to an [Access policy](/cloudflare-one/access-controls/policies/policy-management/#create-a-policy).
 ## Log in with OTP
diff --git a/src/content/docs/cloudflare-one/integrations/identity-providers/pingone-oidc.mdx b/src/content/docs/cloudflare-one/integrations/identity-providers/pingone-oidc.mdx
index a71ac033498843..b72dd7b509ab0b 100644
--- a/src/content/docs/cloudflare-one/integrations/identity-providers/pingone-oidc.mdx
+++ b/src/content/docs/cloudflare-one/integrations/identity-providers/pingone-oidc.mdx
@@ -38,7 +38,7 @@ The PingOne cloud platform from PingIdentity provides SSO identity management. C
 7. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) that you wish to add to your users' identity.
 8. Select **Save**.
-You can now [test your connection](/cloudflare-one/integrations/identity-providers/#test-idps-in-zero-trust) and create [Access policies](/cloudflare-one/policies/access/) based on the configured login method.
+You can now [test your connection](/cloudflare-one/integrations/identity-providers/#test-idps-in-zero-trust) and create [Access policies](/cloudflare-one/access-controls/policies/) based on the configured login method.
 ## Example API configuration
diff --git a/src/content/docs/cloudflare-one/integrations/identity-providers/pingone-saml.mdx b/src/content/docs/cloudflare-one/integrations/identity-providers/pingone-saml.mdx
index 504992c8c7b6b7..9bd84f3761ea09 100644
--- a/src/content/docs/cloudflare-one/integrations/identity-providers/pingone-saml.mdx
+++ b/src/content/docs/cloudflare-one/integrations/identity-providers/pingone-saml.mdx
@@ -7,6 +7,7 @@ description: Learn how to integrate PingOne as a SAML identity provider with Clo
 import { GlossaryTooltip } from "~/components";
 The PingOne cloud platform from PingIdentity provides SSO identity management. Cloudflare Access supports PingOne as a SAML identity provider.
+ ## Set up PingOne as a SAML provider
 ## 1. Create an application in PingOne
@@ -22,7 +23,6 @@ The PingOne cloud platform from PingIdentity provides SSO identity management. C
 5. Select **Configure**.
 6. To fill in your Cloudflare Access metadata:
- 1. Select **Import from URL**.
 2. Set the **Import URL** to:
@@ -30,10 +30,7 @@ The PingOne cloud platform from PingIdentity provides SSO identity management. C https://.cloudflareaccess.com/cdn-cgi/access/saml-metadata ``` - where `` is your Cloudflare Zero Trust team name. - - 3. Select **Import**. - 4. **Save** the configuration. + where `` is your Cloudflare Zero Trust team name. 3. Select **Import**. 4. **Save** the configuration. 7. In the **Configuration** tab, select **Download metadata** and save the XML metadata file. This file will be used in a later step to add PingOne to Zero Trust. @@ -65,4 +62,4 @@ The PingOne cloud platform from PingIdentity provides SSO identity management. C 7. Select **Save**. -You can now [test your connection](/cloudflare-one/integrations/identity-providers/#test-idps-in-zero-trust) and create [Access policies](/cloudflare-one/policies/access/) based on the configured login method and SAML attributes. +You can now [test your connection](/cloudflare-one/integrations/identity-providers/#test-idps-in-zero-trust) and create [Access policies](/cloudflare-one/access-controls/policies/) based on the configured login method and SAML attributes. diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/azure.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/azure.mdx index 53147a89be6189..2171cd3b93923d 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/azure.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/azure.mdx 
@@ -113,4 +113,4 @@ systemctl start cloudflared
 systemctl status cloudflared
 ```
-Next, visit Zero Trust and ensure your new tunnel shows as **active**. Optionally, begin creating [Access policies](/cloudflare-one/policies/access/) to secure your private resources.
+Next, visit Zero Trust and ensure your new tunnel shows as **active**. Optionally, begin creating [Access policies](/cloudflare-one/access-controls/policies/) to secure your private resources.
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/create-local-tunnel.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/create-local-tunnel.mdx
index 3fc17b63f6acef..932ba84c4dd4e9 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/create-local-tunnel.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/create-local-tunnel.mdx
@@ -205,6 +205,6 @@ Your tunnel configuration is complete! If you want to get information on the tun
 cloudflared tunnel info
 ```
-You can now [route traffic](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) to your tunnel using Cloudflare DNS or [determine who can reach your tunnel](/cloudflare-one/policies/access/) with Cloudflare Access.
+You can now [route traffic](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) to your tunnel using Cloudflare DNS or [determine who can reach your tunnel](/cloudflare-one/access-controls/policies/) with Cloudflare Access.
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr.mdx
index d446c7919219d5..9aba6f9b9a3040 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr.mdx
@@ -45,7 +45,7 @@ To connect your infrastructure with Cloudflare Tunnel:
 If you have applications clearly defined by IPs or hostnames, we recommend [creating an Access application](/cloudflare-one/applications/non-http/self-hosted-private-app/) and managing user access alongside your SaaS and other web apps. Alternatively, if you prefer to secure a private network using a traditional firewall model, you can build Gateway network and DNS policies for IP ranges and domains.
-For more information on building Gateway policies, refer to [Secure your first application](/learning-paths/replace-vpn/build-policies/create-policy/) and [Common network policies](/cloudflare-one/policies/gateway/network-policies/common-policies/#restrict-access-to-private-networks).
+For more information on building Gateway policies, refer to [Secure your first application](/learning-paths/replace-vpn/build-policies/create-policy/) and [Common network policies](/cloudflare-one/traffic-policies/network-policies/common-policies/#restrict-access-to-private-networks).
 ## 5. Connect as a user
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname.mdx
index 08fb645aea052c..8d158da638aa0c 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname.mdx
@@ -138,7 +138,7 @@ Only available on Enterprise plans
 Gateway will automatically resolve DNS queries using your internal DNS server as long as the DNS server is behind the same Cloudflare Tunnel as your application. If your DNS server is behind a different Cloudflare Tunnel (for example, if you separated DNS traffic into its own tunnel for [high availability](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/system-requirements/#private-dns)), then you need to point Gateway to the correct tunnel and DNS server.
-1. [Create a Gateway resolver policy](/cloudflare-one/policies/gateway/resolver-policies/#create-a-resolver-policy) that matches the private hostname for which you are establishing the route:
+1. [Create a Gateway resolver policy](/cloudflare-one/traffic-policies/resolver-policies/#create-a-resolver-policy) that matches the private hostname for which you are establishing the route:
 | Selector | Operator | Value |
 | -------- | -------- | ---------------------- |
@@ -166,7 +166,7 @@ If your private hostname points to an HTTPS application on port `443`, you can s
 - **Option 1 (Recommended)**: Create an [Access self-hosted private app](/cloudflare-one/applications/non-http/self-hosted-private-app/) to manage user access alongside your SaaS and other web apps.
- - **Option 2**: If you prefer to secure the application using a traditional firewall model, build Gateway network policies using the [SNI](/cloudflare-one/policies/gateway/network-policies/#sni) or [SNI Domain](/cloudflare-one/policies/gateway/network-policies/#sni-domain) selector. For an additional layer of protection, add a Gateway DNS policy to allow or block the [Host](/cloudflare-one/policies/gateway/dns-policies/#host) or [Domain](/cloudflare-one/policies/gateway/dns-policies/#domain) from resolving.
+ - **Option 2**: If you prefer to secure the application using a traditional firewall model, build Gateway network policies using the [SNI](/cloudflare-one/traffic-policies/network-policies/#sni) or [SNI Domain](/cloudflare-one/traffic-policies/network-policies/#sni-domain) selector. For an additional layer of protection, add a Gateway DNS policy to allow or block the [Host](/cloudflare-one/traffic-policies/dns-policies/#host) or [Domain](/cloudflare-one/traffic-policies/dns-policies/#domain) from resolving.
 The following example consists of two policies: the first allows specific users to reach your application, and the second blocks all other traffic.
@@ -188,7 +188,7 @@ If your private hostname points to an HTTPS application on port `443`, you can s
 ##### Non-HTTPS applications
-Access policies and Gateway network policies only support hostname-based filtering for applications on port `443`. If your application runs on a non-`443` port, you will need to allow or block network traffic using the [Destination IP](/cloudflare-one/policies/gateway/network-policies/#destination-ip) selector. Then, add a Gateway DNS policy to allow or block the [Host](/cloudflare-one/policies/gateway/dns-policies/#host) or [Domain](/cloudflare-one/policies/gateway/dns-policies/#domain) from resolving.
+Access policies and Gateway network policies only support hostname-based filtering for applications on port `443`. If your application runs on a non-`443` port, you will need to allow or block network traffic using the [Destination IP](/cloudflare-one/traffic-policies/network-policies/#destination-ip) selector. Then, add a Gateway DNS policy to allow or block the [Host](/cloudflare-one/traffic-policies/dns-policies/#host) or [Domain](/cloudflare-one/traffic-policies/dns-policies/#domain) from resolving.
 The following example consists of two policies: the first allows specific users to reach your application, and the second blocks all other traffic.
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns.mdx
index dfc300c5d2457f..60360d94ad9f51 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns.mdx
@@ -26,9 +26,9 @@ To resolve private DNS queries:
 3. Route specific DNS queries to your internal DNS resolver using one of the following options:
 - [Create a Local Domain Fallback entry](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/local-domains/) that points to the internal DNS resolver. For example, you can instruct the WARP client to resolve all requests for `myorg.privatecorp` through an internal resolver at `10.0.0.25` rather than attempting to resolve this publicly.
- - Alternatively, [create a resolver policy](/cloudflare-one/policies/gateway/resolver-policies/#create-a-resolver-policy) that points to the internal DNS resolver.
+ - Alternatively, [create a resolver policy](/cloudflare-one/traffic-policies/resolver-policies/#create-a-resolver-policy) that points to the internal DNS resolver.
-4. [Enable the Gateway proxy](/cloudflare-one/policies/gateway/proxy/#turn-on-the-gateway-proxy) for TCP and UDP.
+4. [Enable the Gateway proxy](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP and UDP.
 5. Finally, ensure that your tunnel uses QUIC as the default [transport protocol](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#protocol). This will enable `cloudflared` to proxy UDP-based traffic which is required in most cases to resolve DNS queries.
@@ -62,7 +62,7 @@ Use the following troubleshooting strategies if you are running into issues whil
 - Ensure that end-user devices are enrolled into WARP by visiting [https://help.teams.cloudflare.com](https://help.teams.cloudflare.com).
-- Double-check the [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence) for your [Gateway network policies](/cloudflare-one/policies/gateway/network-policies/). Ensure that a more global Block or Allow policy will not supersede application-specific policies.
+- Double-check the [order of precedence](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) for your [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/). Ensure that a more global Block or Allow policy will not supersede application-specific policies.
 - Check your [Gateway network logs](/cloudflare-one/insights/logs/gateway-logs/#network-logs) to see whether your UDP DNS resolutions are being allowed or blocked.
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/index.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/index.mdx
index 4cd397491abb97..63b05fac82648a 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/index.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/index.mdx
@@ -9,7 +9,7 @@ With Cloudflare Zero Trust, you can connect private networks and the services ru
 To reach private network IPs, end users must connect their device to Cloudflare and enroll in your Zero Trust organization. The most common method is to install the [WARP client](/cloudflare-one/team-and-resources/devices/warp/) on their device, or you can onboard their network traffic to Cloudflare using our [WARP Connector](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) or [Magic WAN](/magic-wan/zero-trust/cloudflare-tunnel/).
-Administrators can optionally set [Gateway network policies](/cloudflare-one/policies/gateway/network-policies/) to control access to services based on user identity and device posture.
+Administrators can optionally set [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/) to control access to services based on user identity and device posture.
 ## Connectors
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/site-to-site.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/site-to-site.mdx
index ff77c8e82d110e..ac7cf332c44906 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/site-to-site.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/site-to-site.mdx
@@ -72,7 +72,7 @@ If you would like to filter private DNS queries using Cloudflare Gateway, check
 - Initial resolved IP CGNAT range:
-When you resolve DNS queries from WARP Connector through Gateway, Gateway will log the queries with the private source IP. You can use the private source IP to create [resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) for queries intended for [internal DNS records](/cloudflare-one/policies/gateway/resolver-policies/#internal-dns).
+When you resolve DNS queries from WARP Connector through Gateway, Gateway will log the queries with the private source IP. You can use the private source IP to create [resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) for queries intended for [internal DNS records](/cloudflare-one/traffic-policies/resolver-policies/#internal-dns).
 ## 4. Route traffic from subnet to WARP Connector
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp.mdx
index 9bc5476493ca8e..61638726be5cec 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp.mdx
@@ -41,7 +41,7 @@ This will instruct WARP to begin proxying any traffic destined for a `100.96.0.0
 ## Connect via WARP
-Once enrolled, your users and services will be able to connect to the virtual IPs configured for TCP, UDP, or ICMP-based traffic. You can optionally create [Gateway network policies](/cloudflare-one/policies/gateway/network-policies/) to define the users and devices that can access the `100.96.0.0/12` IP space.
+Once enrolled, your users and services will be able to connect to the virtual IPs configured for TCP, UDP, or ICMP-based traffic. You can optionally create [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/) to define the users and devices that can access the `100.96.0.0/12` IP space.
 ## Troubleshooting
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx
index a31f9b39827753..c5b7b125f911ab 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx
@@ -146,7 +146,7 @@ net.core.rmem_max = 2500000
 ## `ping` and `traceroute` commands do not work.
-To ping an IP address behind Cloudflare Tunnel, your system must allow ICMP traffic through `cloudflared`. For configuration instructions, refer to the [ICMP proxy documentation](/cloudflare-one/policies/gateway/proxy/#icmp).
+To ping an IP address behind Cloudflare Tunnel, your system must allow ICMP traffic through `cloudflared`. For configuration instructions, refer to the [ICMP proxy documentation](/cloudflare-one/traffic-policies/proxy/#icmp).
 ## Cloudflare Tunnel is buffering my streaming response instead of streaming it live.
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/grpc.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/grpc.mdx
index 41c0e65732e867..0e3021cf74a012 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/grpc.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/grpc.mdx
@@ -46,7 +46,7 @@ To establish a secure, outbound-only connection to Cloudflare:
 ## 4. (Recommended) Create a Gateway policy
-You can configure [Gateway network policies](/cloudflare-one/policies/gateway/network-policies/) to either block or allow access to the gRPC server. The following example consists of two policies: the first allows gRPC connections from devices that pass [device posture checks](/cloudflare-one/identity/devices/), and the second blocks all other traffic. Make sure that the Allow policy has higher [priority](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence).
+You can configure [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/) to either block or allow access to the gRPC server. The following example consists of two policies: the first allows gRPC connections from devices that pass [device posture checks](/cloudflare-one/identity/devices/), and the second blocks all other traffic. Make sure that the Allow policy has higher [priority](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence).
 ### 1. Allow secured devices
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx
index 5e0a148678efb5..6c1ad52186acb1 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx
@@ -30,7 +30,7 @@ import { Tabs, TabItem, Badge, Render, APIRequest } from "~/components";
 To connect your devices to Cloudflare:
 1. [Deploy the WARP client](/cloudflare-one/team-and-resources/devices/warp/deployment/) on your devices in Gateway with WARP mode.
-2. [Enable the Gateway proxy for TCP](/cloudflare-one/policies/gateway/proxy/#turn-on-the-gateway-proxy).
+2. [Enable the Gateway proxy for TCP](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy).
 3. [Create device enrollment rules](/cloudflare-one/team-and-resources/devices/warp/deployment/device-enrollment/) to determine which devices can enroll to your Zero Trust organization.
 ## 3. Route server IPs through WARP
@@ -135,7 +135,7 @@ To turn off SSH command logging, delete your uploaded public key:
 3. Select **Remove key** to confirm.
-Cloudflare will stop logging SSH commands to your targets, as well as any commands subject to [Gateway Audit SSH](/cloudflare-one/policies/gateway/network-policies/ssh-logging/) policies.
+Cloudflare will stop logging SSH commands to your targets, as well as any commands subject to [Gateway Audit SSH](/cloudflare-one/traffic-policies/network-policies/ssh-logging/) policies.
@@ -206,7 +206,7 @@ A user may be blocked by an Access policy from reaching your server because no e
 The Access infrastructure application (created in [step 5](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#5-add-an-infrastructure-application)) is the policy container for your SSH server. Cloudflare refers to your server that you connect to with SSH as a [target](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#4-add-a-target).
-[Access policies](/cloudflare-one/policies/access/policy-management/) are the rules attached to this Access infrastructure application, determining who can connect and what UNIX usernames they can log in as on the server. Cloudflare will not create new users on the target. UNIX users must already be present on the server.
+[Access policies](/cloudflare-one/access-controls/policies/policy-management/) are the rules attached to this Access infrastructure application, determining who can connect and what UNIX usernames they can log in as on the server. Cloudflare will not create new users on the target. UNIX users must already be present on the server.
 You were guided to create an Access policy for your target in [substep 9 of step 5: Add an infrastructure application](#5-add-an-infrastructure-application).
@@ -238,7 +238,7 @@ You will need Cloudflare dashboard access and log view [permissions](/cloudflare
 3. Review the **Decision**. If the **Decision** is `Access denied`, select the application and copy the name under App.
- If the decision is `Access granted`, Access policies are not interfering with your connection attempts and your connection issue is due to the Cloudflare Tunnel ([step 2](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#2-check-target-machine-connection)), the SSH server ([step 3](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#3-confirm-user-existence-on-the-target-server)), or the `sshd_config` file ([step 4](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#4-debug-sshd_config-file-misconfiguration)).
+ If the decision is `Access granted`, Access policies are not interfering with your connection attempts and your connection issue is due to the Cloudflare Tunnel ([step 2](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#2-check-target-machine-connection)), the SSH server ([step 3](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#3-confirm-user-existence-on-the-target-server)), or the `sshd_config` file ([step 4](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#4-debug-sshd_config-file-misconfiguration)).
 4. Go to **Access** > **Applications**.
@@ -246,9 +246,9 @@ You will need Cloudflare dashboard access and log view [permissions](/cloudflare 6. Select **Configure**. -7. Go to [**Policies**](/cloudflare-one/policies/access/policy-management/#test-your-policies) to review what criteria may be blocking the user. +7. Go to [**Policies**](/cloudflare-one/access-controls/policies/policy-management/#test-your-policies) to review what criteria may be blocking the user. -By adding an Access [policy](/cloudflare-one/policies/access/) to allow the user, the connection issue should be resolved. After saving your policy changes, attempt to connect to the server. +By adding an Access [policy](/cloudflare-one/access-controls/policies/) to allow the user, the connection issue should be resolved. After saving your policy changes, attempt to connect to the server. If you are still having connection issues after auditing your Access policies, review tunnel health in the following step. @@ -261,7 +261,7 @@ To check the status of your tunnel: 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Routes**. 2. Search your IP to find the tunnel associated with the IP. - This IP will be visible in the `warp-cli target list` output in [the previous step](#1-review-access-policies). If you are an admin, you can also go to **Networks** > **Targets** and find the IP next to your Hostname. + This IP will be visible in the `warp-cli target list` output in [the previous step](#1-review-access-policies). If you are an admin, you can also go to **Networks** > **Targets** and find the IP next to your Hostname. 3. Copy the tunnel name. 4. Go to **Networks** > **Tunnels** and search by your tunnel name. 
@@ -444,15 +444,15 @@ These troubleshooting steps could result in you being locked out of your SSH ser
 1. Back up the existing `sshd_config` file.
- ```sh
- mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
- ```
+ ```sh
+ mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
+ ```
 2. Create a new `sshd_config` file.
- ```sh
- vi /etc/ssh/sshd_config
- ```
+ ```sh
+ vi /etc/ssh/sshd_config
+ ```
 3. Enter insert mode by pressing the `i` key on your keyboard.
@@ -462,10 +462,10 @@ These troubleshooting steps could result in you being locked out of your SSH ser
 6. Enter `:x` to save and exit.
 7. [Reload](#reload-your-ssh-server) your SSH server.
- :::caution[Do not restart]
- Restarting your `sshd` service will result in the termination of your current SSH connection. Make sure to reload instead of restarting to avoid terminating all currently open SSH sessions.
- :::
+ :::caution[Do not restart]
+ Restarting your `sshd` service will result in the termination of your current SSH connection. Make sure to reload instead of restarting to avoid terminating all currently open SSH sessions.
+ :::
-
+
-By completing all four troubleshooting steps, you should have resolved any connection issues caused by misconfiguration of the SSH server. If issues persist, [recheck `sshd` logs](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#review-your-sshd-logs). The example [`sshd_config` shared above](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#review-your-sshd_config-file-for-misconfigurations) enables debug logging and may expose more specific issues.
\ No newline at end of file
+By completing all four troubleshooting steps, you should have resolved any connection issues caused by misconfiguration of the SSH server. If issues persist, [recheck `sshd` logs](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#review-your-sshd-logs). The example [`sshd_config` shared above](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#review-your-sshd_config-file-for-misconfigurations) enables debug logging and may expose more specific issues.
diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/index.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/index.mdx
deleted file mode 100644
index a28504cb808071..00000000000000
--- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/index.mdx
+++ /dev/null
@@ -1,26 +0,0 @@
----
-pcx_content_type: how-to
-title: DLP profiles
-sidebar:
- order: 3
- label: Configure DLP profiles
----
-
-import { Render } from "~/components";
-
-A DLP profile is a collection of regular expressions and [detection entries](/cloudflare-one/policies/data-loss-prevention/detection-entries/) that define the data patterns you want to detect. Cloudflare DLP provides predefined profiles for common detections, or you can build custom DLP profiles specific to your data, organization, and risk tolerance.
-
-## Configure a predefined profile
-
-
-
-You can now use this profile in a [DLP policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy) or [CASB integration](/cloudflare-one/applications/casb/casb-dlp/).
-
-## Build a custom profile
-
-
-
-You can now use this profile in a [DLP policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy) or [CASB integration](/cloudflare-one/applications/casb/casb-dlp/).
diff --git a/src/content/docs/cloudflare-one/policies/index.mdx b/src/content/docs/cloudflare-one/policies/index.mdx
deleted file mode 100644
index e0bc9b76c45183..00000000000000
--- a/src/content/docs/cloudflare-one/policies/index.mdx
+++ /dev/null
@@ -1,18 +0,0 @@
----
-pcx_content_type: navigation
-title: Policies
-sidebar:
- order: 7
-head: []
-description: A policy is a set of rules that regulate network activity, such as
- who logs in to your applications or which websites your users can reach.
----
-
-import { GlossaryTooltip } from "~/components";
-
-With Cloudflare Zero Trust, you can create:
-
-- [**Secure Web Gateway**](/cloudflare-one/policies/gateway/) policies to inspect outbound traffic to the Internet with Cloudflare Gateway.
-- [**Access**](/cloudflare-one/policies/access/) policies to secure inbound traffic to your applications with Cloudflare Access.
-- [**Browser Isolation**](/cloudflare-one/policies/browser-isolation/) policies to protect your organization's devices from threats on the Internet and prevent data loss by loading requests in an isolated browser.
-- [**Data Loss Prevention**](/cloudflare-one/policies/data-loss-prevention/) policies to detect and secure your organization's sensitive data in web traffic and SaaS applications.
diff --git a/src/content/docs/cloudflare-one/reference-architecture.mdx b/src/content/docs/cloudflare-one/reference-architecture.mdx
index 9b80b800a9417d..1d9f0658143d8f 100644
--- a/src/content/docs/cloudflare-one/reference-architecture.mdx
+++ b/src/content/docs/cloudflare-one/reference-architecture.mdx
@@ -3,6 +3,6 @@ pcx_content_type: navigation
 title: Reference architecture
 external_link: /reference-architecture/architectures/sase/
 sidebar:
- order: 10
+ order: 12
 ---
diff --git a/src/content/docs/cloudflare-one/policies/browser-isolation/accessibility.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/accessibility.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/policies/browser-isolation/accessibility.mdx
rename to src/content/docs/cloudflare-one/remote-browser-isolation/accessibility.mdx
diff --git a/src/content/docs/cloudflare-one/policies/browser-isolation/extensions.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/extensions.mdx
similarity index 96%
rename from src/content/docs/cloudflare-one/policies/browser-isolation/extensions.mdx
rename to src/content/docs/cloudflare-one/remote-browser-isolation/extensions.mdx
index 128433a5a8c40e..bfbc07e5fdecee 100644
--- a/src/content/docs/cloudflare-one/policies/browser-isolation/extensions.mdx
+++ b/src/content/docs/cloudflare-one/remote-browser-isolation/extensions.mdx
@@ -19,7 +19,7 @@ This capability allows extending tools that require DOM access (such as password
 This step is not required when browsing via Clientless Web Isolation. You can access the Chrome Web Store at `https://.cloudflareaccess.com/browser/https://chromewebstore.google.com/`.
 :::
-Installing extensions requires Chrome Web Store isolation. Create an [HTTP policy](/cloudflare-one/policies/gateway/http-policies/) to isolate the Chrome Web Store (chromewebstore.google.com).
+Installing extensions requires Chrome Web Store isolation. Create an [HTTP policy](/cloudflare-one/traffic-policies/http-policies/) to isolate the Chrome Web Store (chromewebstore.google.com).
 ### Install an extension
diff --git a/src/content/docs/cloudflare-one/policies/browser-isolation/index.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/index.mdx
similarity index 86%
rename from src/content/docs/cloudflare-one/policies/browser-isolation/index.mdx
rename to src/content/docs/cloudflare-one/remote-browser-isolation/index.mdx
index b6ea7bef4d5ce4..2853bb4e0fceee 100644
--- a/src/content/docs/cloudflare-one/policies/browser-isolation/index.mdx
+++ b/src/content/docs/cloudflare-one/remote-browser-isolation/index.mdx
@@ -1,13 +1,13 @@
 ---
 pcx_content_type: concept
-title: Browser Isolation
+title: Remote browser isolation
 sidebar:
- order: 5
+ order: 11
 ---
 import { Render } from "~/components";
-Cloudflare Browser Isolation complements the [Secure Web Gateway](/cloudflare-one/policies/gateway/) and [Zero Trust Network Access](/cloudflare-one/networks/connectors/cloudflare-tunnel/) solutions by executing active webpage content in a secure isolated browser. Executing active content remotely from the endpoint protects users from zero-day attacks and malware. In addition to protecting endpoints, Browser Isolation also protects users from phishing attacks by preventing user input on risky websites and controlling data transmission to sensitive web applications. You can further filter isolated traffic with Gateway [HTTP](/cloudflare-one/policies/gateway/http-policies/) and [DNS](/cloudflare-one/policies/gateway/dns-policies/) policies.
+Cloudflare Browser Isolation complements the [Secure Web Gateway](/cloudflare-one/traffic-policies/) and [Zero Trust Network Access](/cloudflare-one/networks/connectors/cloudflare-tunnel/) solutions by executing active webpage content in a secure isolated browser. Executing active content remotely from the endpoint protects users from zero-day attacks and malware. In addition to protecting endpoints, Browser Isolation also protects users from phishing attacks by preventing user input on risky websites and controlling data transmission to sensitive web applications. You can further filter isolated traffic with Gateway [HTTP](/cloudflare-one/traffic-policies/http-policies/) and [DNS](/cloudflare-one/traffic-policies/dns-policies/) policies.
 Remote browsing is invisible to the user who continues to use their browser normally without changing their preferred browser and habits. Every open tab and window is automatically isolated. When the user closes the isolated browser, their session is automatically deleted.
diff --git a/src/content/docs/cloudflare-one/policies/browser-isolation/isolation-policies.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/isolation-policies.mdx
similarity index 90%
rename from src/content/docs/cloudflare-one/policies/browser-isolation/isolation-policies.mdx
rename to src/content/docs/cloudflare-one/remote-browser-isolation/isolation-policies.mdx
index eff9234b733eeb..326bae3d27cec5 100644
--- a/src/content/docs/cloudflare-one/policies/browser-isolation/isolation-policies.mdx
+++ b/src/content/docs/cloudflare-one/remote-browser-isolation/isolation-policies.mdx
@@ -62,7 +62,7 @@ The following optional settings appear in the Gateway HTTP policy builder when y
 ```
 - _Allow_: (Default) Users can copy content from an isolated website to their local clipboard.
-- _Allow only within isolated browser_: Users can only copy content from an isolated website to the remote clipboard. Users cannot copy content out of the remote browser to the local clipboard. You can use this setting alongside [**Paste (from client to remote)**: _Allow only within isolated browser_](/cloudflare-one/policies/browser-isolation/isolation-policies/#paste-from-client-to-remote) to only allow copy-pasting between isolated websites.
+- _Allow only within isolated browser_: Users can only copy content from an isolated website to the remote clipboard. Users cannot copy content out of the remote browser to the local clipboard. You can use this setting alongside [**Paste (from client to remote)**: _Allow only within isolated browser_](/cloudflare-one/remote-browser-isolation/isolation-policies/#paste-from-client-to-remote) to only allow copy-pasting between isolated websites.
 - _Do not allow_: Prohibits users from copying content from an isolated website.
 ### Paste (from client to remote)
@@ -82,7 +82,7 @@ The following optional settings appear in the Gateway HTTP policy builder when y
 ```
 - _Allow_: (Default) Users can paste content from their local clipboard to an isolated website.
-- _Allow only within isolated browser_: Users can only paste content from the remote clipboard to an isolated website. Users cannot paste content from their local clipboard to the remote browser. You can use this setting alongside [**Copy (from remote to client)**: _Allow only within isolated browser_](/cloudflare-one/policies/browser-isolation/isolation-policies/#copy-from-remote-to-client) to only allow copy-pasting between isolated websites.
+- _Allow only within isolated browser_: Users can only paste content from the remote clipboard to an isolated website. Users cannot paste content from their local clipboard to the remote browser. You can use this setting alongside [**Copy (from remote to client)**: _Allow only within isolated browser_](/cloudflare-one/remote-browser-isolation/isolation-policies/#copy-from-remote-to-client) to only allow copy-pasting between isolated websites.
 - _Do not allow_: Prohibits users from pasting content into an isolated website.
 ### File downloads
@@ -92,7 +92,7 @@ The following optional settings appear in the Gateway HTTP policy builder when y
 - _View in remote browser_: Users can open and view files in an isolated environment.
 :::note
-This option does not prevent files from being downloaded into the remote browser. To prevent files being downloaded into the remote browser, use HTTP Policies to block by [Download Mime Type](/cloudflare-one/policies/gateway/http-policies/#download-and-upload-mime-type).
+This option does not prevent files from being downloaded into the remote browser. To prevent files being downloaded into the remote browser, use HTTP Policies to block by [Download Mime Type](/cloudflare-one/traffic-policies/http-policies/#download-and-upload-mime-type).
 :::
 ### File uploads
@@ -101,7 +101,7 @@ This option does not prevent files from being downloaded into the remote browser
 - _Do not allow_: Prohibits users from uploading files from their local machine into an isolated website.
 :::note
-This option does not prevent files being uploaded to websites from third-party cloud file managers or files downloaded into the remote browser download bar from other isolated websites. To prevent files being uploaded from the remote browser into an isolated website, use HTTP Policies to block by [Upload Mime Type](/cloudflare-one/policies/gateway/http-policies/#download-and-upload-mime-type).
+This option does not prevent files being uploaded to websites from third-party cloud file managers or files downloaded into the remote browser download bar from other isolated websites. To prevent files being uploaded from the remote browser into an isolated website, use HTTP Policies to block by [Upload Mime Type](/cloudflare-one/traffic-policies/http-policies/#download-and-upload-mime-type).
 :::
 ### Keyboard
@@ -120,7 +120,7 @@ Mouse input remains available to allow users to browse a website by following hy
 ## Custom block dialog
-With custom block dialogs, you can host a custom block page when users are blocked from taking specific actions, like [copying](/cloudflare-one/policies/browser-isolation/isolation-policies/#copy-from-remote-to-client), [pasting](/cloudflare-one/policies/browser-isolation/isolation-policies/#paste-from-client-to-remote), [downloading](/cloudflare-one/policies/browser-isolation/isolation-policies/#file-downloads), [uploading](/cloudflare-one/policies/browser-isolation/isolation-policies/#file-uploads), [performing keyboard inputs](/cloudflare-one/policies/browser-isolation/isolation-policies/#keyboard), or [printing](/cloudflare-one/policies/browser-isolation/isolation-policies/#printing), within an isolated browser session.
+With custom block dialogs, you can host a custom block page when users are blocked from taking specific actions, like [copying](/cloudflare-one/remote-browser-isolation/isolation-policies/#copy-from-remote-to-client), [pasting](/cloudflare-one/remote-browser-isolation/isolation-policies/#paste-from-client-to-remote), [downloading](/cloudflare-one/remote-browser-isolation/isolation-policies/#file-downloads), [uploading](/cloudflare-one/remote-browser-isolation/isolation-policies/#file-uploads), [performing keyboard inputs](/cloudflare-one/remote-browser-isolation/isolation-policies/#keyboard), or [printing](/cloudflare-one/remote-browser-isolation/isolation-policies/#printing), within an isolated browser session.
 Administrators can configure custom block dialogs to explain the reason for the block, and guide the users on how to resolve their issue using the provided query parameters:
diff --git a/src/content/docs/cloudflare-one/policies/browser-isolation/known-limitations.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx
similarity index 79%
rename from src/content/docs/cloudflare-one/policies/browser-isolation/known-limitations.mdx
rename to src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx
index 7a208ba945cb58..0df76131ae845e 100644
--- a/src/content/docs/cloudflare-one/policies/browser-isolation/known-limitations.mdx
+++ b/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx
@@ -52,9 +52,9 @@ Browser Isolation is not supported in virtualized environments (VMs).
 Certain selectors for Gateway HTTP policies bypass Browser Isolation, including:
-- [Destination Continent IP Geolocation](/cloudflare-one/policies/gateway/http-policies/#destination-continent)
-- [Destination Country IP Geolocation](/cloudflare-one/policies/gateway/http-policies/#destination-country)
-- [Destination IP](/cloudflare-one/policies/gateway/http-policies/#destination-ip)
+- [Destination Continent IP Geolocation](/cloudflare-one/traffic-policies/http-policies/#destination-continent)
+- [Destination Country IP Geolocation](/cloudflare-one/traffic-policies/http-policies/#destination-country)
+- [Destination IP](/cloudflare-one/traffic-policies/http-policies/#destination-ip)
 You cannot use these selectors to isolate traffic and isolation matches for these selectors will not appear in your Gateway logs. Additionally, you cannot apply other policies based on these selectors while in isolation. For example, if you have a Block policy that matches traffic based on destination IP, Gateway will not block the matching traffic if it is already isolated by an Isolate policy.
@@ -64,7 +64,7 @@ When a user downloads a file within the remote browser, the file is held in memo
 ## Multifactor authentication
-[Clientless Web Isolation](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/) does not support Yubikey or WebAuthN. These authentication technologies require the isolated website to use the same domain name as the non-isolated website. Therefore, they will not work with prefixed Clientless Web Isolation URLs but will work normally for [in-line deployments](/cloudflare-one/policies/browser-isolation/setup/) such as [isolated Access applications](/cloudflare-one/policies/access/isolate-application/).
+[Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) does not support Yubikey or WebAuthN. These authentication technologies require the isolated website to use the same domain name as the non-isolated website. Therefore, they will not work with prefixed Clientless Web Isolation URLs but will work normally for [in-line deployments](/cloudflare-one/remote-browser-isolation/setup/) such as [isolated Access applications](/cloudflare-one/access-controls/policies/isolate-application/).
 ## SAML applications
@@ -72,10 +72,10 @@ Cloudflare Remote Browser Isolation now [supports SAML applications that use HTT
 You no longer need to isolate both the Identity Provider (IdP) and Service Provider (SP), or switch to HTTP-Redirect bindings, to use Browser Isolation with POST-based SSO. Users can log in to internal or SaaS applications in the isolated browser securely and seamlessly.
-[Clientless Web Isolation](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/) may still be preferred in some deployment models. Clientless Web Isolation implicitly isolates all traffic (both IdP and SP) and supports HTTP-POST SAML bindings.
+[Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) may still be preferred in some deployment models. Clientless Web Isolation implicitly isolates all traffic (both IdP and SP) and supports HTTP-POST SAML bindings.
 ## Browser Isolation is not compatible with private IPs on non-`443` ports
 Browser Isolation is not compatible with [self-hosted private applications](/cloudflare-one/applications/non-http/self-hosted-private-app/) that use private IP addresses on ports other than `443`. Trying to access self-hosted applications defined by private IPs on ports other than `443` will result in a Gateway block page.
-To use Browser Isolation for an application on a private IP address with a non-`443` port, configure a [private network application](/cloudflare-one/applications/non-http/legacy-private-network-app/) instead.
\ No newline at end of file
+To use Browser Isolation for an application on a private IP address with a non-`443` port, configure a [private network application](/cloudflare-one/applications/non-http/legacy-private-network-app/) instead.
diff --git a/src/content/docs/cloudflare-one/policies/browser-isolation/network-dependencies.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/network-dependencies.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/policies/browser-isolation/network-dependencies.mdx
rename to src/content/docs/cloudflare-one/remote-browser-isolation/network-dependencies.mdx
diff --git a/src/content/docs/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation.mdx
similarity index 91%
rename from src/content/docs/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation.mdx
rename to src/content/docs/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation.mdx
index 5dc6479adcc1ad..109f5d39110d86 100644
--- a/src/content/docs/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation.mdx
+++ b/src/content/docs/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation.mdx
@@ -13,11 +13,11 @@ Clientless Web Isolation allows users to securely browse high risk or sensitive
-3. To configure permissions, in **Settings** > **Browser Isolation** > select **Manage** next to Permissions. You can add authentication methods and [rules](/cloudflare-one/policies/access/) to control who can access the remote browser.
+3. To configure permissions, in **Settings** > **Browser Isolation** > select **Manage** next to Permissions. You can add authentication methods and [rules](/cloudflare-one/access-controls/policies/) to control who can access the remote browser.
 4. Under **Policies** > Access Policies > select **Create new policy**.
-5. Name your policy and define who will have access to your isolated application. Refer to the [Access policy documentation](/cloudflare-one/policies/access/#actions) to construct your policy.
+5. Name your policy and define who will have access to your isolated application. Refer to the [Access policy documentation](/cloudflare-one/access-controls/policies/#actions) to construct your policy.
 6. Select **Save**.
@@ -37,7 +37,7 @@ To open links using Browser Isolation:
 ## Filter DNS queries
-Gateway filters and resolves DNS queries for isolated sessions via [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). Enterprise users can resolve domains available only through private resolvers by creating [resolver policies](/cloudflare-one/policies/gateway/resolver-policies/).
+Gateway filters and resolves DNS queries for isolated sessions via [DNS policies](/cloudflare-one/traffic-policies/dns-policies/). Enterprise users can resolve domains available only through private resolvers by creating [resolver policies](/cloudflare-one/traffic-policies/resolver-policies/).
 Gateway DNS and resolver policies will always apply to Clientless Web Isolation traffic, regardless of device configuration.
@@ -57,7 +57,7 @@ If `` is not provided, users are presented with a Cloudflare Zero Trust lan
 ### Allow or block websites
-When users visit a website through the [Clientless Web Isolation URL](#use-the-remote-browser), the traffic passes through Cloudflare Gateway. This allows you to [apply HTTP policies](/cloudflare-one/policies/gateway/http-policies/) to control what websites the remote browser can connect to, even if the user's device does not have WARP installed.
+When users visit a website through the [Clientless Web Isolation URL](#use-the-remote-browser), the traffic passes through Cloudflare Gateway. This allows you to [apply HTTP policies](/cloudflare-one/traffic-policies/http-policies/) to control what websites the remote browser can connect to, even if the user's device does not have WARP installed.
 For example, if you use a third-party Secure Web Gateway to block `example.com`, users can still access the page in the remote browser by visiting `https://.cloudflareaccess.com/browser/https://www.example.com/`. To block `https://.cloudflareaccess.com/browser/https://www.example.com/`, create a Cloudflare Gateway HTTP policy to block `example.com`:
@@ -67,7 +67,7 @@ For example, if you use a third-party Secure Web Gateway to block `example.com`,
 ### Bypass TLS decryption
-If [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) is turned on, Gateway will decrypt all sites accessed through the Clientless Web Isolation URL. To connect to sites that are incompatible with TLS decryption, you will need to add a Do Not Inspect HTTP policy for the application or domain.
+If [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is turned on, Gateway will decrypt all sites accessed through the Clientless Web Isolation URL. To connect to sites that are incompatible with TLS decryption, you will need to add a Do Not Inspect HTTP policy for the application or domain.
 | Selector | Operator | Value | Action |
 | -------- | -------- | ------------ | -------------- |
@@ -75,7 +75,7 @@ If [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryptio
 :::note
-Clientless Web Isolation can function without TLS decryption enabled. However, TLS decryption is required to apply [HTTP policies](/cloudflare-one/policies/gateway/http-policies/) to Clientless Web Isolation traffic.
+Clientless Web Isolation can function without TLS decryption enabled. However, TLS decryption is required to apply [HTTP policies](/cloudflare-one/traffic-policies/http-policies/) to Clientless Web Isolation traffic.
 :::
@@ -92,7 +92,7 @@ All users with access to your remote browser can access your Cloudflare Tunnel a
 ### Disable remote browser controls
-You can configure [remote browser controls](/cloudflare-one/policies/browser-isolation/isolation-policies/#policy-settings) such as disabling copy/paste, printing, or keyboard input. These settings display in the Gateway [HTTP policy builder](/cloudflare-one/policies/gateway/http-policies/) when you select the Isolate action.
+You can configure [remote browser controls](/cloudflare-one/remote-browser-isolation/isolation-policies/#policy-settings) such as disabling copy/paste, printing, or keyboard input. These settings display in the Gateway [HTTP policy builder](/cloudflare-one/traffic-policies/http-policies/) when you select the Isolate action.
 ### Sync cookies between local and remote browser
diff --git a/src/content/docs/cloudflare-one/policies/browser-isolation/setup/index.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/setup/index.mdx
similarity index 52%
rename from src/content/docs/cloudflare-one/policies/browser-isolation/setup/index.mdx
rename to src/content/docs/cloudflare-one/remote-browser-isolation/setup/index.mdx
index 6405087c7687a8..65fd8261563001 100644
--- a/src/content/docs/cloudflare-one/policies/browser-isolation/setup/index.mdx
+++ b/src/content/docs/cloudflare-one/remote-browser-isolation/setup/index.mdx
@@ -6,19 +6,19 @@ sidebar:
 label: Get started
 ---
-Browser Isolation is enabled through [Secure Web Gateway HTTP policies](/cloudflare-one/policies/gateway/http-policies/). By default, no traffic is isolated until you have added an Isolate policy to your HTTP policies.
+Browser Isolation is enabled through [Secure Web Gateway HTTP policies](/cloudflare-one/traffic-policies/http-policies/). By default, no traffic is isolated until you have added an Isolate policy to your HTTP policies.
 ## 1. Connect devices to Cloudflare
 Setup instructions vary depending on how you want to connect your devices to Cloudflare. Refer to the links below to view the setup guide for each deployment option.
-| Connection | Mode | Description |
-| ----------------------------------------------------------------------------------------------------------- | ------------ | -------------------------------------------------------------------------------------------------------------------- |
-| [Gateway with WARP](/cloudflare-one/policies/gateway/initial-setup/http/) | In-line | Apply identity-based HTTP policies to traffic proxied through the WARP client. |
-| [Access](/cloudflare-one/policies/access/isolate-application/) | In-line | Apply identity-based HTTP policies to Access applications that are rendered in a remote browser. |
-| [Gateway proxy endpoint](/cloudflare-one/policies/browser-isolation/setup/non-identity/) | In-line | Apply non-identity HTTP policies to traffic forwarded to a proxy endpoint. |
-| [Magic WAN](/cloudflare-one/policies/browser-isolation/setup/non-identity/) | In-line | Apply non-identity HTTP policies to traffic connected through a GRE or IPsec tunnel. |
-| [Clientless remote browser](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/) | Prefixed URL | Render web pages in a remote browser when users go to `https://.cloudflareaccess.com/browser/`.
|
+| Connection | Mode | Description |
+| --------------------------------------------------------------------------------------------------------- | ------------ | -------------------------------------------------------------------------------------------------------------------- |
+| [Gateway with WARP](/cloudflare-one/traffic-policies/initial-setup/http/) | In-line | Apply identity-based HTTP policies to traffic proxied through the WARP client. |
+| [Access](/cloudflare-one/access-controls/policies/isolate-application/) | In-line | Apply identity-based HTTP policies to Access applications that are rendered in a remote browser. |
+| [Gateway proxy endpoint](/cloudflare-one/remote-browser-isolation/setup/non-identity/) | In-line | Apply non-identity HTTP policies to traffic forwarded to a proxy endpoint. |
+| [Magic WAN](/cloudflare-one/remote-browser-isolation/setup/non-identity/) | In-line | Apply non-identity HTTP policies to traffic connected through a GRE or IPsec tunnel. |
+| [Clientless remote browser](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) | Prefixed URL | Render web pages in a remote browser when users go to `https://.cloudflareaccess.com/browser/`. |
 ## 2. Build an Isolation policy
@@ -26,9 +26,9 @@ To configure Browser Isolation policies:
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Gateway** > **Firewall policies** > **HTTP**.
 2. Select **Add a policy** and enter a name for the policy.
-3. Use the HTTP policy [selectors](/cloudflare-one/policies/gateway/http-policies/#selectors) and [operators](/cloudflare-one/policies/gateway/http-policies/#comparison-operators) to specify the websites or content you want to isolate.
-4. For **Action**, choose either [_Isolate_](/cloudflare-one/policies/browser-isolation/isolation-policies/#isolate) or [_Do not Isolate_](/cloudflare-one/policies/browser-isolation/isolation-policies/#do-not-isolate).
-5. (Optional) Configure [settings](/cloudflare-one/policies/browser-isolation/isolation-policies/#policy-settings) for an Isolate policy.
+3. Use the HTTP policy [selectors](/cloudflare-one/traffic-policies/http-policies/#selectors) and [operators](/cloudflare-one/traffic-policies/http-policies/#comparison-operators) to specify the websites or content you want to isolate.
+4. For **Action**, choose either [_Isolate_](/cloudflare-one/remote-browser-isolation/isolation-policies/#isolate) or [_Do not Isolate_](/cloudflare-one/remote-browser-isolation/isolation-policies/#do-not-isolate).
+5. (Optional) Configure [settings](/cloudflare-one/remote-browser-isolation/isolation-policies/#policy-settings) for an Isolate policy.
 6. Select **Create policy**.
 Next, [verify that your policy is working](#3-check-if-a-web-page-is-isolated).
diff --git a/src/content/docs/cloudflare-one/policies/browser-isolation/setup/non-identity.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/setup/non-identity.mdx
similarity index 80%
rename from src/content/docs/cloudflare-one/policies/browser-isolation/setup/non-identity.mdx
rename to src/content/docs/cloudflare-one/remote-browser-isolation/setup/non-identity.mdx
index f1dec193c94cd0..472b00fd774761 100644
--- a/src/content/docs/cloudflare-one/policies/browser-isolation/setup/non-identity.mdx
+++ b/src/content/docs/cloudflare-one/remote-browser-isolation/setup/non-identity.mdx
@@ -5,11 +5,11 @@ sidebar:
   order: 5
 ---
-With Cloudflare Zero Trust, you can isolate HTTP traffic from on-ramps such as [proxy endpoints](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) or [Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/). Since these on-ramps do not require users to log in to Cloudflare WARP, [identity-based policies](/cloudflare-one/policies/gateway/identity-selectors/) are not supported.
+With Cloudflare Zero Trust, you can isolate HTTP traffic from on-ramps such as [proxy endpoints](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) or [Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/). Since these on-ramps do not require users to log in to Cloudflare WARP, [identity-based policies](/cloudflare-one/traffic-policies/identity-selectors/) are not supported.
 :::note
-If you want to apply Isolate policies based on user identity, you will need to either install the [WARP client](/cloudflare-one/team-and-resources/devices/warp/) or manually redirect users to the [Clientless Web Isolation](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/) URL.
+If you want to apply Isolate policies based on user identity, you will need to either install the [WARP client](/cloudflare-one/team-and-resources/devices/warp/) or manually redirect users to the [Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) URL.
 :::
 ## Set up non-identity browser isolation
@@ -21,4 +21,4 @@ If you want to apply Isolate policies based on user identity, you will need to e
 3. Enable non-identity browser isolation:
    1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Browser Isolation**.
    2. Turn on **Non-identity on-ramp support**.
-4. Build a non-identity [HTTP policy](/cloudflare-one/policies/browser-isolation/isolation-policies/) to isolate websites in a remote browser.
+4. Build a non-identity [HTTP policy](/cloudflare-one/remote-browser-isolation/isolation-policies/) to isolate websites in a remote browser.
diff --git a/src/content/docs/cloudflare-one/roles-permissions.mdx b/src/content/docs/cloudflare-one/roles-permissions.mdx
index 12bad3a6c62301..52120ca2e163cd 100644
--- a/src/content/docs/cloudflare-one/roles-permissions.mdx
+++ b/src/content/docs/cloudflare-one/roles-permissions.mdx
@@ -2,7 +2,7 @@ pcx_content_type: reference
 title: Roles and permissions
 sidebar:
-  order: 13
+  order: 14
 ---
 import { Render } from "~/components";
@@ -52,4 +52,4 @@ For more information on Email Security roles, refer to [Account-scoped roles](/f
 - **Email Security Analyst**: Has analyst access. Can take action on emails and read emails.
 - **Email Security Reporting**: Can read metrics.
 - **Email Security Read Only**: Can read all information, but cannot take action on anything.
-- **Email Security Policy Admin**: Can read all settings, but only write [allow policies](/cloudflare-one/email-security/detection-settings/allow-policies/), [trusted domains](/cloudflare-one/email-security/detection-settings/trusted-domains/), and [blocked senders](/cloudflare-one/email-security/detection-settings/blocked-senders/).
\ No newline at end of file
+- **Email Security Policy Admin**: Can read all settings, but only write [allow policies](/cloudflare-one/email-security/detection-settings/allow-policies/), [trusted domains](/cloudflare-one/email-security/detection-settings/trusted-domains/), and [blocked senders](/cloudflare-one/email-security/detection-settings/blocked-senders/).
diff --git a/src/content/docs/cloudflare-one/setup.mdx b/src/content/docs/cloudflare-one/setup.mdx
index ba5308a3e3f924..c6415c311a2af6 100644
--- a/src/content/docs/cloudflare-one/setup.mdx
+++ b/src/content/docs/cloudflare-one/setup.mdx
@@ -40,4 +40,4 @@ If you want to enable security features such as Browser Isolation, HTTP filterin
 Your devices are now connected to Cloudflare Zero Trust through the WARP client. You can go to **My Team** > **Devices** to find a list of your enrolled devices, when they were last seen, and the WARP client version they are running.
-Next, [enforce security policies](/cloudflare-one/policies/) on your traffic and access requests.
+Next, [enforce security policies](/cloudflare-one/traffic-policies/) on your traffic and access requests.
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/dns/dns-over-https.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/dns/dns-over-https.mdx
index 07f6711bbb6139..395f4b02932797 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/dns/dns-over-https.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/dns/dns-over-https.mdx
@@ -275,7 +275,7 @@ curl --silent "https://.cloudflare-gateway.com/dns-query?name=exampl
   --header "CF-Authorization: " | jq
 ```
-If the site is blocked and you have turned on the [block page](/cloudflare-one/policies/gateway/block-page/#configure-policy-block-behavior) for the policy, the query will return `162.159.36.12` (the IP address of the Gateway block page). If the block page is disabled, the response will be `0.0.0.0`.
+If the site is blocked and you have turned on the [block page](/cloudflare-one/traffic-policies/block-page/#configure-policy-block-behavior) for the policy, the query will return `162.159.36.12` (the IP address of the Gateway block page). If the block page is disabled, the response will be `0.0.0.0`.
@@ -306,4 +306,4 @@ If the site is blocked and you have turned on the [block page](/cloudflare-one/p
-You can verify that the request was associated with the correct user email by checking your [Gateway DNS logs](/cloudflare-one/insights/logs/gateway-logs/). To filter these requests, build a DNS policy using any of the Gateway [identity-based selectors](/cloudflare-one/policies/gateway/identity-selectors/).
+You can verify that the request was associated with the correct user email by checking your [Gateway DNS logs](/cloudflare-one/insights/logs/gateway-logs/). To filter these requests, build a DNS policy using any of the Gateway [identity-based selectors](/cloudflare-one/traffic-policies/identity-selectors/).
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips.mdx
index 95a81c447de0a6..391a497480f4f1 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips.mdx
@@ -83,8 +83,8 @@ For example, for the DoH hostname `https://65y9p2vm1u.cloudflare-gateway.com/dns
 By default, all queries from a configured DNS location will be sent to its DNS resolver IP address to be inspected by Gateway. You can configure Gateway to only filter queries originating from specific networks within a location:
-1. [Create an IP list](/cloudflare-one/policies/gateway/lists/) with the IPv4 and/or IPv6 addresses that your organization will source queries from.
-2. Add a [Source IP](/cloudflare-one/policies/gateway/dns-policies/#source-ip) condition to your DNS policies.
+1. [Create an IP list](/cloudflare-one/traffic-policies/lists/) with the IPv4 and/or IPv6 addresses that your organization will source queries from.
+2. Add a [Source IP](/cloudflare-one/traffic-policies/dns-policies/#source-ip) condition to your DNS policies.
 For example, to block security threats for specific networks, you could create the following policy:
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/dns/locations/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/dns/locations/index.mdx
index c8870a56d8f6f2..3c4ad74c082761 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/dns/locations/index.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/dns/locations/index.mdx
@@ -15,7 +15,7 @@ import { GlossaryDefinition, Render } from "~/components";
 10. Change the DNS resolvers on your router, browser, or OS by following the setup instructions in the UI.
 11. Select **Go to DNS Location**. Your location will appear in your list of locations.
-You can now apply [DNS policies](/cloudflare-one/policies/gateway/dns-policies/) to your location using the [Location selector](/cloudflare-one/policies/gateway/dns-policies/#location).
+You can now apply [DNS policies](/cloudflare-one/traffic-policies/dns-policies/) to your location using the [Location selector](/cloudflare-one/traffic-policies/dns-policies/#location).
 ## DNS endpoints
@@ -52,7 +52,7 @@ Gateway requires a DoH endpoint for default DNS locations. For more information,
 Secure DNS locations provide additional protection against malicious domains for use in services such as [protective DNS (PDNS)](/reference-architecture/diagrams/sase/gateway-for-protective-dns/). For a DNS location to be considered secure, Gateway requires that:
 - Your IPv4 and IPv6 endpoints use your [BYOIP addresses](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips/#bring-your-own-dns-resolver-ip) (if any).
-- [Source network filtering](/cloudflare-one/policies/gateway/network-policies/) is configured for your IPv4, IPv6, and DoT endpoints.
+- [Source network filtering](/cloudflare-one/traffic-policies/network-policies/) is configured for your IPv4, IPv6, and DoT endpoints.
 - Source network filtering or token authentication are configured for your DoH endpoints.
 - Any enabled endpoints for a DNS location meet security permissions.
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/index.mdx
index a950db15a30527..14d6c1e14b4722 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/index.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/index.mdx
@@ -9,7 +9,7 @@ If you are unable to install the WARP client on your devices (for example, Windo
 - **[Gateway DNS policies](/cloudflare-one/team-and-resources/devices/agentless/dns/)**
 - **[Gateway HTTP policies](/cloudflare-one/team-and-resources/devices/agentless/pac-files/)** without user identity and device posture
-- **[Access policies](/cloudflare-one/policies/access/)** without device posture for [web applications](/cloudflare-one/applications/configure-apps/) and for [browser-rendered](/cloudflare-one/applications/non-http/browser-rendering/) SSH, RDP, and VNC connections
-- **[Remote Browser Isolation](/cloudflare-one/policies/browser-isolation/)** via an [Access policy](/cloudflare-one/policies/access/isolate-application/), [prefixed URLs](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/), or a [non-identity on-ramp](/cloudflare-one/policies/browser-isolation/setup/non-identity/)
+- **[Access policies](/cloudflare-one/access-controls/policies/)** without device posture for [web applications](/cloudflare-one/applications/configure-apps/) and for [browser-rendered](/cloudflare-one/applications/non-http/browser-rendering/) SSH, RDP, and VNC connections
+- **[Remote Browser Isolation](/cloudflare-one/remote-browser-isolation/)** via an [Access policy](/cloudflare-one/access-controls/policies/isolate-application/), [prefixed URLs](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/), or a [non-identity on-ramp](/cloudflare-one/remote-browser-isolation/setup/non-identity/)
 - **[Cloud Access Security Broker (CASB)](/cloudflare-one/applications/casb/)**
 - **[Data Loss Prevention (DLP)](/cloudflare-one/applications/casb/casb-dlp/)** for SaaS applications integrated with Cloudflare CASB
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/pac-files.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/pac-files.mdx
index a86431558358e0..f1afdbb3916cc1 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/pac-files.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/pac-files.mdx
@@ -116,7 +116,7 @@ https://.proxy.cloudflare-gateway.com
 ## 2. Test your proxy server
-1. In [Zero Trust](https://one.dash.cloudflare.com/), create an [HTTP policy](/cloudflare-one/policies/gateway/http-policies/) for testing purposes. For example:
+1. In [Zero Trust](https://one.dash.cloudflare.com/), create an [HTTP policy](/cloudflare-one/traffic-policies/http-policies/) for testing purposes. For example:
 | Selector | Operator | Value | Action |
 | -------- | -------- | ------------- | ------ |
@@ -194,7 +194,7 @@ Safari relies on your operating system's proxy server settings. To configure you
 To test your configuration, you can test any [supported HTTP policy](#limitations), such as the example policy created in [Step 2](#2-test-your-proxy-server). When you go to `https://example.com` in your browser, you should see the Gateway block page.
-You can now use the Proxy Endpoint selector in [network](/cloudflare-one/policies/gateway/network-policies/#proxy-endpoint) and [HTTP](/cloudflare-one/policies/gateway/http-policies/#proxy-endpoint) policies to filter traffic proxied via PAC files.
+You can now use the Proxy Endpoint selector in [network](/cloudflare-one/traffic-policies/network-policies/#proxy-endpoint) and [HTTP](/cloudflare-one/traffic-policies/http-policies/#proxy-endpoint) policies to filter traffic proxied via PAC files.
 ## Configure firewall
@@ -312,9 +312,9 @@ To ensure responses are allowed through your firewall, add an inbound rule to al
 ### Traffic limitations
-The agentless HTTP proxy does not support [identity-based policies](/cloudflare-one/policies/gateway/identity-selectors/) or mTLS authentication.
+The agentless HTTP proxy does not support [identity-based policies](/cloudflare-one/traffic-policies/identity-selectors/) or mTLS authentication.
-To enforce HTTP policies for UDP traffic, you must turn on the [Gateway proxy for UDP](/cloudflare-one/policies/gateway/http-policies/http3/#enable-http3-inspection).
+To enforce HTTP policies for UDP traffic, you must turn on the [Gateway proxy for UDP](/cloudflare-one/traffic-policies/http-policies/http3/#enable-http3-inspection).
 ### Gateway DNS and resolver policies
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx
index 29306e0dd09452..48e863f21e39b4 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx
@@ -29,7 +29,7 @@ import { Details, Render } from "~/components";
 The [WARP client](/cloudflare-one/team-and-resources/devices/warp/) can automatically install a Cloudflare certificate or [custom root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/) on Windows, macOS, and Debian/Ubuntu Linux devices. On mobile devices and Red Hat-based systems, you will need to [install the certificate manually](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/).
-The certificate is required if you want to [apply HTTP policies to encrypted websites](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), display custom [block pages](/cloudflare-one/policies/gateway/block-page/), and more.
+The certificate is required if you want to [apply HTTP policies to encrypted websites](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), display custom [block pages](/cloudflare-one/traffic-policies/block-page/), and more.
 ## Install a certificate using WARP
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate.mdx
index 45210c7e166891..dfa6ff72f0ca23 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate.mdx
@@ -14,14 +14,14 @@ import { Render, Tabs, TabItem, APIRequest } from "~/components";
 Only available on Enterprise plans.
 :::
-Enterprise customers who do not wish to install a [Cloudflare certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/) have the option to upload their own root certificate to Cloudflare. This feature is sometimes referred to as Bring Your Own Public Key Infrastructure (BYOPKI). Gateway will use your uploaded certificate to encrypt all sessions between the end user and Gateway, enabling all HTTPS inspection features that previously required a Cloudflare certificate. You can upload multiple certificates to your account, but only one can be active at any given time. You also need to upload a private key to intercept domains with JIT certificates and to enable the [block page](/cloudflare-one/policies/gateway/block-page/).
+Enterprise customers who do not wish to install a [Cloudflare certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/) have the option to upload their own root certificate to Cloudflare. This feature is sometimes referred to as Bring Your Own Public Key Infrastructure (BYOPKI). Gateway will use your uploaded certificate to encrypt all sessions between the end user and Gateway, enabling all HTTPS inspection features that previously required a Cloudflare certificate. You can upload multiple certificates to your account, but only one can be active at any given time. You also need to upload a private key to intercept domains with JIT certificates and to enable the [block page](/cloudflare-one/traffic-policies/block-page/).
 You can upload up to five custom root certificates. If your organization requires more than five certificates, contact your account team.
 :::caution
 Custom certificates are limited to use between your users and the Gateway proxy.
 Gateway connects to origin servers using publicly trusted certificates, similar to how a browser validates secure websites.
-If your users need to connect to self-signed origin servers, create an HTTP Allow policy for the origin server with the [untrusted certificate action](/cloudflare-one/policies/gateway/http-policies/#untrusted-certificates) set to _Pass through_.
+If your users need to connect to self-signed origin servers, create an HTTP Allow policy for the origin server with the [untrusted certificate action](/cloudflare-one/traffic-policies/http-policies/#untrusted-certificates) set to _Pass through_.
 :::
 ## Generate a custom root CA
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx
index eea98ef484297e..99816e32fa5403 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx
@@ -7,7 +7,7 @@ sidebar:
 import { Tabs, TabItem, APIRequest } from "~/components";
-Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/), and [Browser Isolation](/cloudflare-one/policies/browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare.
+Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/), [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/), and [Browser Isolation](/cloudflare-one/remote-browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare.
 Zero Trust [generates a unique root CA](#generate-a-cloudflare-root-certificate) for each account and deploys it across the Cloudflare global network. Alternatively, Enterprise users can upload and deploy their own [custom certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/).
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment.mdx
index b073bad6b27f9f..6c010e49aeab9e 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment.mdx
@@ -301,7 +301,7 @@ Some packages, development tools, and other applications provide options to trus
 All of the applications below first require downloading a Cloudflare certificate with the instructions above. On macOS, the default path to the system keychain database file is `/Library/Keychains/System.keychain`. On Windows, the default path is `\Cert:\CurrentUser\Root`.
 :::note
-Some applications require the use of a publicly trusted certificate — they do not trust the system certificate, nor do they have a configurable private store. For these applications to function, you must add a [Do Not Inspect policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) for the domains or IPs that the application relies on.
+Some applications require the use of a publicly trusted certificate — they do not trust the system certificate, nor do they have a configurable private store. For these applications to function, you must add a [Do Not Inspect policy](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) for the domains or IPs that the application relies on.
 :::
 ### Browsers
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles.mdx
index ef4bad1e9ff82b..72895aee4bc630 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles.mdx
@@ -16,7 +16,7 @@ import { Render, TabItem, Tabs, APIRequest } from "~/components";
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**.
 2. In the **Profile settings** card, select **Create profile**. This will make a copy of the **Default** profile.
 3. Enter any name for the profile.
-4. Create rules to define the devices that will use this profile. Learn more about the available [Selectors](#selectors), [Operators](/cloudflare-one/policies/gateway/network-policies/#comparison-operators), and [Values](/cloudflare-one/policies/gateway/network-policies/#value).
+4. Create rules to define the devices that will use this profile. Learn more about the available [Selectors](#selectors), [Operators](/cloudflare-one/traffic-policies/network-policies/#comparison-operators), and [Values](/cloudflare-one/traffic-policies/network-policies/#value).
 5. Configure [WARP settings](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#device-settings) for these devices.
 :::note
@@ -148,7 +148,7 @@ Apply a device profile based on the user's email.
 ### User group emails
-Apply a device profile based on an [IdP group](/cloudflare-one/policies/gateway/identity-selectors/#idp-groups-in-gateway) email address of which the user is configured as a member in the IdP.
+Apply a device profile based on an [IdP group](/cloudflare-one/traffic-policies/identity-selectors/#idp-groups-in-gateway) email address of which the user is configured as a member in the IdP.
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/index.mdx
index 9528bbb949fab1..f899efa58c7a78 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/index.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/index.mdx
@@ -9,7 +9,7 @@ import { GlossaryTooltip } from "~/components";
 When the WARP client is deployed on a device, Cloudflare will process all DNS queries and network traffic by default. However, under certain circumstances, you may need to exclude specific DNS queries or network traffic from WARP. For example, you may need to resolve an internal hostname with a private DNS resolver instead of Cloudflare's [public DNS resolver](/1.1.1.1/).
-Cloudflare recommends Enterprise users configure [Gateway resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) to resolve traffic with custom resolvers. WARP will send private DNS queries to Gateway, then Gateway will send the queries to custom resolvers based on matching policies.
+Cloudflare recommends Enterprise users configure [Gateway resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) to resolve traffic with custom resolvers. WARP will send private DNS queries to Gateway, then Gateway will send the queries to custom resolvers based on matching policies.
 Additionally, there are three options you can configure to exclude traffic from WARP:
@@ -67,7 +67,7 @@ flowchart TD
 #### Routing features (how queries are handled)
 - [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/local-domains/)
 - [Split Tunnels](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/)
-- [Gateway Resolver Policies](/cloudflare-one/policies/gateway/resolver-policies/)
+- [Gateway Resolver Policies](/cloudflare-one/traffic-policies/resolver-policies/)
 #### Resolvers (where queries are resolved)
 - [Internal DNS](/dns/internal-dns/)
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/local-domains.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/local-domains.mdx
index c8d84ad9879601..945c860e969e7a 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/local-domains.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/local-domains.mdx
@@ -15,7 +15,7 @@ You can add additional domains to the Local Domain Fallback list and specify a D
 Local Domain Fallback only applies to devices running the WARP client.
-Because DNS requests subject to Local Domain Fallback bypass the Gateway resolver, they are not subject to Gateway DNS policies or DNS logging. If you want to route DNS queries to custom resolvers and apply Gateway filtering, use [resolver policies](/cloudflare-one/policies/gateway/resolver-policies/). If both Local Domain Fallback and resolver policies are configured for the same device, Cloudflare will apply client-side Local Domain Fallback rules first.
+Because DNS requests subject to Local Domain Fallback bypass the Gateway resolver, they are not subject to Gateway DNS policies or DNS logging. If you want to route DNS queries to custom resolvers and apply Gateway filtering, use [resolver policies](/cloudflare-one/traffic-policies/resolver-policies/). If both Local Domain Fallback and resolver policies are configured for the same device, Cloudflare will apply client-side Local Domain Fallback rules first.
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels.mdx
index 3f4bacc1514481..e4606ede02ef59 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels.mdx
@@ -43,13 +43,13 @@ If you are using Split Tunnels in Include mode, you must include the following d
 - The IdP used to authenticate to Cloudflare Zero Trust
 - `.cloudflareaccess.com`
 - The application protected by the Access or Gateway policy
-- `edge.browser.run` if using [Browser Isolation](/cloudflare-one/policies/browser-isolation/)
+- `edge.browser.run` if using [Browser Isolation](/cloudflare-one/remote-browser-isolation/)
 ### Cloudflare Zero Trust IP addresses
 #### Block page
-If you are using Split Tunnels in Include mode and have [DNS policies](/cloudflare-one/policies/gateway/dns-policies/) with the [block page](/cloudflare-one/policies/gateway/block-page/) enabled, you must include the IPs that blocked domains will resolve to. Unless you are using a [dedicated or BYOIP resolver IP](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips/#dns-resolver-ip) the block page will resolve to:
+If you are using Split Tunnels in Include mode and have [DNS policies](/cloudflare-one/traffic-policies/dns-policies/) with the [block page](/cloudflare-one/traffic-policies/block-page/) enabled, you must include the IPs that blocked domains will resolve to. Unless you are using a [dedicated or BYOIP resolver IP](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips/#dns-resolver-ip) the block page will resolve to:
 - `162.159.36.12`
 - `162.159.46.12`
@@ -67,7 +67,7 @@ Domain-based split tunneling has a few ramifications you should be aware of befo
 - Routes excluded or included from WARP and Gateway visibility may change day to day, and may be different for each user depending on where they are.
 - You may inadvertently exclude or include additional hostnames that happen to share an IP address. This commonly occurs if you add a domain hosted by a CDN or large Internet provider such as Cloudflare, AWS, or Azure. For example, if you wanted to exclude a VPN hosted on AWS, do not add `*.amazonaws.com` as that will open up your devices to all traffic on AWS. Instead, add the specific VPN endpoint (`*.cvpn-endpoint-.prod.clientvpn.us-west-2.amazonaws.com`).
-- Most services are a collection of hostnames. Until Split Tunnels mode supports [App Types](/cloudflare-one/policies/gateway/application-app-types/), you will need to manually add all domains used by a particular app or service.
+- Most services are a collection of hostnames. Until Split Tunnels mode supports [App Types](/cloudflare-one/traffic-policies/application-app-types/), you will need to manually add all domains used by a particular app or service.
 - WARP must handle the DNS lookup request for the domain. If a DNS result has been previously cached by the operating system or otherwise intercepted (for example, via your browser's secure DNS settings), the IP address will not be dynamically added to your Split Tunnel.
 ### Valid domains
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/device-information-only.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/device-information-only.mdx
index 59fb2399cf626e..2e9d0af9101160 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/device-information-only.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/device-information-only.mdx
@@ -3,15 +3,14 @@ pcx_content_type: how-to
 title: Enable Device Information Only
 sidebar: order: 2
-
 ---
-import { TabItem, Tabs, Details, Width, APIRequest } from "~/components"
+import { TabItem, Tabs, Details, Width, APIRequest } from "~/components";
| System | Availability |
-| ---------| -------------|
+| -------- | ------------ |
 | Windows | ✅ |
 | macOS | ✅ |
 | Linux | ✅ |
@@ -28,18 +27,18 @@ Device Information Only mode allows you to enforce device posture rules when a u
 Using the API, enable client certificate provisioning for [your zone](/fundamentals/account/find-account-and-zone-ids/):
 ## 2. Configure the WARP client
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**.
-2. Under **Profile settings** card, choose a [device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) and select **Configure**.
+2. Under **Profile settings** card, choose a [device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) and select **Configure**.
 3. For **Service mode**, select **Device Information Only**.
@@ -49,62 +48,61 @@ Using the API, enable client certificate provisioning for [your zone](/fundament ## 3. (Optional) Verify the client certificate -1. To view the client certificates installed on the device: - - +1. To view the client certificates installed on the device: - 1. Open the **Start** menu and select **Run**. - 2. Enter `certlm.msc`. - 3. Go to **Personal** > **Certificates**. + - + 1. Open the **Start** menu and select **Run**. + 2. Enter `certlm.msc`. + 3. Go to **Personal** > **Certificates**. - 1. Open **Keychain Access**. - 2. Go to **System** > **My Certificates**. + - + 1. Open **Keychain Access**. + 2. Go to **System** > **My Certificates**. - + - Open a terminal window and run the following command: + - ```sh - $ certutil -L -d sql:/etc/pki/nssdb - ``` + Open a terminal window and run the following command: - + ```sh + $ certutil -L -d sql:/etc/pki/nssdb + ``` - + - Go to **Settings** > **General** > **About** > **Certificate Trust Settings**. + - + Go to **Settings** > **General** > **About** > **Certificate Trust Settings**. - + - The location of the client certificate may vary depending on the Android device. + - - **Samsung**: Go to **Settings** > **Security** > **Other security settings** > **View security certificates**. - - **Google Pixel**: Go to **Security** > **Advanced settings** > **Encryption & credentials** > **Credential storage**. + The location of the client certificate may vary depending on the Android device. - + - **Samsung**: Go to **Settings** > **Security** > **Other security settings** > **View security certificates**. + - **Google Pixel**: Go to **Security** > **Advanced settings** > **Encryption & credentials** > **Credential storage**. - + - Go to **Settings** > **Apps** > **Google Play Store** > **Manage Android Preferences** > **Security** > **Credentials**. + - - + Go to **Settings** > **Apps** > **Google Play Store** > **Manage Android Preferences** > **Security** > **Credentials**. 
- The client certificate name should match the **Device ID** in your WARP client **Preferences**. + + -2. To verify the client certificate in your Cloudflare account: + The client certificate name should match the **Device ID** in your WARP client **Preferences**. - 1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), select the zone for which you enabled client certificates. - 2. Go to **SSL/TLS** > **Client Certificates**. +2. To verify the client certificate in your Cloudflare account: + 1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), select the zone for which you enabled client certificates. + 2. Go to **SSL/TLS** > **Client Certificates**. - The certificate name is the WARP enrollment **Device ID**. - ![Example client certificate in the Cloudflare dashboard](~/assets/images/cloudflare-one/connections/device-information-only-cert.png) + The certificate name is the WARP enrollment **Device ID**. + ![Example client certificate in the Cloudflare dashboard](~/assets/images/cloudflare-one/connections/device-information-only-cert.png) ## 4. Enforce the client certificate 
@@ -114,18 +112,19 @@ To block traffic from devices that do not have a valid client certificate:
 2. Under **Hosts**, select **Edit** and enter the hostname of your Access application (for example, `app.mycompany.com`). This enables mTLS authentication for the application.
 3. Select **Create mTLS rule**.
 4. Create a WAF custom rule that checks all requests to your application for a valid client certificate:
- | Field | Operator | Value | Logic | Action |
- | ----- | -------- | ----- | ----- | ------ |
- | Client Certificate | equals | Off | And | Block |
- | Hostname | equals | `app.mycompany.com` | | |
+ | Field | Operator | Value | Logic | Action |
+ | ----- | -------- | ----- | ----- | ------ |
+ | Client Certificate | equals | Off | And | Block |
+ | Hostname | equals | `app.mycompany.com` | | |
 5. Select **Deploy**.
-Device Information Only mode is now enabled on the device. To start enforcing device posture, set up a [WARP client check](/cloudflare-one/identity/devices/warp-client-checks/) and add a *Require* device posture rule to your [Access policy](/cloudflare-one/policies/access/). When the device connects to the Access application for the first time, the browser will ask to use the client certificate installed by WARP.
+Device Information Only mode is now enabled on the device. To start enforcing device posture, set up a [WARP client check](/cloudflare-one/identity/devices/warp-client-checks/) and add a _Require_ device posture rule to your [Access policy](/cloudflare-one/access-controls/policies/). When the device connects to the Access application for the first time, the browser will ask to use the client certificate installed by WARP.
-![Browser prompts for client certificate](~/assets/images/cloudflare-one/connections/device-information-only-browser.png)
+ ![Browser prompts for client
+ certificate](~/assets/images/cloudflare-one/connections/device-information-only-browser.png)
 ## Limitations
-Device Information mode is not compatible with the [Windows pre-login](/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/windows-prelogin/) feature. The user must be logged into Windows because WARP needs to [install a certificate](#3-optional-verify-the-client-certificate) in the user store.
\ No newline at end of file
+Device Information mode is not compatible with the [Windows pre-login](/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/windows-prelogin/) feature. The user must be logged into Windows because WARP needs to [install a certificate](#3-optional-verify-the-client-certificate) in the user store.
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/index.mdx
index 6d0e1c97329e2c..77251121c7822f 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/index.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/index.mdx
@@ -58,16 +58,16 @@ Proxy mode is best suited for organizations that want to filter traffic directed
 This mode is best suited for organizations that only want to enforce [WARP client device posture checks](/cloudflare-one/identity/devices/warp-client-checks/) for zones in your account. DNS, Network and HTTP traffic is handled by the default mechanisms on your devices. To setup Device Information Only mode, refer to the [dedicated page](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/device-information-only/).
-| DNS filtering | Network filtering | HTTP filtering | Features enabled |
-| ------------- | ----------------- | -------------- | --------------------------------------------------------------------------- |
-| No | No | No | Device posture rules in [Access policies](/cloudflare-one/policies/access/) |
+| DNS filtering | Network filtering | HTTP filtering | Features enabled |
+| ------------- | ----------------- | -------------- | ------------------------------------------------------------------------------------ |
+| No | No | No | Device posture rules in [Access policies](/cloudflare-one/access-controls/policies/) |
 ## WARP modes comparison
 Each WARP mode offers a different set of Zero Trust features.
-| WARP Mode | DNS Filtering | Network Filtering | HTTP Filtering | Service mode (displayed in `warp-cli settings`) |
-| -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ----------------- | -------------- | ----------------------------------------------- |
+| WARP Mode | DNS Filtering | Network Filtering | HTTP Filtering | Service mode (displayed in `warp-cli settings`) |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ----------------- | -------------- | ----------------------------------------------- |
 | [**Gateway with WARP (default)**](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/#gateway-with-warp-default) | ✅ | ✅ | ✅ | `WarpWithDnsOverHttps` |
 | [**Gateway with DoH**](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/#gateway-with-doh) | ✅ | ❌ | ❌ | `DnsOverHttps` |
 | [**Secure Web Gateway without DNS filtering**](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering) | ❌ | ✅ | ✅ | `TunnelOnly` |
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/parameters.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/parameters.mdx
index b903c38ca707b7..8101e6b762d74f 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/parameters.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/parameters.mdx
@@ -19,7 +19,7 @@ Most of the parameters listed below are also configurable in Zero Trust under **
 ## Required for full Cloudflare Zero Trust features
-For the majority of Cloudflare Zero Trust features to work, you need to specify a team name. Examples of Cloudflare Zero Trust features which depend on the team name are [HTTP policies](/cloudflare-one/policies/gateway/http-policies/), [Browser Isolation](/cloudflare-one/policies/browser-isolation/), and [device posture](/cloudflare-one/identity/devices/).
+For the majority of Cloudflare Zero Trust features to work, you need to specify a team name. Examples of Cloudflare Zero Trust features which depend on the team name are [HTTP policies](/cloudflare-one/traffic-policies/http-policies/), [Browser Isolation](/cloudflare-one/remote-browser-isolation/), and [device posture](/cloudflare-one/identity/devices/).
 ### `organization`
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/partners/kandji.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/partners/kandji.mdx
index 158812857116f0..558300b7970f32 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/partners/kandji.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/partners/kandji.mdx
@@ -232,4 +232,4 @@ exit 0
 ## TLS decryption
-The Kandji macOS agent uses certificate pinning, which is incompatible with [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/). If Gateway TLS decryption is [turned on](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#turn-on-tls-decryption), you must create a [Do Not Inspect policy](/cloudflare-one/policies/gateway/http-policies/common-policies/#skip-inspection-for-groups-of-applications) to exempt Kandji from SSL/TLS inspection. For more information, refer to the [Kandji documentation](https://support.kandji.io/kb/using-kandji-on-enterprise-networks#SSL/TLS-Inspection).
+The Kandji macOS agent uses certificate pinning, which is incompatible with [Gateway TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/). If Gateway TLS decryption is [turned on](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#turn-on-tls-decryption), you must create a [Do Not Inspect policy](/cloudflare-one/traffic-policies/http-policies/common-policies/#skip-inspection-for-groups-of-applications) to exempt Kandji from SSL/TLS inspection. For more information, refer to the [Kandji documentation](https://support.kandji.io/kb/using-kandji-on-enterprise-networks#SSL/TLS-Inspection).
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/windows-prelogin.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/windows-prelogin.mdx
index 1afd09f42fb5be..54620a1ba6b2af 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/windows-prelogin.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/windows-prelogin.mdx
@@ -44,7 +44,7 @@ In your [device enrollment permissions](/cloudflare-one/team-and-resources/devic
 ## 2. (Optional) Restrict access during pre-login
-Devices enrolled via a service token are identified by the email address `non_identity@.cloudflareaccess.com`. Using this email address, you can apply specific [device profile settings](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) and [Gateway network policies](/cloudflare-one/policies/gateway/network-policies/) during the pre-login state. For example, you could provide access to only those resources necessary to complete the Windows login and/or device management activities.
+Devices enrolled via a service token are identified by the email address `non_identity@.cloudflareaccess.com`. Using this email address, you can apply specific [device profile settings](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) and [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/) during the pre-login state. For example, you could provide access to only those resources necessary to complete the Windows login and/or device management activities.
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/download-warp/cloudflare-one-agent-migration.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/download-warp/cloudflare-one-agent-migration.mdx
index d7e937407169df..9f0d9e1ab54033 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/download-warp/cloudflare-one-agent-migration.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/download-warp/cloudflare-one-agent-migration.mdx
@@ -30,7 +30,7 @@ If you downloaded and installed the 1.1.1.1 app manually, here are the recommend
 1. Update the **1.1.1.1** app to version 6.29 or above. The update ensures that 1.1.1.1 can [co-exist](#what-to-do-with-the-old-app) with the new Cloudflare One Agent app.
-2. If you have enabled [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), ensure that you have a [Do Not Inspect policy](/cloudflare-one/policies/gateway/initial-setup/http/) in place for the following applications:
+2. If you have enabled [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), ensure that you have a [Do Not Inspect policy](/cloudflare-one/traffic-policies/initial-setup/http/) in place for the following applications:
 * *Google Services (Do Not Inspect)*
 * *Google Play Store (Do Not Inspect)*
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/index.mdx
index db40d449a38717..368a9391dae297 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/index.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/index.mdx
@@ -12,7 +12,7 @@ import { Render, Stream } from "~/components"
 ## About Cloudflare WARP
-The Cloudflare WARP client allows you to protect corporate devices by securely and privately sending traffic from those devices to Cloudflare's global network, where [Cloudflare Gateway](/cloudflare-one/policies/gateway/) can apply advanced web filtering. The WARP client also makes it possible to apply advanced [Zero Trust policies](/cloudflare-one/identity/devices/) that check for a device's health before it connects to corporate applications.
+The Cloudflare WARP client allows you to protect corporate devices by securely and privately sending traffic from those devices to Cloudflare's global network, where [Cloudflare Gateway](/cloudflare-one/traffic-policies/) can apply advanced web filtering. The WARP client also makes it possible to apply advanced [Zero Trust policies](/cloudflare-one/identity/devices/) that check for a device's health before it connects to corporate applications.
 ## How WARP works
@@ -48,14 +48,14 @@ For more information on how the WARP client routes traffic, refer to the [WARP a
 Deploying the WARP client significantly enhances your organization's security and visibility within Cloudflare Zero Trust:
-- **Unified security policies everywhere**: With the WARP client deployed in the Gateway with WARP mode, [Gateway policies](/cloudflare-one/policies/gateway/) are not location-dependent — they can be enforced anywhere.
+- **Unified security policies everywhere**: With the WARP client deployed in the Gateway with WARP mode, [Gateway policies](/cloudflare-one/traffic-policies/) are not location-dependent — they can be enforced anywhere.
 - **Advanced web filtering and threat protection**: Activate Gateway features for your device traffic, including:
- - [Anti-Virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/)
- - [HTTP filtering](/cloudflare-one/policies/gateway/http-policies/)
- - [Browser Isolation](/cloudflare-one/policies/gateway/http-policies/#isolate)
- - [Identity-based policies](/cloudflare-one/policies/gateway/network-policies/)
+ - [Anti-Virus scanning](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/)
+ - [HTTP filtering](/cloudflare-one/traffic-policies/http-policies/)
+ - [Browser Isolation](/cloudflare-one/traffic-policies/http-policies/#isolate)
+ - [Identity-based policies](/cloudflare-one/traffic-policies/network-policies/)
 - **Application and device-specific insights**: With WARP installed on your corporate devices, you can view detailed application and user-level activity on the [Zero Trust Shadow IT Discovery](/cloudflare-one/insights/analytics/shadow-it-discovery/) page, while also monitoring device and network performance with [Digital Experience Monitoring (DEX)](/cloudflare-one/insights/dex/) to proactively detect and resolve issues.
@@ -71,4 +71,4 @@ WARP offers flexible [operating modes](/cloudflare-one/team-and-resources/device
 - Review the [first-time setup](/cloudflare-one/team-and-resources/devices/warp/set-up-warp/) guide to [install](/cloudflare-one/team-and-resources/devices/warp/download-warp/) and [deploy](/cloudflare-one/team-and-resources/devices/warp/deployment/) the WARP client on your corporate devices.
 - Review possible [WARP modes](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/) and [settings](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/) to best suit your organization's needs.
-- Explore [Cloudflare Gateway](/cloudflare-one/policies/gateway/) to enforce advanced DNS, network, HTTP, and egress policies with WARP.
+- Explore [Cloudflare Gateway](/cloudflare-one/traffic-policies/) to enforce advanced DNS, network, HTTP, and egress policies with WARP.
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/set-up-warp.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/set-up-warp.mdx
index 61920ec180b43e..9cae527105fa11 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/set-up-warp.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/set-up-warp.mdx
@@ -42,7 +42,7 @@ Choose one of the [different ways](/cloudflare-one/team-and-resources/devices/wa
 Once the WARP client is installed on the device, [log in to your Zero Trust organization](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/). If you have already set up an identity provider in Cloudflare Access, the user will be prompted to authenticate using this method. If you have not set up an identity provider, the user can authenticate with a [one-time pin](/cloudflare-one/integrations/identity-providers/one-time-pin/) which is enabled by default.
-Next, build [Secure Web Gateway policies](/cloudflare-one/policies/gateway/) to filter DNS, HTTP, and Network traffic on your devices.
+Next, build [Secure Web Gateway policies](/cloudflare-one/traffic-policies/) to filter DNS, HTTP, and Network traffic on your devices.
 ## Gateway with DoH
@@ -70,4 +70,4 @@ The WARP client will direct DoH queries to a default DNS endpoint when enrolled
 Choose one of the [different ways](/cloudflare-one/team-and-resources/devices/warp/deployment/) to deploy the WARP client, depending on what works best for your organization.
-Next, create [DNS policies](/cloudflare-one/policies/gateway/dns-policies/) to control how DNS queries from your devices get resolved.
+Next, create [DNS policies](/cloudflare-one/traffic-policies/dns-policies/) to control how DNS queries from your devices get resolved.
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/troubleshooting/common-issues.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/troubleshooting/common-issues.mdx
index a240d764f09a4c..da3fc4db484fc0 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/troubleshooting/common-issues.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/troubleshooting/common-issues.mdx
@@ -120,7 +120,7 @@ A misconfigured Gateway firewall policy can result in traffic to some or all sit
 ### The device does not have a root certificate installed
-Installing and trusting a [root CA](/cloudflare-one/team-and-resources/devices/user-side-certificates/) is a necessary step to enable advanced security features such as Browser Isolation, [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), AV scanning, and device posture.
+Installing and trusting a [root CA](/cloudflare-one/team-and-resources/devices/user-side-certificates/) is a necessary step to enable advanced security features such as Browser Isolation, [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), AV scanning, and device posture.
 If the root CA is not installed on the device, you will see untrusted certificate warnings on every website. Example warnings include `Certificate not trusted`, `Not trusted identity` or `SSL Error`.
@@ -159,7 +159,7 @@ Below are the most common reasons why turning on WARP blocks a specific applicat
 ### TLS Decryption is enabled and the app or site does certificate pinning
-Some applications do not support SSL inspection or are otherwise [incompatible with TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations). Gateway provides a [list of applications known to perform certificate pinning](/cloudflare-one/policies/gateway/application-app-types/#do-not-inspect-applications).
+Some applications do not support SSL inspection or are otherwise [incompatible with TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#inspection-limitations). Gateway provides a [list of applications known to perform certificate pinning](/cloudflare-one/traffic-policies/application-app-types/#do-not-inspect-applications).
 #### Solution (if the app has a private certificate store)
@@ -169,7 +169,7 @@ Refer to [our instructions](/cloudflare-one/team-and-resources/devices/user-side
 #### Solution (last resort)
-If you cannot install the certificate on the application, create a [Do Not Inspect policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) to exclude the application from Gateway inspection.
+If you cannot install the certificate on the application, create a [Do Not Inspect policy](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) to exclude the application from Gateway inspection.
 ### A Gateway firewall policy is blocking the app or site
diff --git a/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx b/src/content/docs/cloudflare-one/traffic-policies/application-app-types.mdx
similarity index 95%
rename from src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/application-app-types.mdx
index 75bcd0e88fa740..9fda356aae1faa 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/application-app-types.mdx
@@ -50,7 +50,7 @@ Gateway sorts applications into the following app type groups:
 | Social Networking | Social networking applications |
 | Sports | Sports streaming and news applications |
 | Video Streaming | Video streaming applications |
-| [Do Not Inspect](#do-not-inspect-applications) | Applications incompatible with the TLS certificate required by the [Gateway proxy](/cloudflare-one/policies/gateway/proxy/) |
+| [Do Not Inspect](#do-not-inspect-applications) | Applications incompatible with the TLS certificate required by the [Gateway proxy](/cloudflare-one/traffic-policies/proxy/) |
 ## Application hostnames
@@ -68,11 +68,11 @@ To ensure effective application behavior, Gateway only uses support hostnames in
 ## Application controls
-When you use the [_Application_ selector](/cloudflare-one/policies/gateway/http-policies/#granular-controls) in an HTTP policy with the _is_ operator, you can choose specific actions and operations to match application traffic. Supported applications and operations include:
+When you use the [_Application_ selector](/cloudflare-one/traffic-policies/http-policies/#granular-controls) in an HTTP policy with the _is_ operator, you can choose specific actions and operations to match application traffic. Supported applications and operations include:
-For more information, refer to [Application Granular Controls](/cloudflare-one/policies/gateway/http-policies/granular-controls/).
+For more information, refer to [Application Granular Controls](/cloudflare-one/traffic-policies/http-policies/granular-controls/).
 ## Usage
@@ -80,11 +80,11 @@ For more information, refer to [Application Granular Controls](/cloudflare-one/p
 Overlapping hostnames are most common for vendors with many applications, such as Google or Meta. When you use the Application selector in Gateway policies, actions taken by Gateway will be limited to the specific application defined. Gateway will also log other applications that use the same hostnames, but it will not take action unless the application was matched by the policy. For example, both the Facebook and Facebook Messenger apps use the `chat-e2ee.facebook.com` hostname. When evaluating traffic to the Facebook Messenger app, Gateway will only take action on Facebook Messenger traffic but may log both the Facebook and Facebook Messenger apps.
-To ensure Gateway evaluates traffic with your desired precedence, order your most specific policies with the highest priority according to [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#priority-within-a-policy-builder).
+To ensure Gateway evaluates traffic with your desired precedence, order your most specific policies with the highest priority according to [order of precedence](/cloudflare-one/traffic-policies/order-of-enforcement/#priority-within-a-policy-builder).
 ### Do Not Inspect applications
-Gateway automatically groups applications incompatible with TLS decryption into the _Do Not Inspect_ app type. As Cloudflare identifies incompatible applications, Gateway will periodically update this app type to add new applications. To ensure Gateway does not intercept any current or future incompatible traffic, you can [create a Do Not Inspect HTTP policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) with the entire _Do Not Inspect_ app type selected.
+Gateway automatically groups applications incompatible with TLS decryption into the _Do Not Inspect_ app type. 
As Cloudflare identifies incompatible applications, Gateway will periodically update this app type to add new applications. To ensure Gateway does not intercept any current or future incompatible traffic, you can [create a Do Not Inspect HTTP policy](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) with the entire _Do Not Inspect_ app type selected.
 When managing applications with the [Application Library](/cloudflare-one/applications/app-library/), Do Not Inspect applications will appear under the corresponding application. For example, the App Library will group _Google Drive (Do Not Inspect)_ under **Google Drive**.
@@ -94,7 +94,7 @@ Instead of creating a Do Not Inspect policy for an application, you may be able
 #### TLS decryption limitations
-Applications can be incompatible with [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) for various reasons:
+Applications can be incompatible with [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) for various reasons:
- 
@@ -49,7 +49,7 @@ To get the UUIDs of your lists, use the [List Zero Trust lists](/api/resources/z
 ## Block security threats
-Block [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence.
+Block [security categories](/cloudflare-one/traffic-policies/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence.
@@ -389,7 +389,7 @@ SafeSearch is a feature of search engines that helps you filter explicit or offe
 Filter DNS queries to allow only specific users access.
-The following example includes two policies. The first policy allows the specified group, while the second policy blocks all other users. To ensure the policies are evaluated properly, place the Allow policy above the Block policy. For more information, refer to the [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence).
+The following example includes two policies. The first policy allows the specified group, while the second policy blocks all other users. To ensure the policies are evaluated properly, place the Allow policy above the Block policy. For more information, refer to the [order of precedence](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence).
 ### 1. Allow a group
@@ -453,7 +453,7 @@ The following example includes two policies. The first policy allows the specifi
 ## Control IP version
-Enterprise users can pair these policies with an [egress policy](/cloudflare-one/policies/gateway/egress-policies/) to control which IP version is used to egress to the origin server.
+Enterprise users can pair these policies with an [egress policy](/cloudflare-one/traffic-policies/egress-policies/) to control which IP version is used to egress to the origin server.
 Optionally, you can use the Domain selector to control the IP version for specific sites.
diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/dns-policies/index.mdx
similarity index 99%
rename from src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/dns-policies/index.mdx
index f134d0497a3d82..fd08902c6afd16 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/dns-policies/index.mdx
@@ -141,7 +141,7 @@ Policies with Block actions block DNS queries to reach destinations you specify
 #### Custom block page
-When choosing the Block action, turn on **Modify Gateway block behavior** to respond to queries with a block page to display to users who go to blocked websites. Optionally, you can override your global block page setting with a URL redirect for the specific DNS policy. For more information, refer to [Block page](/cloudflare-one/policies/gateway/block-page/).
+When choosing the Block action, turn on **Modify Gateway block behavior** to respond to queries with a block page to display to users who go to blocked websites. Optionally, you can override your global block page setting with a URL redirect for the specific DNS policy. For more information, refer to [Block page](/cloudflare-one/traffic-policies/block-page/).
 If the block page is turned off for a policy, Gateway will respond to queries blocked at the DNS level with an `A` record of `0.0.0.0` for IPv4 destinations, or with an `AAAA` record of `::` for IPv6 destinations. The browser will display its default connection error page.
@@ -426,7 +426,7 @@ Use this selector to filter based on the IP addresses that the query resolves to ### Request Context Categories -Use this selector to match a dynamic list of [category IDs](/cloudflare-one/policies/gateway/domain-categories/#category-and-subcategory-ids) sent in the [EDNS](https://datatracker.ietf.org/doc/html/rfc6891) portion of a DNS query. Gateway includes request context with the OPT code `65050`. +Use this selector to match a dynamic list of [category IDs](/cloudflare-one/traffic-policies/domain-categories/#category-and-subcategory-ids) sent in the [EDNS](https://datatracker.ietf.org/doc/html/rfc6891) portion of a DNS query. Gateway includes request context with the OPT code `65050`. | UI name | API example | Evaluation phase | | -------------------------- | ------------------------------------------- | --------------------- | diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/test-dns-filtering.mdx b/src/content/docs/cloudflare-one/traffic-policies/dns-policies/test-dns-filtering.mdx similarity index 95% rename from src/content/docs/cloudflare-one/policies/gateway/dns-policies/test-dns-filtering.mdx rename to src/content/docs/cloudflare-one/traffic-policies/dns-policies/test-dns-filtering.mdx index e0041a7d2f18f5..b31203d9b45d0a 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/test-dns-filtering.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/dns-policies/test-dns-filtering.mdx 
@@ -23,7 +23,7 @@ For example, if you created a policy to block `example.com`, you can do the foll 2. Type `dig example.com` (`nslookup example.com` if you are using Windows) and press **Enter**. -3. If the [block page](/cloudflare-one/policies/gateway/block-page/) is turned off for the policy, you should see `REFUSED` in the answer section: +3. If the [block page](/cloudflare-one/traffic-policies/block-page/) is turned off for the policy, you should see `REFUSED` in the answer section: ```sh dig example.com @@ -46,7 +46,7 @@ For example, if you created a policy to block `example.com`, you can do the foll ;; MSG SIZE rcvd: 29 ``` - If the [block page](/cloudflare-one/policies/gateway/block-page/) is enabled for the policy, you should see `NOERROR` in the answer section with `162.159.36.12` and `162.159.46.12` as the answers: + If the [block page](/cloudflare-one/traffic-policies/block-page/) is enabled for the policy, you should see `NOERROR` in the answer section with `162.159.36.12` and `162.159.46.12` as the answers: ```sh null dig example.com 
@@ -77,7 +77,7 @@ For example, if you created a policy to block `example.com`, you can do the foll
 ### Test a security or content category
-If you are blocking a [security category](/cloudflare-one/policies/gateway/dns-policies/#security-categories) or a [content category](/cloudflare-one/policies/gateway/dns-policies/#content-categories), you can test that the policy is working by using the [test domain](#common-test-domains) associated with each category.
+If you are blocking a [security category](/cloudflare-one/traffic-policies/dns-policies/#security-categories) or a [content category](/cloudflare-one/traffic-policies/dns-policies/#content-categories), you can test that the policy is working by using the [test domain](#common-test-domains) associated with each category.
 Once you have configured your Gateway policy to block the category, the test domain will show a block page when you attempt to visit the domain in your browser, or will return `REFUSED` when you perform `dig` using the command-line interface.
diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/timed-policies.mdx b/src/content/docs/cloudflare-one/traffic-policies/dns-policies/timed-policies.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/policies/gateway/dns-policies/timed-policies.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/dns-policies/timed-policies.mdx
diff --git a/src/content/docs/cloudflare-one/policies/gateway/domain-categories.mdx b/src/content/docs/cloudflare-one/traffic-policies/domain-categories.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/policies/gateway/domain-categories.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/domain-categories.mdx
diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips.mdx b/src/content/docs/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips.mdx
similarity index 94%
rename from src/content/docs/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips.mdx
index be97a31905e610..09b5beb09c610b 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips.mdx
@@ -25,7 +25,7 @@ To start routing traffic through dedicated egress IPs:
 4. Select **TCP**.
 5. (Optional) Select **UDP**. This will allow HTTP/3 traffic to egress with your dedicated IPs.
-Dedicated egress IPs are now turned on for all network and HTTP traffic proxied by Gateway. To selectively turn on dedicated egress IPs for a subset of your traffic, refer to [egress policies](/cloudflare-one/policies/gateway/egress-policies/).
+Dedicated egress IPs are now turned on for all network and HTTP traffic proxied by Gateway. To selectively turn on dedicated egress IPs for a subset of your traffic, refer to [egress policies](/cloudflare-one/traffic-policies/egress-policies/).
 ## Verify egress IPs
@@ -44,7 +44,7 @@ When testing against another origin, you may see either an IPv4 or IPv6 address.
 Enterprise users can use their own authority-provided IPv4 and IPv6 addresses as dedicated egress IPs. Gateway supports bringing your own IPv4 and IPv6 addresses. To obtain an IPv6 range, refer to [American Registry for Internet Numbers (ARIN)](https://www.arin.net/resources/guide/ipv6/first_request/) or [Regional Internet Registry for Europe, Middle East and Central Asia (RIPE NCC)](https://www.ripe.net/manage-ips-and-asns/ipv6/request-ipv6/).
-After you onboard your IP addresses, the IP addresses will appear when you create a [egress policy](/cloudflare-one/policies/gateway/egress-policies/) and choose **Use dedicated egress IPs (Cloudflare or BYOIP)** as the [egress method](/cloudflare-one/policies/gateway/egress-policies/#egress-methods). BYOIP dedicated egress IPs do not support [IP geolocation](#ip-geolocation).
+After you onboard your IP addresses, the IP addresses will appear when you create a [egress policy](/cloudflare-one/traffic-policies/egress-policies/) and choose **Use dedicated egress IPs (Cloudflare or BYOIP)** as the [egress method](/cloudflare-one/traffic-policies/egress-policies/#egress-methods). BYOIP dedicated egress IPs do not support [IP geolocation](#ip-geolocation).
 For more information, refer to [Cloudflare BYOIP](/byoip/) or contact your account team.
@@ -89,7 +89,7 @@ When creating egress policies with dedicated egress IPs, set your secondary IPv4
 IP geolocation will take at least six weeks to update across databases.
 :::
-Your egress traffic will geolocate to the city selected in your [egress policies](/cloudflare-one/policies/gateway/egress-policies/). If the traffic does not match an egress policy, IP geolocation defaults to the closest dedicated egress location to the user. We recommend you create a [catch-all egress policy](/cloudflare-one/policies/gateway/egress-policies/#catch-all-policy) before dedicated egress IPs are assigned to your account. This will prevent incorrect geolocation for your users' traffic while geolocation databases update.
+Your egress traffic will geolocate to the city selected in your [egress policies](/cloudflare-one/traffic-policies/egress-policies/). If the traffic does not match an egress policy, IP geolocation defaults to the closest dedicated egress location to the user. We recommend you create a [catch-all egress policy](/cloudflare-one/traffic-policies/egress-policies/#catch-all-policy) before dedicated egress IPs are assigned to your account. This will prevent incorrect geolocation for your users' traffic while geolocation databases update.
 When you turn on dedicated egress IPs, Gateway will update third-party IP geolocation databases. Other websites, such as Google Search, will check these databases to geolocate a user's source IP. For example, if your users are in India, Google will direct them to the United States Google landing page instead of the India landing page until Google recognizes the updated IP geolocation.
@@ -130,7 +130,7 @@ Regardless of egress location, the IP geolocation will match the assigned dedica
 #### IPv4
-To physically egress from a specific location, traffic must be proxied to Cloudflare via IPv4. The end user connects to the nearest Cloudflare data center, but Cloudflare will internally route their traffic to egress from the dedicated location configured in your [egress policies](/cloudflare-one/policies/gateway/egress-policies/). Therefore, the connected data center shown in the user's WARP client preferences may not match their actual egress location.
+To physically egress from a specific location, traffic must be proxied to Cloudflare via IPv4. The end user connects to the nearest Cloudflare data center, but Cloudflare will internally route their traffic to egress from the dedicated location configured in your [egress policies](/cloudflare-one/traffic-policies/egress-policies/). Therefore, the connected data center shown in the user's WARP client preferences may not match their actual egress location.
 We are able to offer better IPv4 performance when users visit domains proxied by Cloudflare (also known as an [orange-clouded](/dns/proxy-status/) domain). In this scenario, IPv4 traffic will physically egress from the most performant data center in our network while still appearing to egress from your dedicated location.
@@ -154,7 +154,7 @@ No, traffic will only egress from the data center where the egress IP is provisi
 Yes, your users will egress via their provisioned IP address.
-### What happens when I use dedicated egress IPs with [Cloudflare Browser Isolation](/cloudflare-one/policies/browser-isolation/)?
+### What happens when I use dedicated egress IPs with [Cloudflare Browser Isolation](/cloudflare-one/remote-browser-isolation/)?
 Your users will connect to the nearest data center, where the remote browser session will load. The remote browser will then egress via the data center with their provisioned egress IP.
diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/egress-cloudflared.mdx b/src/content/docs/cloudflare-one/traffic-policies/egress-policies/egress-cloudflared.mdx
similarity index 95%
rename from src/content/docs/cloudflare-one/policies/gateway/egress-policies/egress-cloudflared.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/egress-policies/egress-cloudflared.mdx
index 42faf2f65dd774..f17f096e01ba44 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/egress-cloudflared.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/egress-policies/egress-cloudflared.mdx
@@ -14,7 +14,7 @@ import { Render, Details, GlossaryTooltip } from "~/components"; product="cloudflare-one" /> -Cloudflare Tunnel can be used for source IP anchoring when you want to use existing egress IPs instead of purchasing [Cloudflare dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/). Some third-party websites may have an Access Control List (ACL) that only allow connections from certain source IPs. If you already a non-Cloudflare IP on their allowlist (such an egress IP provided by an ISP or a cloud provider like AWS), you can configure `cloudflared` to anchor user traffic to the same IPs that you use today. +Cloudflare Tunnel can be used for source IP anchoring when you want to use existing egress IPs instead of purchasing [Cloudflare dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/). Some third-party websites may have an Access Control List (ACL) that only allow connections from certain source IPs. If you already a non-Cloudflare IP on their allowlist (such an egress IP provided by an ISP or a cloud provider like AWS), you can configure `cloudflared` to anchor user traffic to the same IPs that you use today. For example, assume that your organization's banking service, `app.bank.com`, expects user traffic to come from an AWS IP. You can install `cloudflared` in your AWS environment and add a public hostname route pointing to `app.bank.com`. When users connect to `app.bank.com` using the WARP client, Gateway will apply your network policies and route the filtered traffic down the corresponding Cloudflare Tunnel to AWS. The traffic can then egress to the public Internet using your AWS egress IP. 
@@ -92,7 +92,7 @@ Your private network's CIDR block should also route through the WARP tunnel. For
 ## 4. (Optional) Configure network policies
-You can build [Gateway network policies](/cloudflare-one/policies/gateway/network-policies/) to filter HTTPS traffic to your public hostname on port `443`. For example, suppose that you want to block all WARP users from accessing `app.bank.com` except for a specific set of users or groups. Additionally, those authorized users should only access `app.bank.com` using your AWS egress IP. You can accomplish this using two policies: the first allows specific users to reach `app.bank.com`, and the second blocks all other port `443` traffic to `app.bank.com`.
+You can build [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/) to filter HTTPS traffic to your public hostname on port `443`. For example, suppose that you want to block all WARP users from accessing `app.bank.com` except for a specific set of users or groups. Additionally, those authorized users should only access `app.bank.com` using your AWS egress IP. You can accomplish this using two policies: the first allows specific users to reach `app.bank.com`, and the second blocks all other port `443` traffic to `app.bank.com`.
 1. Allow company employees:
@@ -103,7 +103,7 @@ You can build [Gateway network policies](/cloudflare-one/policies/gateway/networ | -------------- | -------- | ------------ | ------ | | SNI | in | `app.bank.com` | Block | -Gateway does not currently support hostname-based filtering for traffic on non-`443` ports. To block traffic to `app.bank.com` on all ports, you will need to use the [Destination IP](/cloudflare-one/policies/gateway/network-policies/#destination-ip) selector and specify the public IP space of `app.bank.com`. +Gateway does not currently support hostname-based filtering for traffic on non-`443` ports. To block traffic to `app.bank.com` on all ports, you will need to use the [Destination IP](/cloudflare-one/traffic-policies/network-policies/#destination-ip) selector and specify the public IP space of `app.bank.com`. ## 5. Test the connection diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/host-selectors.mdx b/src/content/docs/cloudflare-one/traffic-policies/egress-policies/host-selectors.mdx similarity index 86% rename from src/content/docs/cloudflare-one/policies/gateway/egress-policies/host-selectors.mdx rename to src/content/docs/cloudflare-one/traffic-policies/egress-policies/host-selectors.mdx index 6f5d54774a4dfa..9c0cc3993f4c3b 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/host-selectors.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/egress-policies/host-selectors.mdx @@ -10,8 +10,8 @@ import { Tabs, TabItem, Details, APIRequest } from "~/components";
| [WARP modes](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | -| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------- | -| Gateway with WARP | Enterprise | +| ---------------------------------------------------------------------------------------- | ------------------------------------------------------------- | +| Gateway with WARP | Enterprise | | System | Availability | Minimum WARP version | | -------- | ------------ | -------------------- | @@ -24,7 +24,7 @@ import { Tabs, TabItem, Details, APIRequest } from "~/components";
-When Gateway receives a DNS query for hostname covered by the [Application](/cloudflare-one/policies/gateway/egress-policies/#application), [Content Categories](/cloudflare-one/policies/gateway/egress-policies/#content-categories), [Domain](/cloudflare-one/policies/gateway/egress-policies/#domain), and [Host](/cloudflare-one/policies/gateway/egress-policies/#host) selectors in an Egress policy, Gateway initially resolves DNS to an IP in the `100.80.0.0/16` or `2606:4700:0cf1:4000::/64` range. This process allows Gateway to map a destination IP with a hostname at [layer 4](https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/) (where Gateway evaluates Egress policies). The destination IP for a hostname is not usually known at layer 4. Prior to evaluating Egress policies, the initially resolved IP is overwritten with the correct destination IP. +When Gateway receives a DNS query for hostname covered by the [Application](/cloudflare-one/traffic-policies/egress-policies/#application), [Content Categories](/cloudflare-one/traffic-policies/egress-policies/#content-categories), [Domain](/cloudflare-one/traffic-policies/egress-policies/#domain), and [Host](/cloudflare-one/traffic-policies/egress-policies/#host) selectors in an Egress policy, Gateway initially resolves DNS to an IP in the `100.80.0.0/16` or `2606:4700:0cf1:4000::/64` range. This process allows Gateway to map a destination IP with a hostname at [layer 4](https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/) (where Gateway evaluates Egress policies). The destination IP for a hostname is not usually known at layer 4. Prior to evaluating Egress policies, the initially resolved IP is overwritten with the correct destination IP. ![Example egress policy flow](~/assets/images/cloudflare-one/policies/host-selector-diagram.png) 
@@ -61,13 +61,13 @@ Use the [Patch Zero Trust account configuration](/api/resources/zero_trust/subre Traffic must be on-ramped to Gateway with the following methods: -| On-ramp method | Compatibility | -| ------------------------------------------------------------------------------------------ | ------------- | -| [WARP](/cloudflare-one/team-and-resources/devices/warp/) | ✅ | -| [PAC files](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) | ✅ | -| [Browser Isolation](/cloudflare-one/policies/browser-isolation/) | ✅ | +| On-ramp method | Compatibility | +| --------------------------------------------------------------------------------------------------- | ------------- | +| [WARP](/cloudflare-one/team-and-resources/devices/warp/) | ✅ | +| [PAC files](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) | ✅ | +| [Browser Isolation](/cloudflare-one/remote-browser-isolation/) | ✅ | | [WARP Connector](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) | ❌ | -| [Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/) | ❌ | +| [Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/) | ❌ | Unsupported traffic will be resolved with your default Gateway settings. If you use DNS locations to send a DNS query to Gateway with IPv4, IPv6, DoT, or DoH, Gateway will not return the initial resolved IP for supported traffic nor resolve unsupported traffic. diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/egress-policies/index.mdx similarity index 93% rename from src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx rename to src/content/docs/cloudflare-one/traffic-policies/egress-policies/index.mdx index 374d6763934156..535c63ad03d002 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/egress-policies/index.mdx 
@@ -19,7 +19,7 @@ import {
 Only available on Enterprise plans.
 :::
-When your users connect to the Internet through Cloudflare Gateway, by default their traffic is assigned a source IP address that is shared across all Cloudflare WARP users. Enterprise users can purchase [dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/) to ensure that egress traffic from your organization is assigned a unique, static IP. These source IPs are dedicated to your account and can be used within allowlists on upstream services.
+When your users connect to the Internet through Cloudflare Gateway, by default their traffic is assigned a source IP address that is shared across all Cloudflare WARP users. Enterprise users can purchase [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) to ensure that egress traffic from your organization is assigned a unique, static IP. These source IPs are dedicated to your account and can be used within allowlists on upstream services.
 Egress policies allow you to control which dedicated egress IP is used and when, based on attributes such as identity, IP address, and geolocation. Traffic that does not match an egress policy will default to using the most performant dedicated egress IP.
@@ -33,7 +33,7 @@ When using either the default Cloudflare egress IPs or any dedicated egress IPs, ## Force IP version -To control whether only IPv4 or IPv6 is used to egress, ensure you are [filtering DNS traffic](/cloudflare-one/policies/gateway/initial-setup/dns/), then create a DNS policy to [block AAAA or A records](/cloudflare-one/policies/gateway/dns-policies/common-policies/#control-ip-version). +To control whether only IPv4 or IPv6 is used to egress, ensure you are [filtering DNS traffic](/cloudflare-one/traffic-policies/initial-setup/dns/), then create a DNS policy to [block AAAA or A records](/cloudflare-one/traffic-policies/dns-policies/common-policies/#control-ip-version). ## Example policies @@ -52,7 +52,7 @@ For the best performance, we recommend creating a catch-all policy to route all | --------------------- | -------- | -------- | ------------------------ | -------------------------------- | | Default egress policy | Protocol | in | `All options (Protocol)` | Cloudflare default egress method | -Since Gateway policies evaluate from [top to bottom](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence) in the UI, be sure to place the catch-all policy at the bottom of the list. If you do not include a catch-all policy, all other traffic will attempt to use the closest dedicated egress IP location. To control which egress IP Gateway uses, create an egress policy. +Since Gateway policies evaluate from [top to bottom](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) in the UI, be sure to place the catch-all policy at the bottom of the list. If you do not include a catch-all policy, all other traffic will attempt to use the closest dedicated egress IP location. To control which egress IP Gateway uses, create an egress policy. ## Egress methods 
@@ -60,7 +60,7 @@ Choose one of the following options for your egress policy:
 - **Use default Cloudflare egress method** uses the default source IP range shared across all Zero Trust accounts. Ensures the most performant Internet experience as user traffic egresses from the nearest Cloudflare data center.
-- **Use dedicated egress IPs (Cloudflare or BYOIP)** uses the primary IPv4 address and IPv6 range selected in the dropdown menus. You can optionally specify a secondary IPv4 address in a different data center. If the primary data center goes down, Gateway will egress from the secondary data center to avoid traffic drops during reroutes. There is no need for a secondary IPv6 because IPv6 traffic can egress from any Cloudflare data center. Dedicated egress IPs can be provided by either Cloudflare or [BYOIP](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip). To learn more about IPv4 and IPv6 egress behavior, refer to [Egress locations](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/#egress-location).
+- **Use dedicated egress IPs (Cloudflare or BYOIP)** uses the primary IPv4 address and IPv6 range selected in the dropdown menus. You can optionally specify a secondary IPv4 address in a different data center. If the primary data center goes down, Gateway will egress from the secondary data center to avoid traffic drops during reroutes. There is no need for a secondary IPv6 because IPv6 traffic can egress from any Cloudflare data center. Dedicated egress IPs can be provided by either Cloudflare or [BYOIP](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip). To learn more about IPv4 and IPv6 egress behavior, refer to [Egress locations](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#egress-location).
 ## Selectors
@@ -220,4 +220,4 @@ Gateway uses Rust to evaluate regular expressions. The Rust implementation is sl
 ### Selector prerequisites
-The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors require configuration changes in order to be operational. Before deploying policies with these selectors, refer to [Host selectors](/cloudflare-one/policies/gateway/egress-policies/host-selectors).
+The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors require configuration changes in order to be operational. Before deploying policies with these selectors, refer to [Host selectors](/cloudflare-one/traffic-policies/egress-policies/host-selectors).
diff --git a/src/content/docs/cloudflare-one/policies/gateway/global-policies.mdx b/src/content/docs/cloudflare-one/traffic-policies/global-policies.mdx
similarity index 98%
rename from src/content/docs/cloudflare-one/policies/gateway/global-policies.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/global-policies.mdx
index 5bf248fee5a919..e6851dae411dca 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/global-policies.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/global-policies.mdx
@@ -9,7 +9,7 @@ Cloudflare Zero Trust applies a set of global policies to all accounts.
 Zero Trust logs prepend an identifier to global policy names. For example, matches for the global policy **Allow Zero Trust Services** will appear in your logs with the name **Global Policy - Allow Zero Trust Services**.
-The following policies are sorted by [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence) within each policy type.
+The following policies are sorted by [order of precedence](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) within each policy type.
 ## DNS resolution policies
@@ -58,9 +58,9 @@ Gateway enforces global DNS and resolver policies before any other policies. Thi | --------------------------------------------------- | -------------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------- | | Allow CF Network Error Logging L4 | `00000001-e4af-4b82-8f8c-c79c1d5d212e` | Hostname | `*.nel.cloudflare.com` | allow | Allows SNI domains for WARP registration. | | Allow CF Client | `00000001-8c3d-4e27-a01b-af8418000077` | Hostname | `*.cloudflareclient.com` and `*.fed.cloudflareclient.com` | allow | Allows Zero Trust client. | -| Allow Gateway Proxy PAC | `00000001-776e-438d-9856-987d7053762b` | Hostname | `*.cloudflare-gateway.com` and `*.fed.cloudflare-gateway.com` | allow | Allows Gateway proxy with [PAC files](/cloudflare-one/team-and-resources/devices/agentless/pac-files/). | +| Allow Gateway Proxy PAC | `00000001-776e-438d-9856-987d7053762b` | Hostname | `*.cloudflare-gateway.com` and `*.fed.cloudflare-gateway.com` | allow | Allows Gateway proxy with [PAC files](/cloudflare-one/team-and-resources/devices/agentless/pac-files/). 
| | Allow Zero Trust Services | `00000001-e1e8-421b-a0fe-895397489f28` | Hostname | `dash.teams.cloudflare.com`, `help.teams.cloudflare.com`, `blocked.teams.cloudflare.com`, `blocked.teams.fed.cloudflare.com`, `api.cloudflare.com`, `api.fed.cloudflare.com`, `cloudflarestatus.com`, `www.cloudflarestatus.com`, `one.dash.cloudflare.com`, `one.dash.fed.cloudflare.com`, `help.one.cloudflare.com`, `dash.cloudflare.com`, `dash.fed.cloudflare.com`, and `developers.cloudflare.com` | allow | Allows Cloudflare Zero Trust services. | -| Allow Access Apps L4 | `00000001-daa2-41e2-8a88-698af4066951` | Hostname | `*.cloudflareaccess.com` and `*.fed.cloudflareaccess.com` | allow | Allows [Cloudflare Access](/cloudflare-one/policies/access/) applications. | +| Allow Access Apps L4 | `00000001-daa2-41e2-8a88-698af4066951` | Hostname | `*.cloudflareaccess.com` and `*.fed.cloudflareaccess.com` | allow | Allows [Cloudflare Access](/cloudflare-one/access-controls/policies/) applications. | | Allow HTTP requests to browser-rendered Access Apps | `00000001-1f93-4476-8f92-9aa4407d1c5f` | Hostname | `*.zero-trust-apps.cfdata.org`, `*.zero-trust-apps-staging.cfdata.org`, `*.zero-trust-apps.fed.cfdata.org`, or `*.zero-trust-apps-staging.fed.cfdata.org` | allow | Allows Cloudflare Access terminal applications [rendered in a browser](/cloudflare-one/applications/non-http/browser-rendering/#ssh-and-vnc). | ## HTTP inspection policies 
@@ -68,7 +68,7 @@ Gateway enforces global DNS and resolver policies before any other policies. Thi | Name | ID | Criteria | Value | Action | Description | | -------------------------------------- | -------------------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | --------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | | Prevent Account Change Block | `00000001-d1f2-461a-8253-501c8d882a15` | Hostname | `*.cloudflareclient.com` and `*.fed.cloudflareclient.com`; not `notifications.cloudflareclient.com` or `notifications.fed.cloudflareclient.com` | bypass | Ensures users cannot accidentally block themselves from making account changes. | -| Bypass RBI Assets | `00000001-df61-4068-aa6c-0f684c3cd4e6` | Hostname | `*.content.browser.run` | bypass | Required for [Browser Isolation](/cloudflare-one/policies/browser-isolation/). | +| Bypass RBI Assets | `00000001-df61-4068-aa6c-0f684c3cd4e6` | Hostname | `*.content.browser.run` | bypass | Required for [Browser Isolation](/cloudflare-one/remote-browser-isolation/). | | Inspect RBI Urls | `00000001-3faa-4f59-98d4-0f6d6af4b6d0` | Hostname | `*.edge.browser.run` and `*.cloudflarebrowser.com` | bypass | Required for Browser Isolation. | | Allow Gateway Help Page | `00000001-8e9a-4429-b3c2-d267d0ce6114` | Hostname | `help.teams.cloudflare.com` and `help.one.cloudflare.com` | allow | Used by the WARP client to check if Gateway is on by inspecting the certificate and checking if it is properly installed on the client device. | | Bypass Gateway DNS | `00000001-d9c0-46b0-8704-2ea5b9d7bdfc` | Hostname | `*.cloudflare-gateway.com` and `*.fed.cloudflare-gateway.com` | bypass | Ensures requests to the `cloudflare-gateway.com` DNS endpoint will not be inspected. | 
@@ -81,6 +81,6 @@ Gateway enforces global DNS and resolver policies before any other policies. Thi | Bypass OCSP | `00000001-34ce-47c7-ad0f-199f46eba194` | Application | Online Certificate Status Protocol | bypass | Enables OCSP stapling. | | Allow Access Apps L7 | `00000001-8d6b-4951-8a18-3bbc9010976c` | Hostname | `*.cloudflareaccess.com` and `*.fed.cloudflareaccess.com` | allow | Allows Cloudflare Access applications. | | Prevent Block Page Loop | `00000001-48b1-4ade-93c1-f0f3759dc19c` | Hostname | `blocked.teams.cloudflare.com` and `blocked.teams.fed.cloudflare.com` | bypass | Prevents an infinite loop on the Gateway block page. | -| Always Blocked Categories | `00000001-bed5-462e-b0f1-2e2c3555e9f7` | Content Category | [Child Abuse category](/cloudflare-one/policies/gateway/domain-categories/#category-and-subcategory-ids) | block | Blocks child abuse materials (CSAM). | +| Always Blocked Categories | `00000001-bed5-462e-b0f1-2e2c3555e9f7` | Content Category | [Child Abuse category](/cloudflare-one/traffic-policies/domain-categories/#category-and-subcategory-ids) | block | Blocks child abuse materials (CSAM). | | Don't Isolate RBI Help Pages | `00000001-1a18-431f-9c9d-bce431f1002a` | Hostname | `developers.cloudflare.com` and `help.cloudflarebrowser.com` | noisolate | Prevents browser isolation of Cloudflare developer docs and help pages to help users troubleshoot configuration issues. | | Don't AV Scan CF Speed | `00000001-c194-408f-87dd-9a366ce76e12` | Hostname | `speed.cloudflare.com` | noscan | Allows files transferred by the Cloudflare speed test. | 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/antivirus-scanning.mdx b/src/content/docs/cloudflare-one/traffic-policies/http-policies/antivirus-scanning.mdx similarity index 97% rename from src/content/docs/cloudflare-one/policies/gateway/http-policies/antivirus-scanning.mdx rename to src/content/docs/cloudflare-one/traffic-policies/http-policies/antivirus-scanning.mdx index 55824863dc663e..ca46e6f7615bfc 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/antivirus-scanning.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/http-policies/antivirus-scanning.mdx @@ -9,7 +9,7 @@ import { Render, Details } from "~/components"; Cloudflare Gateway protects users as they browse the Internet. When users download or upload a file to an origin on the Internet, that file could potentially contain malicious code that may cause their device to perform undesired behavior. To prevent this, Cloudflare Gateway allows admins to turn on anti-virus (AV) scanning of files that are uploaded or downloaded by users as the file passes through Gateway. -In addition to scanning files, Gateway can quarantine files as your users download them. Quarantining files helps protect organizations from zero-day vulnerabilities not yet available in anti-virus databases. For more information, refer to [File sandboxing](/cloudflare-one/policies/gateway/http-policies/file-sandboxing/). +In addition to scanning files, Gateway can quarantine files as your users download them. Quarantining files helps protect organizations from zero-day vulnerabilities not yet available in anti-virus databases. For more information, refer to [File sandboxing](/cloudflare-one/traffic-policies/http-policies/file-sandboxing/). ## Get started 
@@ -47,7 +47,7 @@ If a file does not trigger a scan based on the three methods above but also does ## Opt content out from scanning -When an admin turns on AV scanning for uploads and/or downloads, Gateway will scan every supported file. Admins can selectively choose to disable scanning using HTTP policies. All [HTTP selectors](/cloudflare-one/policies/gateway/http-policies/#selectors) can opt HTTP traffic out from AV scanning using the **Do Not Scan** action. When traffic matches a Do Not Scan policy, nothing is scanned, regardless of file size or whether the file type is supported or not. For example, to prevent AV scanning of files uploaded to or downloaded from `example.com`, you can create the following policy: +When an admin turns on AV scanning for uploads and/or downloads, Gateway will scan every supported file. Admins can selectively choose to disable scanning using HTTP policies. All [HTTP selectors](/cloudflare-one/traffic-policies/http-policies/#selectors) can opt HTTP traffic out from AV scanning using the **Do Not Scan** action. When traffic matches a Do Not Scan policy, nothing is scanned, regardless of file size or whether the file type is supported or not. For example, to prevent AV scanning of files uploaded to or downloaded from `example.com`, you can create the following policy: | Selector | Operator | Value | Action | | -------- | ------------- | ------------- | ----------- | diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/traffic-policies/http-policies/common-policies.mdx similarity index 96% rename from src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx rename to src/content/docs/cloudflare-one/traffic-policies/http-policies/common-policies.mdx index 86f1c87cd58c01..59e600d60253c2 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx 
+++ b/src/content/docs/cloudflare-one/traffic-policies/http-policies/common-policies.mdx @@ -12,7 +12,7 @@ import { Render, Tabs, TabItem, APIRequest } from "~/components"; The following policies are commonly used to secure HTTP traffic. -Refer to the [HTTP policies page](/cloudflare-one/policies/gateway/http-policies/) for a comprehensive list of other selectors, operators, and actions. +Refer to the [HTTP policies page](/cloudflare-one/traffic-policies/http-policies/) for a comprehensive list of other selectors, operators, and actions. ## Block sites @@ -133,9 +133,9 @@ Block content categories which go against your organization's acceptable use pol ## Skip inspection for groups of applications -Certain client applications, such as Zoom or Apple services, rely on certificate pinning. The [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) performed by Cloudflare Gateway will cause errors when users visit those applications. To avoid this behavior, you must add a Do Not Inspect HTTP policy. +Certain client applications, such as Zoom or Apple services, rely on certificate pinning. The [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) performed by Cloudflare Gateway will cause errors when users visit those applications. To avoid this behavior, you must add a Do Not Inspect HTTP policy. -Gateway [evaluates Do Not Inspect policies first](/cloudflare-one/policies/gateway/order-of-enforcement/#http-policies). We recommend moving your Do Not Inspect policies to the top of the list to reduce confusion. +Gateway [evaluates Do Not Inspect policies first](/cloudflare-one/traffic-policies/order-of-enforcement/#http-policies). We recommend moving your Do Not Inspect policies to the top of the list to reduce confusion. 
@@ -251,7 +251,7 @@ To get the UUIDs of your device posture checks, use the [List device posture rul ## Isolate high risk sites in remote browser -If you are using the [Browser Isolation add-on](/cloudflare-one/policies/browser-isolation/), refer to our list of [common Isolate policies](/cloudflare-one/policies/browser-isolation/isolation-policies/#common-policies). +If you are using the [Browser Isolation add-on](/cloudflare-one/remote-browser-isolation/), refer to our list of [common Isolate policies](/cloudflare-one/remote-browser-isolation/isolation-policies/#common-policies). ## Bypass inspection for self-signed certificates @@ -289,7 +289,7 @@ When accessing origin servers with certificates not signed by a public certifica -For more information on supported file types, refer to [Download and Upload File Types](/cloudflare-one/policies/gateway/http-policies/#download-and-upload-file-types). +For more information on supported file types, refer to [Download and Upload File Types](/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types). ## Isolate or block shadow IT applications diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx b/src/content/docs/cloudflare-one/traffic-policies/http-policies/file-sandboxing.mdx similarity index 94% rename from src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx rename to src/content/docs/cloudflare-one/traffic-policies/http-policies/file-sandboxing.mdx index 14f964a41cb647..8ff1958ed7a5d5 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/http-policies/file-sandboxing.mdx 
@@ -11,7 +11,7 @@ import { Render, Details } from "~/components"; Available as an add-on to Zero Trust Enterprise plans. For more information, contact your account team. ::: -In addition to [anti-virus (AV) scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), Gateway can quarantine previously unseen files downloaded by your users into a sandbox and scan them for malware. +In addition to [anti-virus (AV) scanning](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/), Gateway can quarantine previously unseen files downloaded by your users into a sandbox and scan them for malware. If AV scanning does not detect malware in a file download, Gateway will quarantine the file in the [sandbox](#sandbox-environment). If the file has not been downloaded before, Gateway will monitor any actions taken by the file and compare them to known malware patterns. During this process, Gateway will display an interstitial page in the user's browser. If the sandbox does not detect malicious activity, Gateway will release the file from quarantine and download it to your user's device. If the sandbox detects malicious activity, Gateway will block the download. For any subsequent downloads of the file, Gateway will remember and apply its allow/block decision. @@ -53,7 +53,7 @@ To begin quarantining downloaded files, turn on file sandboxing: 2. In **Firewall**, turn on **File sandboxing**. 3. (Optional) To block requests containing [non-scannable files](#non-scannable-files), select **Block requests for files that cannot be scanned**. -You can now create [Quarantine HTTP policies](/cloudflare-one/policies/gateway/http-policies/#quarantine) to determine what files to scan in the sandbox. +You can now create [Quarantine HTTP policies](/cloudflare-one/traffic-policies/http-policies/#quarantine) to determine what files to scan in the sandbox. ## Create test policy 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/granular-controls.mdx b/src/content/docs/cloudflare-one/traffic-policies/http-policies/granular-controls.mdx similarity index 82% rename from src/content/docs/cloudflare-one/policies/gateway/http-policies/granular-controls.mdx rename to src/content/docs/cloudflare-one/traffic-policies/http-policies/granular-controls.mdx index e6c10217e8cde6..4a3f9c167fe359 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/granular-controls.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/http-policies/granular-controls.mdx 
@@ -7,17 +7,17 @@ sidebar: import { Render, Details, Tabs, TabItem, APIRequest } from "~/components"; -With Application Granular Controls, you can create [Gateway HTTP policies](/cloudflare-one/policies/gateway/http-policies/) to control specific user actions within supported SaaS applications. This allows you to give users access to an application while restricting the actions that they can take within the application. +With Application Granular Controls, you can create [Gateway HTTP policies](/cloudflare-one/traffic-policies/http-policies/) to control specific user actions within supported SaaS applications. This allows you to give users access to an application while restricting the actions that they can take within the application. ## Prerequisites To use Application Granular Controls, you must: - Install a [Cloudflare certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) or a [custom certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/) on your users' devices. -- Turn on [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/). -- Turn on the [Gateway proxy](/cloudflare-one/policies/gateway/proxy/#turn-on-the-gateway-proxy). -- (Optional) If an application uses HTTP/3, turn on the [Gateway proxy for UDP traffic](/cloudflare-one/policies/gateway/http-policies/http3/#enable-http3-inspection). -- (Optional) To turn on [AI prompt logging](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-generative-ai-prompt-content), create a [DLP payload encryption public key](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#set-a-dlp-payload-encryption-public-key). +- Turn on [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/). +- Turn on the [Gateway proxy](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy). 
+- (Optional) If an application uses HTTP/3, turn on the [Gateway proxy for UDP traffic](/cloudflare-one/traffic-policies/http-policies/http3/#enable-http3-inspection). +- (Optional) To turn on [AI prompt logging](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-generative-ai-prompt-content), create a [DLP payload encryption public key](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#set-a-dlp-payload-encryption-public-key). ## Create a policy with Application Granular Controls @@ -62,7 +62,7 @@ Use the [Create a Zero Trust Gateway rule](/api/resources/zero_trust/subresource -For more information, refer to [HTTP policies](/cloudflare-one/policies/gateway/http-policies/). +For more information, refer to [HTTP policies](/cloudflare-one/traffic-policies/http-policies/). ## Control definitions 
@@ -84,7 +84,7 @@ Operation Groups are groupings of operations defined by the application vendor. ### DLP payloads -You can use Application Granular Controls with [Data Loss Prevention (DLP)](/cloudflare-one/policies/data-loss-prevention/) for operations that contain scannable content. This includes operations that contain the content of uploaded or downloaded files or AI prompts. For example, when a user performs a file upload, a sequence of API operations may result, such as setting up the file metadata, uploading the file content, and finalizing the upload. When applying DLP to your Zero Trust traffic, it can be helpful to specifically target an operation that contains file content. +You can use Application Granular Controls with [Data Loss Prevention (DLP)](/cloudflare-one/data-loss-prevention/) for operations that contain scannable content. This includes operations that contain the content of uploaded or downloaded files or AI prompts. For example, when a user performs a file upload, a sequence of API operations may result, such as setting up the file metadata, uploading the file content, and finalizing the upload. When applying DLP to your Zero Trust traffic, it can be helpful to specifically target an operation that contains file content. ## Application APIs diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/http3.mdx b/src/content/docs/cloudflare-one/traffic-policies/http-policies/http3.mdx similarity index 89% rename from src/content/docs/cloudflare-one/policies/gateway/http-policies/http3.mdx rename to src/content/docs/cloudflare-one/traffic-policies/http-policies/http3.mdx index 21d95b484a1545..8aae3d965fa14c 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/http3.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/http-policies/http3.mdx 
@@ -7,13 +7,13 @@ sidebar: import { Details } from "~/components"; -Gateway supports inspection of HTTP/3 traffic, which uses the QUIC protocol over UDP. HTTP/3 inspection requires a [user-side certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) to be deployed and traffic to be proxied over UDP with [TLS version 1.3](/cloudflare-one/policies/gateway/http-policies/tls-decryption/). +Gateway supports inspection of HTTP/3 traffic, which uses the QUIC protocol over UDP. HTTP/3 inspection requires a [user-side certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) to be deployed and traffic to be proxied over UDP with [TLS version 1.3](/cloudflare-one/traffic-policies/http-policies/tls-decryption/). -Gateway applies HTTP policies to HTTP/3 traffic last. For more information, refer to the [order of enforcement](/cloudflare-one/policies/gateway/order-of-enforcement/#http3-traffic). +Gateway applies HTTP policies to HTTP/3 traffic last. For more information, refer to the [order of enforcement](/cloudflare-one/traffic-policies/order-of-enforcement/#http3-traffic). ## Enable HTTP/3 inspection -To enable HTTP/3 inspection, turn on the [Gateway proxy](/cloudflare-one/policies/gateway/proxy/) for UDP: +To enable HTTP/3 inspection, turn on the [Gateway proxy](/cloudflare-one/traffic-policies/proxy/) for UDP: 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network**. 2. In **Firewall**, turn on **Proxy**. 
@@ -28,7 +28,7 @@ If the UDP proxy is turned on in Zero Trust, Google Chrome will cancel all HTTP/ ## Exempt HTTP/3 traffic from inspection -If you require HTTP/3 traffic with end-to-end encryption from the client to the origin while still using the Gateway proxy, you can create a [Do Not Inspect HTTP policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) to match the desired traffic. Using a Do Not Inspect policy allows HTTP/3 traffic to preserve proxy performance and end-to-end encryption by bypassing Gateway's TLS decryption and inspection. +If you require HTTP/3 traffic with end-to-end encryption from the client to the origin while still using the Gateway proxy, you can create a [Do Not Inspect HTTP policy](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) to match the desired traffic. Using a Do Not Inspect policy allows HTTP/3 traffic to preserve proxy performance and end-to-end encryption by bypassing Gateway's TLS decryption and inspection. ## Force HTTP/2 traffic diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx similarity index 94% rename from src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx rename to src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx index d7f31642df1e11..cb592e8eb54ce6 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx 
@@ -11,7 +11,7 @@ import { Details, InlineBadge, Render } from "~/components"; To use HTTP policies, install a [Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) or a [custom certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/). ::: -HTTP policies allow you to intercept all HTTP and HTTPS requests and either block, allow, or override specific elements such as websites, IP addresses, and file types. HTTP policies operate on Layer 7 for all TCP (and [optionally UDP](/cloudflare-one/policies/gateway/initial-setup/http/#1-connect-to-gateway)) traffic sent over ports 80 and 443. +HTTP policies allow you to intercept all HTTP and HTTPS requests and either block, allow, or override specific elements such as websites, IP addresses, and file types. HTTP policies operate on Layer 7 for all TCP (and [optionally UDP](/cloudflare-one/traffic-policies/initial-setup/http/#1-connect-to-gateway)) traffic sent over ports 80 and 443. An HTTP policy consists of an **Action** as well as a logical expression that determines the scope of the policy. To build an expression, you need to choose a **Selector** and an **Operator**, and enter a value or range of values in the **Value** field. You can use **And** and **Or** logical operators to evaluate multiple conditions. 
@@ -56,7 +56,7 @@ The **Untrusted certificate action** determines how to handle insecure requests. | Option | Action | | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Error | Display Gateway error page. Matches the default behavior when no action is configured. | -| Block | Display [block page](/cloudflare-one/policies/gateway/block-page/) as set in Zero Trust. | +| Block | Display [block page](/cloudflare-one/traffic-policies/block-page/) as set in Zero Trust. | | Pass through | Bypass insecure connection warnings and seamlessly connect to the upstream. For more information on what statuses are bypassed, refer to the [troubleshooting FAQ](/cloudflare-one/faq/troubleshooting/#i-see-error-526-when-browsing-to-a-website). | ### Block @@ -130,7 +130,7 @@ API value: `redirect` The Redirect action allows you to redirect matched HTTP requests to a different URL you specify. For example, if your users browse to the public web page of a SaaS app, you can redirect them to your own self-hosted instance, a single sign-on page, or an internal policy page. -To redirect URLs with a Block action and the block page, refer to [Redirect to a block page](/cloudflare-one/policies/gateway/block-page/#redirect-to-a-block-page). +To redirect URLs with a Block action and the block page, refer to [Redirect to a block page](/cloudflare-one/traffic-policies/block-page/#redirect-to-a-block-page). #### Policy settings @@ -186,7 +186,7 @@ API value: `isolate`
-The Isolate action serves matched traffic to users via [Cloudflare Browser Isolation](/cloudflare-one/policies/browser-isolation/). For more information on this action, refer to [Isolation policies](/cloudflare-one/policies/browser-isolation/isolation-policies/#isolate). +The Isolate action serves matched traffic to users via [Cloudflare Browser Isolation](/cloudflare-one/remote-browser-isolation/). For more information on this action, refer to [Isolation policies](/cloudflare-one/remote-browser-isolation/isolation-policies/#isolate). ### Do Not Inspect 
@@ -230,13 +230,13 @@ API value: `off` When you create a Do Not Inspect policy for a given hostname, application, or app type, you will lose the ability to log or block HTTP requests, apply DLP policies, and perform AV scanning. -Information contained within HTTPS encryption, such as the full requested URL, will not be visible if it bypasses Gateway inspection. However, you can still apply [network policies](/cloudflare-one/policies/gateway/network-policies/) to this traffic. For more information, refer to [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/). +Information contained within HTTPS encryption, such as the full requested URL, will not be visible if it bypasses Gateway inspection. However, you can still apply [network policies](/cloudflare-one/traffic-policies/network-policies/) to this traffic. For more information, refer to [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/). ::: -Do Not Inspect lets you bypass certain elements from inspection. To prevent Gateway from decrypting and inspecting HTTPS traffic, your policy must match against the Server Name Indicator (SNI) in the TLS header. When accessing a Do Not Inspect site in the browser, your browser may display a **Your connection is not private** warning, which you can proceed through to connect. For more information about applications which may require a Do Not Inspect policy, refer to [TLS decryption limitations](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations). +Do Not Inspect lets you bypass certain elements from inspection. To prevent Gateway from decrypting and inspecting HTTPS traffic, your policy must match against the Server Name Indicator (SNI) in the TLS header. When accessing a Do Not Inspect site in the browser, your browser may display a **Your connection is not private** warning, which you can proceed through to connect. 
For more information about applications which may require a Do Not Inspect policy, refer to [TLS decryption limitations](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#inspection-limitations). -All Do Not Inspect rules are evaluated first, before any Allow or Block rules, to determine if inspection should occur. For more information, refer to [Order of enforcement](/cloudflare-one/policies/gateway/order-of-enforcement/#http-policies). +All Do Not Inspect rules are evaluated first, before any Allow or Block rules, to determine if inspection should occur. For more information, refer to [Order of enforcement](/cloudflare-one/traffic-policies/order-of-enforcement/#http-policies). ### Do Not Isolate @@ -274,7 +274,7 @@ API value: `noisolate`
-The Do Not Isolate action turns off browser isolation for matched traffic. For more information on this action, refer to [Isolation policies](/cloudflare-one/policies/browser-isolation/isolation-policies/#do-not-isolate). +The Do Not Isolate action turns off browser isolation for matched traffic. For more information on this action, refer to [Isolation policies](/cloudflare-one/remote-browser-isolation/isolation-policies/#do-not-isolate). ### Do Not Scan @@ -370,7 +370,7 @@ API value: `quarantine`
-The Quarantine action sends files in matching requests to a file sandbox to scan for malware. Gateway will only quarantine files not previously seen in the file sandbox. For more information on this action, refer to [File sandboxing](/cloudflare-one/policies/gateway/http-policies/file-sandboxing/). +The Quarantine action sends files in matching requests to a file sandbox to scan for malware. Gateway will only quarantine files not previously seen in the file sandbox. For more information on this action, refer to [File sandboxing](/cloudflare-one/traffic-policies/http-policies/file-sandboxing/). #### Sandbox file types @@ -430,7 +430,7 @@ When using the _is_ operator with the _Application_ selector, you can use Applic You can match traffic based on **Application Controls**, which group multiple user actions together, or **Operations**, which allow for granular control of supported API-level actions for an application. -For more information, refer to [Application Granular Controls](/cloudflare-one/policies/gateway/http-policies/granular-controls/). +For more information, refer to [Application Granular Controls](/cloudflare-one/traffic-policies/http-policies/granular-controls/). ### Body Phase 
@@ -613,7 +613,7 @@ These selectors depend on the `Content-Type` header being present in the request
 ### DLP Profile
-Use [Cloudflare Data Loss Prevention (DLP)](/cloudflare-one/policies/data-loss-prevention/) to scan HTTP traffic for the presence of sensitive data such as personally identifiable information (PII) or source code. You must configure a [DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/) before you can use this selector in a policy.
+Use [Cloudflare Data Loss Prevention (DLP)](/cloudflare-one/data-loss-prevention/) to scan HTTP traffic for the presence of sensitive data such as personally identifiable information (PII) or source code. You must configure a [DLP profile](/cloudflare-one/data-loss-prevention/dlp-profiles/) before you can use this selector in a policy.
 | UI name | API example |
 | ----------- | -------------------------------------------------------------------- |
diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tenant-control.mdx b/src/content/docs/cloudflare-one/traffic-policies/http-policies/tenant-control.mdx
similarity index 96%
rename from src/content/docs/cloudflare-one/policies/gateway/http-policies/tenant-control.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/http-policies/tenant-control.mdx
index ed587f78b71bd9..064e2ec2c22124 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tenant-control.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/http-policies/tenant-control.mdx
@@ -45,7 +45,7 @@ Depending on which SaaS application your organization needs access to, different
 ### Microsoft 365
-Microsoft 365 tenant control requires two policies. When you order your policies, make sure they follow [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence).
+Microsoft 365 tenant control requires two policies. When you order your policies, make sure they follow [order of precedence](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence).
 | Precedence | Selector | Operator | Value | Action | Untrusted certificate action |
 | ---------- | -------- | -------- | ---------------- | ------ | ---------------------------- |
@@ -131,7 +131,7 @@ You can include custom headers in an HTTP policy to allow your users through [Cl
 ## Use tenant control with Browser Isolation
-You can configure [Browser Isolation](/cloudflare-one/policies/browser-isolation/) to send custom headers. This is useful for implementing tenant control for isolated SaaS applications or sending arbitrary custom request headers to isolated websites.
+You can configure [Browser Isolation](/cloudflare-one/remote-browser-isolation/) to send custom headers. This is useful for implementing tenant control for isolated SaaS applications or sending arbitrary custom request headers to isolated websites.
 To use custom headers with Browser Isolation, create two HTTP policies targeting the same domain or application group. For example, you can create policies for [HTTPBin](https://httpbin.org/), an open-source site for testing HTTP requests:
diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx b/src/content/docs/cloudflare-one/traffic-policies/http-policies/tls-decryption.mdx
similarity index 90%
rename from src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/http-policies/tls-decryption.mdx
index 256b73ee9afca4..f1d9b5c70a4b30 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/http-policies/tls-decryption.mdx
@@ -18,7 +18,7 @@ Cloudflare Gateway can perform [SSL/TLS decryption](https://www.cloudflare.com/l
 When you turn on TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with a [user-side certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/).
-Cloudflare prevents traffic interference by decrypting, inspecting, and re-encrypting HTTPS requests in its data centers in memory only. Gateway only stores eligible cache content at rest. All cache disks are encrypted at rest. You can configure where TLS decryption takes place with [Regional Services](/data-localization/regional-services/) in the [Cloudflare Data Localization Suite (DLS)](/data-localization/). To further control what data centers traffic egresses from, you can use [dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/).
+Cloudflare prevents traffic interference by decrypting, inspecting, and re-encrypting HTTPS requests in its data centers in memory only. Gateway only stores eligible cache content at rest. All cache disks are encrypted at rest. You can configure where TLS decryption takes place with [Regional Services](/data-localization/regional-services/) in the [Cloudflare Data Localization Suite (DLS)](/data-localization/). To further control what data centers traffic egresses from, you can use [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/).
 Cloudflare supports connections from users to Gateway over TLS 1.1, 1.2, and 1.3.
@@ -49,7 +49,7 @@ Gateway does not support TLS decryption for applications which use:
 product="cloudflare-one"
 params={{
 turnOnProcedure:
- "you can turn on [protocol detection](/cloudflare-one/policies/gateway/network-policies/protocol-detection/) and configure Gateway to [inspect traffic on all ports](/cloudflare-one/policies/gateway/network-policies/protocol-detection/#inspect-on-all-ports)",
+ "you can turn on [protocol detection](/cloudflare-one/traffic-policies/network-policies/protocol-detection/) and configure Gateway to [inspect traffic on all ports](/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports)",
 }}
 />
@@ -60,10 +60,10 @@ Applications that use certificate pinning and mTLS authentication do not trust C
 If you try to perform TLS decryption on an application with an incompatible certificate configuration, the application may return an SSL or trust error and/or fail to load. To resolve this issue, you can:
 - Add a [Cloudflare certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to supported applications.
-- Create a [Do Not Inspect policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) to exempt applications from inspection. The [Application selector](/cloudflare-one/policies/gateway/http-policies/#application) provides a list of trusted applications that are known to use embedded certificates. Note that if you create a Do Not Inspect policy for an application or website, you will lose the ability to log or block HTTP requests, apply DLP policies, and perform AV scanning.
+- Create a [Do Not Inspect policy](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) to exempt applications from inspection. The [Application selector](/cloudflare-one/traffic-policies/http-policies/#application) provides a list of trusted applications that are known to use embedded certificates. Note that if you create a Do Not Inspect policy for an application or website, you will lose the ability to log or block HTTP requests, apply DLP policies, and perform AV scanning.
 - Configure a [Split Tunnel](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/) in Include mode to ensure Gateway will only inspect traffic destined for your IPs or domains. This is useful for organizations that deploy Zero Trust on users' personal devices or otherwise expect personal applications to be used.
-Alternatively, to allow HTTP filtering while accessing a site with an insecure certificate, set your [Untrusted certificate action](/cloudflare-one/policies/gateway/http-policies/#untrusted-certificates) to _Pass through_.
+Alternatively, to allow HTTP filtering while accessing a site with an insecure certificate, set your [Untrusted certificate action](/cloudflare-one/traffic-policies/http-policies/#untrusted-certificates) to _Pass through_.
 ### Google Chrome automatic HTTPS upgrades
@@ -77,7 +77,7 @@ To disable automatic HTTPS upgrades for a URL across your Zero Trust organizatio
 1. Deploy a [custom root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/).
-2. Create an [HTTP policy](/cloudflare-one/policies/gateway/http-policies/) to match the domain of the URL being automatically upgraded. For example:
+2. Create an [HTTP policy](/cloudflare-one/traffic-policies/http-policies/) to match the domain of the URL being automatically upgraded. For example:
 | Selector | Operator | Value | Action |
 | -------- | -------- | ------------- | ------ |
@@ -87,7 +87,7 @@ To disable automatic HTTPS upgrades for a URL across your Zero Trust organizatio
 4. Select **Create policy**.
-The pass through policy will bypass insecure connection upgrades for any device connected to your Zero Trust organization. For more information, refer to [Untrusted certificates](/cloudflare-one/policies/gateway/http-policies/#untrusted-certificates).
+The pass through policy will bypass insecure connection upgrades for any device connected to your Zero Trust organization. For more information, refer to [Untrusted certificates](/cloudflare-one/traffic-policies/http-policies/#untrusted-certificates).
@@ -101,13 +101,13 @@ Chrome Enterprise users can turn off automatic HTTPS upgrades for all URLs with
 ### Mutual TLS (mTLS)
-When decrypting TLS to inspect traffic, connections that use mutual TLS (mTLS) will fail because Gateway cannot return the necessary client certificate. To prevent connection failures, create a [Do Not Inspect policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) for this traffic.
+When decrypting TLS to inspect traffic, connections that use mutual TLS (mTLS) will fail because Gateway cannot return the necessary client certificate. To prevent connection failures, create a [Do Not Inspect policy](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) for this traffic.
 ### ESNI and ECH
 Websites that adhere to [ESNI or Encrypted Client Hello (ECH) standards](https://blog.cloudflare.com/encrypted-client-hello/) encrypt the Server Name Indicator (SNI) during the TLS handshake and are therefore incompatible with HTTP inspection. This is because Gateway relies on the SNI to match an HTTP request to a policy. If the ECH fails, browsers will retry the TLS handshake using the unencrypted SNI from the initial request. To avoid this behavior, you can disable ECH in your users' browsers.
-You can still apply all [network policy filters](/cloudflare-one/policies/gateway/network-policies/#selectors) except for SNI and SNI Domain. To restrict ESNI and ECH traffic, an option is to filter out all port `80` and `443` traffic that does not include an SNI header.
+You can still apply all [network policy filters](/cloudflare-one/traffic-policies/network-policies/#selectors) except for SNI and SNI Domain. To restrict ESNI and ECH traffic, an option is to filter out all port `80` and `443` traffic that does not include an SNI header.
 ## Post-quantum support
@@ -129,7 +129,7 @@ By default, TLS decryption can use both TLS version 1.2 and 1.3. However, some e
 When FIPS compliance is enabled, Gateway will only choose [FIPS-compliant cipher suites](#cipher-suites) when connecting to the origin. If the origin does not support FIPS-compliant ciphers, the request will fail.
-FIPS-compliant traffic defaults to [HTTP/3](/cloudflare-one/policies/gateway/http-policies/http3/). To enforce HTTP policies for UDP traffic, you must turn on the [Gateway proxy for UDP](/cloudflare-one/policies/gateway/http-policies/http3/#enable-http3-inspection).
+FIPS-compliant traffic defaults to [HTTP/3](/cloudflare-one/traffic-policies/http-policies/http3/). To enforce HTTP policies for UDP traffic, you must turn on the [Gateway proxy for UDP](/cloudflare-one/traffic-policies/http-policies/http3/#enable-http3-inspection).
 ## FedRAMP compliance
diff --git a/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx b/src/content/docs/cloudflare-one/traffic-policies/identity-selectors.mdx
similarity index 97%
rename from src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/identity-selectors.mdx
index 1f47eef5c5c551..7be3c64904e80f 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/identity-selectors.mdx
@@ -88,7 +88,7 @@ Use this selector to create identity-based Gateway policies based on an IdP user
 :::note[Gateway groups vs. Access rule groups]
-In Gateway, a **User Group** refers to a group in your IdP (for example, an Okta group). Gateway does not currently support applying DNS, HTTP, and Network policies to [Access rule groups](/cloudflare-one/policies/access/groups/). This is because Access rule groups may include criteria not available through the IdP, such as device location or IP address.
+In Gateway, a **User Group** refers to a group in your IdP (for example, an Okta group). Gateway does not currently support applying DNS, HTTP, and Network policies to [Access rule groups](/cloudflare-one/access-controls/policies/groups/). This is because Access rule groups may include criteria not available through the IdP, such as device location or IP address.
 :::
diff --git a/src/content/docs/cloudflare-one/policies/gateway/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/index.mdx
similarity index 82%
rename from src/content/docs/cloudflare-one/policies/gateway/index.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/index.mdx
index 0c468fd166ba24..0cd3225dfbbae0 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/index.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/index.mdx
@@ -1,11 +1,8 @@
 ---
 pcx_content_type: concept
-title: Secure Web Gateway
+title: Traffic policies
 sidebar:
- order: 1
-head:
- - tag: title
- content: Gateway policies
+ order: 8
 ---
 import { Render, Stream } from "~/components";
@@ -37,7 +34,7 @@ For each type of policy, we recommend the following workflow:
 3. Set up basic security and compatibility policies (recommended for most use cases).
 4. Customize your configuration to the unique needs of your organization.
-To get started with specific Gateway filtering types, refer to the initial setup for [DNS](/cloudflare-one/policies/gateway/initial-setup/dns/), [Network](/cloudflare-one/policies/gateway/initial-setup/network/), and [HTTP](/cloudflare-one/policies/gateway/initial-setup/http/) policies.
+To get started with specific Gateway filtering types, refer to the initial setup for [DNS](/cloudflare-one/traffic-policies/initial-setup/dns/), [Network](/cloudflare-one/traffic-policies/initial-setup/network/), and [HTTP](/cloudflare-one/traffic-policies/initial-setup/http/) policies.
 ### Select a policy type
@@ -48,4 +45,4 @@ The recommended policy type depends on what kind of traffic you are trying to fi
 - To block malware and other security threats, create both DNS and HTTP policies.
 - To assign static IP addresses to your organization's egress traffic, create an egress policy.
-Refer to the [DNS](/cloudflare-one/policies/gateway/dns-policies/), [network](/cloudflare-one/policies/gateway/network-policies/), [HTTP](/cloudflare-one/policies/gateway/http-policies/), and [egress](/cloudflare-one/policies/gateway/egress-policies/) configuration pages to see the available filtering options within each policy builder.
+Refer to the [DNS](/cloudflare-one/traffic-policies/dns-policies/), [network](/cloudflare-one/traffic-policies/network-policies/), [HTTP](/cloudflare-one/traffic-policies/http-policies/), and [egress](/cloudflare-one/traffic-policies/egress-policies/) configuration pages to see the available filtering options within each policy builder.
diff --git a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx b/src/content/docs/cloudflare-one/traffic-policies/initial-setup/dns.mdx
similarity index 89%
rename from src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/initial-setup/dns.mdx
index 0fdac6c4bd3aa5..e81931215ad648 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/initial-setup/dns.mdx
@@ -33,7 +33,7 @@ To filter DNS requests from an individual device such as a laptop or phone:
 1. [Install the WARP client](/cloudflare-one/team-and-resources/devices/warp/deployment/) on your device.
 2. In the WARP client Settings, log in to your organization's Zero Trust instance.
-3. (Optional) If you want to display a [custom block page](/cloudflare-one/policies/gateway/block-page/), [install a Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device.
+3. (Optional) If you want to display a [custom block page](/cloudflare-one/traffic-policies/block-page/), [install a Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device.
 ### Connect DNS locations
@@ -70,7 +70,7 @@ To create a new DNS policy:
 2. In the **DNS** tab, select **Add a policy**.
 3. Name the policy.
 4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
-5. Choose an **Action** to take when traffic matches the logical expression. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories):
+5. Choose an **Action** to take when traffic matches the logical expression. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/traffic-policies/domain-categories/#security-categories):
-For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
+For more information, refer to [DNS policies](/cloudflare-one/traffic-policies/dns-policies/).
 ## 4. Add optional policies
-Refer to our list of [common DNS policies](/cloudflare-one/policies/gateway/dns-policies/common-policies) for other policies you may want to create.
+Refer to our list of [common DNS policies](/cloudflare-one/traffic-policies/dns-policies/common-policies) for other policies you may want to create.
diff --git a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/http.mdx b/src/content/docs/cloudflare-one/traffic-policies/initial-setup/http.mdx
similarity index 84%
rename from src/content/docs/cloudflare-one/policies/gateway/initial-setup/http.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/initial-setup/http.mdx
index 768ec5e150bd0b..27d17f804c7638 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/http.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/initial-setup/http.mdx
@@ -26,9 +26,9 @@ To filter HTTP requests from a device:
 1. [Install the Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device.
 2. [Install the WARP client](/cloudflare-one/team-and-resources/devices/warp/deployment/) on your device.
 3. In the WARP client Settings, log in to your organization's Zero Trust instance.
-4. [Enable the Gateway proxy](/cloudflare-one/policies/gateway/proxy/#turn-on-the-gateway-proxy) for TCP. Optionally, you can enable the UDP proxy to inspect all port 443 UDP traffic.
-5. To inspect HTTPS traffic, [enable TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#turn-on-tls-decryption).
-6. (Optional) To scan file uploads and downloads for malware, [enable anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/).
+4. [Enable the Gateway proxy](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP. Optionally, you can enable the UDP proxy to inspect all port 443 UDP traffic.
+5. To inspect HTTPS traffic, [enable TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#turn-on-tls-decryption).
+6. (Optional) To scan file uploads and downloads for malware, [enable anti-virus scanning](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/).
 ## 2. Verify device connectivity
@@ -49,4 +49,4 @@ To verify your device is connected to Zero Trust:
 ## 4. Add optional policies
-Refer to our list of [common HTTP policies](/cloudflare-one/policies/gateway/http-policies/common-policies) for other policies you may want to create.
+Refer to our list of [common HTTP policies](/cloudflare-one/traffic-policies/http-policies/common-policies) for other policies you may want to create.
diff --git a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/initial-setup/index.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/policies/gateway/initial-setup/index.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/initial-setup/index.mdx
diff --git a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/network.mdx b/src/content/docs/cloudflare-one/traffic-policies/initial-setup/network.mdx
similarity index 89%
rename from src/content/docs/cloudflare-one/policies/gateway/initial-setup/network.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/initial-setup/network.mdx
index 116e81eb953da1..0eb49f5a757673 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/network.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/initial-setup/network.mdx
@@ -24,8 +24,8 @@ To filter network traffic from a device such as a laptop or phone:
 1. [Install the WARP client](/cloudflare-one/team-and-resources/devices/warp/deployment/) on your device.
 2. In the WARP client Settings, log in to your organization's Zero Trust instance.
-3. (Optional) If you want to display a [custom block page](/cloudflare-one/policies/gateway/block-page/), [install the Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device .
-4. [Enable the Gateway proxy](/cloudflare-one/policies/gateway/proxy/#turn-on-the-gateway-proxy) for TCP. Optionally, you can enable the UDP proxy to inspect all port 443 UDP traffic.
+3. (Optional) If you want to display a [custom block page](/cloudflare-one/traffic-policies/block-page/), [install the Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device .
+4. [Enable the Gateway proxy](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP. Optionally, you can enable the UDP proxy to inspect all port 443 UDP traffic.
 ### Connect private networks
@@ -53,4 +53,4 @@ To verify your device is connected to Zero Trust:
 ## 4. Add optional policies
-Refer to our list of [common network policies](/cloudflare-one/policies/gateway/network-policies/common-policies) for policies you may want to create.
+Refer to our list of [common network policies](/cloudflare-one/traffic-policies/network-policies/common-policies) for policies you may want to create.
diff --git a/src/content/docs/cloudflare-one/policies/gateway/lists.mdx b/src/content/docs/cloudflare-one/traffic-policies/lists.mdx
similarity index 92%
rename from src/content/docs/cloudflare-one/policies/gateway/lists.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/lists.mdx
index 50a713bde221a0..99f9dcd2ecd7ff 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/lists.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/lists.mdx
@@ -7,7 +7,7 @@ sidebar:
 import { Render } from "~/components";
-With Cloudflare Zero Trust, you can create lists of URLs, hostnames, or other entries to reference when creating [Gateway policies](/cloudflare-one/policies/gateway/) or [Access policies](/cloudflare-one/policies/access/). This allows you to quickly create rules that match and take actions against several items at once.
+With Cloudflare Zero Trust, you can create lists of URLs, hostnames, or other entries to reference when creating [Gateway policies](/cloudflare-one/traffic-policies/) or [Access policies](/cloudflare-one/access-controls/policies/). This allows you to quickly create rules that match and take actions against several items at once.
 Before creating a list, make note of the [limitations](#limitations).
diff --git a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx b/src/content/docs/cloudflare-one/traffic-policies/managed-service-providers.mdx
similarity index 93%
rename from src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/managed-service-providers.mdx
index 79c89086eb21aa..b4917033727055 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/managed-service-providers.mdx
@@ -11,13 +11,13 @@ Only available on Enterprise plans. For more information, contact your account t
 Gateway supports the [Cloudflare Tenant API](/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With the Tenant API, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a group or individual account level.
-The Tenant platform only supports [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). For more information, refer to the [Cloudflare Zero Trust for managed service providers](https://blog.cloudflare.com/gateway-managed-service-provider/) blog post.
+The Tenant platform only supports [DNS policies](/cloudflare-one/traffic-policies/dns-policies/). For more information, refer to the [Cloudflare Zero Trust for managed service providers](https://blog.cloudflare.com/gateway-managed-service-provider/) blog post.
 ## Get started
 {/* Don't need to surface much of the policy creation flow here */}
-To set up the Tenant API, refer to [Get started](/tenant/get-started/). Once you have provisioned and configured your customer's Cloudflare accounts, you can create [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
+To set up the Tenant API, refer to [Get started](/tenant/get-started/). Once you have provisioned and configured your customer's Cloudflare accounts, you can create [DNS policies](/cloudflare-one/traffic-policies/dns-policies/).
 ## Account types
@@ -27,10 +27,10 @@ The Gateway Tenant platform supports tiered and siloed account configurations.
 In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can override or add policies as needed while still being managed by the parent account. MSPs can also configure child accounts independently from the parent account, including:
-- Configuring a [custom block page](/cloudflare-one/policies/gateway/block-page/)
+- Configuring a [custom block page](/cloudflare-one/traffic-policies/block-page/)
 - Generating or uploading [root certificates](/cloudflare-one/team-and-resources/devices/user-side-certificates/)
 - Mapping [DNS locations](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/)
-- Creating [lists](/cloudflare-one/policies/gateway/lists/)
+- Creating [lists](/cloudflare-one/traffic-policies/lists/)
 Each child account is subject to the default Zero Trust [account limits](/cloudflare-one/account-limits/).
diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx b/src/content/docs/cloudflare-one/traffic-policies/network-policies/common-policies.mdx
similarity index 96%
rename from src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/network-policies/common-policies.mdx
index 51eb5ac0889cfa..8d6afbeed915fc 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/network-policies/common-policies.mdx
@@ -12,7 +12,7 @@ import { Render, Tabs, TabItem, APIRequest } from "~/components";
 The following policies are commonly used to secure network traffic.
-Refer to the [network policies page](/cloudflare-one/policies/gateway/network-policies/) for a comprehensive list of other selectors, operators, and actions.
+Refer to the [network policies page](/cloudflare-one/traffic-policies/network-policies/) for a comprehensive list of other selectors, operators, and actions.
 ## Block unauthorized applications
@@ -93,7 +93,7 @@ To require users to re-authenticate after a certain amount of time has elapsed,
 ## Allow only approved traffic
-Restrict user access to only the specific sites or applications configured in your [HTTP policies](/cloudflare-one/policies/gateway/http-policies/).
+Restrict user access to only the specific sites or applications configured in your [HTTP policies](/cloudflare-one/traffic-policies/http-policies/).
 ### 1. Allow HTTP and HTTPS traffic
@@ -156,7 +156,7 @@ Restrict user access to only the specific sites or applications configured in yo
 ## Filter HTTPS traffic when inspecting on all ports
-If your organization blocks traffic by default with a network policy and you want to [inspect HTTP traffic on all ports](/cloudflare-one/policies/gateway/network-policies/protocol-detection/#inspect-on-all-ports), you need to explicitly allow HTTP and TLS traffic to filter it.
+If your organization blocks traffic by default with a network policy and you want to [inspect HTTP traffic on all ports](/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports), you need to explicitly allow HTTP and TLS traffic to filter it.
diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/network-policies/index.mdx
similarity index 97%
rename from src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/network-policies/index.mdx
index 3eb6bfe3ca828e..f0aeb7486a7eda 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/network-policies/index.mdx
@@ -132,7 +132,7 @@ Policies with Audit SSH actions allow administrators to log SSH traffic. Gateway
 Gateway only audits SSH traffic over port `22`. Non-standard ports, including those specified with the [Destination Port selector](#destination-port), are not supported.
-For more information on SSH logging, refer to [Configure SSH proxy and command logs](/cloudflare-one/policies/gateway/network-policies/ssh-logging/).
+For more information on SSH logging, refer to [Configure SSH proxy and command logs](/cloudflare-one/traffic-policies/network-policies/ssh-logging/).
 ### Block
@@ -303,7 +303,7 @@ Gateway matches network traffic against the following selectors, or criteria.
 ### Detected Protocol
-The inferred network protocol based on Cloudflare's [protocol detection](/cloudflare-one/policies/gateway/network-policies/protocol-detection/).
+The inferred network protocol based on Cloudflare's [protocol detection](/cloudflare-one/traffic-policies/network-policies/protocol-detection/).
 | UI name | API example |
 | ----------------- | --------------------------------- |
@@ -337,7 +337,7 @@ To enable Gateway filtering on TCP and UDP, go to **Settings** > **Network** > *
 The host whose Server Name Indication (SNI) header Gateway will filter traffic against. This will allow for an exact match.
-By default, this selector only applies to HTTPS traffic on port `443`. To inspect traffic on every port, turn on [protocol detection](/cloudflare-one/policies/gateway/network-policies/protocol-detection/) and choose to [inspect on all ports](/cloudflare-one/policies/gateway/network-policies/protocol-detection/#inspect-on-all-ports).
+By default, this selector only applies to HTTPS traffic on port `443`. To inspect traffic on every port, turn on [protocol detection](/cloudflare-one/traffic-policies/network-policies/protocol-detection/) and choose to [inspect on all ports](/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports).
 | UI name | API example |
 | ------- | ----------------------------------- |
@@ -347,7 +347,7 @@ By default, this selector only applies to HTTPS traffic on port `443`. To inspec
 The domain whose Server Name Indication (SNI) header Gateway will filter traffic against. For example, a rule for `example.com` will match `example.com`, `www.example.com`, and `my.test.example.com`.
-By default, this selector only applies to HTTPS traffic on port `443`. To inspect traffic on every port, turn on [protocol detection](/cloudflare-one/policies/gateway/network-policies/protocol-detection/) and choose to [inspect on all ports](/cloudflare-one/policies/gateway/network-policies/protocol-detection/#inspect-on-all-ports).
+By default, this selector only applies to HTTPS traffic on port `443`. To inspect traffic on every port, turn on [protocol detection](/cloudflare-one/traffic-policies/network-policies/protocol-detection/) and choose to [inspect on all ports](/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports).
 | UI name | API example |
 | ---------- | ---------------------------------- |
diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/protocol-detection.mdx b/src/content/docs/cloudflare-one/traffic-policies/network-policies/protocol-detection.mdx
similarity index 97%
rename from src/content/docs/cloudflare-one/policies/gateway/network-policies/protocol-detection.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/network-policies/protocol-detection.mdx
index 31cde26849bf8e..a0480ae2b15c93 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/protocol-detection.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/network-policies/protocol-detection.mdx
@@ -18,7 +18,7 @@ To turn on protocol detection:
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Network** > **Firewall**.
 2. Turn on **Protocol Detection**.
-You can now use _Detected Protocol_ as a selector in a [Network policy](/cloudflare-one/policies/gateway/network-policies/#detected-protocol).
+You can now use _Detected Protocol_ as a selector in a [Network policy](/cloudflare-one/traffic-policies/network-policies/#detected-protocol).
 ### Inspect on all ports
diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/ssh-logging.mdx b/src/content/docs/cloudflare-one/traffic-policies/network-policies/ssh-logging.mdx
similarity index 98%
rename from src/content/docs/cloudflare-one/policies/gateway/network-policies/ssh-logging.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/network-policies/ssh-logging.mdx
index 02a5ef9edf78ec..251414d4ab2713 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/ssh-logging.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/network-policies/ssh-logging.mdx
@@ -63,7 +63,7 @@ cat /etc/ssh/sshd_config
 2. In the **Network** tab, create a new network policy.
-3. Name the policy and specify the [Destination IP](/cloudflare-one/policies/gateway/network-policies/#destination-ip) for your origin server.
+3. Name the policy and specify the [Destination IP](/cloudflare-one/traffic-policies/network-policies/#destination-ip) for your origin server.
 You can enter either a public or private IP. To use a private IP, refer to [Connect private networks](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/).
diff --git a/src/content/docs/cloudflare-one/policies/gateway/order-of-enforcement.mdx b/src/content/docs/cloudflare-one/traffic-policies/order-of-enforcement.mdx
similarity index 81%
rename from src/content/docs/cloudflare-one/policies/gateway/order-of-enforcement.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/order-of-enforcement.mdx
index 5435327c195ec6..b444e133aeab9a 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/order-of-enforcement.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/order-of-enforcement.mdx
@@ -7,6 +7,6 @@ sidebar:
 import { Render } from "~/components";
-With Cloudflare Gateway, you can [enable and configure](/cloudflare-one/policies/gateway/initial-setup/) any combination of DNS, network, and HTTP policies.
+With Cloudflare Gateway, you can [enable and configure](/cloudflare-one/traffic-policies/initial-setup/) any combination of DNS, network, and HTTP policies.
diff --git a/src/content/docs/cloudflare-one/policies/gateway/proxy.mdx b/src/content/docs/cloudflare-one/traffic-policies/proxy.mdx
similarity index 96%
rename from src/content/docs/cloudflare-one/policies/gateway/proxy.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/proxy.mdx
index 214ac1297350c3..033214f0b86438 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/proxy.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/proxy.mdx
@@ -7,7 +7,7 @@ sidebar:
 import { Badge, Tabs, TabItem, Render } from "~/components";
-You can forward [HTTP](/cloudflare-one/policies/gateway/initial-setup/http/) and [network](/cloudflare-one/policies/gateway/initial-setup/network/) traffic to Gateway for logging and filtering. Gateway can proxy both outbound traffic and traffic directed to resources connected via a Cloudflare Tunnel, GRE tunnel, or IPsec tunnel. When a user connects to the Gateway proxy, Gateway will accept the connection and establish a new, separate connection to the origin server.
+You can forward [HTTP](/cloudflare-one/traffic-policies/initial-setup/http/) and [network](/cloudflare-one/traffic-policies/initial-setup/network/) traffic to Gateway for logging and filtering. Gateway can proxy both outbound traffic and traffic directed to resources connected via a Cloudflare Tunnel, GRE tunnel, or IPsec tunnel. When a user connects to the Gateway proxy, Gateway will accept the connection and establish a new, separate connection to the origin server.
 The Gateway proxy is required for filtering HTTP and network traffic via the WARP client in Gateway with WARP mode. To proxy HTTP traffic without deploying the WARP client, you can configure [PAC files](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) on your devices.
@@ -37,7 +37,7 @@ By default, TCP connection attempts will timeout after 30 seconds and idle conne
 The UDP proxy forwards UDP traffic such as VoIP, [internal DNS requests](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/private-dns/), and thick client applications.
-When the UDP proxy is enabled, Gateway will force all HTTP/3 traffic to HTTP/2 to allow inspection. Otherwise, HTTP/3 traffic will bypass inspection. For more information, refer to [HTTP/3 inspection](/cloudflare-one/policies/gateway/http-policies/http3/).
+When the UDP proxy is enabled, Gateway will force all HTTP/3 traffic to HTTP/2 to allow inspection. Otherwise, HTTP/3 traffic will bypass inspection. For more information, refer to [HTTP/3 inspection](/cloudflare-one/traffic-policies/http-policies/http3/).
 ### ICMP
diff --git a/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx b/src/content/docs/cloudflare-one/traffic-policies/resolver-policies.mdx
similarity index 97%
rename from src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx
rename to src/content/docs/cloudflare-one/traffic-policies/resolver-policies.mdx
index 82b766ca856ed7..5e3ad7b8b7a7de 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/resolver-policies.mdx
@@ -78,7 +78,7 @@ Resolver policies can route queries for resolution from the following DNS endpoi
 - IPv6
 - [DNS over HTTPS (DoH)](/cloudflare-one/team-and-resources/devices/agentless/dns/dns-over-https/)
 - [DNS over TLS (DoT)](/cloudflare-one/team-and-resources/devices/agentless/dns/dns-over-tls/)
-- DNS queries generated by Cloudflare [Browser Isolation](/cloudflare-one/policies/browser-isolation/) and [Clientless Web Isolation](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/)
+- DNS queries generated by Cloudflare [Browser Isolation](/cloudflare-one/remote-browser-isolation/) and [Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/)
 - DNS queries generated by [proxy endpoints](/cloudflare-one/team-and-resources/devices/agentless/pac-files/)
 Gateway will filter, resolve, and log your queries regardless of endpoint.
@@ -87,7 +87,7 @@ Gateway will filter, resolve, and log your queries regardless of endpoint.
-For more information on creating a DNS policy, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
+For more information on creating a DNS policy, refer to [DNS policies](/cloudflare-one/traffic-policies/dns-policies/).
diff --git a/src/content/docs/cloudflare-one/tutorials/access-workers.mdx b/src/content/docs/cloudflare-one/tutorials/access-workers.mdx
index bc6077b4467429..2834caa0673fbb 100644
--- a/src/content/docs/cloudflare-one/tutorials/access-workers.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/access-workers.mdx
@@ -13,7 +13,7 @@ description: >-
 import { TypeScriptExample, DashButton } from "~/components";
-This tutorial covers how to use a [Cloudflare Worker](/workers/) to add custom HTTP headers to traffic, and how to send those custom headers to your origin services protected by [Cloudflare Access](/cloudflare-one/policies/access/).
+This tutorial covers how to use a [Cloudflare Worker](/workers/) to add custom HTTP headers to traffic, and how to send those custom headers to your origin services protected by [Cloudflare Access](/cloudflare-one/access-controls/policies/).
 Some applications and networking implementations require specific custom headers to be passed to the origin, which can be difficult to implement for traffic moving through a Zero Trust proxy. You can configure a Worker to send the [user authorization headers](/cloudflare-one/identity/authorization-cookie/) required by Access.
diff --git a/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx b/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx
index 93a1c5923b003a..2996468cc77843 100644
--- a/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx
@@ -11,7 +11,7 @@ description: >-
 import { TabItem, Tabs, Details, Render, DashButton } from "~/components";
-This tutorial explains how to use [Cloudflare AI Gateway](/ai-gateway/) and Zero Trust to create a functional and secure website wrapper for an AI agent. Cloudflare Zero Trust administrators can protect access to the wrapper with [Cloudflare Access](/cloudflare-one/policies/access/). Additionally, you can enforce [Gateway policies](/cloudflare-one/policies/gateway/) to control how your users interact with AI agents, including executing AI agents in an isolated browser with [Browser Isolation](/cloudflare-one/policies/browser-isolation/), enforcing [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/) profiles to prevent your users from sharing sensitive data, and scanning content to avoid answers from AI agents that violate internal corporate guidelines. Creating an AI agent wrapper is also an effective way to enforce tenant control if you have an enterprise plan for a specific AI provider, such as ChatGPT Enterprise.
+This tutorial explains how to use [Cloudflare AI Gateway](/ai-gateway/) and Zero Trust to create a functional and secure website wrapper for an AI agent. Cloudflare Zero Trust administrators can protect access to the wrapper with [Cloudflare Access](/cloudflare-one/access-controls/policies/). Additionally, you can enforce [Gateway policies](/cloudflare-one/traffic-policies/) to control how your users interact with AI agents, including executing AI agents in an isolated browser with [Browser Isolation](/cloudflare-one/remote-browser-isolation/), enforcing [Data Loss Prevention](/cloudflare-one/data-loss-prevention/) profiles to prevent your users from sharing sensitive data, and scanning content to avoid answers from AI agents that violate internal corporate guidelines.
Creating an AI agent wrapper is also an effective way to enforce tenant control if you have an enterprise plan for a specific AI provider, such as ChatGPT Enterprise. This tutorial uses ChatGPT as an example AI agent.
@@ -412,13 +412,13 @@ To secure the AI agent wrapper to ensure that only trusted users can access it:
 5. In **Session Duration**, choose when the user's application token should expire.
 6. Select **Add public hostname** and enter the custom domain you set for your Worker.
 7. [Configure your Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) for your Worker.
-8. Add [Access policies](/cloudflare-one/policies/access/policy-management/) to control who can connect to your application.
+8. Add [Access policies](/cloudflare-one/access-controls/policies/policy-management/) to control who can connect to your application.
 Now your AI wrapper can only be accessed by your users that successfully match your Access policies.
 ## 5. Block access to public AI agents with Gateway
-You can now block access to all unauthorized public AI agents with a Gateway [HTTP policy](/cloudflare-one/policies/gateway/http-policies/).
+You can now block access to all unauthorized public AI agents with a Gateway [HTTP policy](/cloudflare-one/traffic-policies/http-policies/).
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
 2. Select **HTTP**.
@@ -433,7 +433,7 @@ You can now block access to all unauthorized public AI agents with a Gateway [HT
 This ensures that public AI agents are not accessible using a managed endpoint.
-Alternatively, you can prevent users from using public AI agents by displaying a [custom block message](/cloudflare-one/policies/gateway/block-page/#customize-the-block-page), [redirect](/cloudflare-one/policies/gateway/block-page/#redirect-to-a-block-page), or a [user notification](/cloudflare-one/policies/gateway/http-policies/#warp-client-block-notifications) directing users to the AI agent wrapper.
+Alternatively, you can prevent users from using public AI agents by displaying a [custom block message](/cloudflare-one/traffic-policies/block-page/#customize-the-block-page), [redirect](/cloudflare-one/traffic-policies/block-page/#redirect-to-a-block-page), or a [user notification](/cloudflare-one/traffic-policies/http-policies/#warp-client-block-notifications) directing users to the AI agent wrapper.
 ## 6. Enforce Data Loss Prevention and Clientless Browser Isolation
@@ -441,10 +441,10 @@ Now that you have full control over access to your AI agent wrapper, you can enf
 ### Apply Data Loss Prevention profiles
-You can use [Data Loss Prevention (DLP)](/cloudflare-one/policies/data-loss-prevention/) to prevent your users from sending sensitive data to the AI agent.
+You can use [Data Loss Prevention (DLP)](/cloudflare-one/data-loss-prevention/) to prevent your users from sending sensitive data to the AI agent.
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Data loss prevention** > **DLP profiles**.
-2. Ensure that the [DLP profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/) you want to enforce are properly configured.
+2. Ensure that the [DLP profiles](/cloudflare-one/data-loss-prevention/dlp-profiles/) you want to enforce are properly configured.
 3. Add an HTTP policy to enforce the DLP profile for the hostname for your wrapper. For example:
 | Selector | Operator | Value | Logic | Action |
@@ -454,11 +454,11 @@ You can use [Data Loss Prevention (DLP)](/cloudflare-one/policies/data-loss-prev
 4. Select **Create policy**.
-For more information on creating DLP policies, refer to [Scan HTTP traffic](/cloudflare-one/policies/data-loss-prevention/dlp-policies/).
+For more information on creating DLP policies, refer to [Scan HTTP traffic](/cloudflare-one/data-loss-prevention/dlp-policies/).
 ### Execute in a clientless isolated browser
-Because you published your wrapper as a self-hosted Access application, you can execute it in an [isolated session](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/) for your users by creating an [Access policy](/cloudflare-one/policies/access/) and configuring it for your application.
+Because you published your wrapper as a self-hosted Access application, you can execute it in an [isolated session](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) for your users by creating an [Access policy](/cloudflare-one/access-controls/policies/) and configuring it for your application.
@@ -478,7 +478,7 @@ Once the Access policy has been created, you can attach it to your wrapper.
 Because Clientless Web Isolation traffic applies your Gateway HTTP policies, your configured DLP profiles will apply to isolated sessions.
-For more information on isolating an Access application, refer to [Isolate self-hosted application](/cloudflare-one/policies/access/isolate-application/).
+For more information on isolating an Access application, refer to [Isolate self-hosted application](/cloudflare-one/access-controls/policies/isolate-application/).
 ## Additional benefits
diff --git a/src/content/docs/cloudflare-one/tutorials/clientless-access-private-dns.mdx b/src/content/docs/cloudflare-one/tutorials/clientless-access-private-dns.mdx
index a5e6012747d04a..c8dddd930d0ac7 100644
--- a/src/content/docs/cloudflare-one/tutorials/clientless-access-private-dns.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/clientless-access-private-dns.mdx
@@ -15,8 +15,8 @@ With Cloudflare Browser Isolation and resolver policies, users can connect to pr
 Make sure you have:
-- [Cloudflare Browser Isolation](/cloudflare-one/policies/browser-isolation/) enabled on your account
-- [Resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) enabled on your account
+- [Cloudflare Browser Isolation](/cloudflare-one/remote-browser-isolation/) enabled on your account
+- [Resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) enabled on your account
 - An HTTP or HTTPS application that users access through a browser
 ## Create a Cloudflare Tunnel
@@ -57,7 +57,7 @@ To test, open a browser and go to `https://.cloudflareaccess.com/brow
 2. Select **Add a policy**.
-3. Create an expression to match against the private [domain](/cloudflare-one/policies/gateway/resolver-policies/#domain) or [hostname](/cloudflare-one/policies/gateway/resolver-policies/#host) of the application:
+3. Create an expression to match against the private [domain](/cloudflare-one/traffic-policies/resolver-policies/#domain) or [hostname](/cloudflare-one/traffic-policies/resolver-policies/#host) of the application:
 | Selector | Operator | Value |
 | -------- | -------- | -------------------- |
@@ -79,7 +79,7 @@ To test, open a browser and go to `https://.cloudflareaccess.com/brow
 1. Go to **Gateway** > **Firewall policies** > **Network**.
-2. Add a [network policy](/cloudflare-one/policies/gateway/network-policies/) that targets the private IP address of your application. You can optionally include any ports or protocols relevant for application access. For example,
+2. Add a [network policy](/cloudflare-one/traffic-policies/network-policies/) that targets the private IP address of your application. You can optionally include any ports or protocols relevant for application access. For example,
 | Selector | Operator | Value | Logic | Action |
 | ---------------- | ------------- | --------------- | ----- | ------ |
@@ -101,4 +101,4 @@ Users can now access the application at the following URL:
 `https://.cloudflareaccess.com/browser/https://internalrecord.com`
-The application will load in an isolated browser. You can optionally [configure remote browser controls](/cloudflare-one/policies/browser-isolation/isolation-policies/#policy-settings) such as disabling copy/paste, printing, or keyboard input.
+The application will load in an isolated browser. You can optionally [configure remote browser controls](/cloudflare-one/remote-browser-isolation/isolation-policies/#policy-settings) such as disabling copy/paste, printing, or keyboard input.
diff --git a/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx b/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx
index 184abbc67cfd6b..ec24f9862cec89 100644
--- a/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx
@@ -76,7 +76,7 @@ To enforce your Conditional Access policies on a Cloudflare Access application:
 5. Select **Add public hostname** and enter the target URL of the protected application.
-6. Select **Create new policy** and build an [Access policy](/cloudflare-one/policies/access/) using the _Azure AD - Auth context_ selector. For example:
+6. Select **Create new policy** and build an [Access policy](/cloudflare-one/access-controls/policies/) using the _Azure AD - Auth context_ selector. For example:
 | Action | Rule type | Selector | Value |
 | ------ | --------- | ----------------------- | --------------------------- |
diff --git a/src/content/docs/cloudflare-one/tutorials/entra-id-risky-users.mdx b/src/content/docs/cloudflare-one/tutorials/entra-id-risky-users.mdx
index faac9f3e4f9e1b..fd83698f6bc020 100644
--- a/src/content/docs/cloudflare-one/tutorials/entra-id-risky-users.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/entra-id-risky-users.mdx
@@ -21,8 +21,8 @@ This tutorial demonstrates how to automatically redirect users to a remote brows
 ## Prerequisites
 - Microsoft Entra ID Premium P2 license
-- [Cloudflare Browser Isolation](/cloudflare-one/policies/browser-isolation/) add-on
-- [Gateway HTTP filtering](/cloudflare-one/policies/gateway/initial-setup/http/) enabled on your devices
+- [Cloudflare Browser Isolation](/cloudflare-one/remote-browser-isolation/) add-on
+- [Gateway HTTP filtering](/cloudflare-one/traffic-policies/initial-setup/http/) enabled on your devices
 - [npm](https://docs.npmjs.com/getting-started) installation
 - [Node.js](https://nodejs.org/en/) installation
@@ -149,13 +149,13 @@ Cloudflare Access will now synchronize changes in group membership with Entra ID
 ## 5. Create a browser isolation policy
-Finally, create a [Gateway HTTP policy](/cloudflare-one/policies/gateway/http-policies/) to isolate traffic for risky user groups.
+Finally, create a [Gateway HTTP policy](/cloudflare-one/traffic-policies/http-policies/) to isolate traffic for risky user groups.
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Gateway** > **Firewall policies** > **HTTP**.
 2. Select **Add a policy**.
-3. Build an [Isolate policy](/cloudflare-one/policies/browser-isolation/isolation-policies/) that contains a _User Group Names_ rule. For example, the following policy serves `app1.example.com` and `app2.example.com` in a remote browser for all members flagged as high risk:
+3. Build an [Isolate policy](/cloudflare-one/remote-browser-isolation/isolation-policies/) that contains a _User Group Names_ rule. For example, the following policy serves `app1.example.com` and `app2.example.com` in a remote browser for all members flagged as high risk:
 | Selector | Operator | Value | Logic | Action |
 | ---------------- | -------- | --------------------------------------------- | ----- | ------- |
diff --git a/src/content/docs/cloudflare-one/tutorials/extend-sso-with-workers.mdx b/src/content/docs/cloudflare-one/tutorials/extend-sso-with-workers.mdx
index 38add6b8f4d04b..5743a9bb6522fc 100644
--- a/src/content/docs/cloudflare-one/tutorials/extend-sso-with-workers.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/extend-sso-with-workers.mdx
@@ -17,13 +17,13 @@ import {
 WranglerConfig,
 } from "~/components";
-This tutorial will walk you through extending the single-sign-on (SSO) capabilities of [Cloudflare Access](/cloudflare-one/policies/access/) with our serverless computing platform, [Cloudflare Workers](/workers/). Specifically, this guide will demonstrate how to modify requests sent to your secured origin to include additional information from the Cloudflare Access authentication event.
+This tutorial will walk you through extending the single-sign-on (SSO) capabilities of [Cloudflare Access](/cloudflare-one/access-controls/policies/) with our serverless computing platform, [Cloudflare Workers](/workers/). Specifically, this guide will demonstrate how to modify requests sent to your secured origin to include additional information from the Cloudflare Access authentication event.
 **Time to complete:** 45 minutes
 ## Authentication flow
-[Cloudflare Access](/cloudflare-one/policies/access/) is an authentication proxy in charge of validating a user's identity before they connect to your application. As shown in the diagram below, Access inserts a [JWT](/cloudflare-one/identity/authorization-cookie/application-token/) into the request, which can then be [verified](/cloudflare-one/identity/authorization-cookie/validating-json/#validate-jwts) by the origin server.
+[Cloudflare Access](/cloudflare-one/access-controls/policies/) is an authentication proxy in charge of validating a user's identity before they connect to your application. As shown in the diagram below, Access inserts a [JWT](/cloudflare-one/identity/authorization-cookie/application-token/) into the request, which can then be [verified](/cloudflare-one/identity/authorization-cookie/validating-json/#validate-jwts) by the origin server.
 ![Standard authentication flow for a request to an Access application](~/assets/images/cloudflare-one/applications/access-standard-flow.png)
diff --git a/src/content/docs/cloudflare-one/tutorials/index.mdx b/src/content/docs/cloudflare-one/tutorials/index.mdx
index 47d0a47ec8c3d2..3d7ded06fe5d6a 100644
--- a/src/content/docs/cloudflare-one/tutorials/index.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/index.mdx
@@ -6,7 +6,7 @@ title: Tutorials
 column_text: Category
 column_param: category
 sidebar:
- order: 11
+ order: 12
 head: []
 tableOfContents: false
 description: View tutorials for Cloudflare Zero Trust.
diff --git a/src/content/docs/cloudflare-one/tutorials/kubectl.mdx b/src/content/docs/cloudflare-one/tutorials/kubectl.mdx
index 81ba6ef04f0153..14d8a8ba4c4c9f 100644
--- a/src/content/docs/cloudflare-one/tutorials/kubectl.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/kubectl.mdx
@@ -34,7 +34,7 @@ You can connect to machines over `kubectl` using Cloudflare's Zero Trust platfor
 3. Select **Self-hosted**.
 4. Enter a name for your Access application.
 5. Select **Add public hostname** and input a subdomain. This will be the hostname where your application will be available to users.
-6. [Create a new policy](/cloudflare-one/policies/access/policy-management/) to control who can reach the application, or select existing policies.
+6. [Create a new policy](/cloudflare-one/access-controls/policies/policy-management/) to control who can reach the application, or select existing policies.
 7. Follow the remaining [self-hosted application creation steps](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to publish the application.
 ## Install `cloudflared`
@@ -103,7 +103,7 @@ You can now create a DNS record that will route traffic to this Tunnel. Multiple
 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and go to the **DNS Records** page for your domain.
-
+
 2. Select **Add record**. Choose `CNAME` as the record type. For **Name**, choose the hostname where you want to create a Tunnel. This should match the hostname of the Access policy.
diff --git a/src/content/docs/cloudflare-one/tutorials/m365-dedicated-egress-ips.mdx b/src/content/docs/cloudflare-one/tutorials/m365-dedicated-egress-ips.mdx
index 1fadbc806088c3..4e6da7a65a6346 100644
--- a/src/content/docs/cloudflare-one/tutorials/m365-dedicated-egress-ips.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/m365-dedicated-egress-ips.mdx
@@ -22,7 +22,7 @@ You can map a named location in Microsoft Entra ID to a location associated with
 Make sure you have:
-- In Cloudflare, a Zero Trust Enterprise plan with [dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/)
+- In Cloudflare, a Zero Trust Enterprise plan with [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/)
 - In Microsoft 365, an organization managed with [Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/)
 ## Create an egress policy in Cloudflare Gateway
@@ -31,7 +31,7 @@ Make sure you have:
 2. Select **Add a policy**.
-3. Name your policy, then add conditions to check users are configured in Microsoft Entra ID. For example, you can check for [identity conditions](/cloudflare-one/policies/gateway/identity-selectors/):
+3. Name your policy, then add conditions to check users are configured in Microsoft Entra ID. For example, you can check for [identity conditions](/cloudflare-one/traffic-policies/identity-selectors/):
 | Selector | Operator | Value |
 | ---------------- | -------- | --------------------------------------------- |
diff --git a/src/content/docs/cloudflare-one/tutorials/mongodb-tunnel.mdx b/src/content/docs/cloudflare-one/tutorials/mongodb-tunnel.mdx
index 4a98843e1e922d..2613b280c4f7ea 100644
--- a/src/content/docs/cloudflare-one/tutorials/mongodb-tunnel.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/mongodb-tunnel.mdx
@@ -41,7 +41,7 @@ You can build a rule in Cloudflare Access to control who can connect to your Mon
 5. Select **Add public hostname** and enter the subdomain where users will connect to your deployment (for example, `mongodb.app.com`).
-6. Add [Access policies](/cloudflare-one/policies/access/) to control who can reach the deployment. You can build a policy that allows anyone in your organization to connect or you can build more granular policies based on signals like identity provider groups, [multifactor method](/cloudflare-one/tutorials/okta-u2f/), or [country](/cloudflare-one/policies/access/groups/).
+6. Add [Access policies](/cloudflare-one/access-controls/policies/) to control who can reach the deployment. You can build a policy that allows anyone in your organization to connect or you can build more granular policies based on signals like identity provider groups, [multifactor method](/cloudflare-one/tutorials/okta-u2f/), or [country](/cloudflare-one/access-controls/policies/groups/).
 7. Follow the remaining [self-hosted application creation steps](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to publish the application.
diff --git a/src/content/docs/cloudflare-one/tutorials/mysql-network-policy.mdx b/src/content/docs/cloudflare-one/tutorials/mysql-network-policy.mdx
index 5f405d701212e1..15312aa8b13749 100644
--- a/src/content/docs/cloudflare-one/tutorials/mysql-network-policy.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/mysql-network-policy.mdx
@@ -18,7 +18,7 @@ By the end of this tutorial, users that pass network policies will be able to ac
 Make sure you have:
 - A MySQL database listening for remote connections and configured with users that can connect remotely
-- (Optional)[Resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) enabled on your account
+- (Optional)[Resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) enabled on your account
 ## Create a Cloudflare Tunnel
@@ -40,7 +40,7 @@ The application and (optional) DNS server are now connected to Cloudflare.
 ## Create a Gateway network policy
 1. Go to **Gateway** > **Firewall policies** > **Network**.
-2. Add a [network policy](/cloudflare-one/policies/gateway/network-policies/) that targets the private IP address and the port of the MySQL database (port 3306 by default). The following example allows access to the database to the users that enrolled into WARP using an `@example.com` email address. The network policies can also take into consideration [device posture checks](/cloudflare-one/identity/devices/).
+2. Add a [network policy](/cloudflare-one/traffic-policies/network-policies/) that targets the private IP address and the port of the MySQL database (port 3306 by default). The following example allows access to the database to the users that enrolled into WARP using an `@example.com` email address. The network policies can also take into consideration [device posture checks](/cloudflare-one/identity/devices/).
 | Selector | Operator | Value | Logic | Action |
 | ---------------- | ------------- | --------------- | ----- | ------ |
@@ -60,7 +60,7 @@ To allow users to access the MySQL database using an internal hostname instead o
 2. Select **Add a policy**.
-3. Create an expression to match against the private [domain](/cloudflare-one/policies/gateway/resolver-policies/#domain) or [hostname](/cloudflare-one/policies/gateway/resolver-policies/#host) of the application, like in the following example:
+3. Create an expression to match against the private [domain](/cloudflare-one/traffic-policies/resolver-policies/#domain) or [hostname](/cloudflare-one/traffic-policies/resolver-policies/#host) of the application, like in the following example:
 | Selector | Operator | Value |
 | -------- | -------- | -------------------- |
diff --git a/src/content/docs/cloudflare-one/tutorials/okta-u2f.mdx b/src/content/docs/cloudflare-one/tutorials/okta-u2f.mdx
index 4468b4df4bfe33..387a76f235bacf 100644
--- a/src/content/docs/cloudflare-one/tutorials/okta-u2f.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/okta-u2f.mdx
@@ -14,10 +14,10 @@ Some second factor methods are more resistant to phishing. U2F options require y
 **This tutorial covers how to:**
-* Integrate Cloudflare Access with Okta
-* Configure Okta for U2F enrollment
-* Build an [Access policy](/cloudflare-one/policies/access/) that require users login with a hardware key
-* Specify that policy to apply to certain Access applications
+- Integrate Cloudflare Access with Okta
+- Configure Okta for U2F enrollment
+- Build an [Access policy](/cloudflare-one/access-controls/policies/) that require users login with a hardware key
+- Specify that policy to apply to certain Access applications
 The first two sections of this tutorial link to guides to set up Cloudflare Access and integrate Okta. If you already use Cloudflare Access with Okta, you can skip ahead to the fourth section.
@@ -25,7 +25,7 @@ The first two sections of this tutorial link to guides to set up Cloudflare Acce
 20 minutes
-***
+---
 ## Configure Cloudflare Access
diff --git a/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx b/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx
index 640d14a0b68d39..7faf6ec5b62cf2 100644
--- a/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx
@@ -113,7 +113,7 @@ Your Cloudflare Tunnel will terminate at the AWS VPC using your public hostname.
 3. Select **Self-hosted**.
 4. Enter a name for the application.
 5. Select **Add public hostname** and enter the public hostname used by your Tunnel. For example, `s3-bucket..com`.
-6. Add [Access policies](/cloudflare-one/policies/access/) to determine which users and applications may access your bucket. You can optionally create a [service token](/cloudflare-one/identity/service-tokens/) policy to automatically authenticate access to your S3 bucket.
+6. Add [Access policies](/cloudflare-one/access-controls/policies/) to determine which users and applications may access your bucket. You can optionally create a [service token](/cloudflare-one/identity/service-tokens/) policy to automatically authenticate access to your S3 bucket.
 7. Follow the remaining [self-hosted application creation steps](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to publish the application.
 Users and applications that successfully authenticate via Cloudflare Access can access your S3 bucket at `https://s3-bucket..com`.
@@ -140,7 +140,7 @@ flowchart TB
 ### Prerequisites
-- Cloudflare Zero Trust account with [dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/)
+- Cloudflare Zero Trust account with [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/)
 - S3 bucket to be protected by Cloudflare Zero Trust
 ### 1. Set up a bucket policy to restrict access to a specific IP address
@@ -187,7 +187,7 @@ A bucket website endpoint will be available at `http://.s3-web
 ### 3. Setup a dedicated egress IP policy
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Egress policies**. Select **Add a policy**.
-2. Create a policy that specifies which proxied traffic Gateway should assign a [dedicated egress IP](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/) to. For more information, refer to [Egress policies](/cloudflare-one/policies/gateway/egress-policies/).
+2. Create a policy that specifies which proxied traffic Gateway should assign a [dedicated egress IP](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) to. For more information, refer to [Egress policies](/cloudflare-one/traffic-policies/egress-policies/).
 3. In **Select an egress IP**, choose _Use dedicated Cloudflare egress IPs_. Select the dedicated egress IP defined in your bucket policy.
 4. Select **Create policy**.
diff --git a/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx b/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx
index aac77bcee9700c..29c360336856a4 100644
--- a/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx
@@ -29,7 +29,7 @@ Make sure you have:
 - Created two tunnels [through the dashboard](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/).
 - Routed `10.0.0.0/8` through one tunnel.
 - Routed `192.168.88.0/24` through the other tunnel.
-- Received multiple [dedicated egress IP addresses](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/).
+- Received multiple [dedicated egress IP addresses](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/).
 ## Create a virtual network for each egress route
diff --git a/src/content/docs/cloudflare-one/tutorials/vnc-client-in-browser.mdx b/src/content/docs/cloudflare-one/tutorials/vnc-client-in-browser.mdx
index 25be272008d90a..99d79915112492 100644
--- a/src/content/docs/cloudflare-one/tutorials/vnc-client-in-browser.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/vnc-client-in-browser.mdx
@@ -155,7 +155,7 @@ The last step is to create a Zero Trust application to run your VNC server in th
 5. Select **Add public hostname** and set the domain to which you would like to expose the VNC server.
-6. In **Access policies**, add an Allow or Block policy. For example policies, refer to the [Access policies documentation](/cloudflare-one/policies/access/#allow).
+6. In **Access policies**, add an Allow or Block policy. For example policies, refer to the [Access policies documentation](/cloudflare-one/access-controls/policies/#allow).
 :::note
diff --git a/src/content/docs/cloudflare-one/tutorials/warp-on-headless-linux.mdx b/src/content/docs/cloudflare-one/tutorials/warp-on-headless-linux.mdx
index 309c7ca884c884..d3cd13004cb28c 100644
--- a/src/content/docs/cloudflare-one/tutorials/warp-on-headless-linux.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/warp-on-headless-linux.mdx
@@ -10,7 +10,7 @@ description: >-
 import { Render, GlossaryTooltip } from "~/components";
-This tutorial explains how to deploy the [Cloudflare WARP client](/cloudflare-one/team-and-resources/devices/warp/) on Linux devices using a service token and an installation script. This deployment workflow is designed for headless servers - that is, servers which do not have access to a browser for identity provider logins - and for situations where you want to fully automate the onboarding process. Because devices will not register through an identity provider, [identity-based policies](/cloudflare-one/policies/gateway/identity-selectors/) and logging will be unavailable.
+This tutorial explains how to deploy the [Cloudflare WARP client](/cloudflare-one/team-and-resources/devices/warp/) on Linux devices using a service token and an installation script. This deployment workflow is designed for headless servers - that is, servers which do not have access to a browser for identity provider logins - and for situations where you want to fully automate the onboarding process. Because devices will not register through an identity provider, [identity-based policies](/cloudflare-one/traffic-policies/identity-selectors/) and logging will be unavailable.
 :::note
 This tutorial focuses on deploying WARP as an endpoint device agent. If you are looking to deploy WARP as a gateway to a private network, refer to the [WARP Connector documentation](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/).
diff --git a/src/content/docs/cloudflare-one/video-tutorials.mdx b/src/content/docs/cloudflare-one/video-tutorials.mdx
index 112706edbaf6d0..f76c199bba285e 100644
--- a/src/content/docs/cloudflare-one/video-tutorials.mdx
+++ b/src/content/docs/cloudflare-one/video-tutorials.mdx
@@ -2,7 +2,7 @@ pcx_content_type: navigation
 title: Videos
 sidebar:
- order: 11
+ order: 13
 ---
 import { CardGrid, LinkCard } from "~/components";
diff --git a/src/content/docs/data-localization/compatibility.mdx b/src/content/docs/data-localization/compatibility.mdx index 988aa7e7cc7c06..c73cea72916bed 100644 --- a/src/content/docs/data-localization/compatibility.mdx +++ b/src/content/docs/data-localization/compatibility.mdx @@ -43,7 +43,7 @@ The table below provides a summary of the Data Localization Suite product's beha | Advanced Certificate Manager | ⚫️ | ⚫️ | ⚫️ | | Advanced DDoS Protection | ✅ | ✅ | 🚧 [^3] | | API Shield | ✅ | ✅ | 🚧 [^4] | -| Bot Management | ✅ | ✅ | ✅ | +| Bot Management | ✅ | ✅ | ✅ | | DNS Firewall | ⚫️ | ⚫️ | 🚧 [^22] | | Page Shield | ✅ | ✅ | ✅ | | Rate Limiting | ✅ | ✅ | ✅ [^37] | @@ -84,7 +84,7 @@ The table below provides a summary of the Data Localization Suite product's beha | Static IP/BYOIP | ⚫️ | ✅ [^26] | ⚫️ | | Magic Firewall | ⚫️ | ⚫️ | ✅ | | Magic Network Monitoring | ⚫️ | ⚫️ | 🚧 [^1] | -| Magic Transit | ⚫️ | ⚫️ | ✅ | +| Magic Transit | ⚫️ | ⚫️ | ✅ | | Magic WAN | ⚫️ | ⚫️ | ✅ | | Spectrum | ✅ | ✅ [^42] | ✅ | 
@@ -116,9 +116,9 @@ The table below provides a summary of the Data Localization Suite product's beha [^2]: Regular and Custom Tiered Cache works; Smart Tiered Caching not available with Regional Services. -[^3]: [Adaptive DDoS Protection](/ddos-protection/managed-rulesets/adaptive-protection/) is only supported for CMB = US. All other features are available to all CMB regions. +[^3]: [Adaptive DDoS Protection](/ddos-protection/managed-rulesets/adaptive-protection/) is only supported for CMB = US. All other features are available to all CMB regions. -[^4]: API Discovery, Volumetric Abuse Detection and [Sequence Analytics and Mitigation](/api-shield/security/sequence-analytics/) will not work with CMB = EU. All other features are available to all CMB regions. +[^4]: API Discovery, Volumetric Abuse Detection and [Sequence Analytics and Mitigation](/api-shield/security/sequence-analytics/) will not work with CMB = EU. All other features are available to all CMB regions. [^6]: Only when using a Custom Domain set to a region, either through Workers or [Transform Rules](/images/transform-images/serve-images-custom-paths/) within the same zone. 
@@ -143,12 +143,14 @@ The table below provides a summary of the Data Localization Suite product's beha [^16]: Customer Metadata Boundary can be used to limit data transfer outside region, but Access User Logs will not be available outside US region. EU customers must use Logpush to retain logs. [^17]: Currently may only be used with US FedRAMP region. + [^18]: When Cloudflare Tunnel connects to Cloudflare, the connectivity options available are the Global Region (default) and [US FedRAMP Moderate Domestic region](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#region). For incoming requests to the Cloudflare Edge, Regional Services only applies when using [published applications](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/). In this case, the region associated with the DNS record will apply. + [^19]: Uses Gateway HTTP and CASB. [^20]: You can [bring your own certificate](https://blog.cloudflare.com/bring-your-certificates-cloudflare-gateway/) to Gateway but these cannot yet be restricted to a specific region. -[^21]: Gateway HTTP supports Regional Services. Gateway DNS does not yet support regionalization.
ICMP proxy and WARP-to-WARP proxy are not available to Regional Services users. [File Sandboxing](/cloudflare-one/policies/gateway/http-policies/file-sandboxing/) (add-on) is incompatible with DLS. +[^21]: Gateway HTTP supports Regional Services. Gateway DNS does not yet support regionalization.
ICMP proxy and WARP-to-WARP proxy are not available to Regional Services users. [File Sandboxing](/cloudflare-one/traffic-policies/http-policies/file-sandboxing/) (add-on) is incompatible with DLS. [^22]: Dashboard Analytics and Logs are empty when using CMB outside the US region. Use Logpush instead. @@ -164,7 +166,7 @@ The table below provides a summary of the Data Localization Suite product's beha [^30]: Regular/Generic and Custom Tiered Cache works; Smart Tiered Caching does not work with Customer Metadata Boundary (CMB).
With CMB set to EU, the Zone Dashboard **Caching** > **Tiered Cache** > **Smart Tiered Caching** option will not populate the Dashboard Analytics. -[^31]: DLP is part of Gateway HTTP, however, [DLP detection entries](/cloudflare-one/policies/data-loss-prevention/detection-entries/) are not available outside US region when using Customer Metadata Boundary. +[^31]: DLP is part of Gateway HTTP, however, [DLP detection entries](/cloudflare-one/data-loss-prevention/detection-entries/) are not available outside US region when using Customer Metadata Boundary. [^32]: Dashboard Analytics are empty when using CMB outside the US region. Use Logpush instead. diff --git a/src/content/docs/data-localization/faq.mdx b/src/content/docs/data-localization/faq.mdx index b8d0ff2dc0c671..0fb5ea3ffdfc65 100644 --- a/src/content/docs/data-localization/faq.mdx +++ b/src/content/docs/data-localization/faq.mdx 
@@ -4,21 +4,18 @@ title: FAQs structured_data: true sidebar: order: 9 - --- ## Are DLP and DLS the same? -No, they are not. DLP stands for [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), and it is part of Cloudflare’s Zero Trust offering (requiring Gateway). It allows customers to scan web traffic and SaaS apps for sensitive data like secret keys, financial information (credit card numbers), and other keywords. +No, they are not. DLP stands for [Data Loss Prevention](/cloudflare-one/data-loss-prevention/), and it is part of Cloudflare’s Zero Trust offering (requiring Gateway). It allows customers to scan web traffic and SaaS apps for sensitive data like secret keys, financial information (credit card numbers), and other keywords. [Data Localization Suite](/data-localization/) (DLS) is a suite of features that can provide localization and data residency features. - ## Are Cloudflare’s services GDPR compliant? Yes, even without DLS, Cloudflare services are designed to satisfy the GDPR’s requirements. Cloudflare services are also verified compliant with the EU Cloud CoC, Verification-ID: 2023LVL02SCOPE4316. For further information, visit EU Cloud CoC [public register](https://eucoc.cloud/en/public-register). - ## How can I use DLS? Once you have purchased DLS, the post-sales team will entitle DLS for you, and you will be able to configure all features by yourself via dashboard or API. You can find more specific information under the [Configuration guides](/data-localization/how-to/) section. 
@@ -27,19 +24,16 @@ Once you have purchased DLS, the post-sales team will entitle DLS for you, and y Not yet. - ## Are there other options if I prefer not to have Cloudflare handle TLS termination (decryption)? Yes, you have these options available: -* [Spectrum TCP/UDP Apps](/spectrum/) (without TLS Termination) -* [Magic Transit](/magic-transit/) -* [Privacy Gateway](/privacy-gateway/) +- [Spectrum TCP/UDP Apps](/spectrum/) (without TLS Termination) +- [Magic Transit](/magic-transit/) +- [Privacy Gateway](/privacy-gateway/) These options only offer L3/L4 DDoS protection and using them imply that no application / L7 security or performance services can be applied. ## I have configured [Customer Metadata Boundary](/data-localization/metadata-boundary/) for EU region, I'm accessing the Cloudflare Dashboard from Europe, why am I getting an error `Data not available due to your account's Customer Metadata Boundary configuration`? Based on Internet conditions that vary over time, users may be dynamically steered to a data center that is physically further away. This can be based on a variety of factors, including latency and network congestion. [Out of region access](/data-localization/metadata-boundary/out-of-region-access/) allows requests arriving in the United States to pull Customer Logs from the European Union and vice-versa. The analytics are still exclusively stored in the CMB configured region. - - diff --git a/src/content/docs/data-localization/how-to/zero-trust.mdx b/src/content/docs/data-localization/how-to/zero-trust.mdx index e5ad6008a045c8..0928f14358e234 100644 --- a/src/content/docs/data-localization/how-to/zero-trust.mdx +++ b/src/content/docs/data-localization/how-to/zero-trust.mdx 
@@ -15,25 +15,25 @@ Regional Services can be used with Gateway in all [supported regions](/data-loca
 ### Egress policies
-Enterprise customers can purchase a [dedicated egress IP](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/) (IPv4 and IPv6) or range of IPs geolocated to one or more Cloudflare network locations.
-This allows your egress traffic to geolocate to the city selected in your [egress policies](/cloudflare-one/policies/gateway/egress-policies/).
+Enterprise customers can purchase a [dedicated egress IP](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) (IPv4 and IPv6) or range of IPs geolocated to one or more Cloudflare network locations.
+This allows your egress traffic to geolocate to the city selected in your [egress policies](/cloudflare-one/traffic-policies/egress-policies/).
 ### HTTP policies
-As part of Regional Services, Cloudflare Gateway will only perform [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) when using the [WARP client](/cloudflare-one/team-and-resources/devices/warp/) (in default [Gateway with WARP mode](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/)).
+As part of Regional Services, Cloudflare Gateway will only perform [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) when using the [WARP client](/cloudflare-one/team-and-resources/devices/warp/) (in default [Gateway with WARP mode](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/)).
 {/* TODO: Reintroduce */} {/* */}
 #### Data Loss Prevention (DLP)
-You are able to [log the payload of matched DLP rules](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules) and encrypt them with your public key so that only you can examine them later.
+You are able to [log the payload of matched DLP rules](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules) and encrypt them with your public key so that only you can examine them later.
-[Cloudflare cannot decrypt encrypted payloads](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#data-privacy).
+[Cloudflare cannot decrypt encrypted payloads](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#data-privacy).
 ### Network policies
-You are able to [configure SSH proxy and command logs](/cloudflare-one/policies/gateway/network-policies/ssh-logging/). Generate a Hybrid Public Key Encryption (HPKE) key pair and upload the public key `sshkey.pub` to your dashboard. All proxied SSH commands are immediately encrypted using this public key. The matching private key – which is in your possession – is required to view logs.
+You are able to [configure SSH proxy and command logs](/cloudflare-one/traffic-policies/network-policies/ssh-logging/). Generate a Hybrid Public Key Encryption (HPKE) key pair and upload the public key `sshkey.pub` to your dashboard. All proxied SSH commands are immediately encrypted using this public key. The matching private key – which is in your possession – is required to view logs.
 ### DNS policies
diff --git a/src/content/docs/dns/internal-dns/connectivity.mdx b/src/content/docs/dns/internal-dns/connectivity.mdx
index a12680d45e088b..db6883526dd3da 100644
--- a/src/content/docs/dns/internal-dns/connectivity.mdx
+++ b/src/content/docs/dns/internal-dns/connectivity.mdx
@@ -9,10 +9,10 @@ sidebar:
 To connect to Cloudflare Gateway resolver - which is [required to reach private resources in Internal DNS](/dns/internal-dns/#architecture-overview) - you can use the following options:
 - DNS endpoints supported with [DNS locations](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/)
- - DNS over UDP/TCP port 53 (IPv4 or IPv6)
- - DNS over TLS
- - DNS over HTTPS
+ - DNS over UDP/TCP port 53 (IPv4 or IPv6)
+ - DNS over TLS
+ - DNS over HTTPS
 - [Proxy Auto-Configuration (PAC) files](/cloudflare-one/team-and-resources/devices/agentless/pac-files/)
 - [WARP device client](/cloudflare-one/team-and-resources/devices/warp/)
-- [Clientless browser isolation](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/#filter-dns-queries)
-- [Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/)
\ No newline at end of file
+- [Clientless browser isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/#filter-dns-queries)
+- [Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/)
diff --git a/src/content/docs/dns/internal-dns/dns-views.mdx b/src/content/docs/dns/internal-dns/dns-views.mdx
index 2acd8ccf000f19..9fad406da039f4 100644
--- a/src/content/docs/dns/internal-dns/dns-views.mdx
+++ b/src/content/docs/dns/internal-dns/dns-views.mdx
@@ -8,7 +8,7 @@ sidebar:
 import { Details, Render, Tabs, TabItem, DashButton } from "~/components";
-Internal DNS views are logical groupings of [internal DNS zones](/dns/internal-dns/internal-zones/). As explained in the [architecture overview](/dns/internal-dns/#architecture-overview), DNS views are referenced by [Gateway resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) to define how a specific query should be resolved.
+Internal DNS views are logical groupings of [internal DNS zones](/dns/internal-dns/internal-zones/). As explained in the [architecture overview](/dns/internal-dns/#architecture-overview), DNS views are referenced by [Gateway resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) to define how a specific query should be resolved.
 Refer to the sections below for details on how to manage your DNS views, or consider the [get started](/dns/internal-dns/get-started/) for a complete workflow.
diff --git a/src/content/docs/dns/internal-dns/get-started.mdx b/src/content/docs/dns/internal-dns/get-started.mdx
index 9d6b60c4d6ee71..9f6dfe1ea3c401 100644
--- a/src/content/docs/dns/internal-dns/get-started.mdx
+++ b/src/content/docs/dns/internal-dns/get-started.mdx
@@ -5,7 +5,14 @@ sidebar:
 order: 2
 ---
-import { TabItem, Tabs, Details, Example, Render, DashButton } from "~/components";
+import {
+ TabItem,
+ Tabs,
+ Details,
+ Example,
+ Render,
+ DashButton,
+} from "~/components";
 Follow this guide to get started with Internal DNS.
@@ -13,7 +20,7 @@ Follow this guide to get started with Internal DNS.
-- Make sure you have an Enterprise account with access to [Gateway resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) and [Internal DNS](/dns/internal-dns/).
+- Make sure you have an Enterprise account with access to [Gateway resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) and [Internal DNS](/dns/internal-dns/).
 - Consider the different ways in which you can [connect to Gateway resolver](/dns/internal-dns/connectivity/).
 - If you will be using an API token for authentication, make sure you have the following permissions:
@@ -128,7 +135,7 @@ Besides selecting an internal DNS view when setting up your resolver policies, y
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Resolver policies**.
 2. Select **Add a policy** and enter a name and description.
-3. Create an expression for the traffic you wish to route. For guidance about selectors, operators, and values, refer to [Gateway](/cloudflare-one/policies/gateway/resolver-policies/#selectors).
+3. Create an expression for the traffic you wish to route. For guidance about selectors, operators, and values, refer to [Gateway](/cloudflare-one/traffic-policies/resolver-policies/#selectors).
 4. Select **Use Internal DNS**. Choose the view that queries matching the expression should be sent to.
 5. (Optional) Adjust the option to **fallback through public DNS** according to your use case.
@@ -139,7 +146,7 @@ Besides selecting an internal DNS view when setting up your resolver policies, y
-Use the API endpoints under [Zero Trust > Gateway > Rules](/api/resources/zero_trust/subresources/gateway/subresources/rules/) to set up resolver policies. For guidance about selectors, operators, and values, refer to [Gateway](/cloudflare-one/policies/gateway/resolver-policies/#selectors).
+Use the API endpoints under [Zero Trust > Gateway > Rules](/api/resources/zero_trust/subresources/gateway/subresources/rules/) to set up resolver policies. For guidance about selectors, operators, and values, refer to [Gateway](/cloudflare-one/traffic-policies/resolver-policies/#selectors).
 Use the rule settings object to define `resolve_dns_internally`, specifying `view_id` and `fallback` option. The fallback options behave as follows:
diff --git a/src/content/docs/dns/internal-dns/index.mdx b/src/content/docs/dns/internal-dns/index.mdx
index b24de676646826..ecb365c032d9f7 100644
--- a/src/content/docs/dns/internal-dns/index.mdx
+++ b/src/content/docs/dns/internal-dns/index.mdx
@@ -30,7 +30,7 @@ import {
-Manage DNS records that should only be accessible within your private network. Internal DNS [zones](/dns/internal-dns/internal-zones/) and [views](/dns/internal-dns/dns-views/) pair up with [Gateway resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) so that you can control how a DNS query should be responded to according to query context, such as query source IP.
+Manage DNS records that should only be accessible within your private network. Internal DNS [zones](/dns/internal-dns/internal-zones/) and [views](/dns/internal-dns/dns-views/) pair up with [Gateway resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) so that you can control how a DNS query should be responded to according to query context, such as query source IP.
@@ -118,7 +118,7 @@ In this example, a query for `ghi.example.local` routed to view ID 111 would go
 Set up policies to inspect DNS, Network, HTTP, and Egress traffic.
diff --git a/src/content/docs/dns/internal-dns/internal-zones/index.mdx b/src/content/docs/dns/internal-dns/internal-zones/index.mdx
index ad7e7ac2e2c036..378d2e22607c5b 100644
--- a/src/content/docs/dns/internal-dns/internal-zones/index.mdx
+++ b/src/content/docs/dns/internal-dns/internal-zones/index.mdx
@@ -14,8 +14,8 @@ Internal DNS zones are groupings of internal DNS records. While [public DNS reco
 Refer to [Manage internal zones](/dns/internal-dns/internal-zones/setup/) for a full list of configuration conditions and step-by-step instructions.
-Internal DNS zones do not get assigned Cloudflare nameservers and can only be queried via [Cloudflare Gateway](/cloudflare-one/policies/gateway/resolver-policies/) when linked to a [DNS view](/dns/internal-dns/dns-views/). The Gateway configuration must exist within the same Cloudflare account where the internal zone exists.
+Internal DNS zones do not get assigned Cloudflare nameservers and can only be queried via [Cloudflare Gateway](/cloudflare-one/traffic-policies/resolver-policies/) when linked to a [DNS view](/dns/internal-dns/dns-views/). The Gateway configuration must exist within the same Cloudflare account where the internal zone exists.
 ## Resources
- 
\ No newline at end of file
+ 
diff --git a/src/content/docs/email-security/email-configuration/email-policies/link-actions.mdx b/src/content/docs/email-security/email-configuration/email-policies/link-actions.mdx
index 6a5bcc48afb46e..ad1d5b24a32975 100644
--- a/src/content/docs/email-security/email-configuration/email-policies/link-actions.mdx
+++ b/src/content/docs/email-security/email-configuration/email-policies/link-actions.mdx
@@ -22,7 +22,7 @@ To update or create a new disposition action:
 ## Email Link Isolation
-Email Link Isolation rewrites links that could be exploited, alerts users when there is uncertainty around the website they are visiting, and protects against malware and vulnerabilities through [Cloudflare Browser Isolation](/cloudflare-one/policies/browser-isolation/).
+Email Link Isolation rewrites links that could be exploited, alerts users when there is uncertainty around the website they are visiting, and protects against malware and vulnerabilities through [Cloudflare Browser Isolation](/cloudflare-one/remote-browser-isolation/).
 When you enable Email Link Isolation, the service rewrites links in emails and opens them in a browser tab where all page contents are fetched and rendered on a remote server. When this feature is enabled, any malware that might be present in a web page or email link is isolated at the server level, and will not infect and compromise the client network at the endpoint.
@@ -55,7 +55,7 @@ Email Link Isolation is now enabled.
 :::note
-Email Link Isolation does not have advanced configuration options. If you need more fine-grained control over what users can do in an isolated browser session, you must have a Cloudflare Zero Trust account and make your changes on [Browser Isolation](/cloudflare-one/policies/browser-isolation/).
+Email Link Isolation does not have advanced configuration options. If you need more fine-grained control over what users can do in an isolated browser session, you must have a Cloudflare Zero Trust account and make your changes on [Browser Isolation](/cloudflare-one/remote-browser-isolation/).
 :::
 ## URL rewrite ignore patterns
diff --git a/src/content/docs/fundamentals/manage-members/roles.mdx b/src/content/docs/fundamentals/manage-members/roles.mdx
index 4a58afc95291db..6e790eeadc5a92 100644
--- a/src/content/docs/fundamentals/manage-members/roles.mdx
+++ b/src/content/docs/fundamentals/manage-members/roles.mdx
@@ -14,94 +14,92 @@ Whenever you [add a new member](/fundamentals/manage-members/manage/) to your ac
 Account-scoped roles apply across an entire Cloudflare account, and through all domains in that account.
-| Role | Description |
-| ------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Administrator | Can access the full account and edit subscriptions. Cannot manage memberships nor billing profile. |
-| Super Administrator - All Privileges | Can edit any Cloudflare setting, make purchases, update billing, and manage memberships. Super Administrators can revoke the access of other Super Administrators. |
-| Administrator Read Only | Can access the full account in read-only mode. |
-| Analytics | Can read Analytics. |
-| API Gateway | Grants full access to [API Gateway (including API Shield)](/api-shield/) for all domains in an account. |
-| API Gateway Read | Grants read access to [API Gateway (including API Shield)](/api-shield/) for all domains in an account. |
-| Audit Logs Viewer | Can view [Audit Logs](/fundamentals/account/account-security/review-audit-logs/). |
-| Bot Management (Account-wide) | Can edit [Bot Management](/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/)) configurations for all domains in account. |
-| Billing | Can edit the account's [billing profile](/billing/create-billing-profile/) and subscriptions |
-| Cloudflare Access | Can edit [Cloudflare Access](/cloudflare-one/policies/access/) and [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/).
|
-| Cache Purge | Can purge the edge cache and allows the reading of zone settings. |
-| Cloudflare DEX | Can edit [Cloudflare DEX](/cloudflare-one/insights/dex/). |
-| Cloudflare Gateway | Can edit [Cloudflare Gateway](/cloudflare-one/policies/gateway/) and read [Access](/cloudflare-one/identity/). |
-| Cloudflare Images | Can access [Cloudflare Images](/images/) data. |
-| Cloudflare R2 Admin | Can edit Cloudflare [R2](/r2/) buckets, objects, and associated configurations. |
-| Cloudflare R2 Read | Can read Cloudflare [R2](/r2/) buckets, objects, and associated configurations. |
-| Cloudflare Stream | Can edit [Cloudflare Stream](/stream/) media. |
-| Cloudflare Zero Trust | Can edit [Cloudflare Zero Trust](/cloudflare-one/). Grants administrator access to all Zero Trust products including Access, Gateway, WARP, Tunnel, Browser Isolation, CASB, DLP, DEX, and Email Security. |
-| Cloudflare Zero Trust DNS Locations Write | Can view [Gateway DNS locations](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/#secure-dns-locations) and create and edit [secure DNS locations](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/#secure-dns-locations). |
-| Cloudflare Zero Trust PII | Can access [Cloudflare Zero Trust](/cloudflare-one/) PII. |
-| Cloudflare Zero Trust Read Only | Can access [Cloudflare Zero Trust](/cloudflare-one/) read only mode. |
-| Cloudflare Zero Trust Reporting | Can access [Cloudflare Zero Trust](/cloudflare-one/) reporting data. |
-| DNS | Can edit [DNS records](/dns/manage-dns-records/). |
-| Email Configuration Admin | Grants administrator access to Email Security. Cannot take actions on emails, or read emails. |
-| Email Integration Admin | Grants read and write access to integrations only. |
-| Email Security Analyst | Grants analyst access. Can take action on emails and read emails. |
-| Email Security Read Only | Grants read only access to all of Email Security.
|
-| Email Security Reporting | Grants read access to Email Security metrics. |
-| Email Security Policy Admin | Grants read access to all settings, and write access to [allow policies](/cloudflare-one/email-security/detection-settings/allow-policies/), [trusted domains](/cloudflare-one/email-security/detection-settings/trusted-domains/), and [blocked senders](/cloudflare-one/email-security/detection-settings/blocked-senders/) |
-| Firewall | Can edit [WAF](/waf/), [IP Access rules](/waf/tools/ip-access-rules/), [Zone Lockdown](/waf/tools/zone-lockdown/) settings, and [Cache Rules](/cache/how-to/cache-rules/). |
-| Load Balancer | Can edit [Load Balancers](/load-balancing/), Pools, Origins, and Health Checks. |
-| Log Share | Can edit [Log Share](/logs/) configuration. |
-| Log Share Reader | Can read Enterprise [Log Share](/logs/). |
-| Magic Network Monitoring | Can view and edit [MNM configuration](/magic-network-monitoring/). |
-| Magic Network Monitoring Admin | Can view, edit, create, and delete [MNM configuration](/magic-network-monitoring/). |
-| Magic Network Monitoring Read-Only | Can view [MNM configuration](/magic-network-monitoring/). |
-| Network Services Write (Magic) | Grants write access to network configurations for Magic services. Magic Tunnel health checks require the Analytics role for non-admin users. |
-| Network Services Read (Magic) | Grants read access to network configurations for Magic services. Magic Tunnel health checks require the Analytics role for non-admin users. |
-| Minimal Account Access | Can view account, and nothing else. |
-| Page Shield | Grants write access to [Page Shield](/page-shield/) across the whole account. |
-| Page Shield Read | Grants read access to [Page Shield](/page-shield/) across the whole account. |
-| Hyperdrive Read | Grants read access to [Hyperdrive](/hyperdrive/) database configuration. |
-| Hyperdrive Admin | Grants write access to [Hyperdrive](/hyperdrive/) database configuration.
|
-| SSL/TLS, Caching, Performance, Page Rules, and Customization | Can edit most Cloudflare settings except for [DNS](/dns/) and [Firewall](/waf/). |
-| Secrets Store Admin | Can create, edit, duplicate, delete, and view secrets metadata. Can also [add a Secrets Store binding to a Worker](/secrets-store/integrations/workers/). |
-| Secrets Store Deployer | Can view secrets metadata but cannot create, edit, duplicate, nor delete secrets. Can also [add a Secrets Store binding to a Worker](/secrets-store/integrations/workers/). |
-| Secrets Store Reporter | Can view secrets metadata. Cannot perform any actions (create, edit, duplicate, delete secrets), nor add a Secrets Store binding to a Worker. |
-| Security Center Brand Protection | Can access the Brand Protection feature on the API and Cloudflare dashboard. Brand Protection role also gives you access to the Investigate platform. |
-| Security Center Cloudforce One Admin | Grants write access to [Cloudforce One](/security-center/cloudforce-one/). |
-| Security Center Cloudforce One Read | Grants read access to [Cloudforce One](/security-center/cloudforce-one/), and cannot create and/or edit RFIs or PIRs. |
-| Trust and Safety | Can access trust and safety related services. |
-| Turnstile | Grants full access to [Turnstile](/turnstile/). |
-| Turnstile Read | Grants read access to [Turnstile](/turnstile/). |
-| Vectorize Admin | Can edit [Vectorize](/vectorize/) configurations. |
-| Vectorize Read only | Can read [Vectorize](/vectorize/) configurations. |
-| Waiting Room Admin | Can edit [Waiting Room](/waiting-room/) configuration. |
-| Waiting Room Read | Can read [Waiting Room](/waiting-room/) configuration.
|
+| Role | Description |
+| ------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Administrator | Can access the full account and edit subscriptions. Cannot manage memberships nor billing profile. |
+| Super Administrator - All Privileges | Can edit any Cloudflare setting, make purchases, update billing, and manage memberships. Super Administrators can revoke the access of other Super Administrators. |
+| Administrator Read Only | Can access the full account in read-only mode. |
+| Analytics | Can read Analytics. |
+| API Gateway | Grants full access to [API Gateway (including API Shield)](/api-shield/) for all domains in an account. |
+| API Gateway Read | Grants read access to [API Gateway (including API Shield)](/api-shield/) for all domains in an account. |
+| Audit Logs Viewer | Can view [Audit Logs](/fundamentals/account/account-security/review-audit-logs/). |
+| Bot Management (Account-wide) | Can edit [Bot Management](/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/)) configurations for all domains in account. |
+| Billing | Can edit the account's [billing profile](/billing/create-billing-profile/) and subscriptions |
+| Cloudflare Access | Can edit [Cloudflare Access](/cloudflare-one/access-controls/policies/) and [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/). |
+| Cache Purge | Can purge the edge cache and allows the reading of zone settings. |
+| Cloudflare DEX | Can edit [Cloudflare DEX](/cloudflare-one/insights/dex/).
|
+| Cloudflare Gateway | Can edit [Cloudflare Gateway](/cloudflare-one/traffic-policies/) and read [Access](/cloudflare-one/identity/). |
+| Cloudflare Images | Can access [Cloudflare Images](/images/) data. |
+| Cloudflare R2 Admin | Can edit Cloudflare [R2](/r2/) buckets, objects, and associated configurations. |
+| Cloudflare R2 Read | Can read Cloudflare [R2](/r2/) buckets, objects, and associated configurations. |
+| Cloudflare Stream | Can edit [Cloudflare Stream](/stream/) media. |
+| Cloudflare Zero Trust | Can edit [Cloudflare Zero Trust](/cloudflare-one/). Grants administrator access to all Zero Trust products including Access, Gateway, WARP, Tunnel, Browser Isolation, CASB, DLP, DEX, and Email Security. |
+| Cloudflare Zero Trust DNS Locations Write | Can view [Gateway DNS locations](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/#secure-dns-locations) and create and edit [secure DNS locations](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/#secure-dns-locations). |
+| Cloudflare Zero Trust PII | Can access [Cloudflare Zero Trust](/cloudflare-one/) PII. |
+| Cloudflare Zero Trust Read Only | Can access [Cloudflare Zero Trust](/cloudflare-one/) read only mode. |
+| Cloudflare Zero Trust Reporting | Can access [Cloudflare Zero Trust](/cloudflare-one/) reporting data. |
+| DNS | Can edit [DNS records](/dns/manage-dns-records/). |
+| Email Configuration Admin | Grants administrator access to Email Security. Cannot take actions on emails, or read emails. |
+| Email Integration Admin | Grants read and write access to integrations only. |
+| Email Security Analyst | Grants analyst access. Can take action on emails and read emails. |
+| Email Security Read Only | Grants read only access to all of Email Security. |
+| Email Security Reporting | Grants read access to Email Security metrics.
|
+| Email Security Policy Admin | Grants read access to all settings, and write access to [allow policies](/cloudflare-one/email-security/detection-settings/allow-policies/), [trusted domains](/cloudflare-one/email-security/detection-settings/trusted-domains/), and [blocked senders](/cloudflare-one/email-security/detection-settings/blocked-senders/) |
+| Firewall | Can edit [WAF](/waf/), [IP Access rules](/waf/tools/ip-access-rules/), [Zone Lockdown](/waf/tools/zone-lockdown/) settings, and [Cache Rules](/cache/how-to/cache-rules/). |
+| Load Balancer | Can edit [Load Balancers](/load-balancing/), Pools, Origins, and Health Checks. |
+| Log Share | Can edit [Log Share](/logs/) configuration. |
+| Log Share Reader | Can read Enterprise [Log Share](/logs/). |
+| Magic Network Monitoring | Can view and edit [MNM configuration](/magic-network-monitoring/). |
+| Magic Network Monitoring Admin | Can view, edit, create, and delete [MNM configuration](/magic-network-monitoring/). |
+| Magic Network Monitoring Read-Only | Can view [MNM configuration](/magic-network-monitoring/). |
+| Network Services Write (Magic) | Grants write access to network configurations for Magic services. Magic Tunnel health checks require the Analytics role for non-admin users. |
+| Network Services Read (Magic) | Grants read access to network configurations for Magic services. Magic Tunnel health checks require the Analytics role for non-admin users. |
+| Minimal Account Access | Can view account, and nothing else. |
+| Page Shield | Grants write access to [Page Shield](/page-shield/) across the whole account. |
+| Page Shield Read | Grants read access to [Page Shield](/page-shield/) across the whole account. |
+| Hyperdrive Read | Grants read access to [Hyperdrive](/hyperdrive/) database configuration. |
+| Hyperdrive Admin | Grants write access to [Hyperdrive](/hyperdrive/) database configuration.
|
+| SSL/TLS, Caching, Performance, Page Rules, and Customization | Can edit most Cloudflare settings except for [DNS](/dns/) and [Firewall](/waf/). |
+| Secrets Store Admin | Can create, edit, duplicate, delete, and view secrets metadata. Can also [add a Secrets Store binding to a Worker](/secrets-store/integrations/workers/). |
+| Secrets Store Deployer | Can view secrets metadata but cannot create, edit, duplicate, nor delete secrets. Can also [add a Secrets Store binding to a Worker](/secrets-store/integrations/workers/). |
+| Secrets Store Reporter | Can view secrets metadata. Cannot perform any actions (create, edit, duplicate, delete secrets), nor add a Secrets Store binding to a Worker. |
+| Security Center Brand Protection | Can access the Brand Protection feature on the API and Cloudflare dashboard. Brand Protection role also gives you access to the Investigate platform. |
+| Security Center Cloudforce One Admin | Grants write access to [Cloudforce One](/security-center/cloudforce-one/). |
+| Security Center Cloudforce One Read | Grants read access to [Cloudforce One](/security-center/cloudforce-one/), and cannot create and/or edit RFIs or PIRs. |
+| Trust and Safety | Can access trust and safety related services. |
+| Turnstile | Grants full access to [Turnstile](/turnstile/). |
+| Turnstile Read | Grants read access to [Turnstile](/turnstile/). |
+| Vectorize Admin | Can edit [Vectorize](/vectorize/) configurations. |
+| Vectorize Read only | Can read [Vectorize](/vectorize/) configurations. |
+| Waiting Room Admin | Can edit [Waiting Room](/waiting-room/) configuration. |
+| Waiting Room Read | Can read [Waiting Room](/waiting-room/) configuration.
|
 | Workers Platform Admin | Grants edit and read access to all products typically used as part of Cloudflare's Developer Platform, including [Workers](/workers/), [Pages](/pages/), [Durable Objects](/durable-objects/), [KV](/kv/), [R2](/r2/), Zones, [Zone Analytics](/analytics/account-and-zone-analytics/zone-analytics/) and [Page Rules](/rules/). Cloudflare may add additional read-only permissions to this role as new products are introduced. |
-| Workers Platform (Read-only) | Grants read-only access to all products typically used as part of Cloudflare's Developer Platform, including [Workers](/workers/), [Pages](/pages/), [Durable Objects](/durable-objects/), [KV](/kv/), [R2](/r2/), Zones, [Zone Analytics](/analytics/account-and-zone-analytics/zone-analytics/) and [Page Rules](/rules/). Cloudflare may add additional read-only permissions to this role as new products are introduced. |
-| Zaraz Admin | Can edit and publish [Zaraz](/zaraz/) configuration. |
-| Zaraz Edit | Can edit [Zaraz](/zaraz/) configuration. |
-| Zaraz Read | Can read [Zaraz](/zaraz/) configuration. |
-| Zone Versioning (Account-Wide) | Can view and edit [Zone Versioning](/version-management/) for all domains in account. |
-| Zone Versioning Read (Account-Wide) | Can view [Zone Versioning](/version-management/) for all domains in account. |
+| Workers Platform (Read-only) | Grants read-only access to all products typically used as part of Cloudflare's Developer Platform, including [Workers](/workers/), [Pages](/pages/), [Durable Objects](/durable-objects/), [KV](/kv/), [R2](/r2/), Zones, [Zone Analytics](/analytics/account-and-zone-analytics/zone-analytics/) and [Page Rules](/rules/). Cloudflare may add additional read-only permissions to this role as new products are introduced. |
+| Zaraz Admin | Can edit and publish [Zaraz](/zaraz/) configuration. |
+| Zaraz Edit | Can edit [Zaraz](/zaraz/) configuration. |
+| Zaraz Read | Can read [Zaraz](/zaraz/) configuration.
|
+| Zone Versioning (Account-Wide) | Can view and edit [Zone Versioning](/version-management/) for all domains in account. |
+| Zone Versioning Read (Account-Wide) | Can view [Zone Versioning](/version-management/) for all domains in account. |
 ## Domain-scoped roles
 Domain-scoped roles apply for a given domain within an account.
-| Role | Description |
-| ------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Bot Management | Can edit [Bot Management](/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/)) configurations. |
-| Cache Domain Purge | Grants access to [purge the edge cache](/cache/how-to/purge-cache/) for a specific domain and allows the reading of zone settings. |
-| Domain Administrator | Grants full access to domains in an account, and read-only access to account-wide [Firewall](/waf/account/managed-rulesets/deploy-dashboard/), [Access](/cloudflare-one/policies/access/), and [Worker](/workers/) resources. |
-| Domain Administrator Read Only | Grants read-only access to domains in an account, as well as account-wide [Firewall](/waf/account/managed-rulesets/deploy-dashboard/), [Access](/cloudflare-one/policies/access/), and [Worker](/workers/) resources. |
-| Domain API Gateway | Grants full access to API Gateway (including [API Shield](/api-shield/)). |
-| Domain API Gateway Read | Grants read access to API Gateway (including [API Shield](/api-shield/)). |
-| Domain DNS | Grants access to edit [DNS settings](/dns/) for domains in an account. |
-| Domain Page Shield | Grants write access to [Page Shield](/page-shield/) for domains in an account. |
-| Domain Page Shield Read | Grants read access to [Page Shield](/page-shield/) for domains in an account.
|
-| Domain Waiting Room Admin | Can edit [waiting rooms](/waiting-room/) configuration. |
-| Domain Waiting Room Read | Can read [waiting rooms](/waiting-room/) configuration. |
-| Zone Versioning | Grants full access to [Zone Versioning](/version-management/). |
-| Zone Versioning Read | Grants read-only access to [Zone Versioning](/version-management/). |
-
-
+| Role | Description |
+| ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Bot Management | Can edit [Bot Management](/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/)) configurations. |
+| Cache Domain Purge | Grants access to [purge the edge cache](/cache/how-to/purge-cache/) for a specific domain and allows the reading of zone settings. |
+| Domain Administrator | Grants full access to domains in an account, and read-only access to account-wide [Firewall](/waf/account/managed-rulesets/deploy-dashboard/), [Access](/cloudflare-one/access-controls/policies/), and [Worker](/workers/) resources. |
+| Domain Administrator Read Only | Grants read-only access to domains in an account, as well as account-wide [Firewall](/waf/account/managed-rulesets/deploy-dashboard/), [Access](/cloudflare-one/access-controls/policies/), and [Worker](/workers/) resources. |
+| Domain API Gateway | Grants full access to API Gateway (including [API Shield](/api-shield/)). |
+| Domain API Gateway Read | Grants read access to API Gateway (including [API Shield](/api-shield/)). |
+| Domain DNS | Grants access to edit [DNS settings](/dns/) for domains in an account. |
+| Domain Page Shield | Grants write access to [Page Shield](/page-shield/) for domains in an account.
|
+| Domain Page Shield Read | Grants read access to [Page Shield](/page-shield/) for domains in an account. |
+| Domain Waiting Room Admin | Can edit [waiting rooms](/waiting-room/) configuration. |
+| Domain Waiting Room Read | Can read [waiting rooms](/waiting-room/) configuration. |
+| Zone Versioning | Grants full access to [Zone Versioning](/version-management/). |
+| Zone Versioning Read | Grants read-only access to [Zone Versioning](/version-management/). |
 ## Resource-scoped roles
@@ -111,8 +109,8 @@ Resource-scoped roles apply for a specific resource within an account.
 Resource-scoped roles is currently in Beta.
 :::
-| Role | Description |
-| ------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Cloudflare Access App Admin | Grants full access to a specific Access Application in an account. |
-| Cloudflare Access Identity Provider Admin | Grants full access to a specific Access identity provider(IdP) in an account. |
-| Access for Infrastructure Target Admin | Grants full access to a specific Access for Infrastructure. Target in an account | |
+| Role | Description |
+| ----------------------------------------- | -------------------------------------------------------------------------------- | --- |
+| Cloudflare Access App Admin | Grants full access to a specific Access Application in an account. |
+| Cloudflare Access Identity Provider Admin | Grants full access to a specific Access identity provider(IdP) in an account. |
+| Access for Infrastructure Target Admin | Grants full access to a specific Access for Infrastructure. Target in an account | |
diff --git a/src/content/docs/fundamentals/organizations.mdx b/src/content/docs/fundamentals/organizations.mdx
index 755d31791761e4..228f70809ded72 100644
--- a/src/content/docs/fundamentals/organizations.mdx
+++ b/src/content/docs/fundamentals/organizations.mdx
@@ -54,7 +54,7 @@ You can also view specific data associated with your HTTP traffic by adding opti
 ## Shared Configurations
-Create and enforce global policies across your organization or sub-organization with [WAF Custom Rulesets](/waf/custom-rules/) and [Gateway policies](/cloudflare-one/policies/gateway/).
+Create and enforce global policies across your organization or sub-organization with [WAF Custom Rulesets](/waf/custom-rules/) and [Gateway policies](/cloudflare-one/traffic-policies/).
 By utilizing shared configurations, you can define a WAF custom ruleset that can apply to one or more accounts to be managed in a single place.
@@ -71,5 +71,5 @@ Rename your organization and add or edit customer identification data related to
 ### Edit customer identification data
 1. Select **Organizations** > **Manage Organization**.
-2. From **Customer identification data**, select **Edit**.
-3. Enter the information in the text fields and select **Save**.
\ No newline at end of file
+2. From **Customer identification data**, select **Edit**.
+3. Enter the information in the text fields and select **Save**.
diff --git a/src/content/docs/fundamentals/performance/maintenance-mode.mdx b/src/content/docs/fundamentals/performance/maintenance-mode.mdx
index 7944d863acfe5d..28480099e3bf5e 100644
--- a/src/content/docs/fundamentals/performance/maintenance-mode.mdx
+++ b/src/content/docs/fundamentals/performance/maintenance-mode.mdx
@@ -1,7 +1,6 @@
 ---
 title: Maintenance mode
 pcx_content_type: how-to
-
 ---
 If you need to make large changes to your website, you may want to make your site temporarily unavailable.
@@ -24,7 +23,7 @@ Certain customization and queue options depend on your [plan](/waiting-room/plan
 ### All plans
-Users on all plans can [create an Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/). Make sure to limit your [Access policy](/cloudflare-one/policies/access/policy-management/#create-a-policy) to only include yourself and any collaborators.
+Users on all plans can [create an Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/). Make sure to limit your [Access policy](/cloudflare-one/access-controls/policies/policy-management/#create-a-policy) to only include yourself and any collaborators.
 If needed, you can also further [customize the login page](/cloudflare-one/applications/login-page).
diff --git a/src/content/docs/fundamentals/reference/network-layers.mdx b/src/content/docs/fundamentals/reference/network-layers.mdx
index f969a729e12195..ffbcbf94fb9e57 100644
--- a/src/content/docs/fundamentals/reference/network-layers.mdx
+++ b/src/content/docs/fundamentals/reference/network-layers.mdx
@@ -1,7 +1,6 @@
 ---
 pcx_content_type: concept
 title: Network Layers
-
 ---
 Below is a list of the different layers that makes up the [open systems interconnection (OSI) model](https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/) and the associated Cloudflare products.
@@ -12,12 +11,12 @@ The list of related products is representative but not comprehensive.
 :::
-| Network layer | Protocol and related products |
-| -------------------- | ------------------------- |
-| 7 Application layer | **HTTP, DNS**
[Authoritative DNS](/dns), [Bot Management](/bots), [CDN](/cache/), [Cloudflare Access](/cloudflare-one/policies/access/), [Cloudflare Gateway](/cloudflare-one/policies/gateway/) (outbound only), [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/), [Load Balancing](/load-balancing/understand-basics/proxy-modes/), [Stream](/stream/), [WAF](/waf/) |
-| 6 Presentation layer | |
-| 5 Session layer | |
-| 4 Transport layer | **TCP/UDP**
[Argo Smart Routing](/argo-smart-routing/), [Cloudflare Gateway](/cloudflare-one/policies/gateway/) (outbound only), [Load Balancing](/load-balancing/understand-basics/proxy-modes/), [Spectrum](/spectrum/) |
-| 3 Network layer | **IP, GRE, any packet/protocol**
[Magic Firewall](/magic-firewall), [Magic Transit](/magic-transit), [Magic WAN](/magic-wan) |
-| 2 Datalink layer | **Direct connection**
[Cloudflare Network Interconnect (CNI)](/network-interconnect) |
-| 1 Physical layer | **Direct connection**
[Cloudflare Network Interconnect (CNI)](/network-interconnect) |
+| Network layer | Protocol and related products |
+| -------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 7 Application layer | **HTTP, DNS**
[Authoritative DNS](/dns), [Bot Management](/bots), [CDN](/cache/), [Cloudflare Access](/cloudflare-one/access-controls/policies/), [Cloudflare Gateway](/cloudflare-one/traffic-policies/) (outbound only), [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/), [Load Balancing](/load-balancing/understand-basics/proxy-modes/), [Stream](/stream/), [WAF](/waf/) |
+| 6 Presentation layer | |
+| 5 Session layer | |
+| 4 Transport layer | **TCP/UDP**
[Argo Smart Routing](/argo-smart-routing/), [Cloudflare Gateway](/cloudflare-one/traffic-policies/) (outbound only), [Load Balancing](/load-balancing/understand-basics/proxy-modes/), [Spectrum](/spectrum/) |
+| 3 Network layer | **IP, GRE, any packet/protocol**
[Magic Firewall](/magic-firewall), [Magic Transit](/magic-transit), [Magic WAN](/magic-wan) |
+| 2 Datalink layer | **Direct connection**
[Cloudflare Network Interconnect (CNI)](/network-interconnect) |
+| 1 Physical layer | **Direct connection**
[Cloudflare Network Interconnect (CNI)](/network-interconnect) |
diff --git a/src/content/docs/fundamentals/reference/policies-compliances/cybersafe.mdx b/src/content/docs/fundamentals/reference/policies-compliances/cybersafe.mdx
index 68eb55b3679e6f..e2cb88347ce7d8 100644
--- a/src/content/docs/fundamentals/reference/policies-compliances/cybersafe.mdx
+++ b/src/content/docs/fundamentals/reference/policies-compliances/cybersafe.mdx
@@ -1,12 +1,11 @@
 ---
 pcx_content_type: reference
 title: Project Cybersafe Schools
-
 ---
-import { Render } from "~/components"
+import { Render } from "~/components";
-Project Cybersafe Schools grants eligible schools with free access to Cloudflare's [Email Security](/email-security/) and [Gateway](/cloudflare-one/policies/gateway/) products.
+Project Cybersafe Schools grants eligible schools with free access to Cloudflare's [Email Security](/email-security/) and [Gateway](/cloudflare-one/traffic-policies/) products.
 ## School Eligibility
diff --git a/src/content/docs/fundamentals/security/recovering-from-hacked-site.mdx b/src/content/docs/fundamentals/security/recovering-from-hacked-site.mdx
index f82a8b47f24bc1..20045148aa1f20 100644
--- a/src/content/docs/fundamentals/security/recovering-from-hacked-site.mdx
+++ b/src/content/docs/fundamentals/security/recovering-from-hacked-site.mdx
@@ -2,7 +2,6 @@
 pcx_content_type: troubleshooting
 source: https://support.cloudflare.com/hc/en-us/articles/203020124-Recovering-from-a-hacked-site
 title: Recovering from a hacked site
-
 ---
 If your website has been hacked recently, review the recommended steps below to recover a hacked website and prevent future hacks.
@@ -11,19 +10,19 @@ If your website has been hacked recently, review the recommended steps below to
 To recover from an attack, reach out to your hosting provider to request:
-* Details about the hack, including how they believe the site was hacked.
-* That your hosting provider remove any malicious content placed on your website.
+- Details about the hack, including how they believe the site was hacked.
+- That your hosting provider remove any malicious content placed on your website.
 Once the hack has been resolved, you should resolve site warnings in [Google Webmaster Tools](https://www.google.com/webmasters/tools) and resubmit your site for Google's review.
-***
+---
 ## Preventing and mitigating the risks of a future hack
 To prevent the risk of a hacked site:
-* Activate Cloudflare's [WAF managed rules](/waf/managed-rules/) so they can challenge or block known malicious behavior.
-* If you use a Content Management System (CMS), make sure you have the most recent version installed (CMS platforms push out updates to address known vulnerabilities).
-* If you use plugins, make sure they are updated.
-* If you have an admin login page, protect it with Cloudflare's [Rate limiting rules](/waf/rate-limiting-rules/) or a [Cloudflare Access policy](/cloudflare-one/policies/access/).
-* Use a backup service so you can avoid losing valid content.
+- Activate Cloudflare's [WAF managed rules](/waf/managed-rules/) so they can challenge or block known malicious behavior.
+- If you use a Content Management System (CMS), make sure you have the most recent version installed (CMS platforms push out updates to address known vulnerabilities).
+- If you use plugins, make sure they are updated.
+- If you have an admin login page, protect it with Cloudflare's [Rate limiting rules](/waf/rate-limiting-rules/) or a [Cloudflare Access policy](/cloudflare-one/access-controls/policies/).
+- Use a backup service so you can avoid losing valid content.
diff --git a/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx b/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx
index dd0af7dc87126a..494519e30b1a4f 100644
--- a/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx
+++ b/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx
@@ -9,14 +9,14 @@ sidebar:
 import { TabItem, Tabs, Render, Steps, Details } from "~/components";
-Hyperdrive can securely connect to your private databases using [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/) and [Cloudflare Access](/cloudflare-one/policies/access/).
+Hyperdrive can securely connect to your private databases using [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/) and [Cloudflare Access](/cloudflare-one/access-controls/policies/).
 ## How it works
 When your database is isolated within a private network (such as a [virtual private cloud](https://www.cloudflare.com/learning/cloud/what-is-a-virtual-private-cloud) or an on-premise network), you must enable a secure connection from your network to Cloudflare.
 - [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/) is used to establish the secure tunnel connection.
-- [Cloudflare Access](/cloudflare-one/policies/access/) is used to restrict access to your tunnel such that only specific Hyperdrive configurations can access it.
+- [Cloudflare Access](/cloudflare-one/access-controls/policies/) is used to restrict access to your tunnel such that only specific Hyperdrive configurations can access it.
 A request from the Cloudflare Worker to the origin database goes through Hyperdrive, Cloudflare Access, and the Cloudflare Tunnel established by `cloudflared`. `cloudflared` must be running in the private network in which your database is accessible.
@@ -60,9 +60,9 @@ If you are setting up the tunnel through the CLI instead ([locally-managed tunne
 ## 2. Create and configure Hyperdrive to connect to the Cloudflare Tunnel
-To restrict access to the Cloudflare Tunnel to Hyperdrive, a [Cloudflare Access application](/cloudflare-one/applications/) must be configured with a [Policy](/cloudflare-one/policies/) that requires requests to contain a valid [Service Auth token](/cloudflare-one/policies/access/#service-auth).
+To restrict access to the Cloudflare Tunnel to Hyperdrive, a [Cloudflare Access application](/cloudflare-one/applications/) must be configured with a [Policy](/cloudflare-one/traffic-policies/) that requires requests to contain a valid [Service Auth token](/cloudflare-one/access-controls/policies/#service-auth).
-The Cloudflare dashboard can automatically create and configure the underlying [Cloudflare Access application](/cloudflare-one/applications/), [Service Auth token](/cloudflare-one/policies/access/#service-auth), and [Policy](/cloudflare-one/policies/) on your behalf. Alternatively, you can manually create the Access application and configure the Policies.
+The Cloudflare dashboard can automatically create and configure the underlying [Cloudflare Access application](/cloudflare-one/applications/), [Service Auth token](/cloudflare-one/access-controls/policies/#service-auth), and [Policy](/cloudflare-one/traffic-policies/) on your behalf. Alternatively, you can manually create the Access application and configure the Policies.
@@ -87,6 +87,7 @@ Create a Hyperdrive configuration in the Cloudflare dashboard to automatically c
 The service token will be used to restrict requests to the tunnel, and is needed for the next step.
+
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Service auth** > **Service Tokens**.
 2. Select **Create Service Token**.
@@ -102,11 +103,12 @@ The service token will be used to restrict requests to the tunnel, and is needed
 :::caution
 This is the only time Cloudflare Access will display the Client Secret. If you lose the Client Secret, you must regenerate the service token.
 :::
+
 ### 2.2. (Manual) Create an Access application to secure the tunnel
-[Cloudflare Access](/cloudflare-one/policies/access/) will be used to verify that requests to the tunnel originate from Hyperdrive using the service token created above.
+[Cloudflare Access](/cloudflare-one/access-controls/policies/) will be used to verify that requests to the tunnel originate from Hyperdrive using the service token created above.
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
@@ -142,6 +144,7 @@ The service token will be used to restrict requests to the tunnel, and is needed
 16. Select **Next**.
 17. Save the application.
+
 ### 2.3. (Manual) Create a Hyperdrive configuration
@@ -213,7 +216,7 @@ Now, deploy your Worker:
 npx wrangler deploy
 ```
-If you successfully receive the list of `pg_tables` from your database when you access your deployed Worker, your Hyperdrive has now been configured to securely connect to a private database using [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/) and [Cloudflare Access](/cloudflare-one/policies/access/).
+If you successfully receive the list of `pg_tables` from your database when you access your deployed Worker, your Hyperdrive has now been configured to securely connect to a private database using [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/) and [Cloudflare Access](/cloudflare-one/access-controls/policies/).
@@ -228,7 +231,7 @@ Now, deploy your Worker:
 npx wrangler deploy
 ```
-If you successfully receive the list of tables from your database when you access your deployed Worker, your Hyperdrive has now been configured to securely connect to a private database using [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/) and [Cloudflare Access](/cloudflare-one/policies/access/).
+If you successfully receive the list of tables from your database when you access your deployed Worker, your Hyperdrive has now been configured to securely connect to a private database using [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/) and [Cloudflare Access](/cloudflare-one/access-controls/policies/).
diff --git a/src/content/docs/learning-paths/clientless-access/access-application/best-practices.mdx b/src/content/docs/learning-paths/clientless-access/access-application/best-practices.mdx
index d42c5bb6757943..32e86bf5dde144 100644
--- a/src/content/docs/learning-paths/clientless-access/access-application/best-practices.mdx
+++ b/src/content/docs/learning-paths/clientless-access/access-application/best-practices.mdx
@@ -3,20 +3,19 @@ title: Best practices
 pcx_content_type: overview
 sidebar:
 order: 2
-
 ---
-import { Render } from "~/components"
+import { Render } from "~/components";
 Learn best practices for building scalable Access applications and policies.
 ## Create reusable policy components
-If you have many policies that contain duplicate rules, we recommend [building a rule group](/cloudflare-one/policies/access/groups/) and referencing it across multiple policies. For example, you could define a rule group for "corporate users", which has both device posture check requirements and specific emails, or just “developers”, which references a group in your identity provider.
+If you have many policies that contain duplicate rules, we recommend [building a rule group](/cloudflare-one/access-controls/policies/groups/) and referencing it across multiple policies. For example, you could define a rule group for "corporate users", which has both device posture check requirements and specific emails, or just “developers”, which references a group in your identity provider.
 ## Define your domain structure
-Access applications have an inherently flexible and powerful domain structure capability. Your domain structure should achieve your application security goals without being overly permissive or overly restrictive. Before designing applications for production, review the [Application paths documentation](/cloudflare-one/policies/access/app-paths/) to understand how path definitions work and how to use wildcards.
+Access applications have an inherently flexible and powerful domain structure capability. Your domain structure should achieve your application security goals without being overly permissive or overly restrictive. Before designing applications for production, review the [Application paths documentation](/cloudflare-one/access-controls/policies/app-paths/) to understand how path definitions work and how to use wildcards.
 ### Multiple domains in an application
diff --git a/src/content/docs/learning-paths/clientless-access/access-application/create-access-app.mdx b/src/content/docs/learning-paths/clientless-access/access-application/create-access-app.mdx
index cb00cfbae1c502..6576968fa7b644 100644
--- a/src/content/docs/learning-paths/clientless-access/access-application/create-access-app.mdx
+++ b/src/content/docs/learning-paths/clientless-access/access-application/create-access-app.mdx
@@ -3,17 +3,19 @@ title: Create an Access application
 pcx_content_type: overview
 sidebar:
 order: 1
-
 ---
-import { Render } from "~/components"
+import { Render } from "~/components";
-Cloudflare Access allows you to securely publish internal tools and applications to the Internet by providing an authentication layer between the end user and your origin server. You can use signals from your existing identity providers (IdPs), device posture providers, and [other rules](/cloudflare-one/policies/access/#selectors) to control who can access your application.
+Cloudflare Access allows you to securely publish internal tools and applications to the Internet by providing an authentication layer between the end user and your origin server. You can use signals from your existing identity providers (IdPs), device posture providers, and [other rules](/cloudflare-one/access-controls/policies/#selectors) to control who can access your application.
 Each application can have multiple policies with different constraints depending on what user group is accessing the application. For example, you can create one policy that requires corporate users to present specific device posture checks or mutual TLS authentication events, and a second policy for contractors which does not require these attributes.
 ## Add your application to Access
-
+
 When users go to the application, they will be prompted to login with your identity provider.
diff --git a/src/content/docs/learning-paths/clientless-access/advanced-workflows/external-evaluation.mdx b/src/content/docs/learning-paths/clientless-access/advanced-workflows/external-evaluation.mdx
index 447f77d14b840d..a8c8142d3cd286 100644
--- a/src/content/docs/learning-paths/clientless-access/advanced-workflows/external-evaluation.mdx
+++ b/src/content/docs/learning-paths/clientless-access/advanced-workflows/external-evaluation.mdx
@@ -3,19 +3,18 @@ title: External Evaluation rules
 pcx_content_type: overview
 sidebar:
 order: 1
-
 ---
 With Cloudflare Access, you can build infinitely customizable policies using External Evaluation rules. External Evaluation rules allow you to call any API during the evaluation of an Access policy and authenticate users based on custom business logic. Example use cases include:
-* Customize policies based on time of day.
-* Check IP addresses against external threat feeds.
-* Call industry-specific user registries.
+- Customize policies based on time of day.
+- Check IP addresses against external threat feeds.
+- Call industry-specific user registries.
 The External Evaluation rule requires two values: an API endpoint to call and a key to verify that any request response is coming from a trusted source. After the user authenticates with your identity provider, all information about the user, device and location is passed to your external API. The API returns a pass or fail response to Access which will then either allow or deny access to the user.
 ## Set up External Evaluation rule
-For detailed setup instructions, refer to [External Evaluation rules](/cloudflare-one/policies/access/external-evaluation/).
+For detailed setup instructions, refer to [External Evaluation rules](/cloudflare-one/access-controls/policies/external-evaluation/).
 Example code for the API is available in our [open-source repository](https://github.com/cloudflare/workers-access-external-auth-example).
diff --git a/src/content/docs/learning-paths/clientless-access/advanced-workflows/isolate-application.mdx b/src/content/docs/learning-paths/clientless-access/advanced-workflows/isolate-application.mdx
index 6d28e9abe69511..2d9f978017d7d6 100644
--- a/src/content/docs/learning-paths/clientless-access/advanced-workflows/isolate-application.mdx
+++ b/src/content/docs/learning-paths/clientless-access/advanced-workflows/isolate-application.mdx
@@ -12,12 +12,12 @@ import { Render, TabItem, Tabs } from "~/components";
 Requires the Browser Isolation add-on.
 :::
-[Cloudflare Browser Isolation](/cloudflare-one/policies/browser-isolation/) integrates with your web-delivered Access applications to protect sensitive applications from data loss. You can build Access policies that require certain users to access your application exclusively through Browser Isolation, while other users matching different policies continue to access the application directly. For example, you may wish to layer on additional security measures for third-party contractors or other users without a corporate device.
+[Cloudflare Browser Isolation](/cloudflare-one/remote-browser-isolation/) integrates with your web-delivered Access applications to protect sensitive applications from data loss. You can build Access policies that require certain users to access your application exclusively through Browser Isolation, while other users matching different policies continue to access the application directly. For example, you may wish to layer on additional security measures for third-party contractors or other users without a corporate device.
-Cloudflare sends all isolated traffic through our Secure Web Gateway inspection engine, which allows you to apply [Gateway HTTP policies](/cloudflare-one/policies/gateway/http-policies/) such as:
+Cloudflare sends all isolated traffic through our Secure Web Gateway inspection engine, which allows you to apply [Gateway HTTP policies](/cloudflare-one/traffic-policies/http-policies/) such as:
 - Restrict specific actions and HTTP request methods.
-- Inspect the request body to match against [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/) (DLP) profiles with as much specificity and control as if the user had deployed an endpoint agent.
+- Inspect the request body to match against [Data Loss Prevention](/cloudflare-one/data-loss-prevention/) (DLP) profiles with as much specificity and control as if the user had deployed an endpoint agent.
 - Control users ability to cut and paste, upload and download files, or print while in an isolated session.
 ## Prerequisites
@@ -239,7 +239,7 @@ Block users on unmanaged devices from downloading files that contain credit card
 | Selector | Operator | Value | Logic | Action |
 | -------------------------------------------------------------------------- | -------- | -------------------------- | ----- | ------ |
 | Host | in | `internal.site.com` | And | Block |
-| [DLP Profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/) | in | _Financial Information_ | And | |
+| [DLP Profile](/cloudflare-one/data-loss-prevention/dlp-profiles/) | in | _Financial Information_ | And | |
 | Passed Device Posture Checks | not in | _Corporate serial numbers_ | | |
diff --git a/src/content/docs/learning-paths/clientless-access/alternative-onramps/clientless-rbi.mdx b/src/content/docs/learning-paths/clientless-access/alternative-onramps/clientless-rbi.mdx
index d1965e7d5fd929..57b617d65a67d3 100644
--- a/src/content/docs/learning-paths/clientless-access/alternative-onramps/clientless-rbi.mdx
+++ b/src/content/docs/learning-paths/clientless-access/alternative-onramps/clientless-rbi.mdx
@@ -11,7 +11,7 @@ sidebar:
 Requires the Browser Isolation add-on.
 :::
-[Clientless Web Isolation](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/) allows you to on-ramp user traffic to your private network without needing to install the WARP client. Users access private applications by going to a prefixed URL:
+[Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) allows you to on-ramp user traffic to your private network without needing to install the WARP client. Users access private applications by going to a prefixed URL:
 `https://.cloudflareaccess.com/browser/`
diff --git a/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-create-test-policy.mdx b/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-create-test-policy.mdx
index 8dbc01cf6c0113..96fe5a3b8552fa 100644
--- a/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-create-test-policy.mdx
+++ b/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-create-test-policy.mdx
@@ -18,7 +18,7 @@ To ensure a smooth deployment, we recommend testing a simple policy before deplo
 :::note
-When testing against frequently-visited sites, you may need to [clear the DNS cache](/cloudflare-one/policies/gateway/dns-policies/test-dns-filtering/#clear-dns-cache) in your browser or OS. Otherwise, the DNS lookup will return the locally-cached IP address and bypass your DNS policies.
+When testing against frequently-visited sites, you may need to [clear the DNS cache](/cloudflare-one/traffic-policies/dns-policies/test-dns-filtering/#clear-dns-cache) in your browser or OS. Otherwise, the DNS lookup will return the locally-cached IP address and bypass your DNS policies.
 :::
 You have now validated DNS filtering!
diff --git a/src/content/docs/learning-paths/holistic-ai-security/build-security-policies/set-policy-approval.mdx b/src/content/docs/learning-paths/holistic-ai-security/build-security-policies/set-policy-approval.mdx
index 0c0316f0c1da90..5595d8b1bb78ab 100644
--- a/src/content/docs/learning-paths/holistic-ai-security/build-security-policies/set-policy-approval.mdx
+++ b/src/content/docs/learning-paths/holistic-ai-security/build-security-policies/set-policy-approval.mdx
@@ -22,7 +22,7 @@ If you use specific AI tools within your organization, you may want to create po
 5. For **Action**, select **Allow**.
 6. Select **Create policy**.
-For more information, refer to [Block unauthorized applications](/cloudflare-one/policies/gateway/http-policies/common-policies/#block-unauthorized-applications).
+For more information, refer to [Block unauthorized applications](/cloudflare-one/traffic-policies/http-policies/common-policies/#block-unauthorized-applications).
 ## Create a Gateway policy to redirect users towards approved AI tools
@@ -53,7 +53,7 @@ Cloudflare Workers are an easy method to stand up custom user coaching pages. Th
 2. Enter the URL to the approved application you want to redirect the user to use instead.
 7. Select **Create policy**.
-For more information, refer to [Configure policy block behavior](/cloudflare-one/policies/gateway/block-page/#configure-policy-block-behavior).
+For more information, refer to [Configure policy block behavior](/cloudflare-one/traffic-policies/block-page/#configure-policy-block-behavior).
 ## Capture prompts to prevent data loss
@@ -79,7 +79,7 @@ You can build policies that enable Prompt Capture for AI applications in specifi
 ## Configure Gateway to use ChatGPT workspace header
-If your organization uses [ChatGPT Business](https://chatgpt.com/business/), you can configure a Gateway policy to enforce the use of your organization's workspace ID, ensuring all traffic to ChatGPT is correctly associated with your account. This will implement Gateway [tenant control](/cloudflare-one/policies/gateway/http-policies/tenant-control/), which lets you manage how users interact with specific applications.
+If your organization uses [ChatGPT Business](https://chatgpt.com/business/), you can configure a Gateway policy to enforce the use of your organization's workspace ID, ensuring all traffic to ChatGPT is correctly associated with your account. This will implement Gateway [tenant control](/cloudflare-one/traffic-policies/http-policies/tenant-control/), which lets you manage how users interact with specific applications.
 To create this policy, you will add a custom HTTP header to your Gateway policy. This header, `Chatgpt-Allowed-Workspace-Id`, ensures that only requests with your organization's unique workspace ID are permitted.
diff --git a/src/content/docs/learning-paths/holistic-ai-security/monitor-ai-use/monitor-prompts-responses.mdx b/src/content/docs/learning-paths/holistic-ai-security/monitor-ai-use/monitor-prompts-responses.mdx
index a3fc81c4a5c361..99f114af803589 100644
--- a/src/content/docs/learning-paths/holistic-ai-security/monitor-ai-use/monitor-prompts-responses.mdx
+++ b/src/content/docs/learning-paths/holistic-ai-security/monitor-ai-use/monitor-prompts-responses.mdx
@@ -6,11 +6,11 @@ sidebar:
 order: 4
 ---
-When you enable [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#turn-on-tls-decryption), you can review the prompts and responses for supported AI applications. This allows you to understand three key things about AI application usage:
+When you enable [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#turn-on-tls-decryption), you can review the prompts and responses for supported AI applications. This allows you to understand three key things about AI application usage:
 - The sanctioned and unsanctioned AI tools your users are engaging with.
 - How they are interacting with them.
 - What information they are sharing.
 ![Log entry for a prompt detected using AI prompt protection.](~/assets/images/learning-paths/holistic-ai-security/gateway-prompt-log.png)
-You can use this in conjunction with [DLP profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/) to detect sensitive data potentially being used in prompts, with or without explicitly blocking the action. You can use DLP to log AI prompt topics by turning on [Capture generative AI prompt content in logs](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#turn-on-ai-prompt-content-logging-for-a-dlp-policy) for the policy.
\ No newline at end of file
+You can use this in conjunction with [DLP profiles](/cloudflare-one/data-loss-prevention/dlp-profiles/) to detect sensitive data potentially being used in prompts, with or without explicitly blocking the action. You can use DLP to log AI prompt topics by turning on [Capture generative AI prompt content in logs](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#turn-on-ai-prompt-content-logging-for-a-dlp-policy) for the policy.
\ No newline at end of file
diff --git a/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx b/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx
index fcc1c679a80e0f..a9ec3b5c72ef60 100644
--- a/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx
+++ b/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx
@@ -13,12 +13,12 @@ Some common mTLS use cases are:
 - Protect and verify legitimate API traffic by verifying Client Certificates provided during TLS/SSL handshakes.
 - Check IoT devices' identity by verifying Client Certificates they provide during TLS/SSL handshakes.
-There are two main ways to use mTLS at Cloudflare, either by using the Application Security offering (optionally including [API Shield](/api-shield/)) or [Cloudflare Access](/cloudflare-one/policies/access/). Below is a non-exhaustive overview table of their differences:
+There are two main ways to use mTLS at Cloudflare, either by using the Application Security offering (optionally including [API Shield](/api-shield/)) or [Cloudflare Access](/cloudflare-one/access-controls/policies/). Below is a non-exhaustive overview table of their differences:
-| Feature | Application Security (Client Certificate \+ WAF) | Cloudflare Access (mTLS) |
-| :-------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Mainly used for | External Authentication (that is, APIs) | Internal Authentication (that is, employees) |
-| Availability | By default, 100 Client
Certificates per Zone are included for free. For more certificates or [API Shield features](/api-shield/), contact your account team. | Zero Trust Enterprise only feature. |
-| [Certificate Authority (CA)](/ssl/concepts/#certificate-authority-ca) | Cloudflare-managed or customer-uploaded (BYO CA). There's a soft-limit of up to [five customer-uploaded CAs](/ssl/client-certificates/byo-ca/#availability). | Customer-uploaded only (BYO CA). There's a soft-limit of up to [50 CAs](/cloudflare-one/account-limits/#access). |
-| Client Certificate Details | Forwarded to the origin server via [Cloudflare API](/ssl/client-certificates/forward-a-client-certificate/#cloudflare-api), [Cloudflare Workers](/ssl/client-certificates/forward-a-client-certificate/#cloudflare-workers), and [Managed Transforms](/ssl/client-certificates/forward-a-client-certificate/#managed-transforms). | Forwarded to the origin server via [Cloudflare API](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-api), [Cloudflare Workers](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-workers), and [Managed Transforms](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#managed-transforms). Client Certificate headers and [Cf-Access-Jwt-Assertion](/cloudflare-one/identity/authorization-cookie/validating-json/) JWT header can be forwarded to the origin server. |
-| Client Certificates Revocation | Use the WAF [Custom Rules](/waf/custom-rules/) to check for [_cf.tls_client_auth.cert_revoked_](/ssl/client-certificates/revoke-client-certificate/), which only applies to Cloudflare-managed CA.

For BYO CAs, it would be the same approach as with Cloudflare Access. | Generate a [Certificate Revocation List (CRL)](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#create-a-crl) and enforce the revocation in a Cloudflare Worker. |
+| Feature | Application Security (Client Certificate \+ WAF) | Cloudflare Access (mTLS) |
+| :-------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Mainly used for | External Authentication (that is, APIs) | Internal Authentication (that is, employees) |
+| Availability | By default, 100 Client Certificates per Zone are included for free. For more certificates or [API Shield features](/api-shield/), contact your account team. | Zero Trust Enterprise only feature. |
+| [Certificate Authority (CA)](/ssl/concepts/#certificate-authority-ca) | Cloudflare-managed or customer-uploaded (BYO CA). There's a soft-limit of up to [five customer-uploaded CAs](/ssl/client-certificates/byo-ca/#availability). | Customer-uploaded only (BYO CA). There's a soft-limit of up to [50 CAs](/cloudflare-one/account-limits/#access).
|
+| Client Certificate Details | Forwarded to the origin server via [Cloudflare API](/ssl/client-certificates/forward-a-client-certificate/#cloudflare-api), [Cloudflare Workers](/ssl/client-certificates/forward-a-client-certificate/#cloudflare-workers), and [Managed Transforms](/ssl/client-certificates/forward-a-client-certificate/#managed-transforms). | Forwarded to the origin server via [Cloudflare API](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-api), [Cloudflare Workers](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-workers), and [Managed Transforms](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#managed-transforms). Client Certificate headers and [Cf-Access-Jwt-Assertion](/cloudflare-one/identity/authorization-cookie/validating-json/) JWT header can be forwarded to the origin server. |
+| Client Certificates Revocation | Use the WAF [Custom Rules](/waf/custom-rules/) to check for [_cf.tls_client_auth.cert_revoked_](/ssl/client-certificates/revoke-client-certificate/), which only applies to Cloudflare-managed CA.

For BYO CAs, it would be the same approach as with Cloudflare Access. | Generate a [Certificate Revocation List (CRL)](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#create-a-crl) and enforce the revocation in a Cloudflare Worker. |
diff --git a/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx b/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx
index 143375138a0ba0..99a0e50c38b07f 100644
--- a/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx
+++ b/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx
@@ -9,7 +9,7 @@ sidebar:
 This requires an active Enterprise [Account](/fundamentals/concepts/accounts-and-zones/) with Cloudflare Access enabled.
 :::
-Setting up [mTLS](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/) with [Cloudflare Access](/cloudflare-one/policies/access/) can help in cases where the customer:
+Setting up [mTLS](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/) with [Cloudflare Access](/cloudflare-one/access-controls/policies/) can help in cases where the customer:
 - Already has existing Client Certificates on devices.
 - Needs to protect Access applications with [Bring Your Own CA (BYOCA)](/ssl/client-certificates/byo-ca/).
@@ -114,7 +114,7 @@ Additionally, authenticated requests also send the `Cf-Access-Jwt-Assertion\` JW ## 4. Create the self-hosted applications -Finally, the hostname you want to protect with mTLS needs to be added as a [self-hosted app](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) in Cloudflare Access, defining an [Access Policy](/cloudflare-one/policies/access/) which uses the action [Service Auth](/cloudflare-one/policies/access/#service-auth) and the Selector _"Valid Certificate"_, or simply requiring an [IdP](/cloudflare-one/integrations/identity-providers/) authentication. You can also take advantage of extra requirements, such as the "Common Name" (CN), which expects the indicated hostname, and more [Selectors](/cloudflare-one/policies/access/#selectors). Alternatively, one can also [extend ZTNA with external authorization and serverless computing](/reference-architecture/diagrams/sase/augment-access-with-serverless/). +Finally, the hostname you want to protect with mTLS needs to be added as a [self-hosted app](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) in Cloudflare Access, defining an [Access Policy](/cloudflare-one/access-controls/policies/) which uses the action [Service Auth](/cloudflare-one/access-controls/policies/#service-auth) and the Selector _"Valid Certificate"_, or simply requiring an [IdP](/cloudflare-one/integrations/identity-providers/) authentication. You can also take advantage of extra requirements, such as the "Common Name" (CN), which expects the indicated hostname, and more [Selectors](/cloudflare-one/access-controls/policies/#selectors). Alternatively, one can also [extend ZTNA with external authorization and serverless computing](/reference-architecture/diagrams/sase/augment-access-with-serverless/). ## Demo 
diff --git a/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx b/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx
index 70f425d91a1301..d97fc6c3d66311 100644
--- a/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx
+++ b/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx
@@ -50,41 +50,42 @@ For DNS policies, you will need to enable the block page on a per-policy basis. -1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): - - `Zero Trust Write` - -2. Choose a DNS policy with a Block action. - -3. In the policy's [`rule_settings`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_gateway_policy), turn on `block_page_enabled`. If you have configured a [custom Gateway block page](/cloudflare-one/policies/gateway/block-page/#customize-the-block-page), you can optionally show an additional `block_reason` when traffic is blocked by this policy. - - ```tf - resource "cloudflare_zero_trust_gateway_policy" "dns_block_security_categories" { - name = "Block DNS Security Categories" - enabled = true - account_id = var.cloudflare_account_id - description = "Managed by Terraform - Generic security policy based on Cloudflare Threat Intelligence categories." - precedence = 101 - action = "block" - filters = ["dns"] - /* Categories being enabled here: - - 80: "Command and Control & Botnet" - - 83: "Cryptomining" - - 117: "Malware" - - 131: "Phishing" - - 153: "Spyware" - - 175: "DNS Tunneling" - - 176: "DGA Domains" - - 178: "Brand Embedding" - */ - traffic = "any(dns.security_category[*] in {80 83 117 131 153 175 176 178})" - identity = "" - - rule_settings = { - block_page_enabled = true - block_reason = "This domain has been flagged as a potential security risk." // Adds an additional message to the custom block page. Requires enabling custom block page in cloudflare_zero_trust_gateway_settings. - } - } - ``` +1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): + - `Zero Trust Write` + +2. Choose a DNS policy with a Block action. + +3. 
In the policy's [`rule_settings`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_gateway_policy), turn on `block_page_enabled`. If you have configured a [custom Gateway block page](/cloudflare-one/traffic-policies/block-page/#customize-the-block-page), you can optionally show an additional `block_reason` when traffic is blocked by this policy. + + ```tf + resource "cloudflare_zero_trust_gateway_policy" "dns_block_security_categories" { + name = "Block DNS Security Categories" + enabled = true + account_id = var.cloudflare_account_id + description = "Managed by Terraform - Generic security policy based on Cloudflare Threat Intelligence categories." + precedence = 101 + action = "block" + filters = ["dns"] + /* Categories being enabled here: + - 80: "Command and Control & Botnet" + - 83: "Cryptomining" + - 117: "Malware" + - 131: "Phishing" + - 153: "Spyware" + - 175: "DNS Tunneling" + - 176: "DGA Domains" + - 178: "Brand Embedding" + */ + traffic = "any(dns.security_category[*] in {80 83 117 131 153 175 176 178})" + identity = "" + + rule_settings = { + block_page_enabled = true + block_reason = "This domain has been flagged as a potential security risk." // Adds an additional message to the custom block page. Requires enabling custom block page in cloudflare_zero_trust_gateway_settings. + } + } + ``` + 
@@ -105,4 +106,4 @@ Client notifications provide additional functionality over the [custom block pag - Client notifications work with network policies, which means you can surface feedback for all partial actions on user traffic including blocking a specific port, file upload, or protocol. -- Client notifications allow you to direct users to a unique link per individual policy. For example, you could link users to your organization's acceptable use policy, data protection policy, or any existing IT troubleshooting infrastructure. If no infrastructure for this exists within your organization, you can quickly deploy an HTML site on [Cloudflare Pages](/pages/), put the site behind a [Cloudflare Access policy](/cloudflare-one/policies/access/), and provide dynamic feedback based on the identity and device posture values found in the user's [Access JWT](/cloudflare-one/identity/authorization-cookie/application-token/). +- Client notifications allow you to direct users to a unique link per individual policy. For example, you could link users to your organization's acceptable use policy, data protection policy, or any existing IT troubleshooting infrastructure. If no infrastructure for this exists within your organization, you can quickly deploy an HTML site on [Cloudflare Pages](/pages/), put the site behind a [Cloudflare Access policy](/cloudflare-one/access-controls/policies/), and provide dynamic feedback based on the identity and device posture values found in the user's [Access JWT](/cloudflare-one/identity/authorization-cookie/application-token/). diff --git a/src/content/docs/learning-paths/replace-vpn/build-policies/create-policy.mdx b/src/content/docs/learning-paths/replace-vpn/build-policies/create-policy.mdx index 95d37e862f9caa..ecc8d0b472c5ff 100644 --- a/src/content/docs/learning-paths/replace-vpn/build-policies/create-policy.mdx +++ b/src/content/docs/learning-paths/replace-vpn/build-policies/create-policy.mdx 
@@ -9,9 +9,9 @@ import { TabItem, Tabs } from "~/components"; To ensure holistic security precautions, we recommend securing each distinct private application with at least two policies: -- A [Gateway DNS policy](/cloudflare-one/policies/gateway/dns-policies/) with the appropriate identity and device posture values, targeting the domain list that defines your application. Policy enforcement happens at the request resolution event, before the user’s device makes a connection request to the application itself; if denied here, no traffic will reach your private network. +- A [Gateway DNS policy](/cloudflare-one/traffic-policies/dns-policies/) with the appropriate identity and device posture values, targeting the domain list that defines your application. Policy enforcement happens at the request resolution event, before the user’s device makes a connection request to the application itself; if denied here, no traffic will reach your private network. -- A [Gateway network policy](/cloudflare-one/policies/gateway/network-policies/) with the same identity and device posture values as the DNS policy, targeting the IP list that defines your application. You can optionally include the domain list by matching the SNI header. Then, you can include any combinations of ports or protocols that are relevant for application access. Network policy enforcement happens after the user passes the DNS policy, when the user's device attempts to connect to the target application. +- A [Gateway network policy](/cloudflare-one/traffic-policies/network-policies/) with the same identity and device posture values as the DNS policy, targeting the IP list that defines your application. You can optionally include the domain list by matching the SNI header. Then, you can include any combinations of ports or protocols that are relevant for application access. 
Network policy enforcement happens after the user passes the DNS policy, when the user's device attempts to connect to the target application. ## Create a Gateway policy @@ -252,8 +252,8 @@ resource "cloudflare_zero_trust_gateway_policy" "network_catch_all" { -Network policies are evaluated in [top-down order](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence), so if a user does not match an explicitly defined policy for an application, they will be blocked. -To learn how multiple policies interact, refer to [Order of enforcement](/cloudflare-one/policies/gateway/order-of-enforcement/). +Network policies are evaluated in [top-down order](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence), so if a user does not match an explicitly defined policy for an application, they will be blocked. +To learn how multiple policies interact, refer to [Order of enforcement](/cloudflare-one/traffic-policies/order-of-enforcement/). :::note diff --git a/src/content/docs/learning-paths/replace-vpn/build-policies/policy-design.mdx b/src/content/docs/learning-paths/replace-vpn/build-policies/policy-design.mdx index 9a4df0d1bc1766..3744a9609052a6 100644 --- a/src/content/docs/learning-paths/replace-vpn/build-policies/policy-design.mdx +++ b/src/content/docs/learning-paths/replace-vpn/build-policies/policy-design.mdx @@ -26,7 +26,7 @@ We recommend the following approach when planning your Zero Trust Network Access #### Identity -Determine which identity provider you will use as the source of truth for user email, user groups, and other [identity-based attributes](/cloudflare-one/policies/gateway/identity-selectors/). +Determine which identity provider you will use as the source of truth for user email, user groups, and other [identity-based attributes](/cloudflare-one/traffic-policies/identity-selectors/). :::note 
diff --git a/src/content/docs/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption.mdx b/src/content/docs/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption.mdx
index 9bfface3bdb555..399d71830ddc4f 100644
--- a/src/content/docs/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption.mdx
+++ b/src/content/docs/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption.mdx
@@ -14,12 +14,12 @@ import { Render } from "~/components"; With TLS decryption turned on, you can apply advanced Gateway policies, such as: - Filtering based on the complete URL and path of requests -- Scanning for sensitive data with [Cloudflare Data Loss Prevention (DLP)](/cloudflare-one/policies/data-loss-prevention/) -- Starting a remote browser isolation session with [Cloudflare Browser Isolation](/cloudflare-one/policies/browser-isolation/) +- Scanning for sensitive data with [Cloudflare Data Loss Prevention (DLP)](/cloudflare-one/data-loss-prevention/) +- Starting a remote browser isolation session with [Cloudflare Browser Isolation](/cloudflare-one/remote-browser-isolation/) -These features can increase the security posture of sensitive systems, but TLS decryption can also break your users' access to certain resources. For instance, if your internal applications use self-signed certificates, you will need to either configure a [Do Not Inspect](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) policy or an [Untrusted certificate _Pass through_](/cloudflare-one/policies/gateway/http-policies/#untrusted-certificates) policy to allow users to connect. To learn more, refer to [TLS decryption limitations](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations). +These features can increase the security posture of sensitive systems, but TLS decryption can also break your users' access to certain resources. For instance, if your internal applications use self-signed certificates, you will need to either configure a [Do Not Inspect](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) policy or an [Untrusted certificate _Pass through_](/cloudflare-one/traffic-policies/http-policies/#untrusted-certificates) policy to allow users to connect. To learn more, refer to [TLS decryption limitations](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#inspection-limitations). 
-With TLS decryption turned off, Gateway can only inspect and apply HTTP policies to unencrypted HTTP requests. However, you can still apply network policies to HTTPS traffic based on user identity, device posture, IP, resolved domain, SNI, and other attributes that support a Zero Trust security implementation. For more information, refer to [Gateway network policies](/cloudflare-one/policies/gateway/network-policies/). +With TLS decryption turned off, Gateway can only inspect and apply HTTP policies to unencrypted HTTP requests. However, you can still apply network policies to HTTPS traffic based on user identity, device posture, IP, resolved domain, SNI, and other attributes that support a Zero Trust security implementation. For more information, refer to [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/). ## Enable TLS decryption diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx index deee19cbe61454..552be60d69360c 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx @@ -9,7 +9,7 @@ import { Tabs, TabItem, APIRequest } from "~/components"; In the context of DNS filtering, a blocklist is a list of known harmful domains or IP addresses. An allowlist is a list of allowed domains or IP addresses, such as the domains of essential corporate applications. -Gateway supports creating [lists](/cloudflare-one/policies/gateway/lists/) of URLs, hostnames, or other entries to use in your policies. +Gateway supports creating [lists](/cloudflare-one/traffic-policies/lists/) of URLs, hostnames, or other entries to use in your policies. ## Example list policy 
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx index fc97ac7ba112c8..d5a27c73d10cdb 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx @@ -21,14 +21,14 @@ To create a new DNS policy: 2. In the **DNS** tab, select **Add a policy**. 3. Name the policy. 4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block. -5. Choose an **Action** to take when traffic matches the logical expression. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories): +5. Choose an **Action** to take when traffic matches the logical expression. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/traffic-policies/domain-categories/#security-categories): 6. Select **Create policy**. -For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). +For more information, refer to [DNS policies](/cloudflare-one/traffic-policies/dns-policies/). diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx index ae125b90869fae..f2308b1f1e8393 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx 
@@ -21,12 +21,12 @@ It is common for a misconfigured Gateway policy to accidentally block traffic to :::note -[Custom block pages](/cloudflare-one/policies/gateway/block-page/) require you to install a root certificate on the device. +[Custom block pages](/cloudflare-one/traffic-policies/block-page/) require you to install a root certificate on the device. ::: 6. In **Logs** > **Gateway** > **DNS**, verify that you see the blocked domain. 7. Slowly turn on or add other policies to your configuration. -8. When testing against frequently-visited sites, you may need to [clear the DNS cache](/cloudflare-one/policies/gateway/dns-policies/test-dns-filtering/#clear-dns-cache) in your browser or OS. Otherwise, the DNS lookup will return the locally-cached IP address and bypass your DNS policies. +8. When testing against frequently-visited sites, you may need to [clear the DNS cache](/cloudflare-one/traffic-policies/dns-policies/test-dns-filtering/#clear-dns-cache) in your browser or OS. Otherwise, the DNS lookup will return the locally-cached IP address and bypass your DNS policies. You have now validated DNS filtering on a test device. diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/deploy-egress-ips.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/deploy-egress-ips.mdx index b78c4bcbaae5f9..6d384e472a04c7 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/deploy-egress-ips.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/deploy-egress-ips.mdx 
@@ -23,7 +23,7 @@ You should also reserve multiple egress IPs if you have locations that need expl ## Access allowlisted sources -One of the most common use cases for egress policies is to ensure a consistent egress IP for users accessing SaaS applications that may not support SAML (or vendor services that can only use IP-level controls). If given the option -- or if your business controls the application -- Cloudflare strongly recommends using [Cloudflare Access](/cloudflare-one/policies/access/) to move from IP-level authentication to identity-aware authentication that uses continuous evaluation. +One of the most common use cases for egress policies is to ensure a consistent egress IP for users accessing SaaS applications that may not support SAML (or vendor services that can only use IP-level controls). If given the option -- or if your business controls the application -- Cloudflare strongly recommends using [Cloudflare Access](/cloudflare-one/access-controls/policies/) to move from IP-level authentication to identity-aware authentication that uses continuous evaluation. We recommend building baseline egress policies that can cover a majority of your use cases without making policy management overly complex. If all of your users need to access a series of applications that all require a specific egress IP, you should build a policy explicit to those users (or to all of your users) to ensure that all of their traffic egresses using those egress IPs. For example, you can define specific egress IPs for users with access to financial data: diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/egress-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/egress-policies.mdx index 0fc2261e9ef7e5..2f9c750232873e 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/egress-policies.mdx 
+++ b/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/egress-policies.mdx @@ -12,7 +12,7 @@ import { Render } from "~/components"; Only available on Enterprise plans. ::: -Egress policies allow you to determine whether your organization's traffic egresses via the default Cloudflare IP or via a [dedicated egress IP](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/) assigned to your account. +Egress policies allow you to determine whether your organization's traffic egresses via the default Cloudflare IP or via a [dedicated egress IP](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) assigned to your account. To create a new egress policy: @@ -31,4 +31,4 @@ To create a new egress policy: 5. Select **Create policy**. -For more information, refer to [Egress policies](/cloudflare-one/policies/gateway/egress-policies/). +For more information, refer to [Egress policies](/cloudflare-one/traffic-policies/egress-policies/). diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/index.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/index.mdx index 61a029362aa1bc..7087bcd88cdf58 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/index.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/index.mdx 
@@ -11,7 +11,7 @@ Now that you have created firewall policies to secure your organization, you can :::note -The following module requires [egress policies](/cloudflare-one/policies/gateway/egress-policies/), a feature only available on Enterprise plans. If you are not an Enterprise user, you can skip ahead to [Secure SaaS applications](/learning-paths/secure-internet-traffic/secure-saas-applications/). +The following module requires [egress policies](/cloudflare-one/traffic-policies/egress-policies/), a feature only available on Enterprise plans. If you are not an Enterprise user, you can skip ahead to [Secure SaaS applications](/learning-paths/secure-internet-traffic/secure-saas-applications/). For more information on egress policies, contact your account team. diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/data-loss-prevention.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/data-loss-prevention.mdx index 1458bec6b7b307..bf6d6d0f8ec536 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/data-loss-prevention.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/data-loss-prevention.mdx 
@@ -7,7 +7,7 @@ sidebar: import { Render, TabItem, Tabs, APIRequest } from "~/components"; -In order to use Data Loss Prevention (DLP) tools within Cloudflare Zero Trust, you first need to define your DLP profiles. [DLP profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/) are complex objects with dictionaries, pre-built detections, and custom logic that you can reference as selectors within your Gateway policies. +In order to use Data Loss Prevention (DLP) tools within Cloudflare Zero Trust, you first need to define your DLP profiles. [DLP profiles](/cloudflare-one/data-loss-prevention/dlp-profiles/) are complex objects with dictionaries, pre-built detections, and custom logic that you can reference as selectors within your Gateway policies. ## Configure a DLP profile @@ -113,7 +113,7 @@ For example, you can use a custom expression to detect when your users share pro #### DLP datasets -If your data is a distinct [dataset](/cloudflare-one/policies/data-loss-prevention/detection-entries/#datasets) you have defined, you can build a profile by uploading a database to use in an Exact Data Match or Custom Wordlist function. Exact Data Match and Custom Wordlist feature some key differences: +If your data is a distinct [dataset](/cloudflare-one/data-loss-prevention/detection-entries/#datasets) you have defined, you can build a profile by uploading a database to use in an Exact Data Match or Custom Wordlist function. Exact Data Match and Custom Wordlist feature some key differences: | | Exact Data Match | Custom Wordlist | | ------------------- | ------------------------------------------------------- | ------------------------------------------------------------------ | 
@@ -129,7 +129,7 @@ As your datasets change and grow, we recommend building a pipeline to update the If your data already contains Microsoft Information Protection (MIP) labeling schema, Cloudflare can detect those values in-transit automatically. To get started, connect your Microsoft 365 account with a [CASB integration](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/). Cloudflare will automatically pull in your existing MIP definitions into Zero Trust. You can then use the MIP definitions to build DLP profiles for use in Gateway policies. -For more information, refer to [Integration profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/integration-profiles/). +For more information, refer to [Integration profiles](/cloudflare-one/data-loss-prevention/dlp-profiles/integration-profiles/). ## Build DLP policies diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/tls-inspection.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/tls-inspection.mdx index 9bfac1752851b4..f3b03efbf6ebe2 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/tls-inspection.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/tls-inspection.mdx 
@@ -26,14 +26,14 @@ To decide why and how you should turn on TLS inspection, we recommend you start ### 1. Identify your goals -Cloudflare Zero Trust requires TLS inspection for most advanced security and data loss prevention (DLP) features. +Cloudflare Zero Trust requires TLS inspection for most advanced security and data loss prevention (DLP) features. Some security organizations choose to avoid TLS inspection due to concerns about user privacy and acceptable use. This is an important and sometimes complicated organization decision, but you can simplify it by establishing goals related to your security practices. Questions to consider: - Is your organizational use of TLS inspection designed to protect from the "known" (such as sensitive data in corporate-sanctioned SaaS applications) or the "unknown" (such as users downloading or uploading files to brand-new blob storage buckets)? - Do you intend to primarily block by domain or hostname or by building policies for complete URLs? - Do you plan to scan the body of requests or files against DLP profiles or scan downloaded files with an antivirus or anti-malware engine? -- Do you intend to use inline Remote Browser Isolation to take advantage of data security capabilities like copy/paste blocking, keyboard blocking, and print blocking? +- Do you intend to use inline Remote Browser Isolation to take advantage of data security capabilities like copy/paste blocking, keyboard blocking, and print blocking? If the answer to a majority of these questions is no and your organization relies mostly on hostname or DNS-based security controls, then you may not need to inspect most, if not all TLS traffic. Because Cloudflare operates both as a secure web gateway and as a secure DNS resolver for your connected users, you can apply policy control that may increase your security posture without the need to broadly inspect TLS traffic. 
@@ -50,7 +50,7 @@ To turn on TLS inspection for your Zero Trust organization: product="cloudflare-one" params={{ turnOnProcedure: - "you can turn on [protocol detection](/cloudflare-one/policies/gateway/network-policies/protocol-detection/) and configure Gateway to [inspect traffic on all ports](/cloudflare-one/policies/gateway/network-policies/protocol-detection/#inspect-on-all-ports)", + "you can turn on [protocol detection](/cloudflare-one/traffic-policies/network-policies/protocol-detection/) and configure Gateway to [inspect traffic on all ports](/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports)", }} /> diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/index.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/index.mdx index 5aa96e4ac220c7..bffa936eb33a06 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/index.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/index.mdx 
@@ -5,7 +5,7 @@ sidebar: order: 8 --- -After creating policies for security based on DNS resolution, we can layer in additional security controls with the Gateway network firewall, which operates at Layer 4 of the OSI model. The Gateway network firewall allows you to build specific policies to block users or services' ability to connect to endpoints at specific IPs or on specific ports. You can also use [Protocol Detection](https://developers.cloudflare.com/cloudflare-one/policies/gateway/network-policies/protocol-detection/) to block proxying specific protocols. +After creating policies for security based on DNS resolution, we can layer in additional security controls with the Gateway network firewall, which operates at Layer 4 of the OSI model. The Gateway network firewall allows you to build specific policies to block users or services' ability to connect to endpoints at specific IPs or on specific ports. You can also use [Protocol Detection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/) to block proxying specific protocols. ## Objectives diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx index 0bc035fd35940b..19dad41b1bb65a 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx 
@@ -15,7 +15,7 @@ import { We recommend you add the following network policies to build an Internet and SaaS app security strategy for your organization. -For more information on building network policies, refer to [Network policies](/cloudflare-one/policies/gateway/network-policies/). +For more information on building network policies, refer to [Network policies](/cloudflare-one/traffic-policies/network-policies/). ## Quarantined-Users-NET-Restricted-Access @@ -249,7 +249,7 @@ resource "cloudflare_zero_trust_gateway_policy" "finance_users_net_https_finance :::note -The **Detected Protocol** selector is only available for Enterprise users. For more information, refer to [Protocol detection](/cloudflare-one/policies/gateway/network-policies/protocol-detection/). +The **Detected Protocol** selector is only available for Enterprise users. For more information, refer to [Protocol detection](/cloudflare-one/traffic-policies/network-policies/protocol-detection/). ::: ## All-NET-SSH-Internet-Allowlist diff --git a/src/content/docs/learning-paths/secure-internet-traffic/concepts/security-concepts.mdx b/src/content/docs/learning-paths/secure-internet-traffic/concepts/security-concepts.mdx index 8956270d27b854..1710caf740f817 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/concepts/security-concepts.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/concepts/security-concepts.mdx 
@@ -21,13 +21,13 @@ A secure web gateway (SWG) is a cyber security product that protects company dat
-For more information, refer to the [Learning Center](https://www.cloudflare.com/learning/access-management/what-is-a-secure-web-gateway/) and [Gateway documentation](/cloudflare-one/policies/gateway/).
+For more information, refer to the [Learning Center](https://www.cloudflare.com/learning/access-management/what-is-a-secure-web-gateway/) and [Gateway documentation](/cloudflare-one/traffic-policies/).
 ## What is HTTPS inspection?
 HTTPS inspection (also known as TLS decryption) is the process of filtering traffic by decrypting traffic sent to or from your organization, inspecting it and applying policies, then re-encrypting the traffic as it ingresses or egresses.
-For more information, refer to the [Learning Center](https://www.cloudflare.com/learning/security/what-is-https-inspection/) and [TLS decryption documentation](/cloudflare-one/policies/gateway/http-policies/tls-decryption/).
+For more information, refer to the [Learning Center](https://www.cloudflare.com/learning/security/what-is-https-inspection/) and [TLS decryption documentation](/cloudflare-one/traffic-policies/http-policies/tls-decryption/).
 ## What is data loss prevention (DLP)?
@@ -35,7 +35,7 @@ Data loss prevention checks for sensitive data sent in uploads and downloads.
-For more information, refer to the [Learning Center](https://www.cloudflare.com/learning/access-management/what-is-dlp/) and [DLP documentation](/cloudflare-one/policies/data-loss-prevention/).
+For more information, refer to the [Learning Center](https://www.cloudflare.com/learning/access-management/what-is-dlp/) and [DLP documentation](/cloudflare-one/data-loss-prevention/).
 ## What is a cloud access security broker (CASB)?
@@ -51,4 +51,4 @@ Browser isolation prevents users from interacting directly with malicious websit
-For more information, refer to the [Learning Center](https://www.cloudflare.com/learning/access-management/what-is-a-casb/) and [Browser Isolation documentation](/cloudflare-one/policies/browser-isolation/).
+For more information, refer to the [Learning Center](https://www.cloudflare.com/learning/access-management/what-is-a-casb/) and [Browser Isolation documentation](/cloudflare-one/remote-browser-isolation/).
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/configure-device-agent/enable-proxy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/configure-device-agent/enable-proxy.mdx
index 179f591932e428..8afb9c357be702 100644
--- a/src/content/docs/learning-paths/secure-internet-traffic/configure-device-agent/enable-proxy.mdx
+++ b/src/content/docs/learning-paths/secure-internet-traffic/configure-device-agent/enable-proxy.mdx
@@ -14,6 +14,6 @@ import { Render } from "~/components";
 1. Go to **Settings** > **Network**.
 2. Enable **Proxy** for TCP.
 3. (Recommended) To proxy all port `443` traffic, including internal DNS queries, select **UDP**.
-4. (Optional) To scan file uploads and downloads for malware, [enable anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/).
+4. (Optional) To scan file uploads and downloads for malware, [enable anti-virus scanning](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/).
-Cloudflare will now proxy traffic from enrolled devices, except for the traffic excluded in your [split tunnel settings](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#3-route-private-network-ips-through-warp). For more information on how Gateway forwards traffic, refer to [Gateway proxy](/cloudflare-one/policies/gateway/proxy/).
+Cloudflare will now proxy traffic from enrolled devices, except for the traffic excluded in your [split tunnel settings](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#3-route-private-network-ips-through-warp). For more information on how Gateway forwards traffic, refer to [Gateway proxy](/cloudflare-one/traffic-policies/proxy/).
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/layer-security.mdx b/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/layer-security.mdx
index 9e218d4838df27..16aea5d9aad510 100644
--- a/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/layer-security.mdx
+++ b/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/layer-security.mdx
@@ -29,6 +29,6 @@ When your users' devices are enrolled with the WARP client, Cloudflare will tran
 ### Clientless Web Isolation
-With [Clientless Web Isolation](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/), Cloudflare will append a static link to the web address. For example, a user's browser going to `example.com` in an isolated session will display `.cloudflareaccess.com/browser/https://www.example.com`.
+With [Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/), Cloudflare will append a static link to the web address. For example, a user's browser going to `example.com` in an isolated session will display `.cloudflareaccess.com/browser/https://www.example.com`.
 When Browser Isolation isolates traffic, Cloudflare can apply the security stack of TLS decryption, HTTP inspection, network inspection, DNS filtering, and DLP policy evaluation to the traffic in the request body. This provides a solution for securing unmanaged endpoint access to sensitive systems and can potentially upgrade traffic from users or services that may have otherwise been deemed as risky. Any method for Browser Isolation attaches the user to your dedicated egress IP addresses so you can apply policies across each method of access consistently.
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/sso-front-door.mdx b/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/sso-front-door.mdx
index a1509ae6e7c7c4..a566f5f45838c5 100644
--- a/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/sso-front-door.mdx
+++ b/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/sso-front-door.mdx
@@ -31,11 +31,11 @@ Access for SaaS supports SCIM passthrough in an API-only closed beta. If you req
 ## Configure your SSO provider
-If you cannot use Access for SaaS for some or all of your SaaS apps, you can accomplish most of the same outcomes through a combination of strong security controls on your managed devices and your [Clientless Web Isolation](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/) implementation. You can use your existing SSO provider to enforce a strong relationship between Cloudflare and your SaaS applications.
+If you cannot use Access for SaaS for some or all of your SaaS apps, you can accomplish most of the same outcomes through a combination of strong security controls on your managed devices and your [Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) implementation. You can use your existing SSO provider to enforce a strong relationship between Cloudflare and your SaaS applications.
 ### Policies based on dedicated egress IPs
-With [dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/), you can set explicit egress locations globally and share these IPs with your SSO provider. With this Zero Trust security approach, your users must meet all of your Cloudflare requirements (such as being enrolled in WARP or Browser Isolation) when they authenticate to your SSO provider. Using your dedicated egress IPs as a control mechanism within your SSO means you can set policies on the basis of which users are subject to security policy and inspection because they are guaranteed to be proxied through Cloudflare.
+With [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/), you can set explicit egress locations globally and share these IPs with your SSO provider. 
With this Zero Trust security approach, your users must meet all of your Cloudflare requirements (such as being enrolled in WARP or Browser Isolation) when they authenticate to your SSO provider. Using your dedicated egress IPs as a control mechanism within your SSO means you can set policies on the basis of which users are subject to security policy and inspection because they are guaranteed to be proxied through Cloudflare. ### Generic IdP multi-factor authentication diff --git a/src/content/docs/load-balancing/load-balancers/dns-records.mdx b/src/content/docs/load-balancing/load-balancers/dns-records.mdx index bcb9c73da8ea33..759fec6f067801 100644 --- a/src/content/docs/load-balancing/load-balancers/dns-records.mdx +++ b/src/content/docs/load-balancing/load-balancers/dns-records.mdx @@ -6,10 +6,9 @@ sidebar: head: - tag: title content: DNS records for load balancing - --- -When you [create a load balancer](/load-balancing/load-balancers/create-load-balancer/), Cloudflare automatically creates an LB DNS record for the specified **Hostname**. This functionality allows you to use a hostname with or without an existing DNS record. Private load balancers do not receive an automatic DNS record. Instead, you can configure a hostname using your internal DNS system or by applying a [Gateway Firewall override](/cloudflare-one/policies/gateway/dns-policies/#override) to a hostname. +When you [create a load balancer](/load-balancing/load-balancers/create-load-balancer/), Cloudflare automatically creates an LB DNS record for the specified **Hostname**. This functionality allows you to use a hostname with or without an existing DNS record. Private load balancers do not receive an automatic DNS record. Instead, you can configure a hostname using your internal DNS system or by applying a [Gateway Firewall override](/cloudflare-one/traffic-policies/dns-policies/#override) to a hostname. ## Supported records 
@@ -21,47 +20,41 @@ For customers on Enterprise plans, Cloudflare supports load balancing for `A`, ` For hostnames with existing DNS records, the LB record takes precedence when it is more or equally specific: -* **Scenario 1**: - - * **A, AAAA, or CNAME**: `x.example.com` - * **LB record**: `x.example.com` - * **Outcome**: LB record takes precedence because it is as specific as the DNS record. - -* **Scenario 2**: - - * **A, AAAA, or CNAME**: `y.example.com` - * **LB record**: `*.example.com` (wildcard record) - * **Outcome**: DNS record takes precedence because it is more specific. +- **Scenario 1**: + - **A, AAAA, or CNAME**: `x.example.com` + - **LB record**: `x.example.com` + - **Outcome**: LB record takes precedence because it is as specific as the DNS record. -* **Scenario 3**: +- **Scenario 2**: + - **A, AAAA, or CNAME**: `y.example.com` + - **LB record**: `*.example.com` (wildcard record) + - **Outcome**: DNS record takes precedence because it is more specific. - * **A, AAAA, or CNAME**: `*.example.com` - * **LB record**: `*.example.com` - * **Outcome**: LB record takes precedence because it is as specific as the DNS record. +- **Scenario 3**: + - **A, AAAA, or CNAME**: `*.example.com` + - **LB record**: `*.example.com` + - **Outcome**: LB record takes precedence because it is as specific as the DNS record. :::note - This behavior only applies to [supported records](#supported-records) (determined by your plan type). - ::: If the DNS record points to a [SaaS provider](/cloudflare-for-platforms/cloudflare-for-saas/) and an active [custom hostname](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/) exists, the custom hostname will take precedence over the Load Balancing record: -* **Scenario 4**: - - * **CNAME**: `x.example.com` with target to a Cloudflare for SaaS provider - * **LB record**: `x.example.com` - * **Active custom hostname on the SaaS provider side**: `x.example.com` - * **Outcome**: Custom hostname takes precedence. 
+- **Scenario 4**: + - **CNAME**: `x.example.com` with target to a Cloudflare for SaaS provider + - **LB record**: `x.example.com` + - **Active custom hostname on the SaaS provider side**: `x.example.com` + - **Outcome**: Custom hostname takes precedence. ## Disabling a load balancer When you disable a load balancer, requests to a specific hostname depend on your existing DNS records: -* If you have existing DNS records, these records will be served. -* If there are no existing records, requests to the hostname will fail. +- If you have existing DNS records, these records will be served. +- If there are no existing records, requests to the hostname will fail. In both cases, disabling your load balancer prevents traffic from going to any associated endpoint or fallback pools. diff --git a/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx b/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx index 254c1f3368c1be..3c8844aef2f297 100644 --- a/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx +++ b/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx @@ -1,13 +1,18 @@ --- - pcx_content_type: how-to title: Set up Private Network Load Balancing with WARP-to-Tunnel sidebar: order: 4 - --- -import { DashButton, Render, Tabs, TabItem, APIRequest, GlossaryTooltip } from "~/components" +import { + DashButton, + Render, + Tabs, + TabItem, + APIRequest, + GlossaryTooltip, +} from "~/components"; You can use Private Network Load Balancing to distribute WARP client traffic to private hostnames and IPs connected via [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/). 
@@ -42,6 +47,7 @@ graph LR ``` The components in the diagram include: + - **cloudflared**: Each data center is connected to Cloudflare with its own Cloudflare Tunnel. `cloudflared` installs on one or [more](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/#cloudflared-replicas) host machines in the network. - **Private load balancer IP**: End users connect to the application using the load balancer's IP address. This can either be a Cloudflare-assigned CGNAT IP (`100.64.0.0/10`) or a custom [RFC 1918](https://datatracker.ietf.org/doc/html/rfc1918) IP. - **Load balancer pool**: The load balancer is configured with one [pool](/load-balancing/understand-basics/load-balancing-components/#pools) per tunnel. @@ -64,9 +70,10 @@ Pools can be created using either the Cloudflare dashboard or the API. To create a pool using the dashboard, refer to the [Create a pool](/load-balancing/pools/create-pool/#create-a-pool) documentation. :::note[Endpoint IP address limitations] + - All endpoints with private IPs must have a virtual network (VNET) specified. - A pool cannot have multiple endpoints with the same IP address, even when using different virtual networks. You can assign endpoints with overlapping IPs to different pools, as shown in the [example diagram](#_top). Alternatively, add endpoints using their [private hostnames](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/) instead of IPs. -::: + ::: @@ -97,7 +104,6 @@ The following example adds a Cloudflare Tunnel endpoint to an existing Load Bala - ## 2. Create a private load balancer 1. In the Cloudflare dashboard, go to the **Load Balancing** page. 
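Review bot: The closing fence of the `:::note[Endpoint IP address limitations]` aside now carries a leading space (`+ :::`) while its opening fence stays at column 0, which looks like a formatter artifact rather than an intended change. Whether the directive parser still closes the aside when the fence is indented is not visible here, so it is worth a render check; if it does not, the aside would run into the following sections. The safe fix is to keep the fence flush left: `:::`.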
@@ -106,9 +112,7 @@ The following example adds a Cloudflare Tunnel endpoint to an existing Load Bala 2. Select **Create a Load Balancer**. 3. Select **Private Load Balancer**. -4. On the next step you can choose to associate this load balancer with either: - - A Cloudflare-assigned IP from the `100.64.0.0/10` range - - A custom [RFC 1918 address](https://datatracker.ietf.org/doc/html/rfc1918) +4. On the next step you can choose to associate this load balancer with either: - A Cloudflare-assigned IP from the `100.64.0.0/10` range - A custom [RFC 1918 address](https://datatracker.ietf.org/doc/html/rfc1918) 5. Add a descriptive name to identify your load balancer. 6. Proceed through the setup. 
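Review bot: The two sub-bullets of step 4 have been folded into the step's own line (`4. On the next step you can choose to associate this load balancer with either: - A Cloudflare-assigned IP ... - A custom [RFC 1918 address](...)`), so they will render as one run of prose with stray hyphens instead of a nested list. This is a regression introduced by the reflow, not a cosmetic difference. Restore the nested items under the step: `4. On the next step you can choose to associate this load balancer with either:`, then indented `- A Cloudflare-assigned IP from the `100.64.0.0/10` range` and `- A custom [RFC 1918 address](https://datatracker.ietf.org/doc/html/rfc1918)`.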
@@ -122,27 +126,26 @@ In order for WARP clients to connect to your load balancer, the load balancer's 2. Under **Device settings**, find the [device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) you would like to modify and select **Edit**. 3. Under **Split Tunnels**, check whether your [Split Tunnels mode](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode) is set to **Exclude** or **Include**. 4. Select **Manage**. Depending on the mode: - - - **Exclude mode**: Delete the IP range that contains your load balancer IP. For example, if your load balancer has a Cloudflare-assigned CGNAT IP, delete `100.64.0.0/10`. We recommend [adding back the IPs](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-warp) that are not being used by your load balancer. - :::note - Some IPs in the `100.64.0.0/10` range may be reserved for other Zero Trust services such as Gateway initial resolved IPs or WARP CGNAT IPs. These IPs should remain deleted from the Exclude list. - - **Include mode**: Add your load balancer IP. + - **Exclude mode**: Delete the IP range that contains your load balancer IP. For example, if your load balancer has a Cloudflare-assigned CGNAT IP, delete `100.64.0.0/10`. We recommend [adding back the IPs](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-warp) that are not being used by your load balancer. + :::note + Some IPs in the `100.64.0.0/10` range may be reserved for other Zero Trust services such as Gateway initial resolved IPs or WARP CGNAT IPs. These IPs should remain deleted from the Exclude list. + - **Include mode**: Add your load balancer IP. WARP traffic can now reach your private load balancer. 
For example, if your load balancer points to a web application, you can test by running `curl ` from the WARP device. This traffic will be distributed over Cloudflare Tunnel to your private endpoints according to your configured steering method. ## 4. (Optional) Assign a hostname to the load balancer -If you want your load balancer and its endpoints to be transparently accessible to users via a hostname, you can create a Gateway DNS [Override policy](/cloudflare-one/policies/gateway/dns-policies/#override) that maps the hostname to the load balancer's IP address. This ensures that traffic destined for the hostname resolves to the correct IP. +If you want your load balancer and its endpoints to be transparently accessible to users via a hostname, you can create a Gateway DNS [Override policy](/cloudflare-one/traffic-policies/dns-policies/#override) that maps the hostname to the load balancer's IP address. This ensures that traffic destined for the hostname resolves to the correct IP. 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Gateway** > **Firewall policies**> **DNS**. 2. Select **Add DNS policy**. 3. In **Traffic**, create an expression where the **Selector** equals `Host`, the **Operator** equals `is`, and **Value** is the hostname you wish to associate with your load balancer. For example, - | Selector | Operator | Value | - | -------- | -------- | ----------------- | - | Host | is | `app.internal.local` | + | Selector | Operator | Value | + | -------- | -------- | -------------------- | + | Host | is | `app.internal.local` | 4. Set the **Action** to _Override_. 5. In **Override Hostname**, enter your private load balancer IP (for example, `100.112.0.0`). -Requests to the hostname will now resolve to your private load balancer. \ No newline at end of file +Requests to the hostname will now resolve to your private load balancer. 
diff --git a/src/content/docs/magic-firewall/plans.mdx b/src/content/docs/magic-firewall/plans.mdx
index cfbc4a05751ba8..a13ff942edd416 100644
--- a/src/content/docs/magic-firewall/plans.mdx
+++ b/src/content/docs/magic-firewall/plans.mdx
@@ -30,5 +30,5 @@ All standard features are included with the purchase of the advanced features be
 * Block or allow packets based on Autonomous System Number (ASN).
 * Packet captures on demand for network troubleshooting.
 * [Protocol validation rules](/magic-firewall/about/protocol-validation-rules/) to inspect traffic validity and enforce a positive security model.
-* [Secure Web Gateway](/cloudflare-one/policies/gateway/) filtering for outbound Internet traffic (network and HTTP policies). The Secure Web Gateway supports all TCP and UDP ports, as well as traffic sourced from RFC 1918 address space. Gateway will proxy BYOIP traffic to egress via the default Cloudflare IPs or your assigned [dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/).
+* [Secure Web Gateway](/cloudflare-one/traffic-policies/) filtering for outbound Internet traffic (network and HTTP policies). The Secure Web Gateway supports all TCP and UDP ports, as well as traffic sourced from RFC 1918 address space. Gateway will proxy BYOIP traffic to egress via the default Cloudflare IPs or your assigned [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/).
 * Intrusion Detection System (IDS).
diff --git a/src/content/docs/magic-transit/reference/traffic-steering.mdx b/src/content/docs/magic-transit/reference/traffic-steering.mdx
index 1b42bd4f63cfb1..14683b8f2ae7a9 100644
--- a/src/content/docs/magic-transit/reference/traffic-steering.mdx
+++ b/src/content/docs/magic-transit/reference/traffic-steering.mdx
@@ -16,19 +16,23 @@ import { Render } from "~/components";
 file="reference/traffic-steering"
 product="networking-services"
 params={{
- magicWord: "Magic Transit",
- productName: "Magic Transit",
+ magicWord: "Magic Transit",
+ productName: "Magic Transit",
 mFirewallName: "Magic Firewall",
 mFirewallURL: "/magic-firewall/",
 warpClientURL: "/cloudflare-one/team-and-resources/devices/warp/",
- remoteBrowserURL: "/cloudflare-one/policies/browser-isolation/",
- accessURL: "/cloudflare-one/policies/access/",
- gatewayURL: "/cloudflare-one/policies/gateway/",
- greIpsecReferenceURL: "/magic-transit/reference/gre-ipsec-tunnels/",
- createStaticRoute: "/magic-transit/how-to/configure-routes/#create-a-static-route",
- editStaticRoute: "/magic-transit/how-to/configure-routes/#edit-a-static-route",
- setupBgpPeering: "/magic-transit/how-to/configure-routes/#set-up-bgp-peering",
- legacyHCs: "/magic-transit/reference/tunnel-health-checks/#legacy-bidirectional-health-checks",
- tunnelHCsPage: "/magic-transit/reference/tunnel-health-checks/"
+ remoteBrowserURL: "/cloudflare-one/remote-browser-isolation/",
+ accessURL: "/cloudflare-one/access-controls/policies/",
+ gatewayURL: "/cloudflare-one/traffic-policies/",
+ greIpsecReferenceURL: "/magic-transit/reference/gre-ipsec-tunnels/",
+ createStaticRoute:
+ "/magic-transit/how-to/configure-routes/#create-a-static-route",
+ editStaticRoute:
+ "/magic-transit/how-to/configure-routes/#edit-a-static-route",
+ setupBgpPeering:
+ "/magic-transit/how-to/configure-routes/#set-up-bgp-peering",
+ legacyHCs:
+ "/magic-transit/reference/tunnel-health-checks/#legacy-bidirectional-health-checks",
+ tunnelHCsPage: "/magic-transit/reference/tunnel-health-checks/",
 }}
 />
diff --git a/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/index.mdx b/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/index.mdx
index a52f82eb5297be..6af8d44de8da88 100644
--- a/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/index.mdx +++ b/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/index.mdx @@ -1,15 +1,17 @@ --- pcx_content_type: concept title: Application-aware policies - --- -import { Render } from "~/components" +import { Render } from "~/components"; - + productName: "Magic WAN Connector", + gatewayPoliciesURL: "/cloudflare-one/traffic-policies/", + appTypesGatewayURL: + "/cloudflare-one/traffic-policies/application-app-types/", + }} +/> diff --git a/src/content/docs/magic-wan/configuration/connector/reference.mdx b/src/content/docs/magic-wan/configuration/connector/reference.mdx index 41010ab979d159..1568426b8ebc39 100644 --- a/src/content/docs/magic-wan/configuration/connector/reference.mdx +++ b/src/content/docs/magic-wan/configuration/connector/reference.mdx 
@@ -13,20 +13,29 @@ import { Render } from "~/components"; params={{ productName: "Magic WAN Connector", virtualProductName: "Virtual Connector", - gatewayURL: "/cloudflare-one/policies/gateway/", - hardConnectorURL: "/magic-wan/configuration/connector/configure-hardware-connector/", - virtualConnectorURL: "/magic-wan/configuration/connector/configure-virtual-connector/", + gatewayURL: "/cloudflare-one/traffic-policies/", + hardConnectorURL: + "/magic-wan/configuration/connector/configure-hardware-connector/", + virtualConnectorURL: + "/magic-wan/configuration/connector/configure-virtual-connector/", configHardProductName: "Configure hardware Connector", configVirtualProductName: "Configure Virtual Connector", - haSetupURL: "/magic-wan/configuration/connector/configure-hardware-connector/#create-a-high-availability-configuration", - ecmpRoutingURL: "/magic-wan/reference/traffic-steering/#equal-cost-multi-path-routing", - multipleWansURL: "(magic-wan/configuration/connector/configure-hardware-connector/#create-a-wan", - sfpURL: "/magic-wan/configuration/connector/configure-hardware-connector/sfp-port-information/", + haSetupURL: + "/magic-wan/configuration/connector/configure-hardware-connector/#create-a-high-availability-configuration", + ecmpRoutingURL: + "/magic-wan/reference/traffic-steering/#equal-cost-multi-path-routing", + multipleWansURL: + "(magic-wan/configuration/connector/configure-hardware-connector/#create-a-wan", + sfpURL: + "/magic-wan/configuration/connector/configure-hardware-connector/sfp-port-information/", vlanIdURL: "#vlan-id", trafficSteeringURL: "/magic-wan/reference/traffic-steering/", - hcFrequencyURL: "/magic-wan/configuration/common-settings/update-tunnel-health-checks-frequency/", + hcFrequencyURL: + "/magic-wan/configuration/common-settings/update-tunnel-health-checks-frequency/", dhcpURL: "/magic-wan/configuration/connector/network-options/dhcp/", - routedSubnetsURL: "/magic-wan/configuration/connector/network-options/routed-subnets/", 
- networkSegmentationURL: "/magic-wan/configuration/connector/network-options/network-segmentation/" + routedSubnetsURL: + "/magic-wan/configuration/connector/network-options/routed-subnets/", + networkSegmentationURL: + "/magic-wan/configuration/connector/network-options/network-segmentation/", }} -/> \ No newline at end of file +/> diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/aruba-edgeconnect.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/aruba-edgeconnect.mdx index 9d16820fc457cd..9c1e8d3a4ae511 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/aruba-edgeconnect.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/aruba-edgeconnect.mdx @@ -1,16 +1,17 @@ --- title: Aruba EdgeConnect Enterprise pcx_content_type: integration-guide - --- import { Render } from "~/components"; - + gatewayUrl: "/cloudflare-one/traffic-policies/", + }} +/> diff --git a/src/content/docs/magic-wan/reference/traffic-steering.mdx b/src/content/docs/magic-wan/reference/traffic-steering.mdx index 5c289cb8f70168..b1764c28bf6567 100644 --- a/src/content/docs/magic-wan/reference/traffic-steering.mdx +++ b/src/content/docs/magic-wan/reference/traffic-steering.mdx 
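Review bot: The `multipleWansURL` value still opens with a stray parenthesis instead of a leading slash, `"(magic-wan/configuration/connector/configure-hardware-connector/#create-a-wan"`, so the link the partial builds from it will not resolve; the commit reflows that exact line without correcting it. Since this line is already being touched, change it to `"/magic-wan/configuration/connector/configure-hardware-connector/#create-a-wan"`. The opening of the Render call is outside the hunk.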
@@ -16,20 +16,24 @@ import { Render } from "~/components";
 file="reference/traffic-steering"
 product="networking-services"
 params={{
- magicWord: "Magic WAN",
- productName: "Magic WAN",
+ magicWord: "Magic WAN",
+ productName: "Magic WAN",
 mFirewallName: "Magic Firewall",
 mFirewallURL: "/magic-firewall/",
 warpClientURL: "/cloudflare-one/team-and-resources/devices/warp/",
- remoteBrowserURL: "/cloudflare-one/policies/browser-isolation/",
- accessURL: "/cloudflare-one/policies/access/",
- gatewayURL: "/cloudflare-one/policies/gateway/",
+ remoteBrowserURL: "/cloudflare-one/remote-browser-isolation/",
+ accessURL: "/cloudflare-one/access-controls/policies/",
+ gatewayURL: "/cloudflare-one/traffic-policies/",
 cfTunnelURL: "/magic-wan/zero-trust/cloudflare-tunnel/",
- greIpsecReferenceURL: "/magic-wan/reference/gre-ipsec-tunnels/",
- createStaticRoute: "/magic-wan/configuration/manually/how-to/configure-routes/#create-a-static-route",
- editStaticRoute: "/magic-wan/configuration/manually/how-to/configure-routes/#edit-a-static-route",
- setupBgpPeering: "/magic-wan/configuration/manually/how-to/configure-routes/#set-up-bgp-peering",
- legacyHCs: "/magic-wan/reference/tunnel-health-checks/#legacy-bidirectional-health-checks",
- tunnelHCsPage: "/magic-wan/reference/tunnel-health-checks/"
+ greIpsecReferenceURL: "/magic-wan/reference/gre-ipsec-tunnels/",
+ createStaticRoute:
+ "/magic-wan/configuration/manually/how-to/configure-routes/#create-a-static-route",
+ editStaticRoute:
+ "/magic-wan/configuration/manually/how-to/configure-routes/#edit-a-static-route",
+ setupBgpPeering:
+ "/magic-wan/configuration/manually/how-to/configure-routes/#set-up-bgp-peering",
+ legacyHCs:
+ "/magic-wan/reference/tunnel-health-checks/#legacy-bidirectional-health-checks",
+ tunnelHCsPage: "/magic-wan/reference/tunnel-health-checks/",
 }}
 />
diff --git a/src/content/docs/magic-wan/zero-trust/cloudflare-gateway.mdx b/src/content/docs/magic-wan/zero-trust/cloudflare-gateway.mdx
index 82b764449394b8..4652d012fdbe96 100644
--- a/src/content/docs/magic-wan/zero-trust/cloudflare-gateway.mdx
+++ b/src/content/docs/magic-wan/zero-trust/cloudflare-gateway.mdx
@@ -12,26 +12,26 @@ import { Render } from "~/components"; file="magic-wan/zero-trust/gateway" product="networking-services" params={{ - gatewayURL: "/cloudflare-one/policies/gateway/", + gatewayURL: "/cloudflare-one/traffic-policies/", magicFirewallName: "Magic Firewall", magicFirewallURL: "/magic-firewall/", warpURL: "/cloudflare-one/team-and-resources/devices/warp/", cfAutoCertificatesURL: "/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment/", cfManualCertificatesURL: "/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/", - decryptTlsURL: "/cloudflare-one/policies/gateway/http-policies/tls-decryption/", - doNotInspectURL: "/cloudflare-one/policies/gateway/http-policies/#do-not-inspect", + decryptTlsURL: "/cloudflare-one/traffic-policies/http-policies/tls-decryption/", + doNotInspectURL: "/cloudflare-one/traffic-policies/http-policies/#do-not-inspect", magicWANName: "Magic WAN", warpChecksURL: "/cloudflare-one/identity/devices/warp-client-checks/", osVersionChecks: "/cloudflare-one/identity/devices/warp-client-checks/os-version/", mwanOnrampsURL: "/magic-wan/on-ramps/", - gatewayResolverPoliciesURL: "/cloudflare-one/policies/gateway/resolver-policies/", - gatewayInternalDnsURL: "/cloudflare-one/policies/gateway/resolver-policies/#internal-dns", - egressPoliciesURL: "/cloudflare-one/policies/gateway/egress-policies/", + gatewayResolverPoliciesURL: "/cloudflare-one/traffic-policies/resolver-policies/", + gatewayInternalDnsURL: "/cloudflare-one/traffic-policies/resolver-policies/#internal-dns", + egressPoliciesURL: "/cloudflare-one/traffic-policies/egress-policies/", cloudflareTunnelURL:"/cloudflare-one/networks/connectors/cloudflare-tunnel/", gatewayLogsURL: "/cloudflare-one/insights/logs/gateway-logs/#http-logs", tcpMssClampingURL: "/magic-wan/get-started/#set-maximum-segment-size", ikeURL: "/magic-wan/reference/gre-ipsec-tunnels/#supported-configuration-parameters" - }} -/> + }} +/> 
diff --git a/src/content/docs/magic-wan/zero-trust/cloudflare-tunnel.mdx b/src/content/docs/magic-wan/zero-trust/cloudflare-tunnel.mdx index 897717d4740436..e6f7b428551bac 100644 --- a/src/content/docs/magic-wan/zero-trust/cloudflare-tunnel.mdx +++ b/src/content/docs/magic-wan/zero-trust/cloudflare-tunnel.mdx @@ -11,7 +11,8 @@ import { Render } from "~/components"; params={{ productName: "Magic WAN", tunnelURL: "/cloudflare-one/networks/connectors/cloudflare-tunnel/", - gatewayURL: "/cloudflare-one/policies/gateway/", - privateRoutesURL: "/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/" + gatewayURL: "/cloudflare-one/traffic-policies/", + privateRoutesURL: + "/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/", }} /> diff --git a/src/content/docs/network/grpc-connections.mdx b/src/content/docs/network/grpc-connections.mdx index d7697a44f136e3..9495de09917167 100644 --- a/src/content/docs/network/grpc-connections.mdx +++ b/src/content/docs/network/grpc-connections.mdx @@ -2,10 +2,9 @@ pcx_content_type: concept source: https://support.cloudflare.com/hc/en-us/articles/360050483011-Understanding-Cloudflare-gRPC-support title: gRPC connections - --- -import { FeatureTable, Render } from "~/components" +import { FeatureTable, Render } from "~/components"; Cloudflare offers support for gRPC to protect your APIs on any [proxied gRPC endpoints](/dns/proxy-status/). The gRPC protocol helps build efficient APIs with smaller payloads for reduced bandwidth usage, decreased latency, and faster implementations. 
@@ -21,21 +20,21 @@ Running gRPC traffic on Cloudflare is compatible with most Cloudflare products. However, the following products have limited capabilities with gRPC requests: -* The [Cloudflare WAF](/waf/) will only run for header inspection during the connection phase. WAF Managed Rules will not run on the content of a gRPC stream. -* -* [Cloudflare Access](/cloudflare-one/policies/access/) does not support gRPC traffic sent through Cloudflare’s reverse proxy. gRPC traffic will be ignored by Access if gRPC is enabled in Cloudflare. We recommend disabling gRPC for any sensitive origin servers protected by Access or enabling another means of authenticating gRPC traffic to your origin servers. +- The [Cloudflare WAF](/waf/) will only run for header inspection during the connection phase. WAF Managed Rules will not run on the content of a gRPC stream. +- +- [Cloudflare Access](/cloudflare-one/access-controls/policies/) does not support gRPC traffic sent through Cloudflare’s reverse proxy. gRPC traffic will be ignored by Access if gRPC is enabled in Cloudflare. We recommend disabling gRPC for any sensitive origin servers protected by Access or enabling another means of authenticating gRPC traffic to your origin servers. ## Enable gRPC ### Requirements -* Your gRPC endpoint must listen on port 443.  -* Your gRPC endpoint must support TLS and HTTP/2. -* HTTP/2 must be advertised over ALPN. -* Use `application/grpc` or `application/grpc+ + 2. Select your Pages project. 3. Go to **Deployments** > **View details** > **Build log**. 
@@ -98,7 +99,7 @@ If your [custom domain](/pages/configuration/custom-domains/) has not moved from ### Blocked HTTP validation -Pages uses HTTP validation and needs to hit an HTTP endpoint during validation. If another Cloudflare product is in the way (such as [Access](/cloudflare-one/policies/access/), [a redirect](/rules/url-forwarding/), [a Worker](/workers/), etc.), validation cannot be completed. +Pages uses HTTP validation and needs to hit an HTTP endpoint during validation. If another Cloudflare product is in the way (such as [Access](/cloudflare-one/access-controls/policies/), [a redirect](/rules/url-forwarding/), [a Worker](/workers/), etc.), validation cannot be completed. To check this, run a `curl` command against your domain hitting `/.well-known/acme-challenge/randomstring`. For example: @@ -186,7 +187,6 @@ If you see a `404` error on the root `pages.dev` URL (`example.pages.dev`), you Upload an `index.html` file to resolve this issue. - ## Resources If you need additional guidance on build errors, contact your Cloudflare account team (Enterprise) or refer to the [Support Center](/support/contacting-cloudflare-support/) for guidance on contacting Cloudflare Support. diff --git a/src/content/docs/pages/configuration/preview-deployments.mdx b/src/content/docs/pages/configuration/preview-deployments.mdx index 45c73346fdea11..1c9de17123a828 100644 --- a/src/content/docs/pages/configuration/preview-deployments.mdx +++ b/src/content/docs/pages/configuration/preview-deployments.mdx 
@@ -10,6 +10,7 @@ Preview deployments allow you to preview new versions of your project without de 1. In the Cloudflare dashboard, go to the **Workers & Pages** page. + 2. Select your project and find the deployment you would like to view. Every time you open a new pull request on your GitHub repository, Cloudflare Pages will create a unique preview URL, which will stay updated as you continue to push new commits to the branch. This is only true when pull requests originate from the repository itself. 
@@ -34,17 +35,18 @@ Any custom domains, as well as your `user-example.pages.dev` site, will not be a ## Customize preview deployments access -You can use [Cloudflare Access](/cloudflare-one/policies/access/) to manage access to your deployment previews. By default, these deployment URLs are public. Enabling the access policy will restrict viewing project deployments to your Cloudflare account. +You can use [Cloudflare Access](/cloudflare-one/access-controls/policies/) to manage access to your deployment previews. By default, these deployment URLs are public. Enabling the access policy will restrict viewing project deployments to your Cloudflare account. Once enabled, you can [set up a multi-user account](/fundamentals/manage-members/) to allow other members of your team to view preview deployments. -By default, preview deployments are enabled and available publicly. In your project's settings, you can require visitors to authenticate to view preview deployment. This allows you to lock down access to these preview deployments to your teammates, organization, or anyone else you specify via [Access policies](/cloudflare-one/policies/). +By default, preview deployments are enabled and available publicly. In your project's settings, you can require visitors to authenticate to view preview deployment. This allows you to lock down access to these preview deployments to your teammates, organization, or anyone else you specify via [Access policies](/cloudflare-one/traffic-policies/). To protect your preview deployments behind Cloudflare Access: 1. In the Cloudflare dashboard, go to the **Workers & Pages** page. + 2. Select your Pages project. 3. Go to **Settings** > **General** > and select **Enable access policy**. 
@@ -68,18 +70,18 @@ To view branch aliases within your Pages project, select **View build** for any You can attach a Preview alias to a custom domain by [adding a custom domain to a branch](https://developers.cloudflare.com/pages/how-to/custom-branch-aliases/). -## Preview indexing by search engines +## Preview indexing by search engines To maintain a healthy SEO profile, it's vital to prevent search engines from finding duplicate content across the web. Because preview deployments are designed to be an exact replica of your production environment, they inherently create this exact situation. Cloudflare Pages by default ensures your search rankings are not harmed by these temporary previews. ### X-Robots-Tag: noindex on Preview Deployments + By default, every preview deployment generated by Cloudflare Pages includes the X-Robots-Tag: noindex HTTP response header. This header acts as a clear directive to search engine crawlers, instructing them to disregard the page and not include it in their search results. You can easily confirm that your preview deployments are correctly configured to block indexing. Run the following curl command in your terminal, replacing the placeholder with your unique preview URL: -``` +``` curl -I https://.pages.dev ``` Inspect the output for the x-robots-tag: noindex line to verify that your preview site is not being indexed. - diff --git a/src/content/docs/r2/tutorials/cloudflare-access.mdx b/src/content/docs/r2/tutorials/cloudflare-access.mdx index 113eae029c796e..81e29178fed459 100644 --- a/src/content/docs/r2/tutorials/cloudflare-access.mdx +++ b/src/content/docs/r2/tutorials/cloudflare-access.mdx 
@@ -40,7 +40,7 @@ To create an Access application for your R2 bucket: 2. Select **Self-hosted**. 3. Enter an **Application name**. 4. Select **Add a public hostname** and enter the application domain. The **Domain** must be a domain hosted on Cloudflare, and the **Subdomain** part of the custom domain you will connect to your R2 bucket. For example, if you want to serve files from `behind-access.example.com` and `example.com` is a domain within your Cloudflare account, then enter `behind-access` in the subdomain field and select `example.com` from the **Domain** list. -5. Add [Access policies](/cloudflare-one/policies/access/) to control who can connect to your application. This should be an **Allow** policy so that users can access objects within the bucket behind this Access application. +5. Add [Access policies](/cloudflare-one/access-controls/policies/) to control who can connect to your application. This should be an **Allow** policy so that users can access objects within the bucket behind this Access application. :::note Ensure that your policies only allow the users within your organization that need access to this R2 bucket. diff --git a/src/content/docs/radar/glossary.mdx b/src/content/docs/radar/glossary.mdx index 08aa3dd4f55529..fc13b0f4588bab 100644 --- a/src/content/docs/radar/glossary.mdx +++ b/src/content/docs/radar/glossary.mdx @@ -3,7 +3,6 @@ pcx_content_type: reference title: Glossary sidebar: order: 6 - --- This page provides a list of terms and concepts to help you understand Radar and the information shown. 
@@ -37,16 +36,16 @@ On Cloudflare Radar, we provide time series charts for both the volume of BGP me [BGP route leaks](https://www.rfc-editor.org/rfc/rfc7908.html) are defined as the propagation of routing announcements beyond their intended scope. In Cloudflare Radar, you can inspect the detected route leak events on the corresponding autonomous system number (ASN) pages. The columns in the table are defined as follows: -* `From`: The autonomous system (AS) from which the routes are learned from. -* `By`: The AS that leaked the routes, or the leaker. -* `To`: The AS that received and propagated the leaked routes. -* `Start` and `End`: The starting and ending time of a route leak event. -* `BGP Msgs.`: The number of BGP announcements that contain leaked routes. -* `Prefixes`: The number of IP prefixes a route leak event affects. -* `Origins`: The number of origin ASes a route leak event affects. -* `Vantage Points`: The number of route collectors that observed a route leak event. +- `From`: The autonomous system (AS) from which the routes are learned from. +- `By`: The AS that leaked the routes, or the leaker. +- `To`: The AS that received and propagated the leaked routes. +- `Start` and `End`: The starting and ending time of a route leak event. +- `BGP Msgs.`: The number of BGP announcements that contain leaked routes. +- `Prefixes`: The number of IP prefixes a route leak event affects. +- `Origins`: The number of origin ASes a route leak event affects. +- `Vantage Points`: The number of route collectors that observed a route leak event. -Learn more about our route leak detection system design and usages in [How we detect route leaks and our new Cloudflare Radar route leak service](https://blog.cloudflare.com/route-leak-detection-with-cloudflare-radar/) blog post. 
+Learn more about our route leak detection system design and usages in [How we detect route leaks and our new Cloudflare Radar route leak service](https://blog.cloudflare.com/route-leak-detection-with-cloudflare-radar/) blog post. ## BGP origin hijacks 
@@ -57,14 +56,14 @@ legitimate destination, causing data loss with potential leak of private/confide In Cloudflare Radar, you can inspect the detected BGP origin hijack events in the "BGP Origin Hijacks" table. The columns of the table are defined as follows: -* `ID`: Event ID, clickable and navigates to the event details page. -* `Detected Origin`: The AS that originated the prefixes at the time of detection, potentially being a BGP hijacker. -* `Expected Origin(s)`: The AS(es) that are expected to originate the corresponding prefixes based on various evidences. -* `Start Time (UTC)` and `Duration`: The detected timestamp in UTC with a human-readable time duration for how long the event lasted. Ongoing events will not have a duration value, indicated by the `--` sign. -* `BGP Messages`: The number of BGP messages that contain the detected anomaly. -* `Prefixes`: The prefixes hijacked during the event, showing only one full prefix due to table space limitation. -* `Confidence`: The level of confidence that we have on the event being a true hijacks. Values can be `High`, `Medium`, or `Low`. -* `Tags`: The relevant evidence presented as short tags, presenting key facts we compiled using additional data sources, such as RPKI validation results or network relationship. +- `ID`: Event ID, clickable and navigates to the event details page. +- `Detected Origin`: The AS that originated the prefixes at the time of detection, potentially being a BGP hijacker. +- `Expected Origin(s)`: The AS(es) that are expected to originate the corresponding prefixes based on various evidences. +- `Start Time (UTC)` and `Duration`: The detected timestamp in UTC with a human-readable time duration for how long the event lasted. Ongoing events will not have a duration value, indicated by the `--` sign. +- `BGP Messages`: The number of BGP messages that contain the detected anomaly. 
+- `Prefixes`: The prefixes hijacked during the event, showing only one full prefix due to table space limitation. +- `Confidence`: The level of confidence that we have on the event being a true hijacks. Values can be `High`, `Medium`, or `Low`. +- `Tags`: The relevant evidence presented as short tags, presenting key facts we compiled using additional data sources, such as RPKI validation results or network relationship. You can also access the detection result programmatically via our [public API](/api/resources/radar/subresources/bgp/subresources/hijacks/subresources/events/methods/list/) ([CC BY-NC 4.0](https://creativecommons.org/licenses/by-nc/4.0/) license). @@ -102,6 +101,7 @@ CT helps detect misissued or malicious certificates by requiring CAs to publicly These logs are monitored by various entities, including browsers and security researchers, to ensure transparency and trust in the certificate ecosystem. Key entities in CT include: + - **CAs:** Organizations that issue certificates. - **CT Logs:** Public, append-only logs where issued certificates are recorded. - **Monitors:** Parties that check logs for correctness. 
@@ -123,7 +123,7 @@ Cloudflare Speed Test measures latency multiple times over the course of the tes ## Content categories -Cloudflare uses a variety of data sources to categorize domains. Using Cloudflare Radar, you can view the content categories associated with a given domain. Cloudflare customers using [Cloudflare Gateway](/cloudflare-one/policies/gateway/domain-categories/) or [1.1.1.1 for Families](/1.1.1.1/setup/#1111-for-families) can decide to block certain categories, like "Adult Content", in addition to security threats like malware and phishing. +Cloudflare uses a variety of data sources to categorize domains. Using Cloudflare Radar, you can view the content categories associated with a given domain. Cloudflare customers using [Cloudflare Gateway](/cloudflare-one/traffic-policies/domain-categories/) or [1.1.1.1 for Families](/1.1.1.1/setup/#1111-for-families) can decide to block certain categories, like "Adult Content", in addition to security threats like malware and phishing. In some cases, a domain may be miscategorized. For example, a social media site might be categorized as "Shopping & Auctions". If you believe a domain is miscategorized, or a domain has not yet been categorized, please provide your suggested category using [this form](https://radar.cloudflare.com/domains/feedback) to bring it to our attention. 
@@ -180,7 +180,7 @@ The IQI methodology requires a minimum number of measurements to generate estima ## IRR AS-SETs -An IRR AS-SET is a named collection of Autonomous System Numbers (ASNs) within the Internet Routing Registry (IRR) used to define and manage BGP routing policies. By grouping related networks, such as customers and downstream peers, under a single identifier, network operators can automate the creation of BGP filters, which are essential for preventing the propagation of BGP route leaks. AS-SETs can be hierarchical, meaning they can include other AS-SETs as members, creating a scalable but complex structure. To quantify this complexity, the "AS Cone" measures the total number of unique ASNs in a fully expanded set (its downstream footprint), while "Upstreams" measures how many other AS-SETs include it directly or indirectly, providing insight into its role in the global routing system. +An IRR AS-SET is a named collection of Autonomous System Numbers (ASNs) within the Internet Routing Registry (IRR) used to define and manage BGP routing policies. By grouping related networks, such as customers and downstream peers, under a single identifier, network operators can automate the creation of BGP filters, which are essential for preventing the propagation of BGP route leaks. AS-SETs can be hierarchical, meaning they can include other AS-SETs as members, creating a scalable but complex structure. To quantify this complexity, the "AS Cone" measures the total number of unique ASNs in a fully expanded set (its downstream footprint), while "Upstreams" measures how many other AS-SETs include it directly or indirectly, providing insight into its role in the global routing system. An AS-SET does not inherently includes its owner networks. Cloudflare Radar infers the owner by matching the AS-SET name on [PeeringDB](https://www.peeringdb.com/) or by the name itself. When an AS-SET's owner can be inferred via both methods, we prefer the PeeringDB information. 
@@ -218,23 +218,23 @@ Currently, we only include AI-focused user agents listed in the [ai.robots.txt]( ## TCP resets and timeouts -In the Transmission Control Protocol (TCP), client-initiated connection resets (via the RST flag, TCP's "panic button") are atypical, and indicate to the server that *something went wrong* requiring the connection to be closed immediately. Similarly, connection timeouts (where the server closes a connection due to an unresponsive client) should not happen in conventional data exchanges. For comparison, a typical TCP connection consists of a 3-way handshake initiated by a client with a SYN packet to the server, then a data exchange moderated with ACK and PSH flags in the data packets, and finally a graceful close initiated from either side with a FIN packet. A FIN close is considered graceful because it ensures both sides complete their data transfer before closing the connection. In contrast, a timeout or RST flag triggers a hard stop, even if data is waiting to be sent or acknowledged. See [RFC 9293](https://datatracker.ietf.org/doc/html/rfc9293) for more details on the TCP protocol. +In the Transmission Control Protocol (TCP), client-initiated connection resets (via the RST flag, TCP's "panic button") are atypical, and indicate to the server that _something went wrong_ requiring the connection to be closed immediately. Similarly, connection timeouts (where the server closes a connection due to an unresponsive client) should not happen in conventional data exchanges. For comparison, a typical TCP connection consists of a 3-way handshake initiated by a client with a SYN packet to the server, then a data exchange moderated with ACK and PSH flags in the data packets, and finally a graceful close initiated from either side with a FIN packet. A FIN close is considered graceful because it ensures both sides complete their data transfer before closing the connection. 
In contrast, a timeout or RST flag triggers a hard stop, even if data is waiting to be sent or acknowledged. See [RFC 9293](https://datatracker.ietf.org/doc/html/rfc9293) for more details on the TCP protocol. A TCP server may see timed-out or reset connections for a variety of reasons. Some are benign, such as client applications that lose connectivity or abruptly shut down (e.g., browsers cleaning up closed tabs or port scanners). Others are more concerning, such as [DoS attacks](https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/) or third-party interference. In some cases, a close examination of the packets in a connection can help to shed light on the reason for termination. For example, [Global, Passive Detection of Connection Tampering](https://research.cloudflare.com/publications/SundaraRaman2023/) finds that certain packet patterns can be linked to middlebox connection tampering. On Cloudflare Radar’s [Security & Attacks page](https://radar.cloudflare.com/security-and-attacks), you can view statistics on resets and timeouts from a sample of TCP connections to Cloudflare’s servers, broken down by how far the connection progressed before termination. The plot lines are defined as follows: -* **Post-SYN (mid-handshake)**: Connection resets or timeouts after the server received only a single SYN packet. -* **Post-ACK (immediately post-handshake)**: Connection resets or timeouts after the server received both a SYN packet and an ACK packet, meaning the connection was successfully established. -* **Post-PSH (after first data packet)**: Connection resets or timeouts after the server received a packet with PSH flag set, following connection establishment. The PSH flag indicates that the TCP packet contains data (such as a TLS Client Hello message) ready to deliver to the application. -* **Later (after multiple data packets)**: Connection resets within the first 10 packets from the client, but after the server has received multiple data packets. 
-* **None**: All other connections. +- **Post-SYN (mid-handshake)**: Connection resets or timeouts after the server received only a single SYN packet. +- **Post-ACK (immediately post-handshake)**: Connection resets or timeouts after the server received both a SYN packet and an ACK packet, meaning the connection was successfully established. +- **Post-PSH (after first data packet)**: Connection resets or timeouts after the server received a packet with PSH flag set, following connection establishment. The PSH flag indicates that the TCP packet contains data (such as a TLS Client Hello message) ready to deliver to the application. +- **Later (after multiple data packets)**: Connection resets within the first 10 packets from the client, but after the server has received multiple data packets. +- **None**: All other connections. Learn more about the TCP resets and timeouts dataset in our [blog post](https://blog.cloudflare.com/tcp-resets-timeouts). ## Threat categories -Attackers use multiple types of techniques when carrying out email-based attacks, including links or attachments leading to malware; identity deception, where the message appears to be coming from a trusted contact; and brand impersonation, where the message appears to be coming from a trusted brand. Categories are assigned to the various types of threats found during the analysis of a malicious email message, and a single message can have multiple categories. These categories are aggregated into “Link”, “Attachment”, “Impersonation”, and “Other” groupings. “Link” groups individual threat types where the attacker is trying to get the user to click on something, “Attachment” groups individual threat types where the attacker has attached a file to the email message, and “Impersonation” groups individual threat types where the attacker is impersonating a trusted brand or contact. The “Other” grouping includes other threat types not covered by the previous three. 
The percentages represent the share of malicious email messages where the given threat categories have been found. Data for this metric comes from Cloudflare’s cloud email security service. +Attackers use multiple types of techniques when carrying out email-based attacks, including links or attachments leading to malware; identity deception, where the message appears to be coming from a trusted contact; and brand impersonation, where the message appears to be coming from a trusted brand. Categories are assigned to the various types of threats found during the analysis of a malicious email message, and a single message can have multiple categories. These categories are aggregated into “Link”, “Attachment”, “Impersonation”, and “Other” groupings. “Link” groups individual threat types where the attacker is trying to get the user to click on something, “Attachment” groups individual threat types where the attacker has attached a file to the email message, and “Impersonation” groups individual threat types where the attacker is impersonating a trusted brand or contact. The “Other” grouping includes other threat types not covered by the previous three. The percentages represent the share of malicious email messages where the given threat categories have been found. Data for this metric comes from Cloudflare’s cloud email security service. ## Threat classification 
@@ -242,11 +242,11 @@ Malicious email messages may be part of a phishing campaign, where recipients ar ## Traffic type filter -* **Human Only Traffic**: Traffic that our algorithms determine as being generated by human activity. +- **Human Only Traffic**: Traffic that our algorithms determine as being generated by human activity. -* **Automated Only Traffic**: Traffic that our algorithms determine as being generated by bot or automated script activity. +- **Automated Only Traffic**: Traffic that our algorithms determine as being generated by bot or automated script activity. -* **All Traffic**: Use all traffic, which includes both human activity and automated activity. +- **All Traffic**: Use all traffic, which includes both human activity and automated activity. ## Trends diff --git a/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx b/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx index e01913487135db..d0385606059ebe 100644 --- a/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx +++ b/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx 
@@ -50,7 +50,7 @@ Microsoft and Cloudflare can be integrated in the following ways. - Using Microsoft [Entra ID](https://learn.microsoft.com/en-us/entra/fundamentals/whatis) for authentication to all Cloudflare protected resources - Leveraging Microsoft [Intune](https://learn.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune) device posture in Cloudflare policies to ensure only managed, trusted devices have access to protected resources - Using Cloudflare [CASB](/cloudflare-one/applications/casb/) to inspect your [Microsoft 365](https://www.microsoft.com/en-us/microsoft-365/what-is-microsoft-365) tenants and alert on security findings for incorrectly configured accounts and shared files containing sensitive data -- Using Cloudflare's [Secure Web Gateway](/cloudflare-one/policies/gateway/) to control access to Microsoft SaaS applications such as Outlook, OneDrive and Teams +- Using Cloudflare's [Secure Web Gateway](/cloudflare-one/traffic-policies/) to control access to Microsoft SaaS applications such as Outlook, OneDrive and Teams - Using Cloudflare's [Email Security](/email-security/) service to increase protection of email from phishing attacks and business email compromise. ### Microsoft Entra ID with Cloudflare diff --git a/src/content/docs/reference-architecture/architectures/sase.mdx b/src/content/docs/reference-architecture/architectures/sase.mdx index 5fca0de05d8fde..37074dc5e0fab3 100644 --- a/src/content/docs/reference-architecture/architectures/sase.mdx +++ b/src/content/docs/reference-architecture/architectures/sase.mdx 
@@ -1,7 +1,19 @@ --- title: Evolving to a SASE architecture with Cloudflare pcx_content_type: reference-architecture -products: [access, gateway, casb, email-security-cf1, dex, browser-isolation, dlp, magic-wan, magic-firewall, magic-transit] +products: + [ + access, + gateway, + casb, + email-security-cf1, + dex, + browser-isolation, + dlp, + magic-wan, + magic-firewall, + magic-transit, + ] sidebar: order: 1 label: Secure Access Service Edge (SASE) 
@@ -190,7 +202,7 @@ SaaS applications are inherently always connected to and accessed via the public The SWG includes policies that examine outbound traffic requests and inbound content responses to determine if the user, device, or network location has access to resources on the Internet. Organizations can use these policies to control access to approved SaaS applications, as well as detect and block the use of unapproved applications (also known as [shadow IT](https://www.cloudflare.com/learning/access-management/what-is-shadow-it/)). -Some SaaS applications allow organizations to configure an IP address allowlist, which limits access to the application based on the source IP address of the request. With Cloudflare, organizations can obtain dedicated [egress IP](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/) addresses, which can be used as the source address for all traffic leaving their network. When combined with an allowlist in a SaaS application, organizations can ensure that users are only able to access applications if they are first connected to Cloudflare. (More detail on this approach is outlined in a later section about connecting user devices.) +Some SaaS applications allow organizations to configure an IP address allowlist, which limits access to the application based on the source IP address of the request. With Cloudflare, organizations can obtain dedicated [egress IP](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) addresses, which can be used as the source address for all traffic leaving their network. When combined with an allowlist in a SaaS application, organizations can ensure that users are only able to access applications if they are first connected to Cloudflare. (More detail on this approach is outlined in a later section about connecting user devices.) 
Another method to secure access to SaaS applications is to configure single sign-on (SSO) so that Cloudflare becomes an identity proxy — acting as the identity provider (IDP) — as part of the authentication and authorization process. @@ -395,7 +407,7 @@ Another option to ensure device traffic is sent to Cloudflare is to use [remote RBI renders the received content in an isolated and secure cloud environment. Instead of executing the web content locally, the user device receives commands for how to "draw" the final rendered web page over a highly optimized protocol supported by all HTML5-compliant browsers on all operating systems. Because the remote browser runs on Cloudflare's servers, SWG policies are automatically applied to all browser requests. -Ensuring access to sites is protected with RBI does not require any local software installation or reconfiguring the user's browser. Below are [several ways](/cloudflare-one/policies/browser-isolation/setup/) to accomplish this: +Ensuring access to sites is protected with RBI does not require any local software installation or reconfiguring the user's browser. Below are [several ways](/cloudflare-one/remote-browser-isolation/setup/) to accomplish this: - Typically, a remote browser session is started as the result of an SWG policy — the user just requests websites without being notified that the content is loading in a remote browser. - Organizations can also provide users with a link that automatically ensures RBI always processes each request. 
@@ -412,7 +424,7 @@ Isolating web applications and applying policies to risky websites helps organiz #### Agentless DNS Filtering -Another option for securing traffic via the Cloudflare network is to configure the device to forward DNS traffic to Cloudflare to be inspected and filtered. First [DNS locations](/cloudflare-one/policies/gateway/initial-setup/dns/#connect-dns-locations) are created which allow policies to be applied based on different network locations. They can be determined either by the source IP address for the request or you can use "[DNS over TLS](https://www.cloudflare.com/learning/dns/dns-over-tls/)" or "[DNS over HTTPS](https://www.cloudflare.com/learning/dns/dns-over-tls/)". +Another option for securing traffic via the Cloudflare network is to configure the device to forward DNS traffic to Cloudflare to be inspected and filtered. First [DNS locations](/cloudflare-one/traffic-policies/initial-setup/dns/#connect-dns-locations) are created which allow policies to be applied based on different network locations. They can be determined either by the source IP address for the request or you can use "[DNS over TLS](https://www.cloudflare.com/learning/dns/dns-over-tls/)" or "[DNS over HTTPS](https://www.cloudflare.com/learning/dns/dns-over-tls/)". When using source IP addresses, either the device will need to be told which DNS servers to use, or the local DNS server on the network the device is connected to needs to forward all DNS queries to Cloudflare. For DNS over TLS or HTTPS support, the devices need to be configured and support varies. Our recommendation is to use DNS over HTTPS which has wider operating system support. 
@@ -536,9 +548,9 @@ Connecting an IdP to Cloudflare provides the ability to make access decisions ba ### Lists -Cloudflare's vast intelligent network continually monitors billions of web assets and [categorizes them](/cloudflare-one/policies/gateway/domain-categories/) based on our threat intelligence and general knowledge of Internet content. You can use our free [Cloudflare Radar](https://radar.cloudflare.com/) service to examine what categories might be applied to any specific domain. Policies can then include these categories to block known and potential security risks on the public Internet, as well as specific categories of content. +Cloudflare's vast intelligent network continually monitors billions of web assets and [categorizes them](/cloudflare-one/traffic-policies/domain-categories/) based on our threat intelligence and general knowledge of Internet content. You can use our free [Cloudflare Radar](https://radar.cloudflare.com/) service to examine what categories might be applied to any specific domain. Policies can then include these categories to block known and potential security risks on the public Internet, as well as specific categories of content. -Additionally, Cloudflare's SWG offers the flexibility to create and maintain customized [lists of data](/cloudflare-one/policies/gateway/lists/). These lists can be uploaded via CSV files, manually maintained, or integrated with other processes and applications using the Cloudflare API. A list can contain the following data: +Additionally, Cloudflare's SWG offers the flexibility to create and maintain customized [lists of data](/cloudflare-one/traffic-policies/lists/). These lists can be uploaded via CSV files, manually maintained, or integrated with other processes and applications using the Cloudflare API. A list can contain the following data: - URLs - Hostnames 
@@ -663,15 +675,15 @@ Having acquired a comprehensive understanding of Cloudflare's SASE platform, you It's worth noting that many of the capabilities described in this document can be used for free, without any time constraints, for up to 50 users. [Sign up](https://dash.cloudflare.com/sign-up) for an account and head to the [Zero Trust](https://one.dash.cloudflare.com/) section. While this document has provided an overview of the platform as a whole, for those interested in delving deeper into specific areas, we recommend exploring the following resources. -| Topic | Content | -| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Topic | Content | +| ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Cloudflare Tunnels | [Understanding Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/) - [Open source repository for `cloudflared`](https://github.com/cloudflare/cloudflared) | -| WAN as a Service | [Cloudflare Magic WAN documentation](/magic-wan/) | -| Secure Web Gateway | [How to build Gateway policies](/cloudflare-one/policies/gateway/) | -| Zero Trust Network Access | [How to build Access policies](/cloudflare-one/policies/access/) | -| Remote Browser Isolation | [Understanding browser isolation](/cloudflare-one/policies/browser-isolation/) | -| API-Driven CASB | [Scanning SaaS applications](/cloudflare-one/applications/casb/) | -| Email Security | [Understanding Cloudflare Email Security](/email-security/) | -| Replacing your VPN | [Using Cloudflare to replace your VPN](/learning-paths/replace-vpn/concepts/) | +| WAN as a Service | [Cloudflare Magic WAN documentation](/magic-wan/) | +| Secure Web Gateway | [How to build Gateway 
policies](/cloudflare-one/traffic-policies/) | +| Zero Trust Network Access | [How to build Access policies](/cloudflare-one/access-controls/policies/) | +| Remote Browser Isolation | [Understanding browser isolation](/cloudflare-one/remote-browser-isolation/) | +| API-Driven CASB | [Scanning SaaS applications](/cloudflare-one/applications/casb/) | +| Email Security | [Understanding Cloudflare Email Security](/email-security/) | +| Replacing your VPN | [Using Cloudflare to replace your VPN](/learning-paths/replace-vpn/concepts/) | If you would like to discuss your SASE requirements in greater detail and connect with one of our architects, please visit [https://www.cloudflare.com/cloudflare-one/](https://www.cloudflare.com/cloudflare-one/) and request a consultation. diff --git a/src/content/docs/reference-architecture/architectures/security.mdx b/src/content/docs/reference-architecture/architectures/security.mdx index fc08349b81d0ca..d909c2d209e92f 100644 --- a/src/content/docs/reference-architecture/architectures/security.mdx +++ b/src/content/docs/reference-architecture/architectures/security.mdx @@ -1,7 +1,28 @@ --- title: Cloudflare Security Architecture pcx_content_type: reference-architecture -products: [access, casb, dlp, gateway, email-security-cf1, workers, turnstile, magic-wan, magic-firewall, magic-transit, api-shield, bots, ddos-protection, dns-firewall, page-shield, ssl, spectrum, security-center, waf] +products: + [ + access, + casb, + dlp, + gateway, + email-security-cf1, + workers, + turnstile, + magic-wan, + magic-firewall, + magic-transit, + api-shield, + bots, + ddos-protection, + dns-firewall, + page-shield, + ssl, + spectrum, + security-center, + waf, + ] sidebar: order: 1 label: Security Architecture 
@@ -505,9 +526,9 @@ Existing private infrastructure can be complex. Cloudflare provides a variety of | ------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [Magic WAN](/magic-wan/) | IPsec or GRE tunnel from networking devices to Cloudflare, routing entire network traffic. | Connecting existing network routers to Cloudflare. Allowing all traffic into and out of the network to go through Cloudflare. | | [Magic WAN Connector](/magic-wan/configuration/connector/) | Appliance-based IPsec or GRE tunnel from networking devices to Cloudflare, routing entire network traffic. | Uses the same technology as Magic WAN; however, instead of using existing networking devices, a dedicated appliance or virtual machine is used — the Magic WAN Connector. | -| [cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/) | Software agent deployed on servers or alongside services like Kubernetes for creating a tunnel for incoming connections to private applications or networks. | IT admins or application owners can easily install this tunnel software to expose their application to the Cloudflare network. | -| [WARP Connector](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) | Software agent deployed on servers for creating a tunnel for incoming and outgoing connections to private applications or networks. | Similar to cloudflared, but supports East to West traffic and is often used in place of Magic WAN when there is no ability to create an IPsec tunnel from existing devices. 
| -| [WARP Desktop Agent](/cloudflare-one/team-and-resources/devices/warp/) | Software agent deployed on user devices, creating a tunnel for traffic to and from private applications and networks. | Connecting end user devices like phones and laptops to be part of the Cloudflare network. | +| [cloudflared](/cloudflare-one/networks/connectors/cloudflare-tunnel/) | Software agent deployed on servers or alongside services like Kubernetes for creating a tunnel for incoming connections to private applications or networks. | IT admins or application owners can easily install this tunnel software to expose their application to the Cloudflare network. | +| [WARP Connector](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) | Software agent deployed on servers for creating a tunnel for incoming and outgoing connections to private applications or networks. | Similar to cloudflared, but supports East to West traffic and is often used in place of Magic WAN when there is no ability to create an IPsec tunnel from existing devices. | +| [WARP Desktop Agent](/cloudflare-one/team-and-resources/devices/warp/) | Software agent deployed on user devices, creating a tunnel for traffic to and from private applications and networks. | Connecting end user devices like phones and laptops to be part of the Cloudflare network. | | [Cloudflare Network Interconnect](https://www.cloudflare.com/network-services/products/network-interconnect/) | Direct connection between your physical networks and Cloudflare. | When your applications live in the same data centers we operate in, we can connect those networks directly to Cloudflare. | For more details on how these methods work, please refer to our [SASE reference architecture](/reference-architecture/architectures/sase/). 
@@ -526,7 +547,7 @@ There may be instances where you cannot install software on end user devices. In ##### Isolated browser -In some situations, you have no ability to modify the end device in any way. In those instances we provide the ability for a user to access a browser that runs directly on our edge network. This [browser isolation service](/cloudflare-one/policies/browser-isolation/) requires users to point their browser at a Cloudflare URL, which in turn runs a headless, secure browser on one of our edge servers. Secure vectors are then used over HTTPS and WebRTC connections. For more information, refer to [this architecture](/reference-architecture/diagrams/sase/sase-clientless-access-private-dns/). +In some situations, you have no ability to modify the end device in any way. In those instances we provide the ability for a user to access a browser that runs directly on our edge network. This [browser isolation service](/cloudflare-one/remote-browser-isolation/) requires users to point their browser at a Cloudflare URL, which in turn runs a headless, secure browser on one of our edge servers. Secure vectors are then used over HTTPS and WebRTC connections. For more information, refer to [this architecture](/reference-architecture/diagrams/sase/sase-clientless-access-private-dns/). #### Integrating identity systems 
@@ -542,8 +563,8 @@ This centralization of identity into a common access control layer allows you to The focus on this document is about security, and now that applications, devices, identities, and networks are all connected, every request to and from any resource on the network, and also to the Internet, is now subject to Cloudflare's access control and firewall services. There are two services that apply policy-based controls to traffic. -- **Zero Trust Network Access**: Our [Access](/cloudflare-one/policies/access/) product manages access to specific networks or applications that are deemed private. It enforces authentication either for users via an existing identity provider, or for other applications via service tokens or mTLS. -- **Secure Web Gateway**: Our [Gateway](/cloudflare-one/policies/gateway/) product is used to analyze traffic and apply policies, no matter the destination. It is most commonly used to allow, block, or isolate traffic that is destined for the Internet. This can be used to apply access controls to SaaS applications, but any traffic flowing through Cloudflare can be inspected and acted upon by Gateway. Therefore it can also be used to add additional access controls to non-Internet, private tunneled applications. +- **Zero Trust Network Access**: Our [Access](/cloudflare-one/access-controls/policies/) product manages access to specific networks or applications that are deemed private. It enforces authentication either for users via an existing identity provider, or for other applications via service tokens or mTLS. +- **Secure Web Gateway**: Our [Gateway](/cloudflare-one/traffic-policies/) product is used to analyze traffic and apply policies, no matter the destination. It is most commonly used to allow, block, or isolate traffic that is destined for the Internet. This can be used to apply access controls to SaaS applications, but any traffic flowing through Cloudflare can be inspected and acted upon by Gateway. 
Therefore it can also be used to add additional access controls to non-Internet, private tunneled applications. ![Cloudflare's ZTNA and SWG services can be combined to secure both private and Internet access.](~/assets/images/reference-architecture/security/security-ref-arch-21.svg) 
@@ -562,15 +583,15 @@ It is possible to define access groups of users that can be applied across multi All traffic is flowing through Cloudflare, so therefore all data is flowing through Cloudflare. This allows you to apply data controls on that traffic. Typically, employees are allowed access to sensitive applications and data only on managed devices where the device agent installs Cloudflare certificates that allow Cloudflare to terminate SSL connections on our network. This in turn allows for inspection of the contents of HTTPS web traffic and policy can be written to manage and secure that data. -Cloudflare has a [data loss prevention](/cloudflare-one/policies/data-loss-prevention/) (DLP) service that defines profiles that can be used to identify sensitive data. These profiles are then used in Gateway policies to match specific traffic and either allow, block, or isolate it. +Cloudflare has a [data loss prevention](/cloudflare-one/data-loss-prevention/) (DLP) service that defines profiles that can be used to identify sensitive data. These profiles are then used in Gateway policies to match specific traffic and either allow, block, or isolate it. The same DLP profiles can also be used in our Cloud Access Security Broker (CASB) service, where Cloudflare is integrated via APIs to SaaS applications. We then scan the storage and configuration of those applications looking for misconfiguration or sensitive data that's publicly exposed. #### Securing Internet access -A lot of this section has focused on protecting access to private networks and applications, but a business must also protect their employees and their devices. Our [secure web gateway](/cloudflare-one/policies/gateway/) (SWG) service sits between users connected to Cloudflare and any resource they are attempting to access, both public and private. Policies can be written to prevent employees from accessing high-risk websites or known sites that distribute malware. 
Policies can also be written to mitigate phishing attacks by blocking access to domains and websites known to be part of phishing campaigns. Protecting users and their devices from Internet threats also reduces associated risks of those same users and devices accessing private resources. +A lot of this section has focused on protecting access to private networks and applications, but a business must also protect their employees and their devices. Our [secure web gateway](/cloudflare-one/traffic-policies/) (SWG) service sits between users connected to Cloudflare and any resource they are attempting to access, both public and private. Policies can be written to prevent employees from accessing high-risk websites or known sites that distribute malware. Policies can also be written to mitigate phishing attacks by blocking access to domains and websites known to be part of phishing campaigns. Protecting users and their devices from Internet threats also reduces associated risks of those same users and devices accessing private resources. -Another critical private resource to secure is email. This is often one of the most private of all resources, as it contains confidential communications across your entire organization. It's also a common attack surface, mostly by way of phishing attacks. [Email Security](https://www.cloudflare.com/zero-trust/products/email-security/) (CES) examines all emails in your employee's inboxes and detects spoofed, malicious, or suspicious emails and can be configured to act accordingly. CES can be integrated by changing your domain MX records and redirecting all email via Cloudflare. Another option, for Microsoft and Google, is to integrate via API and inspect email already in a user’s inbox. 
For suspicious emails, links in the email are rewritten to leverage Cloudflare's [browser isolation service](/cloudflare-one/policies/browser-isolation/) so that when a user heads to that website, their local machine is protected against any malicious code that might be running in the browser. +Another critical private resource to secure is email. This is often one of the most private of all resources, as it contains confidential communications across your entire organization. It's also a common attack surface, mostly by way of phishing attacks. [Email Security](https://www.cloudflare.com/zero-trust/products/email-security/) (CES) examines all emails in your employee's inboxes and detects spoofed, malicious, or suspicious emails and can be configured to act accordingly. CES can be integrated by changing your domain MX records and redirecting all email via Cloudflare. Another option, for Microsoft and Google, is to integrate via API and inspect email already in a user’s inbox. For suspicious emails, links in the email are rewritten to leverage Cloudflare's [browser isolation service](/cloudflare-one/remote-browser-isolation/) so that when a user heads to that website, their local machine is protected against any malicious code that might be running in the browser. ![Cloud email security filters unwanted email traffic from your users inboxes.](~/assets/images/reference-architecture/security/security-ref-arch-23.svg) diff --git a/src/content/docs/reference-architecture/design-guides/designing-ztna-access-policies.mdx b/src/content/docs/reference-architecture/design-guides/designing-ztna-access-policies.mdx index 7eb843a0b4ffed..19e85c50f6c7cc 100644 --- a/src/content/docs/reference-architecture/design-guides/designing-ztna-access-policies.mdx +++ b/src/content/docs/reference-architecture/design-guides/designing-ztna-access-policies.mdx 
@@ -15,7 +15,7 @@ Organizations today are increasingly adopting a [Zero Trust security](https://ww Typically two technologies play a role in a Zero Trust architecture. First, a [Secure Web Gateway (SWG)](https://www.cloudflare.com/learning/access-management/what-is-a-secure-web-gateway/) filters outbound traffic destined for the Internet and blocks users from accessing high risk websites such as those involved in phishing campaigns. Then, to enable remote access for users to SaaS apps, internally-hosted applications and networks, Zero Trust Network Access ([ZTNA](https://www.cloudflare.com/learning/access-management/what-is-ztna/)) services are used to create secure tunnels and provide access for remote users into private applications. -This guide is for customers looking to deploy Cloudflare's ZTNA service ([Access](/cloudflare-one/policies/access/)) and provides best practices and guidelines for how to effectively build the right policies. If you have not already done so, we recommend also reading Cloudflare's [SASE reference architecture](/reference-architecture/architectures/sase/), which goes into detail on all aspects of how to use Cloudflare as part of your Zero Trust initiatives. +This guide is for customers looking to deploy Cloudflare's ZTNA service ([Access](/cloudflare-one/access-controls/policies/)) and provides best practices and guidelines for how to effectively build the right policies. If you have not already done so, we recommend also reading Cloudflare's [SASE reference architecture](/reference-architecture/architectures/sase/), which goes into detail on all aspects of how to use Cloudflare as part of your Zero Trust initiatives. ### Who is this document for and what will you learn? 
@@ -25,7 +25,7 @@ This document is aimed at administrators who are evaluating or have adopted Clou - **Building policies**: The main components of an access policy and how they are combined. - **Use cases**: Common use cases and policies that can serve as blueprints for your own policy designs. -This design guide assumes you have a basic understanding of Cloudflare's ZTNA solution, [Cloudflare Access](/cloudflare-one/policies/access/). Therefore, this guide focuses on designing effective access policies and assumes you have already configured [DNS](/cloudflare-one/policies/gateway/initial-setup/dns/), [identity](/cloudflare-one/identity/) and [device posture providers](/cloudflare-one/identity/devices/service-providers/) as well as [created connectivity](/cloudflare-one/networks/) to self-hosted applications and related networks. +This design guide assumes you have a basic understanding of Cloudflare's ZTNA solution, [Cloudflare Access](/cloudflare-one/access-controls/policies/). Therefore, this guide focuses on designing effective access policies and assumes you have already configured [DNS](/cloudflare-one/traffic-policies/initial-setup/dns/), [identity](/cloudflare-one/identity/) and [device posture providers](/cloudflare-one/identity/devices/service-providers/) as well as [created connectivity](/cloudflare-one/networks/) to self-hosted applications and related networks. By the end of this guide, you will be equipped to implement granular access policies that enforce Zero Trust principles across various common enterprise scenarios. 
@@ -89,7 +89,7 @@ When a user makes a request to access an application, they must first authentica Cloudflare Access supports four main types of applications: - **Self-hosted** refers to applications that your organization hosts and manages, either on premises or in the cloud. Cloudflare creates a public hostname which it uses to proxy traffic through a secure tunnel to the application. While access via public hostnames is supported if your server is just publicly facing on the Internet, we recommend you use `cloudflared` to create a secure, outbound-only connection from your application to Cloudflare's edge. Once that occurs, Cloudflare will then reverse proxy the target application/content to your users. -- **Private IP** applications are similarly privately hosted, but lack fully-qualified public hostnames. Access can be facilitated via `cloudflared`, WARP Connector, Cloudflare Magic WAN, or Cloudflare Network Interconnect. Remote users not connected to a network already connected to Cloudflare will need to use the device client to get access to the application via private IP and to avoid using IP addresses with users, use [internal DNS services](/cloudflare-one/policies/gateway/resolver-policies/#use-cases) to resolve private hostnames to private IP addresses. But it is possible to provide access without any software deployed to the client by using our agentless [browser isolation service](/reference-architecture/diagrams/sase/sase-clientless-access-private-dns/). +- **Private IP** applications are similarly privately hosted, but lack fully-qualified public hostnames. Access can be facilitated via `cloudflared`, WARP Connector, Cloudflare Magic WAN, or Cloudflare Network Interconnect. 
Remote users not connected to a network already connected to Cloudflare will need to use the device client to get access to the application via private IP and to avoid using IP addresses with users, use [internal DNS services](/cloudflare-one/traffic-policies/resolver-policies/#use-cases) to resolve private hostnames to private IP addresses. But it is possible to provide access without any software deployed to the client by using our agentless [browser isolation service](/reference-architecture/diagrams/sase/sase-clientless-access-private-dns/). - **SaaS** applications are accessed over the public Internet, and therefore do not require any tunnel connectivity to Cloudflare. Instead, Access acts as an identity proxy between users and the SaaS application. When a user attempts to access the SaaS app, they are first authenticated by Cloudflare, which redirects to your main identity service. SaaS applications are then configured via SAML or OAuth to trust Cloudflare. This allows organizations to implement additional security layers (like device posture checks) and centralize access control for their SaaS applications, even if the SaaS or identity provider does not natively support these features. - **Infrastructure** applications enable users to control access to individual servers, clusters or databases in a private network. Infrastructure apps work by defining a 'target' proxied over `cloudflared`, but allows users to group multiple machines under the same target - essentially, allowing users to define common access policies across potentially disparate infrastructure resources. Built-in access and command logging capabilities means organizations can maintain detailed audit trails for compliance and security investigation purposes. 
@@ -154,7 +154,7 @@ Each rule is a filter to determine which users this policy is going to affect. T - **Require** rules set mandatory conditions that must be met for access to be granted. Unlike Include rules, "Require" rules use AND logic — every rule must be met. This is typically used to layer security on top of the basic access criteria defined by Include rules. For example, administrators can require that anyone trying to access an application use specific MFA methods. -- **Exclude** rules define exceptions to access, overriding other rule types. If a user matches an "Exclude" rule, they're denied access regardless of other policy conditions. For example, a user may meet a requirement to use a MFA method during login, but if their specific [multifactor authentication (MFA) method](/cloudflare-one/policies/access/mfa-requirements/) is defined in an Exclude rule, they will be blocked by the policy. Alternatively, if a user is associated with a 'high risk' IdP group, they can be excluded on that basis even if they meet all the other posture requirements. +- **Exclude** rules define exceptions to access, overriding other rule types. If a user matches an "Exclude" rule, they're denied access regardless of other policy conditions. For example, a user may meet a requirement to use a MFA method during login, but if their specific [multifactor authentication (MFA) method](/cloudflare-one/access-controls/policies/mfa-requirements/) is defined in an Exclude rule, they will be blocked by the policy. Alternatively, if a user is associated with a 'high risk' IdP group, they can be excluded on that basis even if they meet all the other posture requirements. A useful way to imagine how these different types of rules are applied, is to imagine a funnel. Include selectors define what attributes of the user, traffic or device are included in the policy that will be Allowed, Blocked and so on. 
Require then further filters from that list what attributes must be associated with the user with the Exclude type filtering out users who have matched both the Include and Require. @@ -162,7 +162,7 @@ A useful way to imagine how these different types of rules are applied, is to im The above diagram visualises an example for the policy "All employees and contractors on secure devices using strong MFA". Anyone in the group "All Employees" or contractors who have authenticated with a username in their company domain will match this policy. They are required to be using a device that has the latest OS and is using encrypted storage. They must have authenticated with an MFA factor, but not SMS. Also, they must be accessing the application via Cloudflare's secure web gateway. -There are many different [types of selectors](/cloudflare-one/policies/access/#selectors). While every possible selector is not listed here, the following lists specific outcomes that organizations using Cloudflare Access typically desire when building policies. This will help you understand how to achieve a specific outcome. +There are many different [types of selectors](/cloudflare-one/access-controls/policies/#selectors). While every possible selector is not listed here, the following lists specific outcomes that organizations using Cloudflare Access typically desire when building policies. This will help you understand how to achieve a specific outcome. - **Is user traffic coming over Cloudflare Gateway?** Guaranteeing that a user only accesses an application over our SWG, Cloudflare Gateway, is a great way to prevent unauthorized access due to phishing or credential theft. Additionally, you can ensure all traffic bound to the application is logged and filtered by Cloudflare Gateway. 
@@ -182,7 +182,7 @@ There are many different [types of selectors](/cloudflare-one/policies/access/#s - **Individual or organizational emails** All identity services provide an email address, which in many cases matches the individual's username. Using an email in a policy can be useful when wanting to allow access to an entire domain of users, but they might authenticate via a consumer IdP that allows for any email. For example, you might only allow access for users who have authenticated via GitHub using their @company.com email address. - Another good use of this selector is if you are managing a [list of emails](/cloudflare-one/policies/gateway/lists/) of users that might be high risk or have been blocked from a specific application. You can use an Exclude rule, with your list to ensure a subset of users cannot access an application. + Another good use of this selector is if you are managing a [list of emails](/cloudflare-one/traffic-policies/lists/) of users that might be high risk or have been blocked from a specific application. You can use an Exclude rule, with your list to ensure a subset of users cannot access an application. - **How did the user authenticate?** When an identity provider authenticates a user and then redirects them back to Cloudflare, it includes information about what authentication method was used. This is typically sent as [Authentication Method Reference](https://datatracker.ietf.org/doc/html/rfc8176) data. Using this you can check if MFA was used and what type. 
@@ -196,7 +196,7 @@ There are many different [types of selectors](/cloudflare-one/policies/access/#s You can set rules based on the IP range of the incoming request. This could be allowing access only from your corporate network IP ranges. - **Is it possible to verify device or user information from a list?** - Sometimes, you might want to grant or restrict access based on specific device or user characteristics that do not fit neatly into other categories. This is where [lists](/cloudflare-one/policies/gateway/lists/) come in handy: you can define or import a list of contractor emails, or a list of approved device serial numbers and use those as criteria within an Access policy. These lists can be updated manually or via our [API](/api/resources/zero_trust/subresources/gateway/subresources/lists/methods/create/), allowing for integration with other device or user management systems. + Sometimes, you might want to grant or restrict access based on specific device or user characteristics that do not fit neatly into other categories. This is where [lists](/cloudflare-one/traffic-policies/lists/) come in handy: you can define or import a list of contractor emails, or a list of approved device serial numbers and use those as criteria within an Access policy. These lists can be updated manually or via our [API](/api/resources/zero_trust/subresources/gateway/subresources/lists/methods/create/), allowing for integration with other device or user management systems. - **Is the device's security posture adequate?** This is where the device client provides telemetry on the native device making the access request. It accomplishes this by performing device-level scans. Is the device's hard drive encrypted? The agent can check if technologies like BitLocker or FileVault are active, in addition to checking for specific volume names. If you are protecting a sensitive application, or something that holds critical information, this is an effective requirement to enforce. 
@@ -217,11 +217,11 @@ Below are a few additional application settings to consider that help improve se ##### Isolate application -Sometimes you want to manage access to a self-hosted application for less trusted, third-party users such as contractors or partners. You might want to allow them to read content in an application, but limit their ability to download files, copy and paste data, and print the page. Cloudflare Access allows you to render the application in a remote [browser](/cloudflare-one/policies/access/isolate-application/) (using [remote browser isolation, or RBI](/cloudflare-one/policies/browser-isolation/)) so that the application is rendered using a headless browser on our network versus sending all the content down to the user's browser. This allows Cloudflare to then enforce a range of controls over how the user can interact with the content. +Sometimes you want to manage access to a self-hosted application for less trusted, third-party users such as contractors or partners. You might want to allow them to read content in an application, but limit their ability to download files, copy and paste data, and print the page. Cloudflare Access allows you to render the application in a remote [browser](/cloudflare-one/access-controls/policies/isolate-application/) (using [remote browser isolation, or RBI](/cloudflare-one/remote-browser-isolation/)) so that the application is rendered using a headless browser on our network versus sending all the content down to the user's browser. This allows Cloudflare to then enforce a range of controls over how the user can interact with the content. The setting is at the policy level, so one policy can allow trusted users (such as employees) to access applications normally, while another policy with browser isolation enabled can apply the RBI service for contractors. 
-This setting forces traffic to an isolated browser before being delivered to the end user, which means all traffic is then inspected and managed by Cloudflare Gateway. To limit what the user can do, you need to create an accompanying policy in the gateway, which also identifies the same users and then enforces the [controls](/cloudflare-one/policies/browser-isolation/isolation-policies/#policy-settings) you wish to limit access. Note that it is important to write the Gateway policy such that it only enforces RBI for the same group of users accessing the application that the Cloudflare Access policy applies to. Otherwise, the policy will default to enforce browser isolation for all users. +This setting forces traffic to an isolated browser before being delivered to the end user, which means all traffic is then inspected and managed by Cloudflare Gateway. To limit what the user can do, you need to create an accompanying policy in the gateway, which also identifies the same users and then enforces the [controls](/cloudflare-one/remote-browser-isolation/isolation-policies/#policy-settings) you wish to limit access. Note that it is important to write the Gateway policy such that it only enforces RBI for the same group of users accessing the application that the Cloudflare Access policy applies to. Otherwise, the policy will default to enforce browser isolation for all users. It is possible to actually enforce RBI for the same set of users if they attempt to access the application using a non-secured device. In this case, you would continue to define a policy for employees in Cloudflare Access. But then, also create a policy in Cloudflare Gateway to isolate the application if users going to the same application URL have failed a device posture check that deems the device is not managed or secure. This could be if the device does not have the company endpoint security client (Crowdstrike or SentinelOne for example) installed, or has failed a security check. 
We will demonstrate this in the use cases below. @@ -237,7 +237,7 @@ Add an additional layer of access control by requiring users to obtain "temporar ### Access Groups -One of the most important parts of defining ZTNA policies is to leverage reusable elements called [Access Groups](/cloudflare-one/policies/access/groups/). Each access group uses the same rules we've just described to define users, traffic or devices. These groups can then be used across many policies to allow, deny, bypass, or isolate access to an application. +One of the most important parts of defining ZTNA policies is to leverage reusable elements called [Access Groups](/cloudflare-one/access-controls/policies/groups/). Each access group uses the same rules we've just described to define users, traffic or devices. These groups can then be used across many policies to allow, deny, bypass, or isolate access to an application. For example, you can define "Employees" once as an Access Group, and then use that in every application policy where you want to refer to employees. Updates to this Access Group would then be reflected in every policy. This is also a good way to include nested logic (for example, users with a Linux device and has antivirus software enabled) 
@@ -364,7 +364,7 @@ The key benefit here is centralizing security policy enforcement across your ent In the context of this use case, it is important to protect Salesforce — which contains sensitive customer data — against misuse, and to secure access only to authorized users. We are going to design a secure access policy that can cover both of these objectives. -The first step is to configure an [egress IP policy under Cloudflare Gateway](/cloudflare-one/policies/gateway/egress-policies/). This allows you to purchase and assign specific IPs to your users that have their traffic filtered via Gateway. Then in Salesforce, you can enforce that access is only permitted for traffic with a source IP that matches the one in your egress policy. This combination ensures that the only way to get access to Salesforce is via Cloudflare. +The first step is to configure an [egress IP policy under Cloudflare Gateway](/cloudflare-one/traffic-policies/egress-policies/). This allows you to purchase and assign specific IPs to your users that have their traffic filtered via Gateway. Then in Salesforce, you can enforce that access is only permitted for traffic with a source IP that matches the one in your egress policy. This combination ensures that the only way to get access to Salesforce is via Cloudflare. | Egress Policy | | | :---------------------------------- | :--------------- | 
@@ -470,7 +470,7 @@ Define the policy: Inside the policy, we have made this application available to our new access group for IT Admins. Under "Require," we are enforcing the use of Cloudflare WARP specifically (as opposed to only Cloudflare Gateway). The user must be on a company-managed device, with an active device client that is authenticated to the company's instance of Cloudflare, MFA must be used during login, and there is an additional option below for external evaluation. -[External evaluation](/cloudflare-one/policies/access/external-evaluation/) means we have an API endpoint containing some sort of [access logic](https://github.com/cloudflare/workers-access-external-auth-example) — in this case, time of day access. We are making an API call to this endpoint, and defining the key that Cloudflare is using to verify that the response came from the API. This is useful for several reasons: +[External evaluation](/cloudflare-one/access-controls/policies/external-evaluation/) means we have an API endpoint containing some sort of [access logic](https://github.com/cloudflare/workers-access-external-auth-example) — in this case, time of day access. We are making an API call to this endpoint, and defining the key that Cloudflare is using to verify that the response came from the API. This is useful for several reasons: External evaluation allows users to create bespoke security posture checks based on criteria that may not be covered by the default set of posture checks. For this example, we will be using a service built on [Cloudflare Workers](https://workers.cloudflare.com/). diff --git a/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx b/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx index 9ebc1b519e4988..aa845a100e58d7 100644 --- a/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx +++ b/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx 
@@ -1,7 +1,7 @@
 ---
 title: Network-focused migration from VPN concentrators to Zero Trust Network Access
 pcx_content_type: design-guide
-products: [access, gateway, magic-wan, network-interconnect]
+products: [access, gateway, magic-wan, network-interconnect]
 sidebar:
 label: "Network-focused VPN migration"
 reviewed: 2024-09-17
@@ -109,13 +109,13 @@ Both employee devices and data center networks will connect to their closest Clo ### Connecting networks to Cloudflare -Figure 4 shows traffic from end user devices to Cloudflare and tunnels routing traffic to private data centers. When user traffic reaches the closest Cloudflare access point, Cloudflare will route traffic destined for private applications directly to the data centers, while processing Internet-bound traffic through Cloudflare's [Secure Web Gateway](/cloudflare-one/policies/gateway/) (SWG). It is possible to leverage existing DNS services to resolve requests to private addresses using Cloudflare [Gateway DNS policies](/cloudflare-one/policies/gateway/dns-policies/). [Magic WAN](/magic-wan/on-ramps/) is used to create IPsec tunnels between Cloudflare and data centers and is configured with static routes that determine how traffic reaches each existing network and applications. +Figure 4 shows traffic from end user devices to Cloudflare and tunnels routing traffic to private data centers. When user traffic reaches the closest Cloudflare access point, Cloudflare will route traffic destined for private applications directly to the data centers, while processing Internet-bound traffic through Cloudflare's [Secure Web Gateway](/cloudflare-one/traffic-policies/) (SWG). It is possible to leverage existing DNS services to resolve requests to private addresses using Cloudflare [Gateway DNS policies](/cloudflare-one/traffic-policies/dns-policies/). [Magic WAN](/magic-wan/on-ramps/) is used to create IPsec tunnels between Cloudflare and data centers and is configured with static routes that determine how traffic reaches each existing network and applications. 
![A high level design of Cloudflare traffic routing for phase 1 of the migration.](~/assets/images/reference-architecture/design-guide-network-vpn-migr/phase-1.svg "Figure 4: A high level design of Cloudflare traffic routing for phase 1 of the migration.") By using existing network or security appliances to terminate IPsec tunnels, secure off-ramps can be created with limited impact on the current infrastructure. These IPsec tunnels also allow for outbound server-initiated traffic to continue flowing. However, depending on the scale of the deployment, the existing appliances might run into bandwidth limitations. It is best to consider this first phase a 'pilot' or low-scale deployment to get up and running quickly and validate user-application connectivity. The next phase will improve on the design using the insights gathered during this phase. -With such a design in place, Cloudflare will be able to filter traffic based on the identity of the requesting user. For example, users authenticated to the corporate identity provider and are members of the "Engineering" group will only be allowed access to the internally hosted source code repository. Furthermore, the user device may need to pass [certain posture checks](/cloudflare-one/identity/devices/) before connecting. There are [example network policies](/cloudflare-one/policies/gateway/network-policies/common-policies/#restrict-access-to-private-networks) in the zero trust documentation you can use as a reference. In essence, this will enable you to define network access policies using user identities instead of their associated IP address ranges. Getting rid of traditional 5-tuple ACLs will be a first step towards a zero trust model. +With such a design in place, Cloudflare will be able to filter traffic based on the identity of the requesting user. 
For example, users authenticated to the corporate identity provider and are members of the "Engineering" group will only be allowed access to the internally hosted source code repository. Furthermore, the user device may need to pass [certain posture checks](/cloudflare-one/identity/devices/) before connecting. There are [example network policies](/cloudflare-one/traffic-policies/network-policies/common-policies/#restrict-access-to-private-networks) in the zero trust documentation you can use as a reference. In essence, this will enable you to define network access policies using user identities instead of their associated IP address ranges. Getting rid of traditional 5-tuple ACLs will be a first step towards a zero trust model. ### Device agent deployment 
@@ -148,9 +148,9 @@ For more information about deploying `cloudflared` connectors at scale: ### DNS resolution with Resolver Policies -As you can see in Figure 4, both DNS and general network traffic will flow from the employee device to Cloudflare. By default, the device agent forwards all DNS queries to Cloudflare for inspection and filtering based on [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). This is great, because it will allow administrators to configure [DNS policies to block potential security threats](/cloudflare-one/policies/gateway/dns-policies/common-policies/#block-security-threats) and immediately start to protect employees as they go online. This also applies to situations where Internet traffic is from the tunnel to Cloudflare, but the client still resolves hostname requests via Cloudflare DNS services. +As you can see in Figure 4, both DNS and general network traffic will flow from the employee device to Cloudflare. By default, the device agent forwards all DNS queries to Cloudflare for inspection and filtering based on [DNS policies](/cloudflare-one/traffic-policies/dns-policies/). This is great, because it will allow administrators to configure [DNS policies to block potential security threats](/cloudflare-one/traffic-policies/dns-policies/common-policies/#block-security-threats) and immediately start to protect employees as they go online. This also applies to situations where Internet traffic is from the tunnel to Cloudflare, but the client still resolves hostname requests via Cloudflare DNS services. -For internal domains, however, Cloudflare will need to know how to resolve them. This is where [resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) come into play. After the DNS policies are applied to incoming DNS requests, customers can choose to forward requests for internal DNS hostnames to their internal DNS servers. 
For example, the domain `example.local` might be hosted on a DNS server running at 10.10.10.123. A resolver policy will make sure requests for hostnames part of that domain will be sent to that IP. +For internal domains, however, Cloudflare will need to know how to resolve them. This is where [resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) come into play. After the DNS policies are applied to incoming DNS requests, customers can choose to forward requests for internal DNS hostnames to their internal DNS servers. For example, the domain `example.local` might be hosted on a DNS server running at 10.10.10.123. A resolver policy will make sure requests for hostnames part of that domain will be sent to that IP. A tunnel exposing a route to the internal DNS server is needed. `cloudflared` should be deployed on a host that can route DNS traffic to the 10.10.10.123 IP address. Requests for internal domains via the DNS gateway will then be redirected to this DNS server, via the tunnel. 
@@ -198,7 +198,7 @@ In the example above, subnets X and Y are completely segmented from the rest of In addition to routing traffic for private IP addresses, `cloudflared` can expose internal applications via publicly resolvable hostnames. This makes it possible to connect to such applications without using any software on the device. This can be very useful for use cases where you are unable to install software on the device, such as giving application access to contractors or partners. -In the example below, `erp.example.com` is added as [Public Hostname](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) to the tunnel, routing traffic to port 80 and/or 443 to a specific IP address on the internal subnet Y. Access to this resource from the Internet is then protected using [Cloudflare Access security policies](/cloudflare-one/policies/access/) which also rely on the IdP connection you've set up for onboarding your employees. +In the example below, `erp.example.com` is added as [Public Hostname](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) to the tunnel, routing traffic to port 80 and/or 443 to a specific IP address on the internal subnet Y. Access to this resource from the Internet is then protected using [Cloudflare Access security policies](/cloudflare-one/access-controls/policies/) which also rely on the IdP connection you've set up for onboarding your employees. ![Adding a public hostname to a tunnel for clientless access to internal applications.](~/assets/images/reference-architecture/design-guide-network-vpn-migr/clientless-access.svg "Figure 7: Adding a public hostname to a tunnel for clientless access to internal applications.") 
@@ -215,4 +215,4 @@ The flexibility of the Cloudflare connectivity cloud to connect any device, appl ### Further reading - Magic WAN integration: [WARP on-ramp to Magic WAN](/magic-wan/zero-trust/warp/) -- Policy configuration: [Gateway Network policies](/cloudflare-one/policies/gateway/network-policies/) +- Policy configuration: [Gateway Network policies](/cloudflare-one/traffic-policies/network-policies/) diff --git a/src/content/docs/reference-architecture/design-guides/securing-guest-wireless-networks.mdx b/src/content/docs/reference-architecture/design-guides/securing-guest-wireless-networks.mdx index 4bc3c91d2ead6d..c96e217bf986cb 100644 --- a/src/content/docs/reference-architecture/design-guides/securing-guest-wireless-networks.mdx +++ b/src/content/docs/reference-architecture/design-guides/securing-guest-wireless-networks.mdx 
@@ -49,7 +49,7 @@ Cloudflare offers an enhanced, protected DNS resolver service for Zero Trust cus ### DNS locations -Cloudflare [DNS locations](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/) are a collection of DNS endpoints which can be mapped to physical entities such as offices, homes or data centers. [Gateway](/cloudflare-one/policies/gateway/) identifies locations differently depending on the DNS query protocol. IPv4 traffic is identified from the source IP address from which a DNS query originated. IPv6 traffic can be identified by the unique IPv6 resolver address created in the Cloudflare dashboard. The following sections describe how to ensure DNS queries are appropriately mapped to your physical locations depending on the network environment and protocols being used. Later in this document you will learn how to use the location's IP address as an attribute which you can apply to Gateway DNS policies. +Cloudflare [DNS locations](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/) are a collection of DNS endpoints which can be mapped to physical entities such as offices, homes or data centers. [Gateway](/cloudflare-one/traffic-policies/) identifies locations differently depending on the DNS query protocol. IPv4 traffic is identified from the source IP address from which a DNS query originated. IPv6 traffic can be identified by the unique IPv6 resolver address created in the Cloudflare dashboard. The following sections describe how to ensure DNS queries are appropriately mapped to your physical locations depending on the network environment and protocols being used. Later in this document you will learn how to use the location's IP address as an attribute which you can apply to Gateway DNS policies. The goal is to have DNS requests from your Wi-Fi networks be sent via Cloudflare's secure DNS and secure web gateway service, where your DNS policies can filter requests and block those you deem risky. 
This guide walks through the different possible network architectures you might have for guest networks and gives guidance on how to implement Cloudflare to protect devices on those guest Wi-Fi networks. @@ -128,7 +128,7 @@ To get started, navigate to **DNS Locations** in the Zero Trust dashboard. For d ### Creating DNS policies -To get started, navigate to firewall policies and select DNS in the Zero Trust dashboard. For detailed, step-by-step instructions, refer to the [DNS Policies](/cloudflare-one/policies/gateway/dns-policies/) guide. +To get started, navigate to firewall policies and select DNS in the Zero Trust dashboard. For detailed, step-by-step instructions, refer to the [DNS Policies](/cloudflare-one/traffic-policies/dns-policies/) guide. To keep your policies organized, we recommend using meaningful names that clearly indicate their purpose. For instance, a policy named **Guest-Security-Block** conveys: 
@@ -136,7 +136,7 @@ To keep your policies organized, we recommend using meaningful names that clearl - **Security**: The type of content being evaluated. - **Block**: The action being taken. -Cloudflare provides a range of managed categories which you can use to filter a wide range of different types of threats. For example, adding into the DNS policy the [security category](/cloudflare-one/policies/gateway/domain-categories/#security-categories) Malware will prevent a connected device from making a DNS request to any site that Cloudflare has tagged as being known as part of a malware campaign or might be hosting malware. As well as security categories, we also have [content categories](/cloudflare-one/policies/gateway/domain-categories/#content-categories) which identify sites such as Cryptocurrency, P2P sharing sites or adult themed sites. Cloudflare also manages a list of [applications](/cloudflare-one/policies/gateway/application-app-types/), so you can filter access to public cloud storage or file sharing sites. +Cloudflare provides a range of managed categories which you can use to filter a wide range of different types of threats. For example, adding into the DNS policy the [security category](/cloudflare-one/traffic-policies/domain-categories/#security-categories) Malware will prevent a connected device from making a DNS request to any site that Cloudflare has tagged as being known as part of a malware campaign or might be hosting malware. As well as security categories, we also have [content categories](/cloudflare-one/traffic-policies/domain-categories/#content-categories) which identify sites such as Cryptocurrency, P2P sharing sites or adult themed sites. Cloudflare also manages a list of [applications](/cloudflare-one/traffic-policies/application-app-types/), so you can filter access to public cloud storage or file sharing sites. 
Cloudflare also allows [custom feeds](/security-center/indicator-feeds/#publicly-available-feeds) where you can either subscribe to another vendor to provide a list of sites to filter, or you can use some of the built in government based threat feeds. This allows you to be very selective about what sites you wish to filter. @@ -177,7 +177,7 @@ For these reasons you should also consider applying security in layers and add n To provide network level filtering, Cloudflare must be in the traffic path for more than just the DNS request. This is achieved by routing Internet-bound traffic over an [IPsec](https://www.cloudflare.com/learning/network-layer/what-is-ipsec/) tunnel to Cloudflare. Cloudflare's [Magic WAN](/magic-wan/) service allows third-party devices to establish IPsec or GRE tunnels to the Cloudflare network. It is also possible to just deploy our [Magic WAN Connector](/magic-wan/configuration/connector/), a pre-configured lightweight network appliance that automatically creates the tunnel back to Cloudflare and can be managed remotely. Once traffic reaches Cloudflare multiple security controls can be overlaid such as: - Cloud based network firewall ([Magic Firewall](/magic-firewall/)) -- Secure web gateway ([Gateway](/cloudflare-one/policies/gateway/)) +- Secure web gateway ([Gateway](/cloudflare-one/traffic-policies/)) Below is the high level traffic flow that correlates to the above diagram: @@ -196,4 +196,4 @@ If you are interested in learning more about Gateway, or other aspects of the Cl - [Evolving to a SASE architecture with Cloudflare](/reference-architecture/architectures/sase/) - [Magic WAN Connector deployment options · Cloudflare Reference Architecture docs](/reference-architecture/diagrams/sase/magic-wan-connector-deployment/) -- [DNS policies \- Cloudflare Zero Trust](/cloudflare-one/policies/gateway/dns-policies/) +- [DNS policies \- Cloudflare Zero Trust](/cloudflare-one/traffic-policies/dns-policies/) 
diff --git a/src/content/docs/reference-architecture/design-guides/zero-trust-for-saas.mdx b/src/content/docs/reference-architecture/design-guides/zero-trust-for-saas.mdx
index 01e0b876baf336..bb5bed4d8cd5c0 100644
--- a/src/content/docs/reference-architecture/design-guides/zero-trust-for-saas.mdx
+++ b/src/content/docs/reference-architecture/design-guides/zero-trust-for-saas.mdx
@@ -1,7 +1,17 @@
 ---
 title: Using a zero trust framework to secure SaaS applications
 pcx_content_type: design-guide
-products: [access, browser-isolation, cloudflare-one, casb, dlp, email-security-cf1, gateway, magic-wan]
+products:
+ [
+ access,
+ browser-isolation,
+ cloudflare-one,
+ casb,
+ dlp,
+ email-security-cf1,
+ gateway,
+ magic-wan,
+ ]
 sidebar:
 order: 1
 label: Zero Trust for SaaS applications
@@ -75,7 +85,7 @@ Note a section later in this document will cover how to gain visibility into, an One simple method for securing access to SaaS applications, is to only allow access from a specific set of IP addresses. This forces users to have to connect to, and have their traffic exit from a specific network and therefore ensure whatever access controls are in place on that network are applied to that traffic. -Organizations that already use IP allow lists to secure access to SaaS applications can easily migrate to Cloudflare using [dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/). User traffic egresses from Cloudflare to the Internet and onto the SaaS application, sourced from a set of IP addresses unique to the organization. This approach supports various ways in which users access Cloudflare before gaining access to the SaaS application: +Organizations that already use IP allow lists to secure access to SaaS applications can easily migrate to Cloudflare using [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/). User traffic egresses from Cloudflare to the Internet and onto the SaaS application, sourced from a set of IP addresses unique to the organization. This approach supports various ways in which users access Cloudflare before gaining access to the SaaS application: - **Hybrid employees:** Connecting to Cloudflare using our Zero Trust client, [WARP](/cloudflare-one/team-and-resources/devices/warp/). - **Office-based users:** Connecting to a local network which routes Internet bound traffic to Cloudflare through GRE or IPsec [Magic WAN tunnels](/magic-wan/). 
@@ -85,20 +95,20 @@ Organizations add the new dedicated egress IPs to the existing SaaS IP allow lis There are several advantages to using Cloudflare's dedicated egress IPs when compared with using IPs from on-prem infrastructure: -- [Dedicated egress IPs can be geolocated](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/#ip-geolocation) to one or more Cloudflare data centers in a geography of your choosing, instead of being restricted to the geographic locations of your existing Internet breakout data centers. -- Users will always connect to Cloudflare [through the closest Cloudflare Data Center and Cloudflare will optimize the path towards the SaaS application](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/#egress-location). -- Dedicated egress IPs are assigned to user traffic using policies that follow zero trust principles. [Egress policies](/cloudflare-one/policies/gateway/egress-policies/) can be defined that will only assign a dedicated egress IP to a user if they belong to the correct IdP group and/or pass [device posture](/cloudflare-one/identity/devices/) checks. Otherwise, traffic will be sourced from Cloudflare's public IP range, which may not be part of the SaaS IP allowlist, preventing access to the SaaS application while still allowing Internet usage. +- [Dedicated egress IPs can be geolocated](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#ip-geolocation) to one or more Cloudflare data centers in a geography of your choosing, instead of being restricted to the geographic locations of your existing Internet breakout data centers. +- Users will always connect to Cloudflare [through the closest Cloudflare Data Center and Cloudflare will optimize the path towards the SaaS application](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#egress-location). +- Dedicated egress IPs are assigned to user traffic using policies that follow zero trust principles. 
[Egress policies](/cloudflare-one/traffic-policies/egress-policies/) can be defined that will only assign a dedicated egress IP to a user if they belong to the correct IdP group and/or pass [device posture](/cloudflare-one/identity/devices/) checks. Otherwise, traffic will be sourced from Cloudflare's public IP range, which may not be part of the SaaS IP allowlist, preventing access to the SaaS application while still allowing Internet usage. - Dedicated egress IPs imply that traffic needs to flow through Cloudflare before reaching the SaaS application. This makes it easy to add secure web gateway policies to protect data in the SaaS applications once users have authenticated. ![Figure 3: Enforce only traffic that has been secured by Cloudflare is accepted by the SaaS application.](~/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-03.svg "Figure 3: Enforce only traffic that has been secured by Cloudflare is accepted by the SaaS application.") #### Using Cloudflare as an identity proxy -With Cloudflare, [Zero Trust Network Access (ZTNA)](https://www.cloudflare.com/en-gb/learning/access-management/what-is-ztna/) can be applied to managed SaaS applications. In this scenario, Cloudflare acts as the [Single Sign-On (SSO)](https://www.cloudflare.com/en-gb/learning/access-management/what-is-sso/) service for an application, proxying user authentication requests to the organization's existing identity providers (IdPs). This allows for additional restrictions to be layered on before granting access, such as requiring [multi-factor authentication](https://www.cloudflare.com/en-gb/learning/access-management/what-is-multi-factor-authentication/), implementing [device posture checks](/cloudflare-one/identity/devices/), or [evaluating the country](/cloudflare-one/policies/access/#selectors) the request is coming from. 
+With Cloudflare, [Zero Trust Network Access (ZTNA)](https://www.cloudflare.com/en-gb/learning/access-management/what-is-ztna/) can be applied to managed SaaS applications. In this scenario, Cloudflare acts as the [Single Sign-On (SSO)](https://www.cloudflare.com/en-gb/learning/access-management/what-is-sso/) service for an application, proxying user authentication requests to the organization's existing identity providers (IdPs). This allows for additional restrictions to be layered on before granting access, such as requiring [multi-factor authentication](https://www.cloudflare.com/en-gb/learning/access-management/what-is-multi-factor-authentication/), implementing [device posture checks](/cloudflare-one/identity/devices/), or [evaluating the country](/cloudflare-one/access-controls/policies/#selectors) the request is coming from. ![Figure 4: Cloudflare can act as an identity proxy, providing a consistent authentication experience for all SaaS applications.](~/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-04.svg "Figure 4: Cloudflare can act as an identity proxy, providing a consistent authentication experience for all SaaS applications.") -Most organizations initially use Cloudflare's [ZTNA service](/cloudflare-one/policies/access/) for self-hosted applications. Extending it to SaaS applications simplifies IT management in several ways, as both self-hosted and SaaS apps will: +Most organizations initially use Cloudflare's [ZTNA service](/cloudflare-one/access-controls/policies/) for self-hosted applications. Extending it to SaaS applications simplifies IT management in several ways, as both self-hosted and SaaS apps will: - Use the same access policies - Leverage the same IdP and device posture integrations 
@@ -128,10 +138,10 @@ To mitigate these risks, controls should be implemented for both data in transit #### Data in transit -As mentioned before, all traffic can be forced through Cloudflare using the device agent, Magic WAN (MWAN) tunnels, or the remote browser. This allows [secure web gateway](/cloudflare-one/policies/gateway/) policies to manage and protect data as it is uploaded or downloaded from SaaS applications. Common use cases include: +As mentioned before, all traffic can be forced through Cloudflare using the device agent, Magic WAN (MWAN) tunnels, or the remote browser. This allows [secure web gateway](/cloudflare-one/traffic-policies/) policies to manage and protect data as it is uploaded or downloaded from SaaS applications. Common use cases include: -- Restricting the ability to download [all](/cloudflare-one/policies/gateway/http-policies/common-policies/#block-google-drive-downloads) or a [subset of files](/cloudflare-one/policies/gateway/http-policies/common-policies/#block-file-types) from managed SaaS applications to specific groups of users within the organization. -- Using [Data Loss Prevention (DLP)](/cloudflare-one/policies/data-loss-prevention/#_top) profiles to limit the download of data containing sensitive information from managed SaaS applications. +- Restricting the ability to download [all](/cloudflare-one/traffic-policies/http-policies/common-policies/#block-google-drive-downloads) or a [subset of files](/cloudflare-one/traffic-policies/http-policies/common-policies/#block-file-types) from managed SaaS applications to specific groups of users within the organization. +- Using [Data Loss Prevention (DLP)](/cloudflare-one/data-loss-prevention/#_top) profiles to limit the download of data containing sensitive information from managed SaaS applications. For more information about securing data in transit, refer to our [reference architecture center](/reference-architecture/diagrams/security/securing-data-in-transit/). 
@@ -159,7 +169,7 @@ As described already, implementing ZTNA to secure your email platform offers num #### Tenant control -Organizations with stringent requirements about email communications for compliance or regulatory reasons, operational control or accountability, or to reduce the potential for data leaks can block access to email tenants other than the organization's own. This can be achieved by using [Cloudflare Gateway SaaS tenant controls](/cloudflare-one/policies/gateway/http-policies/tenant-control/). Cloudflare injects custom HTTP headers into the traffic flow, informing Microsoft 365 and Google Workspace of the specific tenant users are allowed to authenticate into and blocking any access attempts to any other tenant. +Organizations with stringent requirements about email communications for compliance or regulatory reasons, operational control or accountability, or to reduce the potential for data leaks can block access to email tenants other than the organization's own. This can be achieved by using [Cloudflare Gateway SaaS tenant controls](/cloudflare-one/traffic-policies/http-policies/tenant-control/). Cloudflare injects custom HTTP headers into the traffic flow, informing Microsoft 365 and Google Workspace of the specific tenant users are allowed to authenticate into and blocking any access attempts to any other tenant. ![Figure 7: Cloudflare can enforce access to only specific cloud email tenants.](~/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-07.svg "Figure 7: Cloudflare can enforce access to only specific cloud email tenants.") 
@@ -187,7 +197,7 @@ Cloudflare also helps ensure the availability of cloud email services. It auto-s Organizations using Microsoft 365 can enhance protection against sensitive information leaks through email by integrating a Cloudflare add-in into their environment. This integration enables IT administrators to establish [outbound Data Loss Prevention (DLP) policies](/cloudflare-one/email-security/outbound-dlp/) that leverage the same DLP profiles used with the Secure Web Gateway (SWG) and API Cloud Access Security Broker (CASB). -Moreover, organizations that utilize [Microsoft Purview Sensitivity Labels](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/integration-profiles/) for classifying and safeguarding sensitive documents can incorporate these labels into Cloudflare's DLP profiles. This capability allows the creation of targeted policies, such as blocking emails containing Microsoft Office documents marked as 'Highly Confidential' in Microsoft Outlook from being sent to external recipients. These DLP profiles can also be applied across SWG and API CASB. +Moreover, organizations that utilize [Microsoft Purview Sensitivity Labels](/cloudflare-one/data-loss-prevention/dlp-profiles/integration-profiles/) for classifying and safeguarding sensitive documents can incorporate these labels into Cloudflare's DLP profiles. This capability allows the creation of targeted policies, such as blocking emails containing Microsoft Office documents marked as 'Highly Confidential' in Microsoft Outlook from being sent to external recipients. These DLP profiles can also be applied across SWG and API CASB. ## Regain control over unmanaged SaaS applications 
@@ -212,10 +222,10 @@ With this information, IT teams can analyze and decide how to handle each unmana Data protection for unmanaged SaaS applications is similar to that for managed SaaS applications, but the focus shifts from mitigating the downloading of data to preventing the uploading of sensitive information. Policies can be configured using Cloudflare Gateway to address these risks. Common use cases include: -- Restricting the ability to [upload certain file types](/cloudflare-one/policies/data-loss-prevention/dlp-policies/common-policies/#block-file-types) to SaaS applications, limiting this capability to specific groups of users within the organization. +- Restricting the ability to [upload certain file types](/cloudflare-one/data-loss-prevention/dlp-policies/common-policies/#block-file-types) to SaaS applications, limiting this capability to specific groups of users within the organization. - Using Data Loss Prevention (DLP) profiles to block the upload of data containing sensitive information. -In addition to these measures, [remote browser isolation](/cloudflare-one/policies/browser-isolation/#_top) can be considered for unmanaged SaaS applications. This approach allows users to access certain unmanaged SaaS applications while [restricting their actions within those applications](/cloudflare-one/policies/browser-isolation/isolation-policies/#policy-settings) to prevent misuse. +In addition to these measures, [remote browser isolation](/cloudflare-one/remote-browser-isolation/#_top) can be considered for unmanaged SaaS applications. This approach allows users to access certain unmanaged SaaS applications while [restricting their actions within those applications](/cloudflare-one/remote-browser-isolation/isolation-policies/#policy-settings) to prevent misuse. 
![Figure 10: DLP policies can be combined with browser isolation, to protect company data.](~/assets/images/reference-architecture/zero-trust-for-saas/zero-trust-saas-image-10.svg "Figure 10: DLP policies can be combined with browser isolation, to protect company data.") 
@@ -223,7 +233,7 @@ In addition to these measures, [remote browser isolation](/cloudflare-one/polici
 Many SaaS applications offer a free version as part of their business model to encourage users to integrate them into their work. This helps demonstrate the application's usefulness and facilitates its adoption at the corporate level ([Cloudflare follows this model as well](https://www.cloudflare.com/en-gb/plans/zero-trust-services/)). When a previously unmanaged SaaS application is officially adopted by the organization, IT teams take over its management to ensure proper support and adherence to best practices. This involves aligning the new SaaS application with all the aspects discussed in the Securing Managed SaaS Applications section.
-After fully adopting the new SaaS application, access to the consumer version may be restricted. If the corporate SaaS version has a unique domain, access to other tenant domains or the consumer domain can be blocked using Cloudflare DNS and/or HTTP policies. Some SaaS solutions offer [native tenant control](/cloudflare-one/policies/gateway/http-policies/tenant-control/) through HTTP headers, which can be enforced by injecting these headers for data in transit using Cloudflare Gateway HTTP policies.
+After fully adopting the new SaaS application, access to the consumer version may be restricted. If the corporate SaaS version has a unique domain, access to other tenant domains or the consumer domain can be blocked using Cloudflare DNS and/or HTTP policies. Some SaaS solutions offer [native tenant control](/cloudflare-one/traffic-policies/http-policies/tenant-control/) through HTTP headers, which can be enforced by injecting these headers for data in transit using Cloudflare Gateway HTTP policies.
 ## Summary
diff --git a/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx b/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx
index 2768ce2b6f13ec..f2865b5700bfe9 100644
--- a/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx
+++ b/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx
@@ -1,7 +1,18 @@
 ---
 title: Building zero trust architecture into your startup
 pcx_content_type: design-guide
-products: [access, browser-isolation, casb, dlp, email-security-cf1, gateway, magic-firewall, magic-transit, magic-wan]
+products:
+ [
+ access,
+ browser-isolation,
+ casb,
+ dlp,
+ email-security-cf1,
+ gateway,
+ magic-firewall,
+ magic-transit,
+ magic-wan,
+ ]
 sidebar:
 label: Zero trust architecture for startups
 reviewed: 2024-04-25
@@ -306,7 +317,7 @@ In a Zero Trust security framework, this kind of access should be explicitly sco Cloudflare can help provide scoped secure access for both web and network connectivity to your third-party users in a Zero Trust framework. -- **Cloudflare Access can integrate and use [multiple identity providers simultaneously](/cloudflare-one/integrations/identity-providers/).** This can be scoped to a single application and a singular policy, and can have granular capabilities to 'force' some user access to authenticate in specific ways. There are also many third-party specific workflows — like [purpose justification](/cloudflare-one/policies/access/require-purpose-justification/) — that can ensure that user access is both easy for third parties, and documented and controllable for administrators. +- **Cloudflare Access can integrate and use [multiple identity providers simultaneously](/cloudflare-one/integrations/identity-providers/).** This can be scoped to a single application and a singular policy, and can have granular capabilities to 'force' some user access to authenticate in specific ways. There are also many third-party specific workflows — like [purpose justification](/cloudflare-one/access-controls/policies/require-purpose-justification/) — that can ensure that user access is both easy for third parties, and documented and controllable for administrators. - **Cloudflare Zero Trust can be deployed with flexible endpoint agent parameters and [logical groupings](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) for contractor and third-party users.** If you have external users with internal access needs, they can be both tightly-scoped and limit potential conflict with other external systems. 
- **[Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/) can act as a unidirectional access model to provide corporate users access to scoped customer resources.** It is lightweight, easy to deploy, and can even be built into your deployment packages and deployed alongside the services you manage in customer environments. - **Cloudflare WARP Connector can help you build secure, extensible networks relevant for each of your client controls.** This is particularly helpful when bidirectional (site-to-site) traffic flows are a necessity for the way that you engage with your customers, interact with their applications, or address other management concerns. WARP Connector has all of the same inline security policy application and auditability controls as the rest of your deployment, so you can maintain a Zero Trust security posture while achieving customer connectivity. 
@@ -387,7 +398,7 @@ This framework can also give your IT organization direction on which tools to co
 ### Where does Cloudflare fit in?
-Cloudflare can help set a foundation for visibility and management of your [shadow IT](/cloudflare-one/insights/analytics/shadow-it-discovery/) environment and subsequent discoveries. User traffic to the Internet can be audited and organized from the WARP client and our [Secure Web Gateway (SWG)](/cloudflare-one/policies/gateway/), and can you understand where your sensitive data moves outside of your corporate-accepted SaaS tenants.
+Cloudflare can help set a foundation for visibility and management of your [shadow IT](/cloudflare-one/insights/analytics/shadow-it-discovery/) environment and subsequent discoveries. User traffic to the Internet can be audited and organized from the WARP client and our [Secure Web Gateway (SWG)](/cloudflare-one/traffic-policies/), and can you understand where your sensitive data moves outside of your corporate-accepted SaaS tenants.
 This can then be an opportunity to further expand your Zero Trust strategy by ensuring those newly-discovered tools are either explicitly blocked or explicitly allowed, setting specific data security controls on them, or integrating them with your Zero Trust vendor (using something like [Access for SaaS](/cloudflare-one/applications/configure-apps/saas-apps/aws-sso-saas/) to apply security policies).
diff --git a/src/content/docs/reference-architecture/diagrams/ai/bigquery-workers-ai.mdx b/src/content/docs/reference-architecture/diagrams/ai/bigquery-workers-ai.mdx
index 447b51f4b1c125..c868d38a861c8a 100644
--- a/src/content/docs/reference-architecture/diagrams/ai/bigquery-workers-ai.mdx
+++ b/src/content/docs/reference-architecture/diagrams/ai/bigquery-workers-ai.mdx
@@ -19,7 +19,7 @@ This version of the integration is aimed at workflows that require interaction w
 ![Figure 1: Ingesting Google BigQuery Data into Workers AI (user-based)](~/assets/images/reference-architecture/bigquery-workers-ai/user-based-architecture.svg "Figure 1: Ingesting Google BigQuery Data into Workers AI (user-based)")
-1. A user makes a request to a [Worker](https://workers.cloudflare.com/) endpoint. (Which can optionally incorporate [Access](/cloudflare-one/policies/access/) in front of it to authenticate users).
+1. A user makes a request to a [Worker](https://workers.cloudflare.com/) endpoint. (Which can optionally incorporate [Access](/cloudflare-one/access-controls/policies/) in front of it to authenticate users).
 2. Worker fetches [securely stored](/workers/configuration/secrets/) Google Cloud Platform service account information such as service key and generates a JSON Web Token to issue an authenticated API request to BigQuery.
 3. Worker receives the data from BigQuery and [transforms it into a format](/workers-ai/guides/tutorials/using-bigquery-with-workers-ai/#6-format-results-from-the-query) that will make it easier to iterate when interacting with Workers AI.
 4. Using its [native integration](/workers-ai/configuration/bindings/) with Workers AI, the Worker forwards the data from BigQuery which is then run against one of Cloudflare's hosted AI models.
diff --git a/src/content/docs/reference-architecture/diagrams/network/optimizing-roaming-experience-with-geolocated-ips.mdx b/src/content/docs/reference-architecture/diagrams/network/optimizing-roaming-experience-with-geolocated-ips.mdx
index 1791161bac874a..345b09debcf792 100644
--- a/src/content/docs/reference-architecture/diagrams/network/optimizing-roaming-experience-with-geolocated-ips.mdx
+++ b/src/content/docs/reference-architecture/diagrams/network/optimizing-roaming-experience-with-geolocated-ips.mdx
@@ -25,9 +25,9 @@ In this document, we'll discuss how Cloudflare can be used to solve this problem Cloudflare addresses these challenges by routing device traffic from the Internet breakout to our global network, where traffic is processed at a Cloudflare data center close to the Internet breakout. This allows for two benefits: 1. Cloudflare can analyse the traffic, determine the original country of origin, and then ensure that traffic egresses onto the Internet from an IP address that is geolocated to the same country of origin. -2. Cloudflare can filter traffic based on [secure web gateway](/cloudflare-one/policies/gateway/) policies, allowing you to protect devices from accessing risky Internet hosts. It also allows you to lock down access for devices to specific Internet hosts, such as only allow devices to make requests to APIs that support their function. +2. Cloudflare can filter traffic based on [secure web gateway](/cloudflare-one/traffic-policies/) policies, allowing you to protect devices from accessing risky Internet hosts. It also allows you to lock down access for devices to specific Internet hosts, such as only allow devices to make requests to APIs that support their function. -The architecture diagram below provides a visual representation of this solution, showing how traffic from various countries — routed via different mobile network APN — is directed through Internet breakouts. Cloudflare optimizes and secures the Internet connection by leveraging [geolocated public IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/), ensuring that the traffic is secure and regionally localized to the device location. +The architecture diagram below provides a visual representation of this solution, showing how traffic from various countries — routed via different mobile network APN — is directed through Internet breakouts. 
Cloudflare optimizes and secures the Internet connection by leveraging [geolocated public IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/), ensuring that the traffic is secure and regionally localized to the device location. This diagram is intended for network engineers, IT architects, and decision-makers looking to improve service relevance and performance for end-users. Key use cases include multinational corporations aiming to provide faster, region-specific Internet access and services in users' native languages, ensuring a superior user experience across diverse geographical locations. 
@@ -48,19 +48,19 @@ This diagram is intended for network engineers, IT architects, and decision-make - [**IPsec tunnels**](/magic-wan/reference/gre-ipsec-tunnels/) for encrypted communication. - [**Cloudflare Network Interconnect (CNI)**](/magic-wan/network-interconnect/) for direct, high-performance connections. -4. **Localized Internet breakout using [Magic WAN](/magic-wan/) and [Gateway](/cloudflare-one/policies/gateway/)**. +4. **Localized Internet breakout using [Magic WAN](/magic-wan/) and [Gateway](/cloudflare-one/traffic-policies/)**. - With Magic WAN and using [dedicated egress](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/) with our [secure web gateway](/cloudflare-one/policies/gateway/), Cloudflare enables Internet traffic to exit with source IPs registered in the desired country. This ensures end-users benefit from geolocalized content and services, such as access to region-specific platforms, tailored to their location. + With Magic WAN and using [dedicated egress](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) with our [secure web gateway](/cloudflare-one/traffic-policies/), Cloudflare enables Internet traffic to exit with source IPs registered in the desired country. This ensures end-users benefit from geolocalized content and services, such as access to region-specific platforms, tailored to their location. 5. **Advanced security and filtering options**. Cloudflare enhances the security of Internet breakouts with advanced features, including: - - [**DNS filtering**](/cloudflare-one/policies/gateway/initial-setup/dns/) to manage and block access to unwanted, high risk domains. - - [**Network firewalling**](/cloudflare-one/policies/gateway/network-policies/) for enforcing detailed security policies. For example, you can restrict vehicles to only send data over the Internet to a designated set of cloud telemetry systems while blocking all other traffic. 
- - [**Full SSL inspection**](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) to protect against sophisticated threats and provide traffic visibility on encrypted traffic. It enables additional protections such as antivirus scanning, malware prevention, and file sandboxing.
+ - [**DNS filtering**](/cloudflare-one/traffic-policies/initial-setup/dns/) to manage and block access to unwanted, high risk domains.
+ - [**Network firewalling**](/cloudflare-one/traffic-policies/network-policies/) for enforcing detailed security policies. For example, you can restrict vehicles to only send data over the Internet to a designated set of cloud telemetry systems while blocking all other traffic.
+ - [**Full SSL inspection**](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) to protect against sophisticated threats and provide traffic visibility on encrypted traffic. It enables additional protections such as antivirus scanning, malware prevention, and file sandboxing.
 # Related Resources
-- [Gateway](/cloudflare-one/policies/gateway/)
+- [Gateway](/cloudflare-one/traffic-policies/)
 - [Magic WAN](/magic-wan/)
 - [Cloudflare servers don't own IPs anymore](https://blog.cloudflare.com/cloudflare-servers-dont-own-ips-anymore/)
diff --git a/src/content/docs/reference-architecture/diagrams/network/protect-data-center-networks.mdx b/src/content/docs/reference-architecture/diagrams/network/protect-data-center-networks.mdx
index b6765ab5e2740c..a5364926fdb361 100644
--- a/src/content/docs/reference-architecture/diagrams/network/protect-data-center-networks.mdx
+++ b/src/content/docs/reference-architecture/diagrams/network/protect-data-center-networks.mdx
@@ -16,12 +16,12 @@ Network security teams have traditionally used various network firewalls or secu But these firewalls and security appliances are often expensive, complex to configure and manage, difficult to scale to handle large attacks, and require upgrades and patches to defend against newly discovered threats and vulnerabilities. -[Cloudflare Magic Transit](/magic-transit/), [Magic WAN](/magic-wan/), [Magic Firewall](/magic-firewall/) and [Cloudflare Gateway](/cloudflare-one/policies/gateway/) services running natively on [Cloudflare's massive global network](https://www.cloudflare.com/network/) provide solutions to all the shortcomings described above and more. These services offer in-line, scalable and performant global protection for your data center networks, all from a single cloud network platform. +[Cloudflare Magic Transit](/magic-transit/), [Magic WAN](/magic-wan/), [Magic Firewall](/magic-firewall/) and [Cloudflare Gateway](/cloudflare-one/traffic-policies/) services running natively on [Cloudflare's massive global network](https://www.cloudflare.com/network/) provide solutions to all the shortcomings described above and more. These services offer in-line, scalable and performant global protection for your data center networks, all from a single cloud network platform. - [Magic Transit](https://www.cloudflare.com/network-services/products/magic-transit/) provides instant detection and mitigation against network-layer DDoS attacks on your public, Internet-facing networks. - [Magic WAN](https://www.cloudflare.com/network-services/products/magic-wan/) provides any-to-any, hybrid/multi-cloud secure connectivity between your private, enterprise networks. - [Magic Firewall](/magic-firewall/) is a cloud-native network firewall service that can be used to filter traffic that is routed to and from your networks that are protected by Magic Transit. 
It also supports functionalities such as [Intrusion Detection](/magic-firewall/about/ids/) (IDS) and [packet capture](/magic-firewall/packet-captures/). -- [Gateway](https://www.cloudflare.com/zero-trust/products/gateway/) is a secure web gateway (SWG) service that allows you to inspect and control both Internet-bound traffic that is originated from your networks, as well as private network-to-private network traffic (that is, east-west), by proxying such traffic through Cloudflare's global network while applying DNS, network and HTTP based [policies](/cloudflare-one/policies/gateway/). +- [Gateway](https://www.cloudflare.com/zero-trust/products/gateway/) is a secure web gateway (SWG) service that allows you to inspect and control both Internet-bound traffic that is originated from your networks, as well as private network-to-private network traffic (that is, east-west), by proxying such traffic through Cloudflare's global network while applying DNS, network and HTTP based [policies](/cloudflare-one/traffic-policies/). This document focuses specifically on the reference architectures of using Cloudflare Magic Transit, Magic WAN, Magic Firewall and Cloudflare Gateway services to protect both external and internal communications to your data center networks. For details of how Magic Transit, Magic WAN, Magic Firewall and Cloudflare Gateway works and how it can be architected for various use cases, see the linked resources at the end of the document. 
@@ -61,8 +61,8 @@ The reference architecture diagram below illustrates how Cloudflare services - M 1. Each site network routes outbound Internet traffic originating from the public-facing networks to Cloudflare, via the same CNIs that inbound traffic traverses. This can be done at your site through routing techniques of your choice, such as policy based routing (PBR). 2. Upon entering the Cloudflare network, outbound Internet traffic is first routed through Magic Firewall where it is subject to any configured network firewall policies. -3. Outbound Internet traffic is subsequently sent to [Cloudflare Gateway](/cloudflare-one/policies/gateway/), our secure web gateway service where various [policies](/cloudflare-one/policies/gateway/) enforce a comprehensive set of security and control measures on the outbound traffic, ensuring the utmost protection for your networks. For example, Gateway DNS and HTTP policies can both be configured to prevent your servers from connecting to questionable Internet sites and from downloading malware or other malicious content. -4. Once traffic clears inspection, Gateway proxies the outbound traffic to their destinations on the Internet. The source IP addresses of the outbound traffic are the Cloudflare owned IP addresses associated with the Gateway service, which if you want you can purchase and set your [own egress IP](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/) +3. Outbound Internet traffic is subsequently sent to [Cloudflare Gateway](/cloudflare-one/traffic-policies/), our secure web gateway service where various [policies](/cloudflare-one/traffic-policies/) enforce a comprehensive set of security and control measures on the outbound traffic, ensuring the utmost protection for your networks. For example, Gateway DNS and HTTP policies can both be configured to prevent your servers from connecting to questionable Internet sites and from downloading malware or other malicious content. +4. 
Once traffic clears inspection, Gateway proxies the outbound traffic to their destinations on the Internet. The source IP addresses of the outbound traffic are the Cloudflare owned IP addresses associated with the Gateway service, which if you want you can purchase and set your [own egress IP](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) 5. Return traffic from the Internet, destined to Cloudflare's IP addresses linked to the Gateway service, is routed into Cloudflare's global network. 6. Traffic is inspected against Gateway policies. 7. Return traffic that passes Gateway inspection is routed to Magic Firewall for further packet filtering. 
@@ -91,8 +91,8 @@ For the use case where you do want to apply application level policy for fine-gr 1. Each site routes private network traffic destined to the other data center location to Cloudflare Magic WAN via the corresponding CNI connections. This can be done at your site through routing techniques of your choice, such as policy based routing (PBR). 2. Upon entering the Cloudflare network, traffic is routed through Magic Firewall where it is subject to any configured network firewall policies. -3. After clearing Magic Firewall, traffic is subsequently routed to [Cloudflare Gateway](/cloudflare-one/policies/gateway/), our secure web gateway service. -4. Cloudflare Gateway subjects traffic to any configured L3-7 [policies](/cloudflare-one/policies/gateway/) that enforce a comprehensive set of security and control measures, ensuring the utmost protection for your networks. Once traffic clears inspection, Gateway proxies the traffic to its destination private network. The source IP addresses of the proxied traffic are the Cloudflare owned IP addresses associated with the Gateway service. +3. After clearing Magic Firewall, traffic is subsequently routed to [Cloudflare Gateway](/cloudflare-one/traffic-policies/), our secure web gateway service. +4. Cloudflare Gateway subjects traffic to any configured L3-7 [policies](/cloudflare-one/traffic-policies/) that enforce a comprehensive set of security and control measures, ensuring the utmost protection for your networks. Once traffic clears inspection, Gateway proxies the traffic to its destination private network. The source IP addresses of the proxied traffic are the Cloudflare owned IP addresses associated with the Gateway service. 5. The proxied traffic, en-route to its destination private network, is routed through Magic Firewall once again for further packet filtering. 6. 
Traffic that passes Magic Firewall filtering is routed from Cloudflare to your network locations via the corresponding CNIs that transport private network traffic. @@ -104,7 +104,7 @@ The reference architecture diagram below illustrates how Cloudflare services — 1. Each site routes outbound Internet traffic originating from its private networks to Cloudflare Magic WAN via the corresponding CNI connections. This can be done at your site through routing techniques of your choice, such as policy based routing (PBR). 2. Upon entering the Cloudflare network, outbound Internet traffic is first routed through Magic Firewall where it is subject to any configured network firewall policies. -3. Traffic that clears Magic Firewall is subsequently sent to [Cloudflare Gateway](/cloudflare-one/policies/gateway/), our secure web gateway service where any configured L3-7 [policies](/cloudflare-one/policies/gateway/) enforce a comprehensive set of security and control measures on the outbound traffic, ensuring the utmost protection for your networks. +3. Traffic that clears Magic Firewall is subsequently sent to [Cloudflare Gateway](/cloudflare-one/traffic-policies/), our secure web gateway service where any configured L3-7 [policies](/cloudflare-one/traffic-policies/) enforce a comprehensive set of security and control measures on the outbound traffic, ensuring the utmost protection for your networks. 4. Once traffic clears inspection, Gateway proxies the outbound traffic to their destinations on the Internet. The source IP addresses of the outbound traffic are the Cloudflare owned IP addresses associated with the Gateway service. 5. Return traffic from the Internet, destined to Cloudflare's IP addresses linked to the Gateway service, is routed into Cloudflare's global network. 6. Traffic is inspected against Gateway policies. 
@@ -119,5 +119,5 @@ The reference architecture diagram below illustrates how Cloudflare services —
 - [Cloudflare Network Interconnect](/network-interconnect/)
 - [Cloudflare Magic Firewall](/magic-firewall/)
 - [Cloudflare Magic WAN](/magic-wan/)
-- [Cloudflare Gateway](/cloudflare-one/policies/gateway/)
+- [Cloudflare Gateway](/cloudflare-one/traffic-policies/)
 - [Integration of Cloudflare Magic services and Cloudflare Gateway](/magic-wan/zero-trust/cloudflare-gateway/)
diff --git a/src/content/docs/reference-architecture/diagrams/network/protect-public-networks-with-cloudflare.mdx b/src/content/docs/reference-architecture/diagrams/network/protect-public-networks-with-cloudflare.mdx
index 2fc1525e66718f..4354be50b37ddc 100644
--- a/src/content/docs/reference-architecture/diagrams/network/protect-public-networks-with-cloudflare.mdx
+++ b/src/content/docs/reference-architecture/diagrams/network/protect-public-networks-with-cloudflare.mdx
@@ -14,11 +14,11 @@ description: >- Network security teams have traditionally used various network firewalls or security appliances at the perimeter of their network to protect their public-facing networks against both external and internal threats like DDoS attacks, malware, ransomware, phishing, and leaking of sensitive information. However, these firewalls and security appliances are often expensive, complex to configure and manage, difficult to scale to handle large attacks, and lack the flexibility to quickly incorporate upgrades and patches to defend against newly discovered threats and vulnerabilities. -[Cloudflare Magic Transit](/magic-transit/), [Magic Firewall](/magic-firewall/), and [Cloudflare Gateway](/cloudflare-one/policies/gateway/) services running natively on [Cloudflare's massive global network](https://www.cloudflare.com/network/) provide solutions to all the shortcomings described above and more. These services offer in-line, automatic, scalable network protection for all your Internet-facing networks, without slowing down performance, regardless of where they are deployed, whether on-premises, in the cloud, or a combination of the two (that is, a hybrid architecture). +[Cloudflare Magic Transit](/magic-transit/), [Magic Firewall](/magic-firewall/), and [Cloudflare Gateway](/cloudflare-one/traffic-policies/) services running natively on [Cloudflare's massive global network](https://www.cloudflare.com/network/) provide solutions to all the shortcomings described above and more. These services offer in-line, automatic, scalable network protection for all your Internet-facing networks, without slowing down performance, regardless of where they are deployed, whether on-premises, in the cloud, or a combination of the two (that is, a hybrid architecture). 
- [Magic Transit](https://www.cloudflare.com/network-services/products/magic-transit/) provides instant detection and mitigation against network-layer DDoS attacks on your public, Internet-facing networks. - [Magic Firewall](/magic-firewall/) is a cloud-native network firewall service that can be used to filter traffic that is routed to and from your networks that are protected by Magic Transit. It also supports functionalities such as [Intrusion Detection](/magic-firewall/about/ids/) (IDS) and [packet capture](/magic-firewall/packet-captures/). -- [Gateway](https://www.cloudflare.com/zero-trust/products/gateway/) is a secure web gateway (SWG) service that allows you to inspect and control Internet bound traffic originating from your network by proxying this traffic through Cloudflare's global network while applying DNS, network and HTTP based [policies](/cloudflare-one/policies/gateway/). +- [Gateway](https://www.cloudflare.com/zero-trust/products/gateway/) is a secure web gateway (SWG) service that allows you to inspect and control Internet bound traffic originating from your network by proxying this traffic through Cloudflare's global network while applying DNS, network and HTTP based [policies](/cloudflare-one/traffic-policies/). The details of how Magic Transit, Magic Firewall, and Gateway work and how these products can be architected for various use cases can be found in the linked resources at the end of the document. This document will focus specifically on the reference architectures of using Cloudflare Magic Transit, Magic Firewall, and Cloudflare Gateway services to protect public, Internet-facing network infrastructure. 
@@ -59,7 +59,7 @@ The reference architecture diagram below illustrates how Cloudflare services \- 1. Each site network routes outbound Internet traffic originating from the public networks to Cloudflare, via the same CNIs and IP tunnels that inbound traffic traverses. This can be done at your site through routing techniques of your choice, such as policy based routing (PBR). 2. Upon entering the Cloudflare network, outbound Internet traffic is first routed through Magic Firewall where it is subject to any configured network firewall policies. -3. Outbound Internet traffic is subsequently sent to [Cloudflare Gateway](/cloudflare-one/policies/gateway/), our secure web gateway service where various [policies](/cloudflare-one/policies/gateway/) enforce a comprehensive set of security and control measures on the outbound traffic, ensuring the utmost protection for your networks. +3. Outbound Internet traffic is subsequently sent to [Cloudflare Gateway](/cloudflare-one/traffic-policies/), our secure web gateway service where various [policies](/cloudflare-one/traffic-policies/) enforce a comprehensive set of security and control measures on the outbound traffic, ensuring the utmost protection for your networks. 4. Once traffic clears inspection, Gateway proxies the outbound traffic to their destinations on the Internet. The source IP addresses of the outbound traffic are the Cloudflare owned IP addresses associated with the Gateway service. 5. Return traffic from the Internet, destined to Cloudflare's IP addresses linked to the Gateway service, is routed into Cloudflare's global network. 6. Traffic is inspected against Gateway policies. 
@@ -73,5 +73,5 @@ The reference architecture diagram below illustrates how Cloudflare services \-
 - [Magic Transit Reference Architecture](/reference-architecture/architectures/magic-transit/)
 - [Cloudflare Network Interconnect](/network-interconnect/)
 - [Cloudflare Magic Firewall](/magic-firewall/)
-- [Cloudflare Gateway](/cloudflare-one/policies/gateway/)
+- [Cloudflare Gateway](/cloudflare-one/traffic-policies/)
 - [Integration of Cloudflare Magic services and Cloudflare Gateway](/magic-wan/zero-trust/cloudflare-gateway/)
diff --git a/src/content/docs/reference-architecture/diagrams/sase/augment-access-with-serverless.mdx b/src/content/docs/reference-architecture/diagrams/sase/augment-access-with-serverless.mdx
index 3fd20b3998dc23..09b89d0e212c58 100644
--- a/src/content/docs/reference-architecture/diagrams/sase/augment-access-with-serverless.mdx
+++ b/src/content/docs/reference-architecture/diagrams/sase/augment-access-with-serverless.mdx
@@ -9,13 +9,13 @@ reviewed: 2024-10-10 description: Cloudflare's ZTNA enhances access policies using external API calls and Workers for robust security. It verifies user authentication and authorization, ensuring only legitimate access to protected resources. --- -import { RelatedProduct, LinkCard} from "~/components"; +import { RelatedProduct, LinkCard } from "~/components"; ## Introduction Companies using Zero Trust Network Access (ZTNA) services build policies to determine if a user can access a protected resource such as a privately hosted Wiki server or source code repository. Policies typically use group membership, authentication methods, device security posture to determine which users can access which resources. -Secure access requires a range of attributes being available to the policy engine for evaluation. With Cloudflare's ZTNA service, [Access](/cloudflare-one/policies/access/), it is possible to include in the policy an external request to another API that provides part of the data required for the access decision. +Secure access requires a range of attributes being available to the policy engine for evaluation. With Cloudflare's ZTNA service, [Access](/cloudflare-one/access-controls/policies/), it is possible to include in the policy an external request to another API that provides part of the data required for the access decision. For example, you might have a policy which states all members of the group "Engineers", who have authenticated with credentials that required a hard token, can have access to the self-hosted source code repository. But you also want to only allow engineers who have completed security training. That data might be available in another system, so Cloudflare allows you to, as part of the policy check, make a call using [Workers](https://workers.cloudflare.com/) to the training system to determine if this user has passed security training. 
@@ -28,11 +28,18 @@ This document outlines how to combine both solutions to enhance Cloudflare Acces ## Showcased products - Build serverless applications and deploy instantly across the globe for exceptional performance, reliability, and scale. + Build serverless applications and deploy instantly across the globe for + exceptional performance, reliability, and scale. - - Cloudflare Zero Trust replaces legacy security perimeters with Cloudflare's global network, making the Internet faster and safer for teams around the world + + Cloudflare Zero Trust replaces legacy security perimeters with Cloudflare's + global network, making the Internet faster and safer for teams around the + world ## Use-cases @@ -41,8 +48,6 @@ This document outlines how to combine both solutions to enhance Cloudflare Acces - **Augmented [JSON Web Token (JWT)](/cloudflare-one/identity/authorization-cookie/validating-json/)**: Using Cloudflare's own authentication JWT material, for example, adding posture details as part of an incoming request. - **Serverless augmented apps protected with Zero-trust**: Allowing anyone building serverless applications to benefit from native ZTNA features - - ![Figure 1: Showing a request to a private resource and where Access can be customized for AuthZ and AuthN](~/assets/images/reference-architecture/augment-access-with-serverless/diagram1.svg "Figure 1: Showing a request to a private resource and where Access can be customized for AuthZ and AuthN") ## Getting started 
@@ -51,14 +56,14 @@ The following outlines how organizations can run their own custom business logic ### 1. Custom authorization process using your own rules -During policy evaluation, the [external evaluation](/cloudflare-one/policies/access/external-evaluation/) rule allows for executing your own code during access policy evaluation. In this example an API exposed by Cloudflare Workers receives data about the user making the request, the important part being their username. +During policy evaluation, the [external evaluation](/cloudflare-one/access-controls/policies/external-evaluation/) rule allows for executing your own code during access policy evaluation. In this example an API exposed by Cloudflare Workers receives data about the user making the request, the important part being their username. The code typically makes calls to either a [database](/d1/) or another API to evaluate if the passed username has access to the application. The external evaluation rule requires that the call returns either a True or False, and this is combined with the policy to determine access. ### 2. Analyze and validate the authentication material (JWT) 
@@ -67,22 +72,19 @@ When a user successfully authenticates and is authorized to access a protected a Here is an example of a JWT sent to an origin (use [JWT.io](http://jwt.io) to read the contents of a JWT) - ```json title="JWT content" { - "aud": [ - "264063895705477af73bfbaed1bf401981f4812eefcdb9fea33f5e10e666e282" - ], - "email": "john.doe@cloudflare.com", - "exp": 1728551137, - "iat": 1728464737, - "nbf": 1728464737, - "iss": "https://myorg.cloudflareaccess.com", - "type": "app", - "identity_nonce": "IA0hPRvwILtbUXSQ", - "sub": "ce40d564-c72f-475f-a9b8-f395f19ad986", - "device_id": "8469d7c4-83a9-11ee-b559-76e6e80876db", - "country": "FR" + "aud": ["264063895705477af73bfbaed1bf401981f4812eefcdb9fea33f5e10e666e282"], + "email": "john.doe@cloudflare.com", + "exp": 1728551137, + "iat": 1728464737, + "nbf": 1728464737, + "iss": "https://myorg.cloudflareaccess.com", + "type": "app", + "identity_nonce": "IA0hPRvwILtbUXSQ", + "sub": "ce40d564-c72f-475f-a9b8-f395f19ad986", + "device_id": "8469d7c4-83a9-11ee-b559-76e6e80876db", + "country": "FR" } ``` 
@@ -90,18 +92,17 @@ Cloudflare exposes a specific [endpoint](/cloudflare-one/identity/authorization- Cloudflare's Workers are a great candidate for interacting with incoming JSON Web Tokens (JWTs), enabling additional processing directly within the serverless platform without introducing any added latency. - ### 3. Augment the authentication material (JWT) with extra authentication details In some situations, it is beneficial to elaborate on this JWT in order to execute additional processing on the protected destination application (for example, adding device [posture details](/cloudflare-one/identity/devices/) as part of an incoming request). -In the following example, we want to make sure the exposed application is aware of the status of the device's firewall and disk encryption (Note that the WARP client needs to be installed on the client machine for these signals to be collected). +In the following example, we want to make sure the exposed application is aware of the status of the device's firewall and disk encryption (Note that the WARP client needs to be installed on the client machine for these signals to be collected). ![Figure 2: Modified origin request including posture details](~/assets/images/reference-architecture/augment-access-with-serverless/diagram2.svg "Figure 2: Modified origin request including posture details") 
@@ -176,13 +177,13 @@ When a JSON Web Token (JWT) is expanded, the details of the attached authenticat Using the details in the JWT, you can use a Worker to extract the details of the device posture and then reinsert them into HTTP headers which the application uses for its own authorization logic. Below is a guided tutorial explaining how this request modification can be performed with Cloudflare Developer platform. ## Related Resources -- [External Evaluation rules](/cloudflare-one/policies/access/external-evaluation/) +- [External Evaluation rules](/cloudflare-one/access-controls/policies/external-evaluation/) - [SASE reference architecture](/reference-architecture/architectures/sase/) - [External Evaluation blog post](https://blog.cloudflare.com/access-external-validation-rules/) diff --git a/src/content/docs/reference-architecture/diagrams/sase/deploying-self-hosted-VoIP-services-for-hybrid-users.mdx b/src/content/docs/reference-architecture/diagrams/sase/deploying-self-hosted-VoIP-services-for-hybrid-users.mdx index be5d509dfe2e9d..87e6bc6201b819 100644 --- a/src/content/docs/reference-architecture/diagrams/sase/deploying-self-hosted-VoIP-services-for-hybrid-users.mdx +++ b/src/content/docs/reference-architecture/diagrams/sase/deploying-self-hosted-VoIP-services-for-hybrid-users.mdx 
@@ -29,7 +29,7 @@ The diagram above shows the WARP Connector and our device agent deployed to esta
 1. VoIP server resides on a private network with no public IP.
 2. WARP Connector creates a secure tunnel to Cloudflare and is configured as a virtual router in the private network.
 3. Allow traffic from Cloudflare to reach the VoIP server, but also allow private network initiated traffic, such as an outbound VoIP call from the server, to route over the Cloudflare tunnel. In the above diagram, we add a static route on the default gateway of `100.96.0.0/12` (the WARP CGNAT range) via `10.0.50.10` (the WARP Connector virtual router).
-4. Traffic passes through our [Secure Web Gateway](/cloudflare-one/policies/gateway/) (SWG), which applies network level firewall rules to both inbound and outbound traffic.
+4. Traffic passes through our [Secure Web Gateway](/cloudflare-one/traffic-policies/) (SWG), which applies network level firewall rules to both inbound and outbound traffic.
 5. A device agent is installed on remote user devices. The agent establishes a secure tunnel to Cloudflare, which allows VoIP software to both receive and make calls.
 ## Call flow examples
diff --git a/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx b/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx
index c5a1181e68493e..241a5c79edaa3b 100644
--- a/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx
+++ b/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx
@@ -14,7 +14,7 @@ description: >- Internet service providers are constantly exploring new revenue opportunities to expand their business, and many are now turning to security as a value-added service alongside their connectivity offerings. Traditionally, integrating security with connectivity posed significant challenges due to the reliance on legacy solutions that required costly on-premises hardware. This makes it difficult to deploy and manage and introduces post-deployment struggles with scalability and availability. -Today these limitations can be addressed through cloud-based solutions like [Cloudflare Gateway](/cloudflare-one/policies/gateway/), our Secure Web Gateway service. Cloudflare Gateway's DNS filtering capabilities allow service providers to offer enhanced security as a value-added service for residential and mobile subscribers or B2B clients. With easy-to-create policies backed by Cloudflare's [extensive threat intelligence](https://www.cloudflare.com/en-gb/security/), service providers can effectively safeguard their customers from accessing potentially [harmful domains](/cloudflare-one/policies/gateway/domain-categories/#security-categories). +Today these limitations can be addressed through cloud-based solutions like [Cloudflare Gateway](/cloudflare-one/traffic-policies/), our Secure Web Gateway service. Cloudflare Gateway's DNS filtering capabilities allow service providers to offer enhanced security as a value-added service for residential and mobile subscribers or B2B clients. With easy-to-create policies backed by Cloudflare's [extensive threat intelligence](https://www.cloudflare.com/en-gb/security/), service providers can effectively safeguard their customers from accessing potentially [harmful domains](/cloudflare-one/traffic-policies/domain-categories/#security-categories). 
Moreover, Cloudflare Gateway eliminates concerns around availability, performance, and scalability, as it is built on [Cloudflare's 1.1.1.1 public DNS resolver](/1.1.1.1/), one of the [fastest](https://www.dnsperf.com/#!dns-providers) and most widely-used DNS resolvers in the world. 
@@ -34,13 +34,13 @@ To distinguish queries originating from the service provider from those coming f If stable and defined source IPv4 addresses cannot be assigned to the on-premises DNS servers, service providers can instead use unique destination location endpoints. Each location is assigned a distinct [DoT](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips/#dns-over-tls-dot) and [DoH](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips/#dns-over-https-doh) hostname, as well as a unique [destination IPv6 address](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips/#ipv4ipv6-address). Additionally, Cloudflare can provide unique [destination IPv4 addresses upon request](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips/#dns-resolver-ip). ::: -DNS filtering is then enforced through DNS policies set up by the service provider to detect domains linked to [security risks](/cloudflare-one/policies/gateway/domain-categories/#security-categories). Cloudflare continuously updates the list of risky domains using [its extensive threat intelligence](https://www.cloudflare.com/en-gb/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/policies/gateway/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/policies/gateway/block-page/). Alternatively, an `[Override](/cloudflare-one/policies/gateway/dns-policies/#override)` action or [block page URL redirect](/cloudflare-one/policies/gateway/block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the service provider. 
+DNS filtering is then enforced through DNS policies set up by the service provider to detect domains linked to [security risks](/cloudflare-one/traffic-policies/domain-categories/#security-categories). Cloudflare continuously updates the list of risky domains using [its extensive threat intelligence](https://www.cloudflare.com/en-gb/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/traffic-policies/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/traffic-policies/block-page/). Alternatively, an `[Override](/cloudflare-one/traffic-policies/dns-policies/#override)` action or [block page URL redirect](/cloudflare-one/traffic-policies/block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the service provider. ![Figure 2: A DNS policy to prevent users from navigating to malicious domains. The action is to override and redirect the DNS query to a block page hosted by the service provider.](~/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-02.svg) -To achieve more precise control over which domains are allowed or blocked, the service provider can configure additional Allowed Domain and Blocked Domains policies. By setting these policies with [lower precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence) than the Security Risks policy, the service provider can override the Security Risks policy for specific domains. +To achieve more precise control over which domains are allowed or blocked, the service provider can configure additional Allowed Domain and Blocked Domains policies. 
By setting these policies with [lower precedence](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) than the Security Risks policy, the service provider can override the Security Risks policy for specific domains. -To streamline the management of allowed and blocked domains, use [lists](/cloudflare-one/policies/gateway/lists/). Lists are easily updated through the dashboard or via [APIs](/api/resources/zero_trust/subresources/gateway/subresources/lists/methods/update/), making policy adjustments more efficient. +To streamline the management of allowed and blocked domains, use [lists](/cloudflare-one/traffic-policies/lists/). Lists are easily updated through the dashboard or via [APIs](/api/resources/zero_trust/subresources/gateway/subresources/lists/methods/update/), making policy adjustments more efficient. ![Figure 3: DNS policies are applied according to their order of precedence. In this example, the 'Allow List Policy' and 'Block List Policy' will be considered before the 'Security List' policy.](~/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-03.svg) 
@@ -52,7 +52,7 @@ In cases of a miscategorization of domains, raise a [categorization change reque ## Additional offerings based on DNS filtering capabilities -Service providers can enhance their offerings by using Cloudflare Gateway DNS policies to deliver additional value-added services alongside the base DNS security service. By using the same solution, service providers can develop customized content category filtering services. These services can be easily constructed using Cloudflare's built-in [content categories](/cloudflare-one/policies/gateway/domain-categories/#content-categories) and [application types](/cloudflare-one/policies/gateway/application-app-types/), as well as the service provider's own custom allow and block lists. +Service providers can enhance their offerings by using Cloudflare Gateway DNS policies to deliver additional value-added services alongside the base DNS security service. By using the same solution, service providers can develop customized content category filtering services. These services can be easily constructed using Cloudflare's built-in [content categories](/cloudflare-one/traffic-policies/domain-categories/#content-categories) and [application types](/cloudflare-one/traffic-policies/application-app-types/), as well as the service provider's own custom allow and block lists. Some potential applications include: @@ -64,6 +64,6 @@ To differentiate these additional services from the core DNS security offering, ## Related resources -- [Cloudflare Gateway DNS policies](/cloudflare-one/policies/gateway/dns-policies/) +- [Cloudflare Gateway DNS policies](/cloudflare-one/traffic-policies/dns-policies/) - [Cloudflare Blog: Using the power of Cloudflare's global network to detect malicious domains using machine learning](https://blog.cloudflare.com/threat-detection-machine-learning-models/) - [Protect ISP and telecommunications networks from DDoS attacks](/reference-architecture/diagrams/network/protecting-sp-networks-from-ddos/) 
diff --git a/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx b/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx
index 4149a7f31909e7..46c6131c557d66 100644
--- a/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx
+++ b/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx
@@ -14,7 +14,7 @@ description: >- Protective DNS services are security services that analyze DNS queries and block access to malicious websites and other harmful online content. As technology becomes increasingly vital for public sector operations, government departments are looking to adopt these cybersecurity services to bolster incident detection and response, and to build more resilient enterprise networks. Traditionally, deploying this type of solution posed significant challenges due to the reliance on legacy systems that required costly on-premises hardware. This makes it difficult to deploy and manage, and introduces post-deployment struggles with scalability and availability. -Today, these limitations can be addressed through cloud-based solutions like [Cloudflare Gateway](/cloudflare-one/policies/gateway/), our Secure Web Gateway service. Cloudflare Gateway's DNS filtering capabilities allow administrators to offer enhanced security. With easy-to-create policies backed by Cloudflare's [extensive threat intelligence](https://www.cloudflare.com/en-gb/security/), government agencies can effectively safeguard their end users from accessing potentially [harmful domains](/cloudflare-one/policies/gateway/domain-categories/#security-categories). Additionally, agencies can further strengthen these defenses by [integrating their own threat intelligence data](https://developers.cloudflare.com/security-center/indicator-feeds/) into the policies. +Today, these limitations can be addressed through cloud-based solutions like [Cloudflare Gateway](/cloudflare-one/traffic-policies/), our Secure Web Gateway service. Cloudflare Gateway's DNS filtering capabilities allow administrators to offer enhanced security. 
With easy-to-create policies backed by Cloudflare's [extensive threat intelligence](https://www.cloudflare.com/en-gb/security/), government agencies can effectively safeguard their end users from accessing potentially [harmful domains](/cloudflare-one/traffic-policies/domain-categories/#security-categories). Additionally, agencies can further strengthen these defenses by [integrating their own threat intelligence data](https://developers.cloudflare.com/security-center/indicator-feeds/) into the policies. Finally, Cloudflare Gateway eliminates concerns around availability, performance, and scalability, as it is built on [Cloudflare's 1.1.1.1 public DNS resolver](/1.1.1.1/), one of the [fastest](https://www.dnsperf.com/#!dns-providers) and most widely used DNS resolvers in the world. 
@@ -30,7 +30,7 @@ IT administrators forward public DNS requests to Cloudflare where they are filte To distinguish queries originating from the government departments and agencies they are responsible for, admins configure a location in the Cloudflare dashboard. When a DNS location is created, Gateway assigns IPv4/IPv6 addresses and DNS over TLS/HTTPS (DoT/DoH) hostnames for that location. These IP addresses and hostnames are then used by the admins to send DNS queries for resolution. In turn, the administrator configures the location object with the public IP addresses of their on-premises DNS servers, allowing Cloudflare to accurately associate queries with the corresponding location. -DNS filtering is then enforced through policies set up by the administrator to detect domains linked to [security risks](/cloudflare-one/policies/gateway/domain-categories/#security-categories). Cloudflare continuously updates the list of high risk domains using [its extensive threat intelligence](https://www.cloudflare.com/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/policies/gateway/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/policies/gateway/block-page/). Alternatively, an [Override](/cloudflare-one/policies/gateway/dns-policies/#override) action or [block page URL redirect](/cloudflare-one/policies/gateway/block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the government agency. +DNS filtering is then enforced through policies set up by the administrator to detect domains linked to [security risks](/cloudflare-one/traffic-policies/domain-categories/#security-categories). 
Cloudflare continuously updates the list of high risk domains using [its extensive threat intelligence](https://www.cloudflare.com/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/traffic-policies/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/traffic-policies/block-page/). Alternatively, an [Override](/cloudflare-one/traffic-policies/dns-policies/#override) action or [block page URL redirect](/cloudflare-one/traffic-policies/block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the government agency. Cloudflare's own threat intelligence can be seamlessly integrated with threat intelligence data provided by the agency or third-party sources. In this setup, the agency or the third-party entity acts as a [threat feed provider](/security-center/indicator-feeds/) to Cloudflare. This enables IT admins to create DNS policies that combine Cloudflare's security risk categories with the data sourced by the agency, for a unified and enhanced security posture (see diagram below). Additionally, [publicly available custom indicator feeds](/security-center/indicator-feeds/#publicly-available-feeds) can be accessed by eligible public and private sector organizations without the need to establish a provider relationship, further expanding security capabilities. 
@@ -52,9 +52,9 @@ The device agent is compatible with the [leading desktop and mobile operating sy ### Additional controls -To achieve more precise control over which domains are allowed or blocked, the administrator can configure additional Allowed Domain and Blocked Domain policies. By setting these policies with [lower precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence) than the Security Risks policy, the agency can override the Security Risks policy for specific domains. +To achieve more precise control over which domains are allowed or blocked, the administrator can configure additional Allowed Domain and Blocked Domain policies. By setting these policies with [lower precedence](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) than the Security Risks policy, the agency can override the Security Risks policy for specific domains. -To streamline the management of allowed and blocked domains, use [lists](/cloudflare-one/policies/gateway/lists/). Lists are easily updated through the dashboard or via [APIs](/api/operations/zero-trust-lists-update-zero-trust-list), making policy adjustments more efficient. +To streamline the management of allowed and blocked domains, use [lists](/cloudflare-one/traffic-policies/lists/). Lists are easily updated through the dashboard or via [APIs](/api/operations/zero-trust-lists-update-zero-trust-list), making policy adjustments more efficient. ![Figure 5: Show how lists can be used to provide custom hostname lists in the policy.](~/assets/images/reference-architecture/gateway-for-protective-dns/gateway-for-protective-dns-image-05.svg "Figure 5: Show how lists can be used to provide custom hostname lists in the policy.") 
@@ -80,21 +80,21 @@ When inspecting HTTP traffic, Cloudflare prevents interference by decrypting, in When Cloudflare Gateway is performing HTTP inspection, it extends protection beyond DNS security by enabling additional capabilities to safeguard users as they browse the Internet: -- **Anti-virus scanning (AV):** Users are protected when downloading or uploading files to or from the Internet. [Files are scanned](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/) in real time to detect malicious content. -- **Sandboxing:** For files not previously seen, Cloudflare Gateway can [quarantine them in a secure sandbox environment for analysis](/cloudflare-one/policies/gateway/http-policies/file-sandboxing/). In this sandbox, Cloudflare monitors the file's actions and compares them against known malware patterns. Files are only released to users if no malicious content is detected. -- **Remote Browser Isolation (RBI):** [Isolation policies](/cloudflare-one/policies/browser-isolation/) can be configured to safeguard users when accessing potentially risky websites. For example, [if a user attempts to visit a newly seen domain that triggers an isolation policy](/cloudflare-one/policies/browser-isolation/isolation-policies/), the website's active content is executed in a secure, isolated browser hosted in the nearest Cloudflare data center. This ensures that zero-day attacks and malware are mitigated before they can impact the user. This remote browsing experience is seamless and transparent, allowing users to continue using their preferred browsers and workflows. Every browser tab and window is automatically isolated, and sessions are deleted when closed. +- **Anti-virus scanning (AV):** Users are protected when downloading or uploading files to or from the Internet. [Files are scanned](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/) in real time to detect malicious content. 
+- **Sandboxing:** For files not previously seen, Cloudflare Gateway can [quarantine them in a secure sandbox environment for analysis](/cloudflare-one/traffic-policies/http-policies/file-sandboxing/). In this sandbox, Cloudflare monitors the file's actions and compares them against known malware patterns. Files are only released to users if no malicious content is detected. +- **Remote Browser Isolation (RBI):** [Isolation policies](/cloudflare-one/remote-browser-isolation/) can be configured to safeguard users when accessing potentially risky websites. For example, [if a user attempts to visit a newly seen domain that triggers an isolation policy](/cloudflare-one/remote-browser-isolation/isolation-policies/), the website's active content is executed in a secure, isolated browser hosted in the nearest Cloudflare data center. This ensures that zero-day attacks and malware are mitigated before they can impact the user. This remote browsing experience is seamless and transparent, allowing users to continue using their preferred browsers and workflows. Every browser tab and window is automatically isolated, and sessions are deleted when closed. ### Data protection In addition to threat protection, Cloudflare Gateway enables the implementation of robust data protection policies during HTTP inspection, including: -- **File upload controls:** Administrators can enforce policies that monitor and [restrict file uploads](/cloudflare-one/policies/gateway/http-policies/#download-and-upload-file-types) to the Internet, preventing the inadvertent sharing of sensitive data. -- **Data Loss Prevention (DLP):** [DLP policies](/cloudflare-one/policies/data-loss-prevention/) can be deployed to identify and block unauthorized sharing of confidential or classified information. For more details, see [securing data in transit](/reference-architecture/diagrams/security/securing-data-in-transit/). 
-- **Remote Browser Isolation (RBI):** Beyond threat protection, [isolation policies](/cloudflare-one/policies/browser-isolation/) can enforce [user action restrictions](/cloudflare-one/policies/browser-isolation/isolation-policies/#policy-settings), such as disabling copy/paste functionality or keyboard inputs, to safeguard sensitive information. For additional information, refer to [securing data in use](/reference-architecture/diagrams/security/securing-data-in-use/). +- **File upload controls:** Administrators can enforce policies that monitor and [restrict file uploads](/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) to the Internet, preventing the inadvertent sharing of sensitive data. +- **Data Loss Prevention (DLP):** [DLP policies](/cloudflare-one/data-loss-prevention/) can be deployed to identify and block unauthorized sharing of confidential or classified information. For more details, see [securing data in transit](/reference-architecture/diagrams/security/securing-data-in-transit/). +- **Remote Browser Isolation (RBI):** Beyond threat protection, [isolation policies](/cloudflare-one/remote-browser-isolation/) can enforce [user action restrictions](/cloudflare-one/remote-browser-isolation/isolation-policies/#policy-settings), such as disabling copy/paste functionality or keyboard inputs, to safeguard sensitive information. For additional information, refer to [securing data in use](/reference-architecture/diagrams/security/securing-data-in-use/). ## Adopting Cloudflare Gateway as Secure Web Gateway -Expanding Cloudflare Gateway from a protective DNS service to a full-featured Secure Web Gateway is a straightforward process. Using Cloudflare's dashboard, IT administrators would configure [HTTP policies](/cloudflare-one/policies/gateway/http-policies/) in addition to existing DNS policies. 
These HTTP policies would enable the additional protections, namely, Antivirus Scanning, Sandboxing, Remote Browser Isolation (RBI), and Data Loss Prevention (DLP). +Expanding Cloudflare Gateway from a protective DNS service to a full-featured Secure Web Gateway is a straightforward process. Using Cloudflare's dashboard, IT administrators would configure [HTTP policies](/cloudflare-one/traffic-policies/http-policies/) in addition to existing DNS policies. These HTTP policies would enable the additional protections, namely, Antivirus Scanning, Sandboxing, Remote Browser Isolation (RBI), and Data Loss Prevention (DLP). From the user's perspective, remote Workers would continue using the same device agent. To leverage these enhanced protections, they simply need to switch the device agent mode to [Gateway with WARP](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/#gateway-with-warp-default). This mode can also be enforced when using device management to deploy the agent. diff --git a/src/content/docs/reference-architecture/diagrams/sase/magic-wan-connector-deployment.mdx b/src/content/docs/reference-architecture/diagrams/sase/magic-wan-connector-deployment.mdx index f303e4fea50292..4672f089a6da1e 100644 --- a/src/content/docs/reference-architecture/diagrams/sase/magic-wan-connector-deployment.mdx +++ b/src/content/docs/reference-architecture/diagrams/sase/magic-wan-connector-deployment.mdx 
@@ -82,7 +82,7 @@ All traffic towards internal locations and self-hosted applications follows the ### Split tunneling -In some deployments, customers might want to protect only specific protocols using Cloudflare security services such as our [secure web gateway](/cloudflare-one/policies/gateway/), while the rest of the traffic routes through the existing edge device (router or firewall). Figure 5 illustrates such a use case. +In some deployments, customers might want to protect only specific protocols using Cloudflare security services such as our [secure web gateway](/cloudflare-one/traffic-policies/), while the rest of the traffic routes through the existing edge device (router or firewall). Figure 5 illustrates such a use case. ![Figure 5. 'Split Tunneling' use case.](~/assets/images/reference-architecture/magic-wan-connector-deployment/figure05.svg "Figure 5. 'Split Tunneling' use case.") diff --git a/src/content/docs/reference-architecture/diagrams/sase/sase-clientless-access-private-dns.mdx b/src/content/docs/reference-architecture/diagrams/sase/sase-clientless-access-private-dns.mdx index 39827e6f3f035d..c0fd2818464e04 100644 --- a/src/content/docs/reference-architecture/diagrams/sase/sase-clientless-access-private-dns.mdx +++ b/src/content/docs/reference-architecture/diagrams/sase/sase-clientless-access-private-dns.mdx 
@@ -24,7 +24,7 @@ Typically, to provide access to internal resources, you use Cloudflare Zero Trus Some organizations don't like the idea of public DNS records which reference internal services, even though the ZTNA services provide strong access security, sometimes just the existence of a service name in public DNS is not desired. Exposing IP addresses directly to users is also a bad idea, they are hard to remember, and IP addresses can change. Unlike accessing a web application via a public DNS record through our proxy, applications exposed via private IP addresses also require the user to install an agent on their device to capture and route the traffic to Cloudflare which in turn routes it to the application. Installing this agent can be a challenge with third parties like partners or contractors. -So how do you allow access to private resources, without creating public DNS records and without requiring the user install software on their device? Cloudflare solved this challenge with [Resolver Policies](/cloudflare-one/policies/gateway/resolver-policies/) where internal DNS services can be used. When combined with agentless [Remote Browser Isolation](/cloudflare-one/policies/browser-isolation/), it is possible to create Zero Trust access to private web applications with only a modern web browser. Policies to control access to apps are then written in our Secure Web Gateway (SWG) service as [network firewall](/cloudflare-one/policies/gateway/network-policies/) policies. This method supports HTTP based applications, although Cloudflare does provide a browser rendering service for SSH and VNC services. +So how do you allow access to private resources, without creating public DNS records and without requiring the user install software on their device? Cloudflare solved this challenge with [Resolver Policies](/cloudflare-one/traffic-policies/resolver-policies/) where internal DNS services can be used. 
When combined with agentless [Remote Browser Isolation](/cloudflare-one/remote-browser-isolation/), it is possible to create Zero Trust access to private web applications with only a modern web browser. Policies to control access to apps are then written in our Secure Web Gateway (SWG) service as [network firewall](/cloudflare-one/traffic-policies/network-policies/) policies. This method supports HTTP based applications, although Cloudflare does provide a browser rendering service for SSH and VNC services. Follow this [tutorial](/cloudflare-one/tutorials/clientless-access-private-dns/) for information on how to configure secure access to private web-based resources without having to deploy client agents. 
@@ -32,7 +32,7 @@ Follow this [tutorial](/cloudflare-one/tutorials/clientless-access-private-dns/) 1. Users start their access by authenticating to the [Cloudflare Browser Isolation](https://your_team_domain.cloudflareaccess.com/browser) service. Note this is a browser running on Cloudflare’s edge network, therefore all requests will by default be handled by Cloudflare. The contents are rendered back to the users’ browser via secure encrypted vector streams that use HTTPS and WebRTC channels. 2. Once the user has authenticated to the remote browser, they make a request to an internal hostname which is a record in the internal DNS service. e.g. [https://app.company.internal](https://app.company.internal) -3. Cloudflare looks up the internal hostname using [resolver policies](/cloudflare-one/policies/gateway/resolver-policies/), and gets the private IP address from the internal DNS server. This DNS resolution takes place within the Cloudflare network and requires no DNS client changes on the user's device. +3. Cloudflare looks up the internal hostname using [resolver policies](/cloudflare-one/traffic-policies/resolver-policies/), and gets the private IP address from the internal DNS server. This DNS resolution takes place within the Cloudflare network and requires no DNS client changes on the user's device. 4. Cloudflare evaluates the network firewall policies and verifies if the user has permission to reach the destination addresses. 5. If the request passes the policy, it is sent via secure [QUIC](https://blog.cloudflare.com/getting-cloudflare-tunnels-to-connect-to-the-cloudflare-network-with-quic) tunnels to the Cloudflared connectors which then is reverse proxied to the application servers. All data is transmitted securely through Cloudflare back to the users’ browser via encrypted vector streams. 
diff --git a/src/content/docs/reference-architecture/diagrams/sase/secure-access-to-saas-applications-with-sase.mdx b/src/content/docs/reference-architecture/diagrams/sase/secure-access-to-saas-applications-with-sase.mdx
index 5174a741fb4e1f..95255633f3a54b 100644
--- a/src/content/docs/reference-architecture/diagrams/sase/secure-access-to-saas-applications-with-sase.mdx
+++ b/src/content/docs/reference-architecture/diagrams/sase/secure-access-to-saas-applications-with-sase.mdx
@@ -30,8 +30,8 @@ Cloudflare's SASE platform offers the ability to bring a more Zero Trust orienta The diagram below shows how Cloudflare sits between your users, devices and networks that require access to any SaaS application. The two main services proving security capabilities are: -- [Zero Trust Network Access](/cloudflare-one/policies/access/). Allows Cloudflare to become an identity proxy, so that you can easily enable authentication with a wide variety of identity providers to a single SaaS application. This service also incorporates the ability to evaluate access based on device posture and network location. -- [Secure Web Gateway](/cloudflare-one/policies/gateway/). Once all traffic to access the SaaS application flows through our gateway, HTTPS connections are terminated at Cloudflare and you have the ability to inspect the data flowing to and from the SaaS application. This allows you to block sensitive data from being exported to insecure locations. +- [Zero Trust Network Access](/cloudflare-one/access-controls/policies/). Allows Cloudflare to become an identity proxy, so that you can easily enable authentication with a wide variety of identity providers to a single SaaS application. This service also incorporates the ability to evaluate access based on device posture and network location. +- [Secure Web Gateway](/cloudflare-one/traffic-policies/). Once all traffic to access the SaaS application flows through our gateway, HTTPS connections are terminated at Cloudflare and you have the ability to inspect the data flowing to and from the SaaS application. This allows you to block sensitive data from being exported to insecure locations. 
![Figure 1: Only traffic that has passed the Cloudflare network and relevant policies is authorized to access the SaaS application.](~/assets/images/reference-architecture/secure-access-to-saas-applications-with-sase/figure1.svg "Figure 1: Only traffic that has passed the Cloudflare network and relevant policies is authorized to access the SaaS application.") @@ -55,7 +55,7 @@ When integrating with an XDR platform such as Crowdstrike, Sentinel One or Micro The following is an example set of policies which demonstrate how you can use Cloudflare to secure access to Salesforce. -The first step is using an [egress IP policy under Cloudflare Gateway](/cloudflare-one/policies/gateway/egress-policies/). This allows you to purchase and assign specific IPs to users that have their traffic filtered via Gateway. Then in Salesforce, you enforce that access is only permitted for traffic with a source IP that matches the one in your egress policy. This combination ensures that the only way to get access to Salesforce is via Cloudflare. +The first step is using an [egress IP policy under Cloudflare Gateway](/cloudflare-one/traffic-policies/egress-policies/). This allows you to purchase and assign specific IPs to users that have their traffic filtered via Gateway. Then in Salesforce, you enforce that access is only permitted for traffic with a source IP that matches the one in your egress policy. This combination ensures that the only way to get access to Salesforce is via Cloudflare. | Egress Policy | | | :---------------------------------- | :------------- | diff --git a/src/content/docs/reference-architecture/diagrams/sase/zero-trust-and-virtual-desktop-infrastructure.mdx b/src/content/docs/reference-architecture/diagrams/sase/zero-trust-and-virtual-desktop-infrastructure.mdx index fb9d0abe36e302..ad88df8b31b8ab 100644 --- a/src/content/docs/reference-architecture/diagrams/sase/zero-trust-and-virtual-desktop-infrastructure.mdx 
+++ b/src/content/docs/reference-architecture/diagrams/sase/zero-trust-and-virtual-desktop-infrastructure.mdx @@ -41,7 +41,7 @@ The diagram above shows the general flow of how user traffic goes from their loc **Option 1: Clientless RBI** - Device agent not required -- RBI URL can be protected by an [Access policy](/cloudflare-one/policies/access/) with authentication +- RBI URL can be protected by an [Access policy](/cloudflare-one/access-controls/policies/) with authentication - A simpler way to begin rolling out Cloudflare Zero trust while transitioning away from VDI - A great option for third party contractor access who cannot install software on their device 
@@ -82,14 +82,14 @@ Cloudflare's SASE platform is capable of much more than replacing VPNs and bolst ## Summary -As shown, we have seen several ways to incorporate Cloudflare's Zero Trust services with your existing VDI, either by replacing it completely in favor of Remote Browser Isolation technology or further securing it with our [Access](/cloudflare-one/policies/access/) or [Gateway](/cloudflare-one/policies/gateway/) services. +As shown, we have seen several ways to incorporate Cloudflare's Zero Trust services with your existing VDI, either by replacing it completely in favor of Remote Browser Isolation technology or further securing it with our [Access](/cloudflare-one/access-controls/policies/) or [Gateway](/cloudflare-one/traffic-policies/) services. For more thorough background, explanation and action steps to a smooth migration be sure to read the following resources: - [Decommissioning your VDI Blog Post](https://blog.cloudflare.com/decommissioning-virtual-desktop/) - [Leveraging Cloudflare's Secure Web Gateway with PAC files for VDI](/learning-paths/secure-internet-traffic/configure-device-agent/pac-files/#use-cases) - [Connect to private network services with Browser Isolation](https://blog.cloudflare.com/browser-isolation-private-network/) -- [Clientless Web Isolation](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation) +- [Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation) - [Determine When to use PAC Files](/learning-paths/secure-internet-traffic/configure-device-agent/pac-files/#use-cases) - [Agentless DNS Configurations](/cloudflare-one/team-and-resources/devices/agentless/dns/) - [PAC Files for Agentless HTTP Filtering](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) 
diff --git a/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx b/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx index e76fbb4b33cd33..2e0f541203b9a6 100644 --- a/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx +++ b/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx @@ -21,7 +21,7 @@ Cloudflare's API-driven [Cloud Access Security Broker](/cloudflare-one/applicati [DLP profiles](/cloudflare-one/applications/casb/casb-dlp/) are used to discover if files stored in your SaaS application contain sensitive data. Matches are then compared with access controls and findings are generated, such as findings to alert you to a spreadsheet that contains credit card information that is accessible by anyone on the Internet. -When Cloudflare CASB is combined with Cloudflare's [Secure Web Gateway](/cloudflare-one/policies/gateway/) service, which inspects all the traffic going to and from a SaaS application, customers can achieve comprehensive visibility into both data in transit and data at rest for SaaS applications. +When Cloudflare CASB is combined with Cloudflare's [Secure Web Gateway](/cloudflare-one/traffic-policies/) service, which inspects all the traffic going to and from a SaaS application, customers can achieve comprehensive visibility into both data in transit and data at rest for SaaS applications. ![Figure 1: Overall solution of user access controls to, and the discovery of, sensitive data.](~/assets/images/reference-architecture/securing-data-at-rest/securing-data-at-rest-fig1.svg "Figure 1: Overall solution of user access controls to, and the discovery of, sensitive data.") 
@@ -31,9 +31,9 @@ When Cloudflare CASB is combined with Cloudflare's [Secure Web Gateway](/cloudfl 1. For managed endpoints, we recommend deploying our [device agent](/cloudflare-one/team-and-resources/devices/warp/) to maximize visibility and control of all traffic between the end user’s device and the resources being requested. 2. For unmanaged endpoints, we have [client-less solutions](/reference-architecture/diagrams/sase/sase-clientless-access-private-dns/) which all you to still have visibility over and inspection into the data accessed by users. -2. Cloudflare's [Zero Trust Network Access](/cloudflare-one/policies/access/) (ZTNA) service can integrate directly with your [SaaS applications](/cloudflare-one/applications/configure-apps/saas-apps/) using standard protocols (e.g. SAML or OIDC) to become the initial enforcement point for user access. Access calls your [identity provider](/cloudflare-one/integrations/identity-providers/) (IdP) of choice and uses additional security signals about your users and devices to make policy decisions. +2. Cloudflare's [Zero Trust Network Access](/cloudflare-one/access-controls/policies/) (ZTNA) service can integrate directly with your [SaaS applications](/cloudflare-one/applications/configure-apps/saas-apps/) using standard protocols (e.g. SAML or OIDC) to become the initial enforcement point for user access. Access calls your [identity provider](/cloudflare-one/integrations/identity-providers/) (IdP) of choice and uses additional security signals about your users and devices to make policy decisions. -3. As an extension of what was covered in Securing data in use, Cloudflare [Remote Browser Isolation](/cloudflare-one/policies/browser-isolation/) (RBI) can also be used with [dedicated egress IPs](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/), so that even remote clientless user’s traffic can arrive at the requested SaaS application from predictable and consistent IP addresses. +3. 
As an extension of what was covered in Securing data in use, Cloudflare [Remote Browser Isolation](/cloudflare-one/remote-browser-isolation/) (RBI) can also be used with [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/), so that even remote clientless user’s traffic can arrive at the requested SaaS application from predictable and consistent IP addresses.
 ## Discovering and protecting the data at rest
diff --git a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx
index cce3609dd6582c..918fcc40a22206 100644
--- a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx
+++ b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx
@@ -49,7 +49,7 @@ When traffic from the device, to the hosted application, all flows via Cloudflar A common challenge is trying to determine what data is sensitive and requires policy intervention. Data Loss Prevention services are used to inspect the contents of a piece of traffic, and then provide metadata to the policy to impact enforcement. -For example, when a user attempts to upload a file to a SaaS application and the traffic route has been configured to always go via the Cloudflare network, [Cloudflare DLP](/cloudflare-one/policies/data-loss-prevention/) inspects the file by using DLP profiles assigned to a Gateway policy. After a DLP profile matches, the Gateway policy will allow or block the traffic, and the activity will be written to the logs. A DLP profile is a collection of regular expressions (also known as detection entries) that define the data patterns you want to detect. Cloudflare DLP provides [predefined profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/#configure-a-predefined-profile) for common detections, or you can build [custom profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/#build-a-custom-profile) specific to your data, and even the ability to leverage [Exact Data Match](/cloudflare-one/policies/data-loss-prevention/detection-entries/#exact-data-match) (EDM). +For example, when a user attempts to upload a file to a SaaS application and the traffic route has been configured to always go via the Cloudflare network, [Cloudflare DLP](/cloudflare-one/data-loss-prevention/) inspects the file by using DLP profiles assigned to a Gateway policy. After a DLP profile matches, the Gateway policy will allow or block the traffic, and the activity will be written to the logs. A DLP profile is a collection of regular expressions (also known as detection entries) that define the data patterns you want to detect. 
Cloudflare DLP provides [predefined profiles](/cloudflare-one/data-loss-prevention/dlp-profiles/#configure-a-predefined-profile) for common detections, or you can build [custom profiles](/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile) specific to your data, and even the ability to leverage [Exact Data Match](/cloudflare-one/data-loss-prevention/detection-entries/#exact-data-match) (EDM). DLP profiles are then used in combination with other policy attributes to specifically identify the traffic, such as only enforcing the policy when sensitive data is being uploaded to approved Cloud based storage services. 
@@ -60,9 +60,9 @@ The following diagram shows a common flow for how Cloudflare inspects a request ![Figure 4: Upload of file containing sensitive data blocked by Cloudflare DLP](~/assets/images/reference-architecture/securing-data-in-transit/securing-data-in-transit-fig4.svg "Figure 4: Upload of file containing sensitive data blocked by Cloudflare DLP") 1. User attempts to upload a file to a SaaS application (via a secure tunnel to Cloudflare created by our [device agent](/cloudflare-one/team-and-resources/devices/warp/download-warp/)). [Clientless](/cloudflare-one/team-and-resources/devices/agentless/) options are supported as well. -2. Cloudflare's [Secure Web Gateway](/cloudflare-one/policies/gateway/) (SWG) will first verify that the user is permitted to use the requested SaaS application, and then scrutinize the file's payload for [malicious code](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/) and [sensitive data](/cloudflare-one/policies/data-loss-prevention/). +2. Cloudflare's [Secure Web Gateway](/cloudflare-one/traffic-policies/) (SWG) will first verify that the user is permitted to use the requested SaaS application, and then scrutinize the file's payload for [malicious code](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/) and [sensitive data](/cloudflare-one/data-loss-prevention/). 3. The DLP profile determines the file contains national identifiers like US Social Security Numbers (SSN). -4. The Gateway policy is configured with a [Block action](/cloudflare-one/policies/gateway/http-policies/#block), so the attempt is [logged](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules) and a [block page](/cloudflare-one/policies/gateway/block-page/) returned to the end user's web browser. +4. 
The Gateway policy is configured with a [Block action](/cloudflare-one/traffic-policies/http-policies/#block), so the attempt is [logged](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules) and a [block page](/cloudflare-one/traffic-policies/block-page/) returned to the end user's web browser.
 ## Related resources
diff --git a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-use.mdx b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-use.mdx
index c34b7b638efc33..634079c12d4c1b 100644
--- a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-use.mdx
+++ b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-use.mdx
@@ -16,7 +16,7 @@ Data in use refers to data that is being actively interacted with, processed, or Today, a vast majority of a user’s interactions with operationally-critical data takes place inside a modern Internet browser, which today enables entire client applications, such as email clients, word processors, and spreadsheets, to be served to an end-user. This also means no software needs to be installed on the device, and also makes user interactions, such as copy and paste, and downloading sensitive data, relatively easy. Such interactions can pose a persistent risk to organizations whose employees and contractors are working with critical and/or sensitive data every day. -One method to secure data in use is to leverage greater control over the browsers themselves, and how employees use them to access applications and data. Cloudflare has approached this by building a headless browser solution on top of our massive global edge network, called [Remote Browser Isolation](/cloudflare-one/policies/browser-isolation/) (RBI). When a user attempts to access, for example, a privately hosted resource, or a resource on the public Internet, instead of directly serving it to the user’s browser without any other safeguards, Cloudflare first renders the resource in a sandboxed environment hosted on the Cloudflare global network. Then, without any perceptible difference to the end-user, a small Javascript client is run within their local browser to safely and securely retrieve and render the remotely loaded web content using a novel, patented technology unique to Cloudflare, called Network Vector Rendering (NVR). +One method to secure data in use is to leverage greater control over the browsers themselves, and how employees use them to access applications and data. Cloudflare has approached this by building a headless browser solution on top of our massive global edge network, called [Remote Browser Isolation](/cloudflare-one/remote-browser-isolation/) (RBI). 
When a user attempts to access, for example, a privately hosted resource, or a resource on the public Internet, instead of directly serving it to the user’s browser without any other safeguards, Cloudflare first renders the resource in a sandboxed environment hosted on the Cloudflare global network. Then, without any perceptible difference to the end-user, a small Javascript client is run within their local browser to safely and securely retrieve and render the remotely loaded web content using a novel, patented technology unique to Cloudflare, called Network Vector Rendering (NVR). ## Protecting data in use with Cloudflare RBI 
@@ -26,19 +26,19 @@ Even more, organizations can enforce specific data in use access controls, like Common policies used with RBI: -- Content category - [Social Networks](/cloudflare-one/policies/gateway/domain-categories/) (e.g. Facebook): Given the large volumes of data that popular social media platforms collect, these apps are an attractive target and yet another attack vector for malicious entities. RBI allows for limiting what data, especially if that data matches a DLP profile, from being pasted into these applications. -- Application - [Artificial Intelligence](/cloudflare-one/policies/gateway/application-app-types/) (e.g. ChatGPT): Generative AI tools can boost employee productivity, but understanding who is using them and for what is imperative at this stage of the generative AI evolution. Again, DLP profiles here can be applied to prevent the copy and pasting of sensitive data into public AI tools. -- Application - [SaaS](/cloudflare-one/policies/gateway/application-app-types/) (e.g. Salesforce, Zendesk, etc): These applications can often contain highly confidential data. RBI can be used to really lock down access for risky users that require some access, such as contractors or partners. Controls such as preventing printing, or even preventing any keyboard input at all, can result in third party users only looking at a read only view of the application, as if RBI is a pane of glass between the user and the data. +- Content category - [Social Networks](/cloudflare-one/traffic-policies/domain-categories/) (e.g. Facebook): Given the large volumes of data that popular social media platforms collect, these apps are an attractive target and yet another attack vector for malicious entities. RBI allows for limiting what data, especially if that data matches a DLP profile, from being pasted into these applications. +- Application - [Artificial Intelligence](/cloudflare-one/traffic-policies/application-app-types/) (e.g. 
ChatGPT): Generative AI tools can boost employee productivity, but understanding who is using them and for what is imperative at this stage of the generative AI evolution. Again, DLP profiles here can be applied to prevent the copy and pasting of sensitive data into public AI tools. +- Application - [SaaS](/cloudflare-one/traffic-policies/application-app-types/) (e.g. Salesforce, Zendesk, etc): These applications can often contain highly confidential data. RBI can be used to really lock down access for risky users that require some access, such as contractors or partners. Controls such as preventing printing, or even preventing any keyboard input at all, can result in third party users only looking at a read only view of the application, as if RBI is a pane of glass between the user and the data. The following diagram visualizes a typical interaction between a user, RBI and a website such as ChatGPT. ![Figure 1: Text copy/paste blocked by Cloudflare RBI.](~/assets/images/reference-architecture/securing-data-in-use/securing-data-in-use-fig1.svg "Figure 1: Text copy/paste blocked by Cloudflare RBI.") 1. User attempts to login to ChatGPT, and the request goes via Cloudflare since the user is running our [device agent](/cloudflare-one/team-and-resources/devices/warp/download-warp/) to maximize visibility and control of all traffic between the end user’s device and the resources being requested. [Clientless](/cloudflare-one/team-and-resources/devices/agentless/) options are supported as well. -2. Cloudflare’s [Secure Web Gateway](/cloudflare-one/policies/gateway/) (SWG) will first verify that the user is permitted to access ChatGPT. +2. Cloudflare’s [Secure Web Gateway](/cloudflare-one/traffic-policies/) (SWG) will first verify that the user is permitted to access ChatGPT. 3. Cloudflare’s patented Network Vector Rendering (NVR) process begins as a headless browser on our edge network starts and rasterizes the web app, which involves writing SKIA draw commands. 4. 
NVR intercepts those draw commands > tokenizes them > compresses them > encrypts them > and sends them to the local web browser.
-5. Because this request is running isolated, the policy also enforces preventing the user from [copying and pasting](/cloudflare-one/policies/browser-isolation/isolation-policies/#copy-from-remote-to-client) sensitive content to ChatGPT from their local machine. Additional [policy settings](/cloudflare-one/policies/browser-isolation/isolation-policies/#policy-settings), such as ‘Disable printing’, ‘Disable upload / download’, and more are available as well.
+5. Because this request is running isolated, the policy also enforces preventing the user from [copying and pasting](/cloudflare-one/remote-browser-isolation/isolation-policies/#copy-from-remote-to-client) sensitive content to ChatGPT from their local machine. Additional [policy settings](/cloudflare-one/remote-browser-isolation/isolation-policies/#policy-settings), such as ‘Disable printing’, ‘Disable upload / download’, and more are available as well.
 ## Related resources
diff --git a/src/content/docs/ruleset-engine/reference/phases-list.mdx b/src/content/docs/ruleset-engine/reference/phases-list.mdx
index aac9865f26b3df..f71353deb83fb2 100644
--- a/src/content/docs/ruleset-engine/reference/phases-list.mdx
+++ b/src/content/docs/ruleset-engine/reference/phases-list.mdx
@@ -13,14 +13,13 @@ The following tables list the [phases](/ruleset-engine/about/phases/) of Cloudfl [Network-layer](https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/) phases apply to packets received on the Cloudflare global network. - -| Phase name | Used in product/feature | -| ---------------- | ------------------------------------------------------------------------------------------------ | -| `ddos_l4` | [Network-layer DDoS Attack Protection](/ddos-protection/managed-rulesets/network/network-overrides/configure-api/) | -| `magic_transit` | [Magic Firewall](/magic-firewall/how-to/add-rules/) | -| `magic_transit_managed` | [Magic Firewall managed rulesets](/magic-firewall/how-to/enable-managed-rulesets/) | -| `magic_transit_ratelimit` | [Magic Firewall rate limiting rules](/magic-firewall/how-to/create-rate-limiting-rules/)| -| `magic_transit_ids_managed` | [Magic Firewall Intrusion Detection System (IDS)](/magic-firewall/about/ids/) | +| Phase name | Used in product/feature | +| --------------------------- | ------------------------------------------------------------------------------------------------------------------ | +| `ddos_l4` | [Network-layer DDoS Attack Protection](/ddos-protection/managed-rulesets/network/network-overrides/configure-api/) | +| `magic_transit` | [Magic Firewall](/magic-firewall/how-to/add-rules/) | +| `magic_transit_managed` | [Magic Firewall managed rulesets](/magic-firewall/how-to/enable-managed-rulesets/) | +| `magic_transit_ratelimit` | [Magic Firewall rate limiting rules](/magic-firewall/how-to/create-rate-limiting-rules/) | +| `magic_transit_ids_managed` | [Magic Firewall Intrusion Detection System (IDS)](/magic-firewall/about/ids/) | ## Application layer 
@@ -45,7 +44,7 @@ The phases execute in the order they appear in the table.
 | `http_request_api_gateway_late` | [API Shield](/api-shield/) |
 | `http_request_firewall_managed` | [WAF Managed Rules](/waf/managed-rules/) |
 | `http_request_sbfm` | [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/) |
-| _N/A_ (internal phase) | [Cloudflare Access](/cloudflare-one/policies/access/) |
+| _N/A_ (internal phase) | [Cloudflare Access](/cloudflare-one/access-controls/policies/) |
 | `http_request_redirect` | [Bulk Redirects](/rules/url-forwarding/bulk-redirects/) |
 | _N/A_ (internal phase) | [Managed Transforms](/rules/transform/managed-transforms/) |
 | `http_request_late_transform` | [Request Header Transform Rules](/rules/transform/request-header-modification/) |
@@ -69,4 +68,4 @@ The phases execute in the order they appear in the table.
 | `http_ratelimit` | [Rate limiting rules](/waf/rate-limiting-rules/) (when they use response information) |
 | `http_response_compression` | [Compression Rules](/rules/compression-rules/) |
 | `http_response_firewall_managed` | [Cloudflare Sensitive Data Detection](/waf/managed-rules/) (Data Loss Prevention) |
-| `http_log_custom_fields` | [Logpush custom fields](/logs/logpush/logpush-job/custom-fields/) |
+| `http_log_custom_fields` | [Logpush custom fields](/logs/logpush/logpush-job/custom-fields/) |
diff --git a/src/content/docs/security-center/indicator-feeds.mdx b/src/content/docs/security-center/indicator-feeds.mdx
index 8ecccd78a3025d..1bd1c68c6c0b50 100644
--- a/src/content/docs/security-center/indicator-feeds.mdx
+++ b/src/content/docs/security-center/indicator-feeds.mdx
@@ -130,7 +130,7 @@ Providers can create and manage a Custom Indicator Feed with the [Custom Indicat
 ### Use a feed in Gateway
-Once an account is granted access to a feed, it will be available to match traffic as a [selector in Gateway DNS policies](/cloudflare-one/policies/gateway/dns-policies/#indicator-feeds).
+Once an account is granted access to a feed, it will be available to match traffic as a [selector in Gateway DNS policies](/cloudflare-one/traffic-policies/dns-policies/#indicator-feeds).
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. Select **DNS**.
 2. To create a new DNS policy, select **Add a policy**.
@@ -143,4 +143,4 @@ Once an account is granted access to a feed, it will be available to match traff
 5. Select **Create policy**.
-For more information on creating Gateway policies, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
+For more information on creating Gateway policies, refer to [DNS policies](/cloudflare-one/traffic-policies/dns-policies/).
diff --git a/src/content/docs/security-center/investigate/change-categorization.mdx b/src/content/docs/security-center/investigate/change-categorization.mdx
index 500dd303c53cc0..a401f1dde2229f 100644
--- a/src/content/docs/security-center/investigate/change-categorization.mdx
+++ b/src/content/docs/security-center/investigate/change-categorization.mdx
@@ -10,7 +10,7 @@ import { DashButton } from "~/components";
 Cloudflare sorts domains into categories based on their content and security type. You can request categorization changes via the [dashboard](#via-the-cloudflare-dashboard), [Cloudflare Radar](#via-cloudflare-radar), or the [API](#via-the-api).
-For a detailed list of categories, refer to [Domain categories](/cloudflare-one/policies/gateway/domain-categories/).
+For a detailed list of categories, refer to [Domain categories](/cloudflare-one/traffic-policies/domain-categories/).
 ## Via the Cloudflare dashboard
@@ -24,7 +24,7 @@ To request a categorization change via the Cloudflare dashboard:
 3. In **Domain overview**, select **Request to change categorization**.
-4. Choose whether to change a [security category](/cloudflare-one/policies/gateway/domain-categories/#security-categories) or a [content category](/cloudflare-one/policies/gateway/domain-categories/#content-categories).
+4. Choose whether to change a [security category](/cloudflare-one/traffic-policies/domain-categories/#security-categories) or a [content category](/cloudflare-one/traffic-policies/domain-categories/#content-categories).
 5. Choose which categories you want to add or remove from the domain.
diff --git a/src/content/docs/security-center/investigate/investigate-threats.mdx b/src/content/docs/security-center/investigate/investigate-threats.mdx
index 4302b0d91d5694..53d407ef59c2d5 100644
--- a/src/content/docs/security-center/investigate/investigate-threats.mdx
+++ b/src/content/docs/security-center/investigate/investigate-threats.mdx
@@ -35,7 +35,7 @@ When you search for a domain name, Cloudflare will provide an overview of the do
 {/* TODO: Reintroduce */} {/* */}
-For a detailed list of categories, refer to [Domain categories](/cloudflare-one/policies/gateway/domain-categories/).
+For a detailed list of categories, refer to [Domain categories](/cloudflare-one/traffic-policies/domain-categories/).
 A domain can have multiple categories. Cloudflare displays both the parent category and the detailed child category. You can [request category changes](/security-center/investigate/change-categorization/) for a domain. Miscategorized domains can also request to have a category added. This request goes through an approval process with the Cloudflare team.
diff --git a/src/content/docs/security-center/security-insights/index.mdx b/src/content/docs/security-center/security-insights/index.mdx
index e58962665a6123..fd71bb042d95c9 100644
--- a/src/content/docs/security-center/security-insights/index.mdx
+++ b/src/content/docs/security-center/security-insights/index.mdx
@@ -36,7 +36,7 @@ Listed below are the specific insights currently available:
 | [Mixed-authentication API endpoints detected](/api-shield/management-and-monitoring/endpoint-labels/#managed-labels) | Not all of the successful requests against API endpoints carried session identifiers. |
 | [New API endpoints detected](/api-shield/security/api-discovery/) | API Discovery detects new API endpoints in your zone's traffic. |
 | [New CASB integrations found](/cloudflare-one/applications/casb/casb-integrations/) | New CASB integrations have been found. |
-| [Overprovisioned Access Policies](/cloudflare-one/policies/access/) | We detect an Access policy to allow everyone access to your application. |
+| [Overprovisioned Access Policies](/cloudflare-one/access-controls/policies/) | We detect an Access policy to allow everyone access to your application. |
 | [Page Shield not enabled](/page-shield/get-started/) | Page Shield helps meet PCI DSS v4.0 compliance regarding requirement 6.4.3. |
 | [SPF Record Errors](/dns/manage-dns-records/reference/dns-record-types/#spf) | We detect an incorrect or missing `SPF` record. |
 | [Schema Validation missing from eligible API endpoints](/api-shield/security/schema-validation/) | Apply the learned schema to protect your API against fuzzing attacks. |
diff --git a/src/content/docs/ssl/client-certificates/forward-a-client-certificate.mdx b/src/content/docs/ssl/client-certificates/forward-a-client-certificate.mdx
index 1aebe5abe0b61c..507cd2bab2d09c 100644
--- a/src/content/docs/ssl/client-certificates/forward-a-client-certificate.mdx
+++ b/src/content/docs/ssl/client-certificates/forward-a-client-certificate.mdx
@@ -5,7 +5,7 @@ sidebar: order: 6 ---
-Customers using [Cloudflare Access](/cloudflare-one/policies/access/) also have the option to forward client certificates to their origin server.
+Customers using [Cloudflare Access](/cloudflare-one/access-controls/policies/) also have the option to forward client certificates to their origin server.
 import { Render } from "~/components";
diff --git a/src/content/docs/ssl/post-quantum-cryptography/index.mdx b/src/content/docs/ssl/post-quantum-cryptography/index.mdx
index 94d33ed19d196b..578cdb2028bf35 100644
--- a/src/content/docs/ssl/post-quantum-cryptography/index.mdx
+++ b/src/content/docs/ssl/post-quantum-cryptography/index.mdx
@@ -19,7 +19,7 @@ To protect you against the risk of [harvest now, decrypt later attacks](https://
 Refer to [Cloudflare Radar](https://radar.cloudflare.com/adoption-and-usage#post-quantum-encryption-adoption) for current statistics on the adoption of PQ encryption in requests to Cloudflare, and visit [pq.cloudflareresearch.com](https://pq.cloudflareresearch.com) to check if your connection is secured using PQ key agreement.
 :::caution[TLS 1.3]
-Cloudflare post-quantum key agreements are only supported in protocols based on TLS 1.3 (including HTTP/3) and are disabled for websites in [FIPS mode](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#fips-compliance).
+Cloudflare post-quantum key agreements are only supported in protocols based on TLS 1.3 (including HTTP/3) and are disabled for websites in [FIPS mode](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#fips-compliance).
 :::
 ## Three building blocks of TLS
@@ -43,9 +43,9 @@ In response to this, Cloudflare is an early adopter of ML-KEM, the post-quantum
 Cloudflare has deployed the following hybrid key agreements:
 - [X25519MLKEM768](https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-mlkem/) (Recommended)
- - TLS identifier: `0x11ec`
+ - TLS identifier: `0x11ec`
 - [X25519Kyber768Draft00](https://datatracker.ietf.org/doc/draft-tls-westerbaan-xyber768d00/) (Obsolete)
- - TLS identifier: `0x6399`
+ - TLS identifier: `0x6399`
 A hybrid key agreement lays the groundwork as more and more [clients](#1-visitor-to-cloudflare) adopt post-quantum cryptography, while also maintaining the current security provided by X25519. It is a safer path in case of an unexpected breakthrough that renders all variants of ML-KEM insecure.
@@ -91,4 +91,4 @@ Refer to [Post-quantum cryptography between Cloudflare and origin servers](/ssl/
 ## Protect corporate network traffic
-With [Zero Trust](/cloudflare-one/), Cloudflare allows organizations to upgrade their sensitive network traffic to PQC without the hassle of individually upgrading each and every corporate application, system, or network connection. Refer to [Post-quantum cryptography in Cloudflare's Zero Trust platform](/ssl/post-quantum-cryptography/pqc-and-zero-trust/) for details.
\ No newline at end of file
+With [Zero Trust](/cloudflare-one/), Cloudflare allows organizations to upgrade their sensitive network traffic to PQC without the hassle of individually upgrading each and every corporate application, system, or network connection. Refer to [Post-quantum cryptography in Cloudflare's Zero Trust platform](/ssl/post-quantum-cryptography/pqc-and-zero-trust/) for details.
diff --git a/src/content/docs/ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx b/src/content/docs/ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx
index 5295165ebbfa87..6a93bad752c27a 100644
--- a/src/content/docs/ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx
+++ b/src/content/docs/ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx
@@ -12,7 +12,7 @@ Refer to the sections below to learn about the use cases supported by the Zero T
 ## Agentless Cloudflare Access
-You can use [Cloudflare Access](/cloudflare-one/policies/access/) [self-hosted applications](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) in an agentless configuration to protect your organization's Internet traffic to internal web applications. Refer to the [learning path](/learning-paths/clientless-access/initial-setup/) for detailed guidance.
+You can use [Cloudflare Access](/cloudflare-one/access-controls/policies/) [self-hosted applications](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) in an agentless configuration to protect your organization's Internet traffic to internal web applications. Refer to the [learning path](/learning-paths/clientless-access/initial-setup/) for detailed guidance.
 Even if the applications themselves have not yet migrated to post-quantum (PQ) cryptography, they will be protected against quantum threats.
@@ -38,7 +38,7 @@ Putting it together, Cloudflare Access can provide end-to-end quantum safety for A [secure web gateway (SWG)](https://www.cloudflare.com/learning/access-management/what-is-a-secure-web-gateway/) is used to secure access to third-party websites on the public Internet by intercepting and inspecting TLS traffic. -[Cloudflare Gateway](/cloudflare-one/policies/gateway/http-policies/) is now a [quantum-safe SWG for HTTPS traffic](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#post-quantum-support). As long as the third-party website that is being inspected supports post-quantum key agreement, then Cloudflare's SWG also supports post-quantum key agreement. This is true regardless of the on-ramp that you use to get to Cloudflare's network, and only requires the use of a browser that supports post-quantum key agreement. +[Cloudflare Gateway](/cloudflare-one/traffic-policies/http-policies/) is now a [quantum-safe SWG for HTTPS traffic](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#post-quantum-support). As long as the third-party website that is being inspected supports post-quantum key agreement, then Cloudflare's SWG also supports post-quantum key agreement. This is true regardless of the on-ramp that you use to get to Cloudflare's network, and only requires the use of a browser that supports post-quantum key agreement. ![Diagram of how post-quantum cryptography works with Cloudflare's Secure Web Gateway](~/assets/images/ssl/pqc-secure-web-gateway.png). 
@@ -53,4 +53,3 @@ A TLS connection is initiated from the user's browser to a data center in Cloudf
 A TLS connection is initiated from a data center in Cloudflare's network to the origin server, which is typically controlled by a third party. The connection from Cloudflare's SWG currently supports post-quantum key agreement, as long as the third-party's origin server also already supports post-quantum key agreement. You can test this out by using https://pq.cloudflareresearch.com/ as your third-party origin server.
 Putting it together, Cloudflare Gateway is quantum-ready to support secure access to any third-party website that is quantum ready today or in the future.
-
diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-502-504.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-502-504.mdx
index 5a056585b28f45..f34ac3292f5ac1 100644
--- a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-502-504.mdx
+++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-502-504.mdx
@@ -53,6 +53,6 @@ If you need further assistance from our Support team, provide the following deta
 ### Known Cloudflare issues leading to HTTP Error 502 or 504
-- Using [Gateway](/cloudflare-one/policies/gateway/) can lead to an HTTP Error `502` if the origin only partially supports HTTP/2. Refer to [Gateway FAQ](/cloudflare-one/faq/troubleshooting/#i-see-error-504-when-browsing-to-a-website) for more details and resolution.
+- Using [Gateway](/cloudflare-one/traffic-policies/) can lead to an HTTP Error `502` if the origin only partially supports HTTP/2. Refer to [Gateway FAQ](/cloudflare-one/faq/troubleshooting/#i-see-error-504-when-browsing-to-a-website) for more details and resolution.
 - You may see an influx of HTTP Error `504` with the `RequestSource` of `earlyHintsCache` in Cloudflare Logs when Early Hints is enabled, which is expected and benign. Refer to [the Early Hints article](/cache/advanced-configuration/early-hints/#emit-early-hints) for more details and resolution.
diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx
index 9b0c338da9e8dd..ef0d87a5edf22b 100644
--- a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx
+++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx
@@ -35,14 +35,11 @@ Here are some options to fix or workaround this issue:
 ![Screen showing an SSL certificate with no errors.](~/assets/images/support/hc-import-troubleshooting_5xx_errors_sslshopper_output.png)
-
-
 ### Error 526 in the Zero Trust context
-When using [Cloudflare Gateway](/cloudflare-one/policies/gateway/), an HTTP Error `526` might be returned in the [following cases](/cloudflare-one/faq/troubleshooting/#i-see-error-526-when-browsing-to-a-website):
+When using [Cloudflare Gateway](/cloudflare-one/traffic-policies/), an HTTP Error `526` might be returned in the [following cases](/cloudflare-one/faq/troubleshooting/#i-see-error-526-when-browsing-to-a-website):
 - **An untrusted certificate is presented from the origin to Gateway.** Gateway will consider a certificate is untrusted if any of these conditions are true:
-
 - The server certificate issuer is unknown or is not trusted by the service.
 - The server certificate is revoked and fails a CRL check.
 - There is at least one expired certificate in the certificate chain for the server certificate.
@@ -50,12 +47,10 @@ When using [Cloudflare Gateway](/cloudflare-one/policies/gateway/), an HTTP Erro
 - The common name on the certificate contains invalid characters (such as underscores). Gateway uses [BoringSSL](https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Basic&Vendor=Google&CertificateStatus=Active&ValidationYear=0) to validate certificates. Chrome's [validation logic](https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/cert/x509_certificate.cc#429) allows non-RFC 1305 compliant certificates, which is why the website may load when you turn off WARP.
 - **The connection from Gateway to the origin is insecure.** Gateway does not trust origins which:
-
 - Only offer insecure cipher suites (such as RC4, RC4-MD5, or 3DES). You can use the [SSL Server Test tool](https://www.ssllabs.com/ssltest/index.html) to check which ciphers are supported by the origin.
- - Do not support [FIPS-compliant ciphers](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#cipher-suites) (if you have enabled [FIPS compliance mode](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#fips-compliance)). In order to load the page, you can either disable FIPS mode or create a Do Not Inspect policy for this host (which has the effect of disabling FIPS compliance for this origin).
+ - Do not support [FIPS-compliant ciphers](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#cipher-suites) (if you have enabled [FIPS compliance mode](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#fips-compliance)). In order to load the page, you can either disable FIPS mode or create a Do Not Inspect policy for this host (which has the effect of disabling FIPS compliance for this origin).
 - Redirect all HTTPS requests to HTTP.
-
 ### Error 526 in the Workers context
 Workers subrequests to any hostname outside your Cloudflare zone that is not proxied by Cloudflare are always made using the **[Full (strict)](/ssl/origin-configuration/ssl-modes/full-strict/)** SSL mode, regardless of the Workers zone configuration.
@@ -64,12 +59,5 @@ Workers subrequests to any hostname outside your Cloudflare zone that is not pro
 - Make sure the SSL certificate configured at the origin is valid.
-- Add your self-signed SSL certificate to the [Custom Origin Trust Store](/ssl/origin-configuration/custom-origin-trust-store/) and enable the [`cots_on_external_fetch` compatibility flag](/workers/configuration/compatibility-flags/#do-not-use-the-custom-origin-trust-store-for-external-subrequests) in your Worker's configuration.
-This flag enables the use of the [Custom Origin Trust Store](/ssl/origin-configuration/custom-origin-trust-store/) when making external (grey-clouded) subrequests from a Cloudflare Worker.
-
-
-
-
-
-
-
+- Add your self-signed SSL certificate to the [Custom Origin Trust Store](/ssl/origin-configuration/custom-origin-trust-store/) and enable the [`cots_on_external_fetch` compatibility flag](/workers/configuration/compatibility-flags/#do-not-use-the-custom-origin-trust-store-for-external-subrequests) in your Worker's configuration.
+ This flag enables the use of the [Custom Origin Trust Store](/ssl/origin-configuration/custom-origin-trust-store/) when making external (grey-clouded) subrequests from a Cloudflare Worker.
diff --git a/src/content/docs/tenant/reference/subscriptions.mdx b/src/content/docs/tenant/reference/subscriptions.mdx
index b0836100262db7..b0770959cee731 100644
--- a/src/content/docs/tenant/reference/subscriptions.mdx
+++ b/src/content/docs/tenant/reference/subscriptions.mdx
@@ -35,7 +35,7 @@ The following table lists sample values for various Zero Trust subscriptions.
 | Feature | Subscription IDs |
 | ----------------------------------------- | ------------------------------------------------------------------------------------------------------------- |
 | [Access](/cloudflare-one/identity/) | `PARTNERS_ACCESS_BASIC`, `PARTNERS_ACCESS_ENT`, `PARTNERS_ACCESS_PREMIUM`, `TEAMS_ACCESS_ENT`, `TEAMS_ACCESS` |
-| [Gateway](/cloudflare-one/policies/gateway/) | `TEAMS_GATEWAY_ENT`, `TEAMS_GATEWAY` |
+| [Gateway](/cloudflare-one/traffic-policies/) | `TEAMS_GATEWAY_ENT`, `TEAMS_GATEWAY` |
 | [Cloudflare Zero Trust](/cloudflare-one/) | `TEAMS_ENT`, `TEAMS_FREE`, `TEAMS_STANDARD` |
 ### Developer subscriptions
diff --git a/src/content/docs/waf/detections/malicious-uploads/index.mdx b/src/content/docs/waf/detections/malicious-uploads/index.mdx
index e272f565dc96c1..c80b7ddf1bcb39 100644
--- a/src/content/docs/waf/detections/malicious-uploads/index.mdx
+++ b/src/content/docs/waf/detections/malicious-uploads/index.mdx
@@ -23,7 +23,7 @@ Once enabled, content scanning will run for all incoming traffic, identifying **Domains & Routes**.
 4. For Preview URLs, click **Enable Cloudflare Access**.
-5. Optionally, to configure the Access application, click **Manage Cloudflare Access**. There, you can change the email addresses you want to authorize. View [Access policies](/cloudflare-one/policies/access/#selectors) to learn about configuring alternate rules.
+5. Optionally, to configure the Access application, click **Manage Cloudflare Access**. There, you can change the email addresses you want to authorize. View [Access policies](/cloudflare-one/access-controls/policies/#selectors) to learn about configuring alternate rules.
 6. [Validate the Access JWT](https://developers.cloudflare.com/cloudflare-one/identity/authorization-cookie/validating-json/#cloudflare-workers-example) in your Worker script using the audience (`aud`) tag and JWKs URL provided.
 ## Toggle Preview URLs (Enable or Disable)
diff --git a/src/content/docs/workers/configuration/routing/workers-dev.mdx b/src/content/docs/workers/configuration/routing/workers-dev.mdx
index a9d499fdf8196f..66e7abdae90845 100644
--- a/src/content/docs/workers/configuration/routing/workers-dev.mdx
+++ b/src/content/docs/workers/configuration/routing/workers-dev.mdx
@@ -23,7 +23,7 @@ All Workers are assigned a `workers.dev` route when they are created or renamed
 ## Manage access to `workers.dev`
-When enabled, your `workers.dev` URL is available publicly. You can use [Cloudflare Access](/cloudflare-one/policies/access/) to require visitors to authenticate before accessing preview URLs. You can limit access to yourself, your teammates, your organization, or anyone else you specify in your [access policy](/cloudflare-one/policies/access).
+When enabled, your `workers.dev` URL is available publicly. You can use [Cloudflare Access](/cloudflare-one/access-controls/policies/) to require visitors to authenticate before accessing preview URLs. You can limit access to yourself, your teammates, your organization, or anyone else you specify in your [access policy](/cloudflare-one/access-controls/policies/).
 To limit your `workers.dev` URL to authorized emails only:
@@ -34,7 +34,7 @@ To limit your `workers.dev` URL to authorized emails only:
 2. In **Overview**, select your Worker.
 3. Go to **Settings** > **Domains & Routes**.
 4. For `workers.dev`, click **Enable Cloudflare Access**.
-5. Optionally, to configure the Access application, click **Manage Cloudflare Access**. There, you can change the email addresses you want to authorize. View [Access policies](/cloudflare-one/policies/access/#selectors) to learn about configuring alternate rules.
+5. Optionally, to configure the Access application, click **Manage Cloudflare Access**. There, you can change the email addresses you want to authorize. View [Access policies](/cloudflare-one/access-controls/policies/#selectors) to learn about configuring alternate rules.
 6. [Validate the Access JWT](https://developers.cloudflare.com/cloudflare-one/identity/authorization-cookie/validating-json/#cloudflare-workers-example) in your Worker script using the audience (`aud`) tag and JWKs URL provided.
 ## Disabling `workers.dev`
diff --git a/src/content/docs/workers/platform/storage-options.mdx b/src/content/docs/workers/platform/storage-options.mdx
index f27b531423670c..fe780e4e64c927 100644
--- a/src/content/docs/workers/platform/storage-options.mdx
+++ b/src/content/docs/workers/platform/storage-options.mdx
@@ -31,9 +31,9 @@ Storage options can also be used by your front-end application built with Cloudf
 There are three options for SQL-based databases available when building applications with Workers.
-* **Hyperdrive** if you have an existing Postgres or MySQL database, require large (1TB, 100TB or more) single databases, and/or want to use your existing database tools. You can also connect Hyperdrive to database platforms like [PlanetScale](https://planetscale.com/) or [Neon](https://neon.tech/).
-* **D1** for lightweight, serverless applications that are read-heavy, have global users that benefit from D1's [read replication](/d1/best-practices/read-replication/), and do not require you to manage and maintain a traditional RDBMS.
-* **Durable Objects** for stateful serverless workloads, per-user or per-customer SQL state, and building distributed systems (D1 and Queues are built on Durable Objects) where Durable Object's [strict serializability](https://blog.cloudflare.com/durable-objects-easy-fast-correct-choose-three/) enables global ordering of requests and storage operations.
+- **Hyperdrive** if you have an existing Postgres or MySQL database, require large (1TB, 100TB or more) single databases, and/or want to use your existing database tools. You can also connect Hyperdrive to database platforms like [PlanetScale](https://planetscale.com/) or [Neon](https://neon.tech/).
+- **D1** for lightweight, serverless applications that are read-heavy, have global users that benefit from D1's [read replication](/d1/best-practices/read-replication/), and do not require you to manage and maintain a traditional RDBMS.
+- **Durable Objects** for stateful serverless workloads, per-user or per-customer SQL state, and building distributed systems (D1 and Queues are built on Durable Objects) where Durable Object's [strict serializability](https://blog.cloudflare.com/durable-objects-easy-fast-correct-choose-three/) enables global ordering of requests and storage operations.
 ### Session storage
@@ -41,7 +41,7 @@ We recommend using [Workers KV](/kv/) for storing session data, credentials (API
 Frequently read keys benefit from KV's [internal cache](/kv/concepts/how-kv-works/), and repeated reads to these "hot" keys will typically see latencies in the 500µs to 10ms range.
-Authentication frameworks like [OpenAuth](https://openauth.js.org/docs/storage/cloudflare/) use Workers KV as session storage when deployed to Cloudflare, and [Cloudflare Access](/cloudflare-one/policies/access/) uses KV to securely store and distribute user credentials so that they can be validated as close to the user as possible and reduce overall latency.
+Authentication frameworks like [OpenAuth](https://openauth.js.org/docs/storage/cloudflare/) use Workers KV as session storage when deployed to Cloudflare, and [Cloudflare Access](/cloudflare-one/access-controls/policies/) uses KV to securely store and distribute user credentials so that they can be validated as close to the user as possible and reduce overall latency.
 ## Product overviews
@@ -201,7 +201,3 @@ To get started with Vectorize:
 - Learn more about [how vector databases work](/vectorize/reference/what-is-a-vector-database/).
-
-
-
-
diff --git a/src/content/notifications/index.yaml b/src/content/notifications/index.yaml
index 56a7d2817d89b8..3100f5d31f1a73 100644
--- a/src/content/notifications/index.yaml
+++ b/src/content/notifications/index.yaml
@@ -1,6 +1,6 @@
 entries:
 - name: Expiring Access Service Token Alert
- audience: "[Access](/cloudflare-one/policies/access/) customers who want to receive a notification when their service token is about to expire."
+ audience: "[Access](/cloudflare-one/access-controls/policies/) customers who want to receive a notification when their service token is about to expire."
 availability: Purchase of Access
 associatedProducts: Cloudflare Access
 nextSteps: Extend the expiration date of the service token. For more details, refer to [Renew your service token](/cloudflare-one/identity/service-tokens/#renew-service-tokens).
@@ -341,7 +341,7 @@ entries:
 otherFilters: None.
 - name: Access mTLS Certificate Expiration Alert
- audience: "[Access](/cloudflare-one/policies/access/) customers that use client certificates for mutual TLS authentication. This notification will be sent 30 and 14 days before the expiration of the certificate."
+ audience: "[Access](/cloudflare-one/access-controls/policies/) customers that use client certificates for mutual TLS authentication. This notification will be sent 30 and 14 days before the expiration of the certificate."
 availability: Purchase of [Access](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/) and/or [Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/).
 associatedProducts: SSL/TLS
 nextSteps: Upload a [renewed certificate](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#add-mtls-authentication-to-your-access-configuration).
@@ -620,4 +620,4 @@ entries:
 availability: Purchase of Cloudflare Network Interconnect (CNI).
 associatedProducts: Network Interconnect
 nextSteps: No action is needed.
- otherFilters: None.
\ No newline at end of file
+ otherFilters: None.
diff --git a/src/content/partials/cloudflare-one/access/add-access-policies.mdx b/src/content/partials/cloudflare-one/access/add-access-policies.mdx
index d497342ed365f0..c4065e6a6ce003 100644
--- a/src/content/partials/cloudflare-one/access/add-access-policies.mdx
+++ b/src/content/partials/cloudflare-one/access/add-access-policies.mdx
@@ -2,4 +2,4 @@
 {}
 ---
-Add [Access policies](/cloudflare-one/policies/access/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access.
\ No newline at end of file
+Add [Access policies](/cloudflare-one/access-controls/policies/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access.
diff --git a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx
index 783053fbf35300..396d0172e91f1d 100644
--- a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx
+++ b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx
@@ -2,10 +2,17 @@
 {}
 ---
-import { Tabs, TabItem, Render, APIRequest, GlossaryTooltip } from "~/components";
+import {
+ Tabs,
+ TabItem,
+ Render,
+ APIRequest,
+ GlossaryTooltip,
+} from "~/components";
+
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications**.
 2. Select **Add an application**.
 3. Select **Infrastructure**.
@@ -13,65 +20,62 @@ import { Tabs, TabItem, Render, APIRequest, GlossaryTooltip } from "~/components 5. In **Target criteria**, select the target hostname(s) that you want to secure. This application definition will apply to all targets that share the selected hostname, including any targets added in the future. Similarly, if you later decide to change the hostname for a target, the renamed target will no longer be covered by this application. 6. Enter the **Protocol** and **Port** that will be used to connect to the server. 7. (Optional) If a protocol runs on more than one port, select **Add new target criteria** and reconfigure the same target hostname and protocol with a different port number. - :::note - Access for Infrastructure only supports assigning one protocol per port. You can reuse a port/protocol pairing across infrastructure applications, but the port cannot be reassigned to another protocol. - ::: + :::note + Access for Infrastructure only supports assigning one protocol per port. You can reuse a port/protocol pairing across infrastructure applications, but the port cannot be reassigned to another protocol. + ::: 8. Select **Next**. 9. To secure your targets, configure a policy that defines who can connect and how they can connect: - 1. Enter any name for your policy. - 2. Create a rule that matches the users who are allowed to reach the targets. For more information, refer to [Access policies](/cloudflare-one/policies/access/) and review the list of [infrastructure policy selectors](/cloudflare-one/applications/non-http/infrastructure-apps/#infrastructure-policy-selectors). - 3. In **Connection context**, configure the following settings: - - **SSH user**: Enter the UNIX usernames that users can log in as (for example, `root` or `ec2-user`). - - **Allow users to log in as their email alias**: (Optional) When selected, users who match your policy definition will be able to access the target using their lowercased email address prefix. 
For example, `Jdoe@company.com` could log in as `jdoe`. - - :::note - Cloudflare will not create new users on the target. UNIX users must already be present on the server. - ::: -4. Select **Add application**. + 1. Enter any name for your policy. + 2. Create a rule that matches the users who are allowed to reach the targets. For more information, refer to [Access policies](/cloudflare-one/access-controls/policies/) and review the list of [infrastructure policy selectors](/cloudflare-one/applications/non-http/infrastructure-apps/#infrastructure-policy-selectors). + 3. In **Connection context**, configure the following settings: + - **SSH user**: Enter the UNIX usernames that users can log in as (for example, `root` or `ec2-user`). + - **Allow users to log in as their email alias**: (Optional) When selected, users who match your policy definition will be able to access the target using their lowercased email address prefix. For example, `Jdoe@company.com` could log in as `jdoe`. + + :::note + Cloudflare will not create new users on the target. UNIX users must already be present on the server. + ::: + +10. Select **Add application**. + Make a `POST` request to the [Access applications](/api/resources/zero_trust/subresources/access/subresources/applications/methods/create/) endpoint: 
@@ -81,49 +85,50 @@ Make a `POST` request to the [Access applications](/api/resources/zero_trust/sub The following example requires Cloudflare provider version `>=4.45.0`. ::: -1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/api_token): - - `Access: Apps and Policies Write` - -2. Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_application) resource to create an infrastructure application: - - ```tf - resource "cloudflare_zero_trust_access_application" "infra-app" { - account_id = var.cloudflare_account_id - name = "Example infrastructure app" - type = "infrastructure" - - target_criteria { - port = 22 - protocol = "SSH" - target_attributes { - name = "hostname" - values = ["infra-access-target"] - } - } - } - ``` - -3. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_policy) resource to add an infrastructure policy to the application: - - ```tf - resource "cloudflare_zero_trust_access_policy" "infra-app-policy" { - application_id = cloudflare_zero_trust_access_application.infra-app.id - account_id = var.cloudflare_account_id - name = "Allow a specific email" - decision = "allow" - precedence = 1 - - include { - email = ["jdoe@company.com"] - } - - connection_rules { - ssh { - usernames = ["root", "ec2-user"] - } - } - } - ``` +1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/api_token): + - `Access: Apps and Policies Write` + +2. 
Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_application) resource to create an infrastructure application: + + ```tf + resource "cloudflare_zero_trust_access_application" "infra-app" { + account_id = var.cloudflare_account_id + name = "Example infrastructure app" + type = "infrastructure" + + target_criteria { + port = 22 + protocol = "SSH" + target_attributes { + name = "hostname" + values = ["infra-access-target"] + } + } + } + ``` + +3. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_policy) resource to add an infrastructure policy to the application: + + ```tf + resource "cloudflare_zero_trust_access_policy" "infra-app-policy" { + application_id = cloudflare_zero_trust_access_application.infra-app.id + account_id = var.cloudflare_account_id + name = "Allow a specific email" + decision = "allow" + precedence = 1 + + include { + email = ["jdoe@company.com"] + } + + connection_rules { + ssh { + usernames = ["root", "ec2-user"] + } + } + } + ``` + diff --git a/src/content/partials/cloudflare-one/access/app-launcher.mdx b/src/content/partials/cloudflare-one/access/app-launcher.mdx index 214fe491c5f7ba..d287ca2a9e7223 100644 --- a/src/content/partials/cloudflare-one/access/app-launcher.mdx +++ b/src/content/partials/cloudflare-one/access/app-launcher.mdx 
@@ -22,7 +22,7 @@ To enable the App Launcher:
 2. Under the **App Launcher** card, select **Manage**.
-3. On the **Rules** tab, [build a rule](/cloudflare-one/policies/access/) to define who can access your App Launcher portal. These rules do not impact permissions for the applications secured behind Access.
+3. On the **Rules** tab, [build a rule](/cloudflare-one/access-controls/policies/) to define who can access your App Launcher portal. These rules do not impact permissions for the applications secured behind Access.
 4. On the **Authentication** tab, choose the identity providers users can authenticate with.
@@ -36,23 +36,23 @@ Tiles have a one-to-one relationship with each application you create in Access. To show an Access application in the App Launcher: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications**. -2. Select an application and select **Configure**. -3. Go to **Experience settings**. -4. Select **Show application in App Launcher**. The App Launcher link will only appear for users who are allowed by your Access policies. Blocked users will not see the app in their App Launcher. +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications**. +2. Select an application and select **Configure**. +3. Go to **Experience settings**. +4. Select **Show application in App Launcher**. The App Launcher link will only appear for users who are allowed by your Access policies. Blocked users will not see the app in their App Launcher. - :::note + :::note - This toggle does not impact the user's ability to reach the application. Allowed users can always reach the application via a direct link, regardless of whether the toggle is enabled. Blocked users will never have access to the application. - ::: + This toggle does not impact the user's ability to reach the application. Allowed users can always reach the application via a direct link, regardless of whether the toggle is enabled. Blocked users will never have access to the application. + ::: -5. (Optional) To use a custom logo for the application tile, select **Use custom logo** and enter a link to your desired image. +5. (Optional) To use a custom logo for the application tile, select **Use custom logo** and enter a link to your desired image. - :::note - If you are having issues specifying a custom logo, check that the image is served from an HTTPS endpoint. For example, `http://www.example.com/upload/logo.png` will not work. However, `https://www.example.com/upload/logo.png` will. 
- ::: + :::note + If you are having issues specifying a custom logo, check that the image is served from an HTTPS endpoint. For example, `http://www.example.com/upload/logo.png` will not work. However, `https://www.example.com/upload/logo.png` will. + ::: -6. In **Application domains**, choose a domain to use for the App Launcher link. +6. In **Application domains**, choose a domain to use for the App Launcher link. ## Customize App Launcher appearance @@ -80,7 +80,6 @@ We recommend lighter background colors because the font defaults to black. ::: 4. Next, customize the landing page that users will see when they login to the App Launcher. Available properties include: - - A custom title - A custom subtitle - An image diff --git a/src/content/partials/cloudflare-one/access/block-page.mdx b/src/content/partials/cloudflare-one/access/block-page.mdx index 3d75fb6b091a68..a7de815903a685 100644 --- a/src/content/partials/cloudflare-one/access/block-page.mdx +++ b/src/content/partials/cloudflare-one/access/block-page.mdx @@ -5,7 +5,7 @@ You can customize the block page that displays when users fail to authenticate to an Access application. Each application can have a different block page. :::note[Gateway block page] -To customize the page that users see when they are blocked by a Gateway firewall policy, refer to [Gateway block page](/cloudflare-one/policies/gateway/block-page/). +To customize the page that users see when they are blocked by a Gateway firewall policy, refer to [Gateway block page](/cloudflare-one/traffic-policies/block-page/). ::: ## Types of block pages diff --git a/src/content/partials/cloudflare-one/access/enable-isolation.mdx b/src/content/partials/cloudflare-one/access/enable-isolation.mdx index 9717d8b73b5a79..587338bfc5f6d7 100644 --- a/src/content/partials/cloudflare-one/access/enable-isolation.mdx +++ b/src/content/partials/cloudflare-one/access/enable-isolation.mdx 
@@ -1,19 +1,18 @@
 ---
 {}
-
 ---
-import { Render } from "~/components"
+import { Render } from "~/components";
 3. Go to **Access** > **Applications**.
 4. Choose a [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) and select **Configure**.
 5. Go to **Policies**.
-6. Choose an [Allow policy](/cloudflare-one/policies/access/) and select **Configure**.
+6. Choose an [Allow policy](/cloudflare-one/access-controls/policies/) and select **Configure**.
 7. Under **Additional settings**, turn on **Isolate application**.
 8. Save the policy.
-Browser Isolation is now enabled for users who match this policy. After the user logs into Access, the application will launch in a remote browser. To confirm that the application is isolated, refer to [Check if a web page is isolated](/cloudflare-one/policies/browser-isolation/setup/#3-check-if-a-web-page-is-isolated).
+Browser Isolation is now enabled for users who match this policy. After the user logs into Access, the application will launch in a remote browser. To confirm that the application is isolated, refer to [Check if a web page is isolated](/cloudflare-one/remote-browser-isolation/setup/#3-check-if-a-web-page-is-isolated).
 You can optionally add another Allow policy for users on managed devices who do not require isolation.
diff --git a/src/content/partials/cloudflare-one/access/modify-gateway-policy-precedence.mdx b/src/content/partials/cloudflare-one/access/modify-gateway-policy-precedence.mdx
index 920ec573070396..6644d6b4ff349c 100644
--- a/src/content/partials/cloudflare-one/access/modify-gateway-policy-precedence.mdx
+++ b/src/content/partials/cloudflare-one/access/modify-gateway-policy-precedence.mdx
@@ -8,7 +8,7 @@ By default, Cloudflare will evaluate Access application policies after evaluatin
  1. -Create the following [Gateway network policy](/cloudflare-one/policies/gateway/network-policies/): +Create the following [Gateway network policy](/cloudflare-one/traffic-policies/network-policies/): | Selector | Operator | Value | Action | | ---------------------------- | -------- | --------- | ------ | @@ -18,7 +18,7 @@ Create the following [Gateway network policy](/cloudflare-one/policies/gateway/n { props.protocol === "rdp" && (<>
  2. Ensure that Enforce WARP client session duration is turned off, otherwise users will be blocked from accessing RDP targets.
  3. )}
  4. -Update the policy's [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence) using the dashboard or API. +Update the policy's [order of precedence](/cloudflare-one/traffic-policies/order-of-enforcement/#order-of-precedence) using the dashboard or API.
diff --git a/src/content/partials/cloudflare-one/access/self-hosted-app/choose-domain.mdx b/src/content/partials/cloudflare-one/access/self-hosted-app/choose-domain.mdx
index bf5c7dae842e9f..38ee13d875c41b 100644
--- a/src/content/partials/cloudflare-one/access/self-hosted-app/choose-domain.mdx
+++ b/src/content/partials/cloudflare-one/access/self-hosted-app/choose-domain.mdx
@@ -1,10 +1,9 @@
 ---
 {}
-
 ---
-import { Render } from "~/components"
+import { Render } from "~/components";
-In the **Domain** dropdown, select the domain that will represent the application. Domains must belong to an active zone in your Cloudflare account. You can use [wildcards](/cloudflare-one/policies/access/app-paths/) to protect multiple parts of an application that share a root path.
+In the **Domain** dropdown, select the domain that will represent the application. Domains must belong to an active zone in your Cloudflare account. You can use [wildcards](/cloudflare-one/access-controls/policies/app-paths/) to protect multiple parts of an application that share a root path.
- Alternatively, to use a [Cloudflare for SaaS custom hostname](/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access/), set **Input method** to _Custom_ and enter your custom hostname.
\ No newline at end of file
+ Alternatively, to use a [Cloudflare for SaaS custom hostname](/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access/), set **Input method** to _Custom_ and enter your custom hostname.
diff --git a/src/content/partials/cloudflare-one/app-library-review-apps.mdx b/src/content/partials/cloudflare-one/app-library-review-apps.mdx
index 1512745778e41d..3f2b621276c15d 100644
--- a/src/content/partials/cloudflare-one/app-library-review-apps.mdx
+++ b/src/content/partials/cloudflare-one/app-library-review-apps.mdx
@@ -22,5 +22,5 @@ To set the status of an application: Once you mark the status of an application, its badge will change. You can filter applications by their status to review each application in the list for your organization. The review status for an application in the App Library and Shadow IT Discovery will update within one hour. :::note -Approval status does not impact a user's ability to access an application. Users are allowed or blocked according to your [Access](/cloudflare-one/policies/access/) and [Gateway policies](/cloudflare-one/policies/gateway/). To filter traffic based on approval status, use the [_Application Status_](/cloudflare-one/policies/gateway/http-policies/#application-approval-status) selector. +Approval status does not impact a user's ability to access an application. Users are allowed or blocked according to your [Access](/cloudflare-one/access-controls/policies/) and [Gateway policies](/cloudflare-one/traffic-policies/). To filter traffic based on approval status, use the [_Application Status_](/cloudflare-one/traffic-policies/http-policies/#application-approval-status) selector. ::: diff --git a/src/content/partials/cloudflare-one/aws-resolver.mdx b/src/content/partials/cloudflare-one/aws-resolver.mdx index 5c783c4bf99956..7e08e635975f2e 100644 --- a/src/content/partials/cloudflare-one/aws-resolver.mdx +++ b/src/content/partials/cloudflare-one/aws-resolver.mdx 
@@ -3,7 +3,7 @@ --- -Avoid configuring your [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/local-domains/) or [Resolver Policy](/cloudflare-one/policies/gateway/resolver-policies/) to direct all `*.amazonaws.com` DNS resolution via AWS Route 53 Resolver. +Avoid configuring your [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/local-domains/) or [Resolver Policy](/cloudflare-one/traffic-policies/resolver-policies/) to direct all `*.amazonaws.com` DNS resolution via AWS Route 53 Resolver. Some AWS endpoints (such as `ssm.us-east-1.amazonaws.com`) are public AWS endpoints that are not resolvable via internal VPC resolution. This can break AWS Console features for users on WARP. diff --git a/src/content/partials/cloudflare-one/data-loss-prevention/custom-profile.mdx b/src/content/partials/cloudflare-one/data-loss-prevention/custom-profile.mdx index 33424d36b18415..1b37a1e7230690 100644 --- a/src/content/partials/cloudflare-one/data-loss-prevention/custom-profile.mdx +++ b/src/content/partials/cloudflare-one/data-loss-prevention/custom-profile.mdx @@ -28,7 +28,7 @@ import { Details } from "~/components";
- Existing entries include [predefined](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/) and [user-defined](/cloudflare-one/policies/data-loss-prevention/detection-entries/) detection entries. + Existing entries include [predefined](/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/) and [user-defined](/cloudflare-one/data-loss-prevention/detection-entries/) detection entries. 1. Select **Add existing entries**. 2. Choose which entries you want to add, then select **Confirm**. @@ -36,6 +36,6 @@ import { Details } from "~/components";
-5. (Optional) Configure [**profile settings**](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/) for the profile. +5. (Optional) Configure [**profile settings**](/cloudflare-one/data-loss-prevention/dlp-profiles/advanced-settings/) for the profile. 6. Select **Save profile**. diff --git a/src/content/partials/cloudflare-one/data-loss-prevention/predefined-profile.mdx b/src/content/partials/cloudflare-one/data-loss-prevention/predefined-profile.mdx index 1ea27ebf76489e..2cd91d0c898386 100644 --- a/src/content/partials/cloudflare-one/data-loss-prevention/predefined-profile.mdx +++ b/src/content/partials/cloudflare-one/data-loss-prevention/predefined-profile.mdx @@ -3,6 +3,6 @@ --- 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Data loss prevention** > **DLP profiles**. -2. Choose a [predefined profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/) and select **Configure**. +2. Choose a [predefined profile](/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/) and select **Configure**. 3. Enable one or more **Detection entries** according to your preferences. The DLP Profile matches using the OR logical operator — if multiple entries are enabled, your data needs to match only one of the entries. 4. Select **Save profile**. diff --git a/src/content/partials/cloudflare-one/gateway/add-block-page.mdx b/src/content/partials/cloudflare-one/gateway/add-block-page.mdx index a07640b5deb11f..ab243e83db993f 100644 --- a/src/content/partials/cloudflare-one/gateway/add-block-page.mdx +++ b/src/content/partials/cloudflare-one/gateway/add-block-page.mdx 
@@ -10,7 +10,7 @@ import { Markdown } from "~/components"; 2. Select **Add a policy** to create a new policy, or choose the policy you want to customize and select **Edit**. You can only edit the block page for policies with a Block action. 3. Under **Configure policy settings**, {props.blockBehaviorAction} **Modify Gateway block behavior**. 4. Choose your block behavior: - - **Use account-level block setting**: Use the global block page setting configured in your account settings. The global setting can be the default Gateway block page, an [HTTP redirect](/cloudflare-one/policies/gateway/block-page/#redirect-to-a-block-page), or a [custom Gateway block page](/cloudflare-one/policies/gateway/block-page/#customize-the-block-page). + - **Use account-level block setting**: Use the global block page setting configured in your account settings. The global setting can be the default Gateway block page, an [HTTP redirect](/cloudflare-one/traffic-policies/block-page/#redirect-to-a-block-page), or a [custom Gateway block page](/cloudflare-one/traffic-policies/block-page/#customize-the-block-page). - **Override account setting with URL redirect**: Redirect users with a `307` HTTP redirect to a URL you specify on a policy level. 5. (Optional) If your account-level block page setting uses a custom Gateway block page, you can turn on **Add an additional message to your custom block page when traffic matches this policy** to add a custom message to your custom block page when traffic is blocked by this policy. This option will replace the **Message** field. 6. Select **Save policy**. diff --git a/src/content/partials/cloudflare-one/gateway/client-notifications.mdx b/src/content/partials/cloudflare-one/gateway/client-notifications.mdx index 8aa0acbc9fff0f..7762ac20352799 100644 --- a/src/content/partials/cloudflare-one/gateway/client-notifications.mdx +++ b/src/content/partials/cloudflare-one/gateway/client-notifications.mdx 
@@ -24,7 +24,7 @@ import { Details, Render, Markdown } from "~/components"; Turn on to display notifications for Gateway block events. Blocked users will receive an operating system notification from the WARP client with a custom message you set. If you do not set a custom message, the WARP client will display a default message. Custom messages must be 100 characters or less. WARP will only display one notification per minute. -Upon selecting the notification, WARP will direct your users to the [Gateway block page](/cloudflare-one/policies/gateway/block-page/) you have configured. Optionally, you can direct users to a custom URL, such as an internal support form. +Upon selecting the notification, WARP will direct your users to the [Gateway block page](/cloudflare-one/traffic-policies/block-page/) you have configured. Optionally, you can direct users to a custom URL, such as an internal support form. diff --git a/src/content/partials/cloudflare-one/gateway/comparison-operators.mdx b/src/content/partials/cloudflare-one/gateway/comparison-operators.mdx index 24039d60dba6b1..873631dc549b21 100644 --- a/src/content/partials/cloudflare-one/gateway/comparison-operators.mdx +++ b/src/content/partials/cloudflare-one/gateway/comparison-operators.mdx 
@@ -11,8 +11,8 @@ Comparison operators are the way Gateway matches traffic to a selector. When you | is not | does not equal the defined value | | in | matches at least one of the defined values | | not in | does not match any of the defined values | -| in list | in a pre-defined [list](/cloudflare-one/policies/gateway/lists/) of values | -| not in list | not in a pre-defined [list](/cloudflare-one/policies/gateway/lists/) of values | +| in list | in a pre-defined [list](/cloudflare-one/traffic-policies/lists/) of values | +| not in list | not in a pre-defined [list](/cloudflare-one/traffic-policies/lists/) of values | | matches regex | regex evaluates to true | | does not match regex | regex evaluates to false | | greater than | exceeds the defined number | diff --git a/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx b/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx index 0ce7d828295467..aba67691d8128b 100644 --- a/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx +++ b/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx @@ -14,10 +14,10 @@ To customize your block page: 2. Under **Account Gateway block page**, select **Customize**. 3. Choose **Custom Gateway block page**. Gateway will display a preview of your custom block page. Available customizations include: - Your organization's name - - [Logo](/cloudflare-one/policies/gateway/block-page/#add-a-logo-image) + - [Logo](/cloudflare-one/traffic-policies/block-page/#add-a-logo-image) - Header text - Global block message, which will be displayed above the policy-specific block message - - [Mailto link](/cloudflare-one/policies/gateway/block-page/#allow-users-to-email-an-administrator) + - [Mailto link](/cloudflare-one/traffic-policies/block-page/#allow-users-to-email-an-administrator) - Background color 4. Select **Save**. 
diff --git a/src/content/partials/cloudflare-one/gateway/debugging-policies.mdx b/src/content/partials/cloudflare-one/gateway/debugging-policies.mdx index 1e98434dd3b845..485d3c50660349 100644 --- a/src/content/partials/cloudflare-one/gateway/debugging-policies.mdx +++ b/src/content/partials/cloudflare-one/gateway/debugging-policies.mdx @@ -5,4 +5,4 @@ 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall Policies**. 2. Disable all DNS, Network, and HTTP policies and see if the issue persists. It may take up to two minutes for the change to take effect. Note that all policy enforcement happens on the Cloudflare global network, not on your local device. -3. Slowly re-enable your policies. Once you have narrowed down the issue, modify the policies or their [order of enforcement](/cloudflare-one/policies/gateway/order-of-enforcement/). +3. Slowly re-enable your policies. Once you have narrowed down the issue, modify the policies or their [order of enforcement](/cloudflare-one/traffic-policies/order-of-enforcement/). diff --git a/src/content/partials/cloudflare-one/gateway/egress-selector-onramps.mdx b/src/content/partials/cloudflare-one/gateway/egress-selector-onramps.mdx index 0fac14f0d46a46..ce1b507722f145 100644 --- a/src/content/partials/cloudflare-one/gateway/egress-selector-onramps.mdx +++ b/src/content/partials/cloudflare-one/gateway/egress-selector-onramps.mdx 
@@ -9,7 +9,7 @@ import { Render, Details, GlossaryTooltip } from "~/components" | ------------------------------------------------------------------------------------------ | ------------- | | [WARP](/cloudflare-one/team-and-resources/devices/warp/) | ✅ | | [PAC files](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) | ✅ | -| [Browser Isolation](/cloudflare-one/policies/browser-isolation/) | ✅ | +| [Browser Isolation](/cloudflare-one/remote-browser-isolation/) | ✅ | | [WARP Connector](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) | ✅ | | [Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/) | 🚧[^1] | diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx index 1bceb4bf023d70..3177058722e567 100644 --- a/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx +++ b/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx 
@@ -12,14 +12,14 @@ To create a new HTTP policy: 2. In the **HTTP** tab, select **Add a policy**. 3. Name the policy. 4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block. -5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have configured TLS decryption, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications: +5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have configured TLS decryption, some applications that use [embedded certificates](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications: - Cloudflare also recommends adding a policy to block [known threats](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence: + Cloudflare also recommends adding a policy to block [known threats](/cloudflare-one/traffic-policies/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence: -For more information, refer to [HTTP policies](/cloudflare-one/policies/gateway/http-policies/). +For more information, refer to [HTTP policies](/cloudflare-one/traffic-policies/http-policies/). diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx index 76e64de8f521d8..7fb98c0ee66810 100644 --- a/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx 
+++ b/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx @@ -64,4 +64,4 @@ The API will respond with a summary of the policy and the result of your request -For more information, refer to [network policies](/cloudflare-one/policies/gateway/network-policies/). +For more information, refer to [network policies](/cloudflare-one/traffic-policies/network-policies/). diff --git a/src/content/partials/cloudflare-one/gateway/inspect-on-all-ports.mdx b/src/content/partials/cloudflare-one/gateway/inspect-on-all-ports.mdx index dd079135eede19..d619d4866ff216 100644 --- a/src/content/partials/cloudflare-one/gateway/inspect-on-all-ports.mdx +++ b/src/content/partials/cloudflare-one/gateway/inspect-on-all-ports.mdx 
@@ -5,8 +5,8 @@ params: import { Markdown } from "~/components"; -By default, Gateway will only inspect HTTP traffic through port `80`. Additionally, if you [turn on TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#turn-on-tls-decryption), Gateway will inspect HTTPS traffic through port `443`. +By default, Gateway will only inspect HTTP traffic through port `80`. Additionally, if you [turn on TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#turn-on-tls-decryption), Gateway will inspect HTTPS traffic through port `443`. To detect and inspect HTTP and HTTPS traffic on ports in addition to `80` and `443`, . -Inspecting traffic on all ports works best if you allow all traffic by default. If your organization uses a Network policy to block all traffic by default, Gateway will allow all non-HTTPS TLS traffic, and you will not be able to filter this traffic. To use HTTP policies to filter all TLS traffic on all ports when using a default Block Network policy, [create a Network policy to explicitly allow HTTP and TLS traffic](/cloudflare-one/policies/gateway/network-policies/common-policies/#filter-http-traffic-when-inspecting-on-all-ports). +Inspecting traffic on all ports works best if you allow all traffic by default. If your organization uses a Network policy to block all traffic by default, Gateway will allow all non-HTTPS TLS traffic, and you will not be able to filter this traffic. To use HTTP policies to filter all TLS traffic on all ports when using a default Block Network policy, [create a Network policy to explicitly allow HTTP and TLS traffic](/cloudflare-one/traffic-policies/network-policies/common-policies/#filter-http-traffic-when-inspecting-on-all-ports). diff --git a/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx b/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx index 30e7992ddad4df..6710af672d2088 100644 
--- a/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx +++ b/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx @@ -99,7 +99,7 @@ DNS and resolver policies are standalone. For example, if you block a site with ### HTTP/3 traffic -For proxied [HTTP/3 traffic](/cloudflare-one/policies/gateway/http-policies/http3/), Gateway applies your policies in the following order: +For proxied [HTTP/3 traffic](/cloudflare-one/traffic-policies/http-policies/http3/), Gateway applies your policies in the following order: 1. DNS policies 2. Network policies @@ -120,7 +120,7 @@ When DNS queries are received, Gateway evaluates policies with pre-resolution se Despite an explicit Allow policy ordered first, policy 2 takes precedence because the _Domain_ selector is evaluated before DNS resolution. -If a policy contains both pre-resolution and post-resolution selectors, Gateway will evaluate the entire policy after DNS resolution. For information on when each selector is evaluated, refer to the [list of DNS selectors](/cloudflare-one/policies/gateway/dns-policies/#selectors). +If a policy contains both pre-resolution and post-resolution selectors, Gateway will evaluate the entire policy after DNS resolution. For information on when each selector is evaluated, refer to the [list of DNS selectors](/cloudflare-one/traffic-policies/dns-policies/#selectors). ### Network policies 
@@ -128,7 +128,7 @@ Gateway evaluates network policies in [order of precedence](#order-of-precedence ### HTTP policies -Gateway applies HTTP policies based on a combination of [action type](/cloudflare-one/policies/gateway/http-policies/#actions) and [order of precedence](#order-of-precedence): +Gateway applies HTTP policies based on a combination of [action type](/cloudflare-one/traffic-policies/http-policies/#actions) and [order of precedence](#order-of-precedence): 1. All Do Not Inspect policies are evaluated first, in order of precedence. 2. If no policies match, all Isolate policies are evaluated in order of precedence. 
@@ -138,10 +138,10 @@ Gateway applies HTTP policies based on a combination of [action type](/cloudflar This order of enforcement allows Gateway to first determine whether decryption should occur. If a site matches a Do Not Inspect policy, it is automatically allowed through Gateway and bypasses all other HTTP policies. :::note -The only exception is if you are using [Clientless Web Isolation](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/) — all sites within the clientless remote browser are implicitly isolated even if they match a Do Not Inspect policy. +The only exception is if you are using [Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) — all sites within the clientless remote browser are implicitly isolated even if they match a Do Not Inspect policy. ::: -Next, Gateway checks decrypted traffic against your Isolate policies. When a user makes a request which triggers an Isolate policy, the request will be rerouted to a [remote browser](/cloudflare-one/policies/browser-isolation/). +Next, Gateway checks decrypted traffic against your Isolate policies. When a user makes a request which triggers an Isolate policy, the request will be rerouted to a [remote browser](/cloudflare-one/remote-browser-isolation/). Next, Gateway evaluates all Allow, Block, and Do Not Scan policies. These policies apply to both isolated and non-isolated traffic. For example, if `example.com` is isolated and `example.com/subpage` is blocked, Gateway will block the subpage (`example.com/subpage`) inside of the remote browser. 
@@ -149,7 +149,7 @@ Lastly, Gateway inspects the body of the HTTP request by evaluating it against D ### Resolver policies -When [resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) are present, Gateway first evaluates any DNS policies with pre-resolution selectors, then routes any DNS queries according to the [order of precedence](#order-of-precedence) of your resolver policies, and lastly evaluates any DNS policies with post-resolution selectors. +When [resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) are present, Gateway first evaluates any DNS policies with pre-resolution selectors, then routes any DNS queries according to the [order of precedence](#order-of-precedence) of your resolver policies, and lastly evaluates any DNS policies with post-resolution selectors. ### Order of precedence diff --git a/src/content/partials/cloudflare-one/gateway/policies/check-user-identity.mdx b/src/content/partials/cloudflare-one/gateway/policies/check-user-identity.mdx index 93114e5b33c53b..7453985d099bd8 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/check-user-identity.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/check-user-identity.mdx @@ -2,4 +2,4 @@ {} --- -Configure access on a per user or group basis by adding [identity-based conditions](/cloudflare-one/policies/gateway/identity-selectors/) to your policies. +Configure access on a per user or group basis by adding [identity-based conditions](/cloudflare-one/traffic-policies/identity-selectors/) to your policies. diff --git a/src/content/partials/cloudflare-one/gateway/policy-context.mdx b/src/content/partials/cloudflare-one/gateway/policy-context.mdx index a4aa75f18babee..d99157e8e079ae 100644 --- a/src/content/partials/cloudflare-one/gateway/policy-context.mdx +++ b/src/content/partials/cloudflare-one/gateway/policy-context.mdx 
@@ -12,7 +12,7 @@ When you turn on **Send policy context**, Gateway will append details of the mat | --------------------- | ------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ | | User email | Email of the user that made the query. | `&cf_user_email=user@example.com` | | Site URL | Full URL of the original HTTP request or domain name in DNS query. | `&cf_site_uri=https%3A%2F%2Fmalware.testcategory.com%2F` | -| URL category | [Domain categories](/cloudflare-one/policies/gateway/domain-categories/) of the URL to be redirected. | `&cf_request_categories=New%20Domains,Newly%20Seen%20Domains` | +| URL category | [Domain categories](/cloudflare-one/traffic-policies/domain-categories/) of the URL to be redirected. | `&cf_request_categories=New%20Domains,Newly%20Seen%20Domains` | | Original HTTP referer | For HTTP traffic, the original HTTP referer header of the HTTP request. | `&cf_referer=https%3A%2F%2Fexample.com%2F` | | Rule ID | ID of the Gateway policy that matched the request. | `&cf_rule_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1` | | Source IP | Source IP address of the device that matched the policy. | `&cf_source_ip=203.0.113.5` | diff --git a/src/content/partials/cloudflare-one/gateway/resolver-policies-intro.mdx b/src/content/partials/cloudflare-one/gateway/resolver-policies-intro.mdx index 18e26f0da22632..b23ff64f7475ed 100644 --- a/src/content/partials/cloudflare-one/gateway/resolver-policies-intro.mdx +++ b/src/content/partials/cloudflare-one/gateway/resolver-policies-intro.mdx 
@@ -3,4 +3,4 @@ --- -[Resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) provide similar functionality to Local Domain Fallback but occur in Cloudflare Gateway rather than on the local device. This option is recommended if you want more granular control over private DNS resolution. For example, you can ensure that all users in a specific geography use the private DNS server closest to them, ensure that specific conditions are met before resolving private DNS traffic, and apply [Gateway DNS policies](/cloudflare-one/policies/gateway/dns-policies/) to private DNS traffic. +[Resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) provide similar functionality to Local Domain Fallback but occur in Cloudflare Gateway rather than on the local device. This option is recommended if you want more granular control over private DNS resolution. For example, you can ensure that all users in a specific geography use the private DNS server closest to them, ensure that specific conditions are met before resolving private DNS traffic, and apply [Gateway DNS policies](/cloudflare-one/traffic-policies/dns-policies/) to private DNS traffic. diff --git a/src/content/partials/cloudflare-one/gateway/selectors/application-dns.mdx b/src/content/partials/cloudflare-one/gateway/selectors/application-dns.mdx index 062901c43f3eda..19f296980f5b96 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/application-dns.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/application-dns.mdx 
@@ -3,7 +3,7 @@ params: - policyType --- -You can apply {props.policyType} policies to a growing list of popular web applications. Refer to [Application and app types](/cloudflare-one/policies/gateway/application-app-types/) for more information. +You can apply {props.policyType} policies to a growing list of popular web applications. Refer to [Application and app types](/cloudflare-one/traffic-policies/application-app-types/) for more information. | UI name | API example | Evaluation phase | | ----------- | -------------------------- | --------------------- | diff --git a/src/content/partials/cloudflare-one/gateway/selectors/application-http.mdx b/src/content/partials/cloudflare-one/gateway/selectors/application-http.mdx index 37f35f2db289c2..beef435b44ae20 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/application-http.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/application-http.mdx @@ -3,7 +3,7 @@ params: - policyType --- -You can apply {props.policyType} policies to a growing list of popular web applications. Refer to [Application and app types](/cloudflare-one/policies/gateway/application-app-types/) for more information. +You can apply {props.policyType} policies to a growing list of popular web applications. Refer to [Application and app types](/cloudflare-one/traffic-policies/application-app-types/) for more information. | UI name | API example | | ----------- | -------------------------- | diff --git a/src/content/partials/cloudflare-one/gateway/selectors/application.mdx b/src/content/partials/cloudflare-one/gateway/selectors/application.mdx index 062901c43f3eda..19f296980f5b96 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/application.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/application.mdx 
@@ -3,7 +3,7 @@ params: - policyType --- -You can apply {props.policyType} policies to a growing list of popular web applications. Refer to [Application and app types](/cloudflare-one/policies/gateway/application-app-types/) for more information. +You can apply {props.policyType} policies to a growing list of popular web applications. Refer to [Application and app types](/cloudflare-one/traffic-policies/application-app-types/) for more information. | UI name | API example | Evaluation phase | | ----------- | -------------------------- | --------------------- | diff --git a/src/content/partials/cloudflare-one/gateway/selectors/category-options.mdx b/src/content/partials/cloudflare-one/gateway/selectors/category-options.mdx index e0f3aff9c520df..64bfa9b16dc161 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/category-options.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/category-options.mdx @@ -3,4 +3,4 @@ --- -When using an Allow or Block action, you can optionally [block IP addresses](/cloudflare-one/policies/gateway/domain-categories/#filter-traffic-by-resolved-ip-category) or [filter categories for `CNAME` records](/cloudflare-one/policies/gateway/domain-categories/#ignore-cname-domain-categories). +When using an Allow or Block action, you can optionally [block IP addresses](/cloudflare-one/traffic-policies/domain-categories/#filter-traffic-by-resolved-ip-category) or [filter categories for `CNAME` records](/cloudflare-one/traffic-policies/domain-categories/#ignore-cname-domain-categories). diff --git a/src/content/partials/cloudflare-one/gateway/selectors/dns-content-categories.mdx b/src/content/partials/cloudflare-one/gateway/selectors/dns-content-categories.mdx index fb9ce93b26eb58..cff14b5c534a38 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/dns-content-categories.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/dns-content-categories.mdx 
@@ -2,7 +2,7 @@ {} --- -Use this selector to filter domains belonging to specific [content categories](/cloudflare-one/policies/gateway/domain-categories/#content-categories). +Use this selector to filter domains belonging to specific [content categories](/cloudflare-one/traffic-policies/domain-categories/#content-categories). | UI name | API example | Evaluation phase | | ------------------ | ------------------------------------- | --------------------- | diff --git a/src/content/partials/cloudflare-one/gateway/selectors/egress-selector-limitation.mdx b/src/content/partials/cloudflare-one/gateway/selectors/egress-selector-limitation.mdx index 8e5d40b17674b8..d4f587e44a7ca4 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/egress-selector-limitation.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/egress-selector-limitation.mdx @@ -2,4 +2,4 @@ {} --- -This selector is only available for traffic onboarded to Gateway with WARP, PAC files, or Browser Isolation. For more information, refer to [Selector prerequisites](/cloudflare-one/policies/gateway/egress-policies/#selector-prerequisites). +This selector is only available for traffic onboarded to Gateway with WARP, PAC files, or Browser Isolation. For more information, refer to [Selector prerequisites](/cloudflare-one/traffic-policies/egress-policies/#selector-prerequisites). diff --git a/src/content/partials/cloudflare-one/gateway/selectors/net-http-content-categories.mdx b/src/content/partials/cloudflare-one/gateway/selectors/net-http-content-categories.mdx index c196a63bb15d9d..ea6c54238f6214 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/net-http-content-categories.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/net-http-content-categories.mdx 
@@ -3,7 +3,7 @@ params: - APIendpoint --- -Applications within a specific [security category](/cloudflare-one/policies/gateway/domain-categories/#content-categories) as categorized by [Cloudflare Radar](/radar/glossary/#content-categories). +Applications within a specific [security category](/cloudflare-one/traffic-policies/domain-categories/#content-categories) as categorized by [Cloudflare Radar](/radar/glossary/#content-categories). | UI name | API example | | ------------------ | ------------------------------------------------- | diff --git a/src/content/partials/cloudflare-one/gateway/selectors/non-latin-characters.mdx b/src/content/partials/cloudflare-one/gateway/selectors/non-latin-characters.mdx index 22ea19575fe457..aedeeab6a189e9 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/non-latin-characters.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/non-latin-characters.mdx @@ -3,4 +3,4 @@ params: - inputType --- -Gateway policies do not support {props.inputType}s with non-Latin characters directly. To use a {props.inputType} with non-Latin characters, add it to a [list](/cloudflare-one/policies/gateway/lists/). +Gateway policies do not support {props.inputType}s with non-Latin characters directly. To use a {props.inputType} with non-Latin characters, add it to a [list](/cloudflare-one/traffic-policies/lists/). diff --git a/src/content/partials/cloudflare-one/gateway/selectors/security-categories.mdx b/src/content/partials/cloudflare-one/gateway/selectors/security-categories.mdx index 46a4994e131a76..16aa0c58ae0be8 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/security-categories.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/security-categories.mdx 
@@ -3,7 +3,7 @@
 ---
-Use this selector to match domains (and optionally, [IP addresses](/cloudflare-one/policies/gateway/domain-categories/#filter-traffic-by-resolved-ip-category)) belonging to specific [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories).
+Use this selector to match domains (and optionally, [IP addresses](/cloudflare-one/traffic-policies/domain-categories/#filter-traffic-by-resolved-ip-category)) belonging to specific [security categories](/cloudflare-one/traffic-policies/domain-categories/#security-categories).
 | UI name | API example | Evaluation phase |
 | ------------------- | -------------------------------------- | --------------------- |
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/security-risks.mdx b/src/content/partials/cloudflare-one/gateway/selectors/security-risks.mdx
index 42233d3e5e32dc..4e59b307c26143 100644
--- a/src/content/partials/cloudflare-one/gateway/selectors/security-risks.mdx
+++ b/src/content/partials/cloudflare-one/gateway/selectors/security-risks.mdx
@@ -5,7 +5,7 @@ params:
 import { Markdown } from "~/components";
-Applications within a specific [security category](/cloudflare-one/policies/gateway/domain-categories/#security-categories) as categorized by [Cloudflare Radar](/radar/glossary/#content-categories).
+Applications within a specific [security category](/cloudflare-one/traffic-policies/domain-categories/#security-categories) as categorized by [Cloudflare Radar](/radar/glossary/#content-categories).
 | UI name | API example |
 | -------------- | ------------------------------------------------- |
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/users.mdx b/src/content/partials/cloudflare-one/gateway/selectors/users.mdx
index 698bc3ad136893..92efb064b9ba46 100644
--- a/src/content/partials/cloudflare-one/gateway/selectors/users.mdx
+++ b/src/content/partials/cloudflare-one/gateway/selectors/users.mdx
@@ -12,4 +12,4 @@ Identity-based selectors include:
 * **User Group Names**
 * **User Name**
-To use identity-based selectors, enable **Gateway with WARP** in the Zero Trust WARP client and enroll your user in your organization. For more information, refer to [Identity-based policies](/cloudflare-one/policies/gateway/identity-selectors/).
+To use identity-based selectors, enable **Gateway with WARP** in the Zero Trust WARP client and enroll your user in your organization. For more information, refer to [Identity-based policies](/cloudflare-one/traffic-policies/identity-selectors/).
diff --git a/src/content/partials/cloudflare-one/gateway/value.mdx b/src/content/partials/cloudflare-one/gateway/value.mdx
index 8cb6ebc0d83a38..dc9bf7b9cf3b0e 100644
--- a/src/content/partials/cloudflare-one/gateway/value.mdx
+++ b/src/content/partials/cloudflare-one/gateway/value.mdx
@@ -1,20 +1,19 @@
 ---
 inputParameters: selector;;selectorName
-
 ---
-import { Markdown } from "~/components"
+import { Markdown } from "~/components";
-In the **Value** field, you can input a single value when using an equality comparison operator (such as *is*) or multiple values when using a containment comparison operator (such as *in*). Additionally, you can use [regular expressions](#regular-expressions) (or regex) to specify a range of values for supported selectors.
+In the **Value** field, you can input a single value when using an equality comparison operator (such as _is_) or multiple values when using a containment comparison operator (such as _in_). Additionally, you can use [regular expressions](#regular-expressions) (or regex) to specify a range of values for supported selectors.
 ### Regular expressions
-Gateway uses Rust to evaluate regular expressions. The Rust implementation is slightly different than regex libraries used elsewhere. For more information, refer to our guide for [Wildcards](/cloudflare-one/policies/access/app-paths/#wildcards). To evaluate if your regex matches, you can use [Rustexp](https://rustexp.lpil.uk/).
+Gateway uses Rust to evaluate regular expressions. The Rust implementation is slightly different than regex libraries used elsewhere. For more information, refer to our guide for [Wildcards](/cloudflare-one/access-controls/policies/app-paths/#wildcards). To evaluate if your regex matches, you can use [Rustexp](https://rustexp.lpil.uk/).
 If you want to match multiple values, you can use the pipe symbol (`|`) as an OR operator. In Gateway, you do not need to use an escape character (`\`) before the pipe symbol.
 For example, the following policy blocks requests to two {props.one} if either appears in a request header:
-| Selector | Operator | Value | Action |
-| -------- | ------------- | -------------------------------------- | ------ |
-| {props.two} | matches regex | `.\*whispersystems.org\|.\*signal.org` | Block |
+| Selector | Operator | Value | Action |
+| ----------- | ------------- | -------------------------------------- | ------ |
+| {props.two} | matches regex | `.\*whispersystems.org\|.\*signal.org` | Block |
 In addition to regular expressions, you can use [logical operators](#logical-operators) to match multiple values.
diff --git a/src/content/partials/cloudflare-one/ssh/usernames.mdx b/src/content/partials/cloudflare-one/ssh/usernames.mdx
index cccf2d5a36e593..56f76c22898fb6 100644
--- a/src/content/partials/cloudflare-one/ssh/usernames.mdx
+++ b/src/content/partials/cloudflare-one/ssh/usernames.mdx
@@ -77,6 +77,6 @@ AuthorizedPrincipalsCommand /bin/bash -c "echo '%t %k' | ssh-keygen -L -f - | gr
 AuthorizedPrincipalsCommandUser nobody
 ```
-Since this will put the security of your server entirely dependent on your Access configuration, make sure your [Access policies](/cloudflare-one/policies/access/policy-management/) are correctly configured.
+Since this will put the security of your server entirely dependent on your Access configuration, make sure your [Access policies](/cloudflare-one/access-controls/policies/policy-management/) are correctly configured.
diff --git a/src/content/partials/cloudflare-one/tunnel/enable-gateway-proxy.mdx b/src/content/partials/cloudflare-one/tunnel/enable-gateway-proxy.mdx
index 6127430c73a1db..b7f347efadc553 100644
--- a/src/content/partials/cloudflare-one/tunnel/enable-gateway-proxy.mdx
+++ b/src/content/partials/cloudflare-one/tunnel/enable-gateway-proxy.mdx
@@ -12,7 +12,7 @@ To start logging and filtering network traffic, turn on the Gateway proxy:
 2. In **Firewall**, turn on **Proxy**.
 3. Select **TCP**.
 4. (Recommended) To proxy traffic to internal DNS resolvers, select **UDP**.
-5. (Recommended) To proxy traffic for diagnostic tools such as `ping` and `traceroute`, select **ICMP**. You may also need to [update your system](/cloudflare-one/policies/gateway/proxy/#icmp) to allow ICMP traffic through `cloudflared`.
+5. (Recommended) To proxy traffic for diagnostic tools such as `ping` and `traceroute`, select **ICMP**. You may also need to [update your system](/cloudflare-one/traffic-policies/proxy/#icmp) to allow ICMP traffic through `cloudflared`.
@@ -33,4 +33,4 @@ To start logging and filtering network traffic, turn on the Gateway proxy:
-Cloudflare will now proxy traffic from enrolled devices, except for the traffic excluded in your [split tunnel settings](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#3-route-private-network-ips-through-warp). For more information on how Gateway forwards traffic, refer to [Gateway proxy](/cloudflare-one/policies/gateway/proxy/).
+Cloudflare will now proxy traffic from enrolled devices, except for the traffic excluded in your [split tunnel settings](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/#3-route-private-network-ips-through-warp). For more information on how Gateway forwards traffic, refer to [Gateway proxy](/cloudflare-one/traffic-policies/proxy/).
diff --git a/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx b/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx
index 611f54676ef05d..1c8bce5dec13b2 100644
--- a/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx
+++ b/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx
@@ -22,7 +22,7 @@ If WARP is stuck in the `Disconnected` state or frequently changes between `Conn
 This step is only needed if users access your application via a private hostname (for example, `wiki.internal.local`).
-- If you are using [custom resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) to handle private DNS, go to your Gateway DNS logs (**Logs** > **Gateway** > **DNS**) and search for DNS queries to the hostname.
+- If you are using [custom resolver policies](/cloudflare-one/traffic-policies/resolver-policies/) to handle private DNS, go to your Gateway DNS logs (**Logs** > **Gateway** > **DNS**) and search for DNS queries to the hostname.
 - If you are using [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/local-domains/) to handle private DNS, go to your Gateway Network logs (**Logs** > **Gateway** > **Network**) and search for port `53` traffic to your DNS server IP.
@@ -55,7 +55,7 @@ Determine whether the user is matching any policy, or if they are matching a pol
 - **Date Time Range**: Time period when the user accessed the application
 3. In the search box, filter by the destination IP or FQDN.
 4. In the results, select a log and note its **Policy Name** value.
-2. Go to **Gateway** > **Firewall Policies** and compare the [order of enforcement](/cloudflare-one/policies/gateway/order-of-enforcement/) of the matched policy versus the expected policy.
+2. Go to **Gateway** > **Firewall Policies** and compare the [order of enforcement](/cloudflare-one/traffic-policies/order-of-enforcement/) of the matched policy versus the expected policy.
 3. Compare the Gateway log values with the expected policy criteria.
 - If the mismatched value is related to identity, [check the user registry](/cloudflare-one/insights/logs/users/) and verify the values that are passed to Gateway from your IdP. Cloudflare updates the registry when the user enrolls in the WARP client. If the user's identity is outdated, ask the user to re-authenticate WARP (**Preferences** > **Account** > **Re-Authenticate Session**).
@@ -106,7 +106,7 @@ You can also use a packet capture tool such as `tcpdump` or Wireshark to trace w
 ## 10. Is TLS inspection affecting the connection to your application?
-If there is a problem with [TLS inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), the user will get an `Insecure Upstream` error when they access the application in a browser. They will probably not get an error if they access the application outside of a browser.
+If there is a problem with [TLS inspection](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), the user will get an `Insecure Upstream` error when they access the application in a browser. They will probably not get an error if they access the application outside of a browser.
 Customers who have [Logpush](/cloudflare-one/insights/logs/logpush/) enabled can check the [Gateway HTTP dataset](/logs/logpush/logpush-job/datasets/account/gateway_http/) for any hostnames which have an elevated rate of `526` HTTP status codes.
@@ -118,10 +118,10 @@ To troubleshoot TLS inspection:
 | -------------- | -------- | ------------- | -------------- |
 | Destination IP | in | `10.2.3.4/32` | Do Not Inspect |
-2. If the `Do Not Inspect` policy enables the user to connect, verify that the TLS certificate used by your application is trusted by a public CA and not self-signed. Cloudflare Gateway is unable to negotiate TLS with applications that use self-signed certificates. For more information, refer to [TLS inspection limitations](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations).
+2. If the `Do Not Inspect` policy enables the user to connect, verify that the TLS certificate used by your application is trusted by a public CA and not self-signed. Cloudflare Gateway is unable to negotiate TLS with applications that use self-signed certificates. For more information, refer to [TLS inspection limitations](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#inspection-limitations).
 To work around the issue:
- - **Option 1:** Create a permanent [`Do Not Inspect` HTTP policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) for this application.
- - **Option 2:** Customers who use their [own certificate infrastructure](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/) for inspection can opt to create an [Allow _Pass Through_ policy](/cloudflare-one/policies/gateway/http-policies/#untrusted-certificates) which enables our proxy to accept the TLS negotiation from your application. This will allow requests to flow correctly without the need for a `Do Not Inspect` policy.
+ - **Option 1:** Create a permanent [`Do Not Inspect` HTTP policy](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) for this application.
+ - **Option 2:** Customers who use their [own certificate infrastructure](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/) for inspection can opt to create an [Allow _Pass Through_ policy](/cloudflare-one/traffic-policies/http-policies/#untrusted-certificates) which enables our proxy to accept the TLS negotiation from your application. This will allow requests to flow correctly without the need for a `Do Not Inspect` policy.
 - **Option 3:** If your application uses `HTTPS` or other common protocols, you can add a [published application](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) to your Cloudflare Tunnel and set [noTLSVerify](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/origin-parameters/#notlsverify) to `true`. This will allow `cloudflared` to trust your self-signed certificate.
diff --git a/src/content/partials/cloudflare-one/warp/device-enrollment.mdx b/src/content/partials/cloudflare-one/warp/device-enrollment.mdx
index 7115c47fa16084..8aac443c13fbb1 100644
--- a/src/content/partials/cloudflare-one/warp/device-enrollment.mdx
+++ b/src/content/partials/cloudflare-one/warp/device-enrollment.mdx
@@ -1,18 +1,17 @@
 ---
 {}
-
 ---
-import { Tabs, TabItem } from '~/components';
+import { Tabs, TabItem } from "~/components";
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**.
 2. In **Device enrollment permissions**, select **Manage**.
-3. In the **Policies** tab, configure one or more [Access policies](/cloudflare-one/policies/access/) to define who can join their device. For example, you could allow all users with a company email address:
- | Rule type | Selector | Value |
+3. In the **Policies** tab, configure one or more [Access policies](/cloudflare-one/access-controls/policies/) to define who can join their device. For example, you could allow all users with a company email address:
+ | Rule type | Selector | Value |
 | --------- | ---------| ------ |
- | Include | Emails ending in | `@company.com` |
+ | Include | Emails ending in | `@company.com` |
 :::note
@@ -21,52 +20,52 @@ Device posture checks are not supported in device enrollment policies. WARP can
 4. In the **Login methods** tab:
- a. Select the [identity providers](/cloudflare-one/integrations/identity-providers/) users can authenticate with. If you have not integrated an identity provider, you can use the [one-time PIN](/cloudflare-one/integrations/identity-providers/one-time-pin/).
+ a. Select the [identity providers](/cloudflare-one/integrations/identity-providers/) users can authenticate with. If you have not integrated an identity provider, you can use the [one-time PIN](/cloudflare-one/integrations/identity-providers/one-time-pin/).
- b. (Optional) If you plan to only allow access via a single IdP, turn on **Instant Auth**. End users will not be shown the Cloudflare Access login page. Instead, Cloudflare will redirect users directly to your SSO login event.
+ b. (Optional) If you plan to only allow access via a single IdP, turn on **Instant Auth**. End users will not be shown the Cloudflare Access login page. Instead, Cloudflare will redirect users directly to your SSO login event.
 5. Select **Save**.
-1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
- - `Access: Apps and Policies Write`
-
-2. Create a reusable Access policy using the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_policy) resource:
-
- ```tf
- resource "cloudflare_zero_trust_access_policy" "allow_company_emails" {
- account_id = var.cloudflare_account_id
- name = "Allow company emails"
- decision = "allow"
- include = [
- {
- email_domain = {
- domain = "@example.com"
- }
- }
- ]
- }
- ```
-
-3. Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_application) resource to create an application with type `warp`.
-
- ```tf
- resource "cloudflare_zero_trust_access_application" "device_enrollment" {
- account_id = var.cloudflare_account_id
- type = "warp"
- name = "Warp device enrollment"
- allowed_idps = [cloudflare_zero_trust_access_identity_provider.microsoft_entra_id.id]
- auto_redirect_to_identity = true
- app_launcher_visible = false
- policies = [
- {
- id = cloudflare_zero_trust_access_policy.allow_company_emails.id
- precedence = 1
- }
- ]
- }
- ```
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+ - `Access: Apps and Policies Write`
+
+2. Create a reusable Access policy using the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_policy) resource:
+
+ ```tf
+ resource "cloudflare_zero_trust_access_policy" "allow_company_emails" {
+ account_id = var.cloudflare_account_id
+ name = "Allow company emails"
+ decision = "allow"
+ include = [
+ {
+ email_domain = {
+ domain = "@example.com"
+ }
+ }
+ ]
+ }
+ ```
+
+3. Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_application) resource to create an application with type `warp`.
+
+ ```tf
+ resource "cloudflare_zero_trust_access_application" "device_enrollment" {
+ account_id = var.cloudflare_account_id
+ type = "warp"
+ name = "Warp device enrollment"
+ allowed_idps = [cloudflare_zero_trust_access_identity_provider.microsoft_entra_id.id]
+ auto_redirect_to_identity = true
+ app_launcher_visible = false
+ policies = [
+ {
+ id = cloudflare_zero_trust_access_policy.allow_company_emails.id
+ precedence = 1
+ }
+ ]
+ }
+ ```
-
\ No newline at end of file
+
diff --git a/src/content/partials/dns/subdomain-setup-access-apps.mdx b/src/content/partials/dns/subdomain-setup-access-apps.mdx
index 4f1b5f413b8505..5abf4eab9cd0f3 100644
--- a/src/content/partials/dns/subdomain-setup-access-apps.mdx
+++ b/src/content/partials/dns/subdomain-setup-access-apps.mdx
@@ -1,10 +1,9 @@
 ---
 {}
-
 ---
-To use subdomain setups with [Cloudflare Access](/cloudflare-one/policies/access/), note that:
+To use subdomain setups with [Cloudflare Access](/cloudflare-one/access-controls/policies/), note that:
 - If the child zone is in a pending state when you create the Access application, your configuration will not automatically apply when you activate the zone. You must also re-save the Access application once your subdomain setup is active.
-- If you split out a subdomain which already has an Access application, you will also need to re-save the Access application to associate it with the new child zone.
\ No newline at end of file
+- If you split out a subdomain which already has an Access application, you will also need to re-save the Access application to associate it with the new child zone.
diff --git a/src/content/partials/fundamentals/account-permissions-table.mdx b/src/content/partials/fundamentals/account-permissions-table.mdx
index 292863146a423c..5ec5ca12d9bc8f 100644
--- a/src/content/partials/fundamentals/account-permissions-table.mdx
+++ b/src/content/partials/fundamentals/account-permissions-table.mdx
@@ -6,149 +6,149 @@ params: import { Markdown } from "~/components"; -| Name | Description | -| -------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Access: Apps and Policies Read | Grants read access to [Cloudflare Access](/cloudflare-one/policies/access/) applications and policies |resources. | -| Access: Apps and Policies Revoke | Grants ability to revoke [Cloudflare Access application tokens](/cloudflare-one/identity/users/session-management/) | -| Access: Apps and Policies {props.editWord} | Grants write access to [Cloudflare Access](/cloudflare-one/policies/access/) applications and policies | -| Access: Audit Logs Read | Grants read access to [Cloudflare Access audit logs](/cloudflare-one/insights/logs/audit-logs/). | -| Access: Custom Pages Read | Grants read access to [Cloudflare Access custom block pages](/cloudflare-one/applications/block-page/). | -| Access: Custom Pages {props.editWord} | Grants write access to [Cloudflare Access custom block pages](/cloudflare-one/applications/block-page/). | -| Access: Device Posture Read | Grants read access to [Cloudflare Access device posture](/cloudflare-one/identity/devices/). | -| Access: Device Posture {props.editWord} | Grants write access to [Cloudflare Access device posture](/cloudflare-one/identity/devices/). | -| Access: Mutual TLS Certificates Read | Grants read access to [Cloudflare Access mTLS certificates](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/). | -| Access: Mutual TLS Certificates {props.editWord} | Grants write access to [Cloudflare Access mTLS certificates](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/). 
| -| Access: Organizations, Identity Providers, and Groups Read | Grants read access to [Cloudflare Access account resources](/cloudflare-one/identity/). | -| Access: Organizations, Identity Providers, and Groups Revoke | Grants ability to revoke user sessions to [Cloudflare Access account resources](/cloudflare-one/identity/). | -| Access: Organizations, Identity Providers, and Groups {props.editWord} | Grants write access to [Cloudflare Access account resources](/cloudflare-one/identity/). | -| Access: Service Tokens Read | Grants read access to [Cloudflare Access service tokens](/cloudflare-one/identity/service-tokens/). | -| Access: Service Tokens {props.editWord} | Grants write access to [Cloudflare Access service tokens](/cloudflare-one/identity/service-tokens/). | -| Access: SSH Auditing Read | Grants read access to [Cloudflare Access SSH CAs](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/). | -| Access: SSH Auditing {props.editWord} | Grants write access to [Cloudflare Access SSH CAs](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/). | -| Account Analytics Read | Grants read access to [account analytics](/analytics/account-and-zone-analytics/account-analytics/). | -| Account Custom Pages Read | Grants read access to account-level [Error Pages](/rules/custom-errors/). | -| Account Custom Pages {props.editWord} | Grants write access to account-level [Error Pages](/rules/custom-errors/). | -| Account { props.src === "dash" ? "Filter" : "Rule" } Lists Read | Grants read access to Account Filter Lists. | -| Account { props.src === "dash" ? "Filter" : "Rule" } Lists {props.editWord} | Grants write access to Account Filter Lists. | -| Account Firewall Access Rules Read | Grants read access to account firewall access rules. | -| Account Firewall Access Rules {props.editWord} | Grants write access to account firewall access rules. 
| -| Account Rulesets Read | Grants read access to [Account Rulesets](/ruleset-engine/about/rulesets/). | -| Account Rulesets {props.editWord} | Grants write access to [Account Rulesets](/ruleset-engine/about/rulesets/). | -| Account Settings Read | Grants read access to [Account resources, account membership, and account level features](/fundamentals/account/). | -| Account Settings {props.editWord} | Grants write access to [Account resources, account membership, and account level features](/fundamentals/account/). | -| Account: SSL and Certificates Read | Grants read access to [SSL and Certificates](/ssl/). | -| Account: SSL and Certificates {props.editWord} | Grants write access to [SSL and Certificates](/ssl/). | -| Account WAF Read | Grants read access to [Account WAF](/waf/). | -| Account WAF {props.editWord} | Grants write access to [Account WAF](/waf/). | -| Address Maps {props.editWord} | Grants write access to [Address Maps](/byoip/address-maps/) | -| Address Maps Read | Grants read access to [Address Maps](/byoip/address-maps/) | -| Allow Request Tracer Read | Grants read access to Request Tracer. | -| { props.src === "api" && "Account" } API Gateway Read | Grants read access to [API Gateway (including API Shield)](/api-shield/) for all domains in an account. | -| { props.src === "api" && "Account" } API Gateway {props.editWord} | Grants write access to [API Gateway (including API Shield)](/api-shield/) for all domains in an account. | -| Billing Read | Grants read access to [billing profile, subscriptions, and access to fetch invoices](/billing/) and entitlements. | -| Billing {props.editWord} | Grants write access to [billing profile, subscriptions, and access to fetch invoices and entitlements](/billing/). | -| { props.src === "dash" ? "Bulk" : "Mass" } URL Redirects Read | Grants read access to [Bulk Redirects](/rules/url-forwarding/bulk-redirects/). | -| { props.src === "dash" ? 
"Bulk" : "Mass" } URL Redirects {props.editWord} | Grants write access to [Bulk Redirects](/rules/url-forwarding/bulk-redirects/). | -| China Network Steering Read | Grants read access to [China Network Steering](/china-network/). | -| China Network Steering {props.editWord} | Grants write access to [China Network Steering](/china-network/). | -| Cloudchamber Read | Grants read access to Cloudchamber deployments. | -| Cloudchamber {props.editWord} | Grants write access to Cloudchamber deployments. | -| { props.src === "dash" && "Cloudflare" } Realtime Read | Grants read access to Cloudflare Realtime. | -| { props.src === "dash" && "Cloudflare" } Realtime {props.editWord} | Grants write access to Cloudflare Realtime. | -| Cloudflare DEX Read | Grants read access to [Digital Experience Monitoring](/cloudflare-one/insights/dex/). | -| Cloudflare DEX {props.editWord} | Grants write access to [Digital Experience Monitoring](/cloudflare-one/insights/dex/). | -| { props.src === "dash" && "Cloudflare" } Images Read | Grants read access to [Cloudflare Images](/images/). | -| { props.src === "dash" && "Cloudflare" } Images {props.editWord} | Grants write access to [Cloudflare Images](/images/). 
| -| Cloudflare One Connector: cloudflared Read | Grants read access to [`cloudflared` connectors](/cloudflare-one/networks/connectors/cloudflare-tunnel/) | -| Cloudflare One Connector: cloudflared {props.editWord} | Grants write access to [`cloudflared` connectors](/cloudflare-one/networks/connectors/cloudflare-tunnel/) | -| Cloudflare One Connector: WARP Read | Grants read access to [WARP Connectors](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) | -| Cloudflare One Connector: WARP {props.editWord} | Grants write access to [WARP Connectors](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) | -| Cloudflare One Connectors Read | Grants read access to Cloudflare One connectors | -| Cloudflare One Connectors {props.editWord} | Grants write access to Cloudflare One connectors | -| Cloudflare One Networks Read | Grants read access to Cloudflare One routes and virtual networks | -| Cloudflare One Networks {props.editWord} | Grants write access to Cloudflare One routes and virtual networks | -| { props.src === "dash" && "Cloudflare" } Pages Read | Grants access to view [Cloudflare Pages](/pages/) projects. | -| { props.src === "dash" && "Cloudflare" } Pages {props.editWord} | Grants access to create, edit and delete [Cloudflare Pages](/pages/) projects. | -| Cloudflare Tunnel Read | Grants access to view [Cloudflare Tunnels](/cloudflare-one/networks/connectors/cloudflare-tunnel/). | -| Cloudflare Tunnel {props.editWord} | Grants access to create and delete [Cloudflare Tunnels](/cloudflare-one/networks/connectors/cloudflare-tunnel/). | -| Cloudforce One Read | Grants read access to Cloudforce One. | -| Cloudforce One {props.editWord} | Grants write access to Cloudforce One. | -| { props.src === "dash" ? "Email Security" : "Cloud Email Security:" } Read | Grants read access to [Cloud Email Security](/email-security/). | -| { props.src === "dash" ? 
"Email Security" : "Cloud Email Security:" } {props.editWord} | Grants write access to [Email Security](/email-security/). | -| Constellation Read | Grants read access to [Constellation](/constellation/). | -| Constellation {props.editWord} | Grants write access to [Constellation](/constellation/). | -| Containers Read | Grants read access to [Containers](/containers/). | -| Containers {props.editWord} | Grants write access to [Containers](/containers/). | -| D1 Read | Grants read access to [D1](/d1/). | -| D1 {props.editWord} | Grants write access to [D1](/d1/). | -| DDoS Botnet Feed Read | Grants read access to Botnet Feed reports. | -| DDoS Botnet Feed {props.editWord} | Grants write access to Botnet Feed configuration. | -| DDoS Protection Read | Grants read access to [DDoS protection](/ddos-protection/). | -| DDoS Protection {props.editWord} | Grants write access to [DDoS protection](/ddos-protection/). | -| DNS Firewall Read | Grants read access to [DNS Firewall](/dns/dns-firewall/). | -| DNS Firewall {props.editWord} | Grants write access to [DNS Firewall](/dns/dns-firewall/). | -| Email Routing Addresses Read | Grants read access to [Email Routing Addresses](/email-routing/setup/email-routing-addresses/). | -| Email Routing Addresses {props.editWord} | Grants write access to [Email Routing Addresses](/email-routing/setup/email-routing-addresses/). | -| Hyperdrive Read | Grants read access to [Hyperdrive](/hyperdrive/). | -| Hyperdrive {props.editWord} | Grants write access to [Hyperdrive](/hyperdrive/). | -| Intel Read | Grants read access to [Intel](/security-center/intel-apis/). | -| Intel {props.editWord} | Grants write access to [Intel](/security-center/intel-apis/). | -| Integration {props.editWord} | Grants write access to integrations. | -| IOT Read | Grants read access to [IOT](https://blog.cloudflare.com/rethinking-internet-of-things-security/). 
| -| IOT {props.editWord} | Grants write access to [IOT](https://blog.cloudflare.com/rethinking-internet-of-things-security/). | -| IP Prefixes: Read | Grants access to read IP prefix settings. | -| IP Prefixes: {props.editWord} | Grants access to read/write IP prefix settings. | -| IP Prefixes: BGP On Demand Read | Grants access to read IP prefix BGP configuration. | -| IP Prefixes: BGP On Demand {props.editWord} | Grants access to read and change IP prefix BGP configuration. | -| { props.src === "dash" ? "L3/4" : "L4" } DDoS Managed Ruleset Read | Grants read access to [L3/4 DDoS managed ruleset](/ddos-protection/managed-rulesets/network/). | -| { props.src === "dash" ? "L3/4" : "L4" } DDoS Managed Ruleset {props.editWord} | Grants write access to [L3/4 DDoS managed ruleset](/ddos-protection/managed-rulesets/network/). | -| Load Balancing: Monitors and Pools Read | Grants read access to account level [load balancer resources](/load-balancing/). | -| Load Balancing: Monitors and Pools {props.editWord} | Grants write access to account level [load balancer resources](/load-balancing/). | -| Logs Read | Grants read access to logs using [Logpull or Instant Logs](/logs/). | -| Logs {props.editWord} | Grants read and write access to [Logpull, Logpush, and Instant Logs](/logs/). | -| Magic Firewall Read | Grants read access to [Magic Firewall](/magic-firewall/). | -| Magic Firewall {props.editWord} | Grants write access to [Magic Firewall](/magic-firewall/). | -| Magic Firewall Packet Captures { props.src === "dash" ? "Read" : "- Read PCAPs API" } | Grants read access to [Packet Captures](/magic-firewall/packet-captures/collect-pcaps/). | -| Magic Firewall Packet Captures { props.src === "dash" ? props.editWord : `- ${props.editWord} PCAPs API` } | Grants write access to [Packet Captures](/magic-firewall/packet-captures/collect-pcaps/). | -| Magic Network Monitoring Read | Grants read access to [Magic Network Monitoring](/magic-network-monitoring/). 
|
-| Magic Network Monitoring {props.editWord} | Grants write access to [Magic Network Monitoring](/magic-network-monitoring/). |
-| Magic Transit Read | Grants read access to manage a user's [Magic Transit prefixes](/magic-transit/how-to/advertise-prefixes/). |
-| Magic Transit {props.editWord} | Grants write access to manage a user's [Magic Transit prefixes](/magic-transit/how-to/advertise-prefixes/). |
-| Notifications Read | Grants read access to [Notifications](/notifications/). |
-| Notifications {props.editWord} | Grants write access to [Notifications](/notifications/). |
-| Page Shield Read | Grants read access to [Page Shield](/page-shield/). |
-| Page Shield {props.editWord} | Grants write access to [Page Shield](/page-shield/). |
-| { props.src === "dash" && "Workers" } Pipelines Read | Grants read access to Cloudflare Pipelines. |
-| { props.src === "dash" && "Workers" } Pipelines {props.editWord} | Grants write access to Cloudflare Pipelines. |
-| { props.src === "dash" ? "Pub/Sub" : "Pubsub Configuration" } Read | Grants read access to [Pub/Sub](/pub-sub/). |
-| { props.src === "dash" ? "Pub/Sub" : "Pubsub Configuration" } {props.editWord} | Grants write access to [Pub/Sub](/pub-sub/). |
-| Queues Read | Grants read access to [Queues](/queues/). |
-| Queues {props.editWord} | Grants write access to [Queues](/queues/). |
-| Rule Policies Read | Grants read access to Rule Policies. |
-| Rule Policies {props.editWord} | Grants write access to Rule Policies. |
-| Stream Read | Grants read access to [Cloudflare Stream](/stream/). |
-| Stream {props.editWord} | Grants write access to [Cloudflare Stream](/stream/). |
-| Transform Rules Read | Grants read access to [Transform Rules](/rules/transform/). |
-| Transform Rules {props.editWord} | Grants write access to [Transform Rules](/rules/transform/). |
-| Turnstile { props.src === "api" && "Sites" } Read | Grants read access to [Turnstile](/turnstile/).
|
-| Turnstile { props.src === "api" && "Sites" } {props.editWord} | Grants write access to [Turnstile](/turnstile/). |
-| URL Scanner Read | Grants read access to [URL Scanner](/radar/investigate/url-scanner/). |
-| URL Scanner {props.editWord} | Grants write access to [URL Scanner](/radar/investigate/url-scanner/). |
-| Vectorize Read | Grants read access to [Vectorize](/vectorize/). |
-| Vectorize {props.editWord} | Grants write access to [Vectorize](/vectorize/). |
-| Workers AI Read | Grants read access to [Workers AI](/workers-ai/). |
-| Workers AI {props.editWord} | Grants write access to [Workers AI](/workers-ai/). |
-| Workers CI Read | Grants read access to [Workers CI](/workers/). |
-| Workers CI {props.editWord} | Grants write access to [Workers CI](/workers). |
-| Workers KV Storage Read | Grants read access to [Cloudflare Workers KV Storage](/kv/api/). |
-| Workers KV Storage {props.editWord} | Grants write access to [Cloudflare Workers KV Storage](/kv/api/). |
-| Workers R2 Storage Read | Grants read access to [Cloudflare R2 Storage](/r2/). |
-| Workers R2 Storage {props.editWord} | Grants write access to [Cloudflare R2 Storage](/r2/). |
-| Workers Scripts Read | Grants read access to [Cloudflare Workers scripts](/workers/). |
-| Workers Scripts {props.editWord} | Grants write access to [Cloudflare Workers scripts](/workers/). |
-| Workers Tail Read | Grants [`wrangler tail`](/workers/wrangler/commands/#tail) read permissions. |
-| Zero Trust Read | Grants read access to [Cloudflare Zero Trust](/cloudflare-one/) resources. |
-| Zero Trust Report | Grants reporting access to [Cloudflare Zero Trust](/cloudflare-one/). |
-| Zero Trust {props.editWord} | Grants write access to [Cloudflare Zero Trust](/cloudflare-one/) resources. |
-| Zero Trust: PII Read | Grants read access to [Cloudflare Zero Trust](/cloudflare-one/) PII.
|
-| Zero Trust: Seats {props.editWord} | Grants write access to the number of [Zero Trust seats](/cloudflare-one/identity/users/seat-management/) your organization can use (and be billed for). |
+| Name | Description |
+| ---------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
+| Access: Apps and Policies Read | Grants read access to [Cloudflare Access](/cloudflare-one/access-controls/policies/) applications and policies | resources. |
+| Access: Apps and Policies Revoke | Grants ability to revoke [Cloudflare Access application tokens](/cloudflare-one/identity/users/session-management/) |
+| Access: Apps and Policies {props.editWord} | Grants write access to [Cloudflare Access](/cloudflare-one/access-controls/policies/) applications and policies |
+| Access: Audit Logs Read | Grants read access to [Cloudflare Access audit logs](/cloudflare-one/insights/logs/audit-logs/). |
+| Access: Custom Pages Read | Grants read access to [Cloudflare Access custom block pages](/cloudflare-one/applications/block-page/). |
+| Access: Custom Pages {props.editWord} | Grants write access to [Cloudflare Access custom block pages](/cloudflare-one/applications/block-page/). |
+| Access: Device Posture Read | Grants read access to [Cloudflare Access device posture](/cloudflare-one/identity/devices/). |
+| Access: Device Posture {props.editWord} | Grants write access to [Cloudflare Access device posture](/cloudflare-one/identity/devices/). |
+| Access: Mutual TLS Certificates Read | Grants read access to [Cloudflare Access mTLS certificates](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/).
|
+| Access: Mutual TLS Certificates {props.editWord} | Grants write access to [Cloudflare Access mTLS certificates](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/). |
+| Access: Organizations, Identity Providers, and Groups Read | Grants read access to [Cloudflare Access account resources](/cloudflare-one/identity/). |
+| Access: Organizations, Identity Providers, and Groups Revoke | Grants ability to revoke user sessions to [Cloudflare Access account resources](/cloudflare-one/identity/). |
+| Access: Organizations, Identity Providers, and Groups {props.editWord} | Grants write access to [Cloudflare Access account resources](/cloudflare-one/identity/). |
+| Access: Service Tokens Read | Grants read access to [Cloudflare Access service tokens](/cloudflare-one/identity/service-tokens/). |
+| Access: Service Tokens {props.editWord} | Grants write access to [Cloudflare Access service tokens](/cloudflare-one/identity/service-tokens/). |
+| Access: SSH Auditing Read | Grants read access to [Cloudflare Access SSH CAs](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/). |
+| Access: SSH Auditing {props.editWord} | Grants write access to [Cloudflare Access SSH CAs](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/). |
+| Account Analytics Read | Grants read access to [account analytics](/analytics/account-and-zone-analytics/account-analytics/). |
+| Account Custom Pages Read | Grants read access to account-level [Error Pages](/rules/custom-errors/). |
+| Account Custom Pages {props.editWord} | Grants write access to account-level [Error Pages](/rules/custom-errors/). |
+| Account { props.src === "dash" ? "Filter" : "Rule" } Lists Read | Grants read access to Account Filter Lists. |
+| Account { props.src === "dash" ? "Filter" : "Rule" } Lists {props.editWord} | Grants write access to Account Filter Lists.
|
+| Account Firewall Access Rules Read | Grants read access to account firewall access rules. |
+| Account Firewall Access Rules {props.editWord} | Grants write access to account firewall access rules. |
+| Account Rulesets Read | Grants read access to [Account Rulesets](/ruleset-engine/about/rulesets/). |
+| Account Rulesets {props.editWord} | Grants write access to [Account Rulesets](/ruleset-engine/about/rulesets/). |
+| Account Settings Read | Grants read access to [Account resources, account membership, and account level features](/fundamentals/account/). |
+| Account Settings {props.editWord} | Grants write access to [Account resources, account membership, and account level features](/fundamentals/account/). |
+| Account: SSL and Certificates Read | Grants read access to [SSL and Certificates](/ssl/). |
+| Account: SSL and Certificates {props.editWord} | Grants write access to [SSL and Certificates](/ssl/). |
+| Account WAF Read | Grants read access to [Account WAF](/waf/). |
+| Account WAF {props.editWord} | Grants write access to [Account WAF](/waf/). |
+| Address Maps {props.editWord} | Grants write access to [Address Maps](/byoip/address-maps/) |
+| Address Maps Read | Grants read access to [Address Maps](/byoip/address-maps/) |
+| Allow Request Tracer Read | Grants read access to Request Tracer. |
+| { props.src === "api" && "Account" } API Gateway Read | Grants read access to [API Gateway (including API Shield)](/api-shield/) for all domains in an account. |
+| { props.src === "api" && "Account" } API Gateway {props.editWord} | Grants write access to [API Gateway (including API Shield)](/api-shield/) for all domains in an account. |
+| Billing Read | Grants read access to [billing profile, subscriptions, and access to fetch invoices](/billing/) and entitlements. |
+| Billing {props.editWord} | Grants write access to [billing profile, subscriptions, and access to fetch invoices and entitlements](/billing/). |
+| { props.src === "dash" ?
"Bulk" : "Mass" } URL Redirects Read | Grants read access to [Bulk Redirects](/rules/url-forwarding/bulk-redirects/). | +| { props.src === "dash" ? "Bulk" : "Mass" } URL Redirects {props.editWord} | Grants write access to [Bulk Redirects](/rules/url-forwarding/bulk-redirects/). | +| China Network Steering Read | Grants read access to [China Network Steering](/china-network/). | +| China Network Steering {props.editWord} | Grants write access to [China Network Steering](/china-network/). | +| Cloudchamber Read | Grants read access to Cloudchamber deployments. | +| Cloudchamber {props.editWord} | Grants write access to Cloudchamber deployments. | +| { props.src === "dash" && "Cloudflare" } Realtime Read | Grants read access to Cloudflare Realtime. | +| { props.src === "dash" && "Cloudflare" } Realtime {props.editWord} | Grants write access to Cloudflare Realtime. | +| Cloudflare DEX Read | Grants read access to [Digital Experience Monitoring](/cloudflare-one/insights/dex/). | +| Cloudflare DEX {props.editWord} | Grants write access to [Digital Experience Monitoring](/cloudflare-one/insights/dex/). | +| { props.src === "dash" && "Cloudflare" } Images Read | Grants read access to [Cloudflare Images](/images/). | +| { props.src === "dash" && "Cloudflare" } Images {props.editWord} | Grants write access to [Cloudflare Images](/images/). 
|
+| Cloudflare One Connector: cloudflared Read | Grants read access to [`cloudflared` connectors](/cloudflare-one/networks/connectors/cloudflare-tunnel/) |
+| Cloudflare One Connector: cloudflared {props.editWord} | Grants write access to [`cloudflared` connectors](/cloudflare-one/networks/connectors/cloudflare-tunnel/) |
+| Cloudflare One Connector: WARP Read | Grants read access to [WARP Connectors](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) |
+| Cloudflare One Connector: WARP {props.editWord} | Grants write access to [WARP Connectors](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) |
+| Cloudflare One Connectors Read | Grants read access to Cloudflare One connectors |
+| Cloudflare One Connectors {props.editWord} | Grants write access to Cloudflare One connectors |
+| Cloudflare One Networks Read | Grants read access to Cloudflare One routes and virtual networks |
+| Cloudflare One Networks {props.editWord} | Grants write access to Cloudflare One routes and virtual networks |
+| { props.src === "dash" && "Cloudflare" } Pages Read | Grants access to view [Cloudflare Pages](/pages/) projects. |
+| { props.src === "dash" && "Cloudflare" } Pages {props.editWord} | Grants access to create, edit and delete [Cloudflare Pages](/pages/) projects. |
+| Cloudflare Tunnel Read | Grants access to view [Cloudflare Tunnels](/cloudflare-one/networks/connectors/cloudflare-tunnel/). |
+| Cloudflare Tunnel {props.editWord} | Grants access to create and delete [Cloudflare Tunnels](/cloudflare-one/networks/connectors/cloudflare-tunnel/). |
+| Cloudforce One Read | Grants read access to Cloudforce One. |
+| Cloudforce One {props.editWord} | Grants write access to Cloudforce One. |
+| { props.src === "dash" ? "Email Security" : "Cloud Email Security:" } Read | Grants read access to [Cloud Email Security](/email-security/). |
+| { props.src === "dash" ?
"Email Security" : "Cloud Email Security:" } {props.editWord} | Grants write access to [Email Security](/email-security/). | +| Constellation Read | Grants read access to [Constellation](/constellation/). | +| Constellation {props.editWord} | Grants write access to [Constellation](/constellation/). | +| Containers Read | Grants read access to [Containers](/containers/). | +| Containers {props.editWord} | Grants write access to [Containers](/containers/). | +| D1 Read | Grants read access to [D1](/d1/). | +| D1 {props.editWord} | Grants write access to [D1](/d1/). | +| DDoS Botnet Feed Read | Grants read access to Botnet Feed reports. | +| DDoS Botnet Feed {props.editWord} | Grants write access to Botnet Feed configuration. | +| DDoS Protection Read | Grants read access to [DDoS protection](/ddos-protection/). | +| DDoS Protection {props.editWord} | Grants write access to [DDoS protection](/ddos-protection/). | +| DNS Firewall Read | Grants read access to [DNS Firewall](/dns/dns-firewall/). | +| DNS Firewall {props.editWord} | Grants write access to [DNS Firewall](/dns/dns-firewall/). | +| Email Routing Addresses Read | Grants read access to [Email Routing Addresses](/email-routing/setup/email-routing-addresses/). | +| Email Routing Addresses {props.editWord} | Grants write access to [Email Routing Addresses](/email-routing/setup/email-routing-addresses/). | +| Hyperdrive Read | Grants read access to [Hyperdrive](/hyperdrive/). | +| Hyperdrive {props.editWord} | Grants write access to [Hyperdrive](/hyperdrive/). | +| Intel Read | Grants read access to [Intel](/security-center/intel-apis/). | +| Intel {props.editWord} | Grants write access to [Intel](/security-center/intel-apis/). | +| Integration {props.editWord} | Grants write access to integrations. | +| IOT Read | Grants read access to [IOT](https://blog.cloudflare.com/rethinking-internet-of-things-security/). 
|
+| IOT {props.editWord} | Grants write access to [IOT](https://blog.cloudflare.com/rethinking-internet-of-things-security/). |
+| IP Prefixes: Read | Grants access to read IP prefix settings. |
+| IP Prefixes: {props.editWord} | Grants access to read/write IP prefix settings. |
+| IP Prefixes: BGP On Demand Read | Grants access to read IP prefix BGP configuration. |
+| IP Prefixes: BGP On Demand {props.editWord} | Grants access to read and change IP prefix BGP configuration. |
+| { props.src === "dash" ? "L3/4" : "L4" } DDoS Managed Ruleset Read | Grants read access to [L3/4 DDoS managed ruleset](/ddos-protection/managed-rulesets/network/). |
+| { props.src === "dash" ? "L3/4" : "L4" } DDoS Managed Ruleset {props.editWord} | Grants write access to [L3/4 DDoS managed ruleset](/ddos-protection/managed-rulesets/network/). |
+| Load Balancing: Monitors and Pools Read | Grants read access to account level [load balancer resources](/load-balancing/). |
+| Load Balancing: Monitors and Pools {props.editWord} | Grants write access to account level [load balancer resources](/load-balancing/). |
+| Logs Read | Grants read access to logs using [Logpull or Instant Logs](/logs/). |
+| Logs {props.editWord} | Grants read and write access to [Logpull, Logpush, and Instant Logs](/logs/). |
+| Magic Firewall Read | Grants read access to [Magic Firewall](/magic-firewall/). |
+| Magic Firewall {props.editWord} | Grants write access to [Magic Firewall](/magic-firewall/). |
+| Magic Firewall Packet Captures { props.src === "dash" ? "Read" : "- Read PCAPs API" } | Grants read access to [Packet Captures](/magic-firewall/packet-captures/collect-pcaps/). |
+| Magic Firewall Packet Captures { props.src === "dash" ? props.editWord : `- ${props.editWord} PCAPs API` } | Grants write access to [Packet Captures](/magic-firewall/packet-captures/collect-pcaps/). |
+| Magic Network Monitoring Read | Grants read access to [Magic Network Monitoring](/magic-network-monitoring/).
|
+| Magic Network Monitoring {props.editWord} | Grants write access to [Magic Network Monitoring](/magic-network-monitoring/). |
+| Magic Transit Read | Grants read access to manage a user's [Magic Transit prefixes](/magic-transit/how-to/advertise-prefixes/). |
+| Magic Transit {props.editWord} | Grants write access to manage a user's [Magic Transit prefixes](/magic-transit/how-to/advertise-prefixes/). |
+| Notifications Read | Grants read access to [Notifications](/notifications/). |
+| Notifications {props.editWord} | Grants write access to [Notifications](/notifications/). |
+| Page Shield Read | Grants read access to [Page Shield](/page-shield/). |
+| Page Shield {props.editWord} | Grants write access to [Page Shield](/page-shield/). |
+| { props.src === "dash" && "Workers" } Pipelines Read | Grants read access to Cloudflare Pipelines. |
+| { props.src === "dash" && "Workers" } Pipelines {props.editWord} | Grants write access to Cloudflare Pipelines. |
+| { props.src === "dash" ? "Pub/Sub" : "Pubsub Configuration" } Read | Grants read access to [Pub/Sub](/pub-sub/). |
+| { props.src === "dash" ? "Pub/Sub" : "Pubsub Configuration" } {props.editWord} | Grants write access to [Pub/Sub](/pub-sub/). |
+| Queues Read | Grants read access to [Queues](/queues/). |
+| Queues {props.editWord} | Grants write access to [Queues](/queues/). |
+| Rule Policies Read | Grants read access to Rule Policies. |
+| Rule Policies {props.editWord} | Grants write access to Rule Policies. |
+| Stream Read | Grants read access to [Cloudflare Stream](/stream/). |
+| Stream {props.editWord} | Grants write access to [Cloudflare Stream](/stream/). |
+| Transform Rules Read | Grants read access to [Transform Rules](/rules/transform/). |
+| Transform Rules {props.editWord} | Grants write access to [Transform Rules](/rules/transform/). |
+| Turnstile { props.src === "api" && "Sites" } Read | Grants read access to [Turnstile](/turnstile/).
|
+| Turnstile { props.src === "api" && "Sites" } {props.editWord} | Grants write access to [Turnstile](/turnstile/). |
+| URL Scanner Read | Grants read access to [URL Scanner](/radar/investigate/url-scanner/). |
+| URL Scanner {props.editWord} | Grants write access to [URL Scanner](/radar/investigate/url-scanner/). |
+| Vectorize Read | Grants read access to [Vectorize](/vectorize/). |
+| Vectorize {props.editWord} | Grants write access to [Vectorize](/vectorize/). |
+| Workers AI Read | Grants read access to [Workers AI](/workers-ai/). |
+| Workers AI {props.editWord} | Grants write access to [Workers AI](/workers-ai/). |
+| Workers CI Read | Grants read access to [Workers CI](/workers/). |
+| Workers CI {props.editWord} | Grants write access to [Workers CI](/workers). |
+| Workers KV Storage Read | Grants read access to [Cloudflare Workers KV Storage](/kv/api/). |
+| Workers KV Storage {props.editWord} | Grants write access to [Cloudflare Workers KV Storage](/kv/api/). |
+| Workers R2 Storage Read | Grants read access to [Cloudflare R2 Storage](/r2/). |
+| Workers R2 Storage {props.editWord} | Grants write access to [Cloudflare R2 Storage](/r2/). |
+| Workers Scripts Read | Grants read access to [Cloudflare Workers scripts](/workers/). |
+| Workers Scripts {props.editWord} | Grants write access to [Cloudflare Workers scripts](/workers/). |
+| Workers Tail Read | Grants [`wrangler tail`](/workers/wrangler/commands/#tail) read permissions. |
+| Zero Trust Read | Grants read access to [Cloudflare Zero Trust](/cloudflare-one/) resources. |
+| Zero Trust Report | Grants reporting access to [Cloudflare Zero Trust](/cloudflare-one/). |
+| Zero Trust {props.editWord} | Grants write access to [Cloudflare Zero Trust](/cloudflare-one/) resources. |
+| Zero Trust: PII Read | Grants read access to [Cloudflare Zero Trust](/cloudflare-one/) PII.
|
+| Zero Trust: Seats {props.editWord} | Grants write access to the number of [Zero Trust seats](/cloudflare-one/identity/users/seat-management/) your organization can use (and be billed for). |
diff --git a/src/content/partials/fundamentals/api-rate-limits.mdx b/src/content/partials/fundamentals/api-rate-limits.mdx
index 2c5eb6926c3074..bbf86d33cea5e8 100644
--- a/src/content/partials/fundamentals/api-rate-limits.mdx
+++ b/src/content/partials/fundamentals/api-rate-limits.mdx
@@ -29,6 +29,6 @@ Some specific API calls have their own limits and are documented separately, suc
 - [GraphQL APIs](/analytics/graphql-api/limits/)
 - [Rulesets APIs](/ruleset-engine/rulesets-api/#limits)
 - [Lists API](/waf/tools/lists/lists-api/#rate-limiting-for-lists-api-requests)
-- [Gateway Lists API](/cloudflare-one/policies/gateway/lists/#api-rate-limit)
+- [Gateway Lists API](/cloudflare-one/traffic-policies/lists/#api-rate-limit)
 
 Enterprise customers can also [contact Cloudflare Support](/support/contacting-cloudflare-support/) to raise the Client API per user, GraphQL, or API token limits to a higher value.
diff --git a/src/content/partials/fundamentals/cybersafe-cipa-subcategories.mdx b/src/content/partials/fundamentals/cybersafe-cipa-subcategories.mdx
index de9120752f1d4f..5c9104ac3a59f7 100644
--- a/src/content/partials/fundamentals/cybersafe-cipa-subcategories.mdx
+++ b/src/content/partials/fundamentals/cybersafe-cipa-subcategories.mdx
@@ -33,4 +33,4 @@ Cloudflare’s recommended CIPA rule blocks the following content subcategories:
 * Violence
 * Weapons
 
-Review the [domain categories](/cloudflare-one/policies/gateway/domain-categories/) for more information.
+Review the [domain categories](/cloudflare-one/traffic-policies/domain-categories/) for more information.
diff --git a/src/content/partials/fundamentals/cybersafe-configuration.mdx b/src/content/partials/fundamentals/cybersafe-configuration.mdx
index 387213a3a3cd01..e8654c6c41b1e8 100644
--- a/src/content/partials/fundamentals/cybersafe-configuration.mdx
+++ b/src/content/partials/fundamentals/cybersafe-configuration.mdx
@@ -3,7 +3,7 @@
 ---
-To facilitate compliance with CIPA requirements, administrators can [enable a single filtering policy option](/cloudflare-one/policies/gateway/dns-policies/common-policies/#turn-on-cipa-filter). This includes applying the required filter categories to block access to unwanted or harmful online content.
+To facilitate compliance with CIPA requirements, administrators can [enable a single filtering policy option](/cloudflare-one/traffic-policies/dns-policies/common-policies/#turn-on-cipa-filter). This includes applying the required filter categories to block access to unwanted or harmful online content.
 :::note
diff --git a/src/content/partials/fundamentals/zone-permissions-table.mdx b/src/content/partials/fundamentals/zone-permissions-table.mdx
index 8bb09657bae748..b337b088324615 100644
--- a/src/content/partials/fundamentals/zone-permissions-table.mdx
+++ b/src/content/partials/fundamentals/zone-permissions-table.mdx
@@ -6,77 +6,77 @@ params: import { Markdown } from "~/components"; -| Name | Description | -| ----------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | -| Access: Apps and Policies Read | Grants read access to [Cloudflare Access](/cloudflare-one/policies/access/) zone resources. | -| Access: Apps and Policies Revoke | Grants ability to revoke all tokens to [Cloudflare Access](/cloudflare-one/policies/access/) zone resources. | -| Access: Apps and Policies {props.editWord} | Grants write access to [Cloudflare Access](/cloudflare-one/policies/access/) zone resources. | -| Analytics Read | Grants read access to [analytics](/analytics/account-and-zone-analytics/zone-analytics/). | -| { props.src === "api" && "Domain" } API Gateway Read | Grants read access to [API Gateway](/api-shield/) zone resources. | -| { props.src === "api" && "Domain" } API Gateway {props.editWord} | Grants write access to [API Gateway](/api-shield/) zone resources. | -| Apps {props.editWord} | Grants full access to Cloudflare Apps (deprecated, refer to [Workers](/workers/) instead). | -| Bot Management Read | Grants read access to [Bot Management](/bots/plans/bm-subscription/). | -| Bot Management {props.editWord} | Grants write access to [Bot Management](/bots/plans/bm-subscription/). | -| Bot Management Feedback Read | Grants read access to [Bot Management feedback](/bots/concepts/feedback-loop/). | -| Bot Management Feedback {props.editWord} | Grants write access to [Bot Management feedback](/bots/concepts/feedback-loop/). | -| Cache Purge | Grants access to [purge cache](/cache/how-to/purge-cache/). | -| Cache { props.src === "dash" ? "Rules" : "Settings" } Read | Grants read access to [Cache Rules](/cache/how-to/cache-rules/). | -| Cache { props.src === "dash" ? 
"Rules" : "Settings" } {props.editWord} | Grants write access to [Cache Rules](/cache/how-to/cache-rules/). | -| Cloud Connector Read | Grants read access to [Cloud Connector rules](/rules/cloud-connector/). | -| Cloud Connector {props.editWord} | Grants write access to [Cloud Connector rules](/rules/cloud-connector/). | -| Config { props.src === "dash" ? "Rules" : "Settings" } Read | Grants read access to [Configuration Rules](/rules/configuration-rules/). | -| Config { props.src === "dash" ? "Rules" : "Settings" } {props.editWord} | Grants write access to [Configuration Rules](/rules/configuration-rules/). | -| Custom { props.src === "dash" ? "Error Rules" : "Errors" } Read | Grants read access to [Custom Error Rules](/rules/custom-errors/). | -| Custom { props.src === "dash" ? "Error Rules" : "Errors" } {props.editWord} | Grants write access to [Custom Error Rules](/rules/custom-errors/). | -| Custom Pages Read | Grants read access to [Custom Error Pages](/rules/custom-errors/). | -| Custom Pages {props.editWord} | Grants write access to [Custom Error Pages](/rules/custom-errors/). | -| { props.src === "dash" ? "Dmarc Management" : "Email Security DMARC Reports" } Read | Grants read access to [DMARC Management](/dmarc-management/). | -| { props.src === "dash" ? "Dmarc Management" : "Email Security DMARC Reports" } {props.editWord} | Grants write access to [DMARC Management](/dmarc-management/). | -| DNS Read | Grants read access to [DNS](/dns/). | -| DNS Write | Grants write access to [DNS](/dns/). | -| Email Routing Rules Read | Grants read access to [Email Routing Rules](/email-routing/setup/email-routing-addresses/). | -| Email Routing Rules {props.editWord} | Grants write access to [Email Routing Rules](/email-routing/setup/email-routing-addresses/). | -| Firewall Services Read | Grants read access to Firewall resources. | -| Firewall Services {props.editWord} | Grants write access to Firewall resources. 
|
-| Health Checks Read | Grants read access to [Health Checks](/health-checks/). |
-| Health Checks {props.editWord} | Grants write access to [Health Checks](/health-checks/). |
-| HTTP DDoS Managed Ruleset Read | Grants read access to [HTTP DDoS managed ruleset](/ddos-protection/managed-rulesets/http/). |
-| HTTP DDoS Managed Ruleset {props.editWord} | Grants write access to [HTTP DDoS managed ruleset](/ddos-protection/managed-rulesets/http/). |
-| Load Balancers Read | Grants read access to [load balancer resources](/load-balancing/). |
-| Load Balancers {props.editWord} | Grants write access to [load balancer resources](/load-balancing/). |
-| Logs Read | Grants read access to logs using [Logpull](/logs/). |
-| Logs {props.editWord} | Grants write access to [Logpull and Logpush](/logs/). |
-| Managed { props.src === "dash" ? "Headers" : "headers" } Read | Grants read access to [Managed Headers](/rules/transform/managed-transforms/). |
-| Managed { props.src === "dash" ? "Headers" : "headers" } {props.editWord} | Grants write access to [Managed Headers](/rules/transform/managed-transforms/). |
-| Origin { props.src === "dash" && "Rules" } Read | Grants read access to [Origin Rules](/rules/origin-rules/). |
-| Origin { props.src === "dash" && "Rules" } {props.editWord} | Grants write access to [Origin Rules](/rules/origin-rules/). |
-| Page Rules Read | Grants read access to [Page Rules](/rules/page-rules/). |
-| Page Rules {props.editWord} | Grants write access to [Page Rules](/rules/page-rules/). |
-| { props.src === "api" && "Domain" } Page Shield Read | Grants read access to [Page Shield](/page-shield/). |
-| { props.src === "api" && "Domain" } Page Shield {props.editWord} | Grants write access to [Page Shield](/page-shield/). |
-| Response Compression Read | Grants read access to [Response Compression](/rules/compression-rules/). |
-| Response Compression {props.editWord} | Grants write access to [Response Compression](/rules/compression-rules/).
|
-| Sanitize Read | Grants read access to sanitization. |
-| Sanitize {props.editWord} | Grants write access to sanitization. |
-| { props.src === "dash" ? "Single Redirect" : "Dynamic URL Redirects" } Read | Grants read access to zone-level [Single Redirects](/rules/url-forwarding/single-redirects/). |
-| { props.src === "dash" ? "Single Redirect" : "Dynamic URL Redirects" } {props.editWord} | Grants write access to zone-level [Single Redirects](/rules/url-forwarding/single-redirects/). |
-| SSL and Certificates Read | Grants read access to [SSL configuration and certificate management](/ssl/). |
-| SSL and Certificates {props.editWord} | Grants write access to [SSL configuration and certificate management](/ssl/). |
-| { props.src === "api" && "Zone" } Transform Rules Read | Grants read access to [Transform Rules](/rules/transform/). |
-| { props.src === "api" && "Zone" } Transform Rules {props.editWord} | Grants write access to [Transform Rules](/rules/transform/). |
-| Waiting { props.src === "dash" ? "Room" : "Rooms" } Read | Grants read access to [Waiting Room](/waiting-room/). |
-| Waiting { props.src === "dash" ? "Room" : "Rooms" } {props.editWord} | Grants write access to [Waiting Room](/waiting-room/). |
-| Web3 Hostnames Read | Grants read access to [Web3 Hostnames](/web3/). |
-| Web3 Hostnames {props.editWord} | Grants write access to [Web3 Hostnames](/web3/). |
-| Workers Routes Read | Grants read access to [Cloudflare Workers](/workers/) and [Workers KV Storage](/kv/api/). |
-| Workers Routes {props.editWord} | Grants write access to [Cloudflare Workers](/workers/) and [Workers KV Storage](/kv/api/). |
-| Zaraz Read | Grants read access to [Zaraz](/zaraz/) zone level settings. |
-| Zaraz {props.editWord} | Grants write access to [Zaraz](/zaraz/) zone level settings. |
-| Zone Read | Grants read access to zone management. |
-| Zone {props.editWord} | Grants write access to zone management. |
-| Zone Settings Read | Grants read access to zone settings.
|
-| Zone Settings {props.editWord} | Grants write access to zone settings. |
-| Zone Versioning Read | Grants read access to [Zone Versioning](/version-management/) at zone level. |
-| Zone Versioning {props.editWord} | Grants write access to [Zone Versioning](/version-management/) at zone level. |
-| Zone WAF Read | Grants read access to [Zone WAF](/waf/). |
-| Zone WAF {props.editWord} | Grants write access to [Zone WAF](/waf/). |
+| Name | Description |
+| ----------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- |
+| Access: Apps and Policies Read | Grants read access to [Cloudflare Access](/cloudflare-one/access-controls/policies/) zone resources. |
+| Access: Apps and Policies Revoke | Grants ability to revoke all tokens to [Cloudflare Access](/cloudflare-one/access-controls/policies/) zone resources. |
+| Access: Apps and Policies {props.editWord} | Grants write access to [Cloudflare Access](/cloudflare-one/access-controls/policies/) zone resources. |
+| Analytics Read | Grants read access to [analytics](/analytics/account-and-zone-analytics/zone-analytics/). |
+| { props.src === "api" && "Domain" } API Gateway Read | Grants read access to [API Gateway](/api-shield/) zone resources. |
+| { props.src === "api" && "Domain" } API Gateway {props.editWord} | Grants write access to [API Gateway](/api-shield/) zone resources. |
+| Apps {props.editWord} | Grants full access to Cloudflare Apps (deprecated, refer to [Workers](/workers/) instead). |
+| Bot Management Read | Grants read access to [Bot Management](/bots/plans/bm-subscription/). |
+| Bot Management {props.editWord} | Grants write access to [Bot Management](/bots/plans/bm-subscription/). |
+| Bot Management Feedback Read | Grants read access to [Bot Management feedback](/bots/concepts/feedback-loop/).
|
+| Bot Management Feedback {props.editWord} | Grants write access to [Bot Management feedback](/bots/concepts/feedback-loop/). |
+| Cache Purge | Grants access to [purge cache](/cache/how-to/purge-cache/). |
+| Cache { props.src === "dash" ? "Rules" : "Settings" } Read | Grants read access to [Cache Rules](/cache/how-to/cache-rules/). |
+| Cache { props.src === "dash" ? "Rules" : "Settings" } {props.editWord} | Grants write access to [Cache Rules](/cache/how-to/cache-rules/). |
+| Cloud Connector Read | Grants read access to [Cloud Connector rules](/rules/cloud-connector/). |
+| Cloud Connector {props.editWord} | Grants write access to [Cloud Connector rules](/rules/cloud-connector/). |
+| Config { props.src === "dash" ? "Rules" : "Settings" } Read | Grants read access to [Configuration Rules](/rules/configuration-rules/). |
+| Config { props.src === "dash" ? "Rules" : "Settings" } {props.editWord} | Grants write access to [Configuration Rules](/rules/configuration-rules/). |
+| Custom { props.src === "dash" ? "Error Rules" : "Errors" } Read | Grants read access to [Custom Error Rules](/rules/custom-errors/). |
+| Custom { props.src === "dash" ? "Error Rules" : "Errors" } {props.editWord} | Grants write access to [Custom Error Rules](/rules/custom-errors/). |
+| Custom Pages Read | Grants read access to [Custom Error Pages](/rules/custom-errors/). |
+| Custom Pages {props.editWord} | Grants write access to [Custom Error Pages](/rules/custom-errors/). |
+| { props.src === "dash" ? "Dmarc Management" : "Email Security DMARC Reports" } Read | Grants read access to [DMARC Management](/dmarc-management/). |
+| { props.src === "dash" ? "Dmarc Management" : "Email Security DMARC Reports" } {props.editWord} | Grants write access to [DMARC Management](/dmarc-management/). |
+| DNS Read | Grants read access to [DNS](/dns/). |
+| DNS Write | Grants write access to [DNS](/dns/).
|
+| Email Routing Rules Read | Grants read access to [Email Routing Rules](/email-routing/setup/email-routing-addresses/). |
+| Email Routing Rules {props.editWord} | Grants write access to [Email Routing Rules](/email-routing/setup/email-routing-addresses/). |
+| Firewall Services Read | Grants read access to Firewall resources. |
+| Firewall Services {props.editWord} | Grants write access to Firewall resources. |
+| Health Checks Read | Grants read access to [Health Checks](/health-checks/). |
+| Health Checks {props.editWord} | Grants write access to [Health Checks](/health-checks/). |
+| HTTP DDoS Managed Ruleset Read | Grants read access to [HTTP DDoS managed ruleset](/ddos-protection/managed-rulesets/http/). |
+| HTTP DDoS Managed Ruleset {props.editWord} | Grants write access to [HTTP DDoS managed ruleset](/ddos-protection/managed-rulesets/http/). |
+| Load Balancers Read | Grants read access to [load balancer resources](/load-balancing/). |
+| Load Balancers {props.editWord} | Grants write access to [load balancer resources](/load-balancing/). |
+| Logs Read | Grants read access to logs using [Logpull](/logs/). |
+| Logs {props.editWord} | Grants write access to [Logpull and Logpush](/logs/). |
+| Managed { props.src === "dash" ? "Headers" : "headers" } Read | Grants read access to [Managed Headers](/rules/transform/managed-transforms/). |
+| Managed { props.src === "dash" ? "Headers" : "headers" } {props.editWord} | Grants write access to [Managed Headers](/rules/transform/managed-transforms/). |
+| Origin { props.src === "dash" && "Rules" } Read | Grants read access to [Origin Rules](/rules/origin-rules/). |
+| Origin { props.src === "dash" && "Rules" } {props.editWord} | Grants write access to [Origin Rules](/rules/origin-rules/). |
+| Page Rules Read | Grants read access to [Page Rules](/rules/page-rules/). |
+| Page Rules {props.editWord} | Grants write access to [Page Rules](/rules/page-rules/).
|
+| { props.src === "api" && "Domain" } Page Shield Read | Grants read access to [Page Shield](/page-shield/). |
+| { props.src === "api" && "Domain" } Page Shield {props.editWord} | Grants write access to [Page Shield](/page-shield/). |
+| Response Compression Read | Grants read access to [Response Compression](/rules/compression-rules/). |
+| Response Compression {props.editWord} | Grants write access to [Response Compression](/rules/compression-rules/). |
+| Sanitize Read | Grants read access to sanitization. |
+| Sanitize {props.editWord} | Grants write access to sanitization. |
+| { props.src === "dash" ? "Single Redirect" : "Dynamic URL Redirects" } Read | Grants read access to zone-level [Single Redirects](/rules/url-forwarding/single-redirects/). |
+| { props.src === "dash" ? "Single Redirect" : "Dynamic URL Redirects" } {props.editWord} | Grants write access to zone-level [Single Redirects](/rules/url-forwarding/single-redirects/). |
+| SSL and Certificates Read | Grants read access to [SSL configuration and certificate management](/ssl/). |
+| SSL and Certificates {props.editWord} | Grants write access to [SSL configuration and certificate management](/ssl/). |
+| { props.src === "api" && "Zone" } Transform Rules Read | Grants read access to [Transform Rules](/rules/transform/). |
+| { props.src === "api" && "Zone" } Transform Rules {props.editWord} | Grants write access to [Transform Rules](/rules/transform/). |
+| Waiting { props.src === "dash" ? "Room" : "Rooms" } Read | Grants read access to [Waiting Room](/waiting-room/). |
+| Waiting { props.src === "dash" ? "Room" : "Rooms" } {props.editWord} | Grants write access to [Waiting Room](/waiting-room/). |
+| Web3 Hostnames Read | Grants read access to [Web3 Hostnames](/web3/). |
+| Web3 Hostnames {props.editWord} | Grants write access to [Web3 Hostnames](/web3/). |
+| Workers Routes Read | Grants read access to [Cloudflare Workers](/workers/) and [Workers KV Storage](/kv/api/).
|
+| Workers Routes {props.editWord} | Grants write access to [Cloudflare Workers](/workers/) and [Workers KV Storage](/kv/api/). |
+| Zaraz Read | Grants read access to [Zaraz](/zaraz/) zone level settings. |
+| Zaraz {props.editWord} | Grants write access to [Zaraz](/zaraz/) zone level settings. |
+| Zone Read | Grants read access to zone management. |
+| Zone {props.editWord} | Grants write access to zone management. |
+| Zone Settings Read | Grants read access to zone settings. |
+| Zone Settings {props.editWord} | Grants write access to zone settings. |
+| Zone Versioning Read | Grants read access to [Zone Versioning](/version-management/) at zone level. |
+| Zone Versioning {props.editWord} | Grants write access to [Zone Versioning](/version-management/) at zone level. |
+| Zone WAF Read | Grants read access to [Zone WAF](/waf/). |
+| Zone WAF {props.editWord} | Grants write access to [Zone WAF](/waf/). |
diff --git a/src/content/partials/learning-paths/zero-trust/blocklist-security-categories.mdx b/src/content/partials/learning-paths/zero-trust/blocklist-security-categories.mdx
index 3dfd3e3b7589ee..060cde6c116053 100644
--- a/src/content/partials/learning-paths/zero-trust/blocklist-security-categories.mdx
+++ b/src/content/partials/learning-paths/zero-trust/blocklist-security-categories.mdx
@@ -3,4 +3,4 @@
 ---
-Block [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories), such as **Command and Control & Botnet** and **Malware**, based on Cloudflare's threat intelligence.
+Block [security categories](/cloudflare-one/traffic-policies/domain-categories/#security-categories), such as **Command and Control & Botnet** and **Malware**, based on Cloudflare's threat intelligence.
diff --git a/src/content/partials/learning-paths/zero-trust/content-categories-description.mdx b/src/content/partials/learning-paths/zero-trust/content-categories-description.mdx
index 6634f356d9ceb7..2a7d3163a8decf 100644
--- a/src/content/partials/learning-paths/zero-trust/content-categories-description.mdx
+++ b/src/content/partials/learning-paths/zero-trust/content-categories-description.mdx
@@ -3,6 +3,6 @@ params:
 - policyType
 ---
-Entries in the [security risk content subcategory](/cloudflare-one/policies/gateway/domain-categories/#security-risk-subcategories), such as **New Domains**, do not always pose a security threat. We recommend you first create an Allow policy to track policy matching and identify any false positives. You can add false positives to your **Trusted Domains** list used in **All-{props.policyType}-Domain-Allowlist**.
+Entries in the [security risk content subcategory](/cloudflare-one/traffic-policies/domain-categories/#security-risk-subcategories), such as **New Domains**, do not always pose a security threat. We recommend you first create an Allow policy to track policy matching and identify any false positives. You can add false positives to your **Trusted Domains** list used in **All-{props.policyType}-Domain-Allowlist**.
 After your test is complete, we recommend you change the action to Block to minimize risk to your organization.
diff --git a/src/content/partials/learning-paths/zero-trust/create-list.mdx b/src/content/partials/learning-paths/zero-trust/create-list.mdx
index ad74f85f0e8536..fed2769b47d9c7 100644
--- a/src/content/partials/learning-paths/zero-trust/create-list.mdx
+++ b/src/content/partials/learning-paths/zero-trust/create-list.mdx
@@ -5,7 +5,7 @@ import { Render } from "~/components"
-Gateway supports creating [lists](/cloudflare-one/policies/gateway/lists/) of IPs, hostnames, or other entries to reference in your policies.
+Gateway supports creating [lists](/cloudflare-one/traffic-policies/lists/) of IPs, hostnames, or other entries to reference in your policies.
 It is likely that you will be onboarding to the Cloudflare platform with some predetermined series of security policies. Maybe you have explicit deny lists based on hostnames, IPs, or another measure that tie to individual users. Maybe some networks can access certain apex records while others cannot.
diff --git a/src/content/partials/learning-paths/zero-trust/create-zero-trust-org.mdx b/src/content/partials/learning-paths/zero-trust/create-zero-trust-org.mdx
index c4593c6f1d115a..2d2c8b44b7fb15 100644
--- a/src/content/partials/learning-paths/zero-trust/create-zero-trust-org.mdx
+++ b/src/content/partials/learning-paths/zero-trust/create-zero-trust-org.mdx
@@ -1,9 +1,8 @@
 ---
 {}
-
 ---
-import { Render} from "~/components"
+import { Render } from "~/components";
 To start using Zero Trust features, create a Zero Trust organization in your Cloudflare account.
@@ -22,18 +21,19 @@ To add Zero Trust to your Terraform configuration:
 1. [Sign up for Zero Trust](#sign-up-for-zero-trust) on the Cloudflare dashboard.
 2. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
- - `Access: Organizations, Identity Providers, and Groups Write`
+ - `Access: Organizations, Identity Providers, and Groups Write`
 3. Add the [`cloudflare_zero_trust_organization`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_organization) resource:
- ```terraform
- resource "cloudflare_zero_trust_organization" "" {
- account_id = var.cloudflare_account_id
- name = "Acme Corporation"
- auth_domain = ".cloudflareaccess.com"
- }
- ```
- Replace ` **Custom Pages**.
+ ```terraform
+ resource "cloudflare_zero_trust_organization" "" {
+ account_id = var.cloudflare_account_id
+ name = "Acme Corporation"
+ auth_domain = ".cloudflareaccess.com"
+ }
+ ```
+
+ Replace ` **Custom Pages**.
 You can now update Zero Trust organization settings using Terraform.
diff --git a/src/content/partials/learning-paths/zero-trust/device-profiles.mdx b/src/content/partials/learning-paths/zero-trust/device-profiles.mdx
index e2d6756da27dd6..b227b3fcb91b69 100644
--- a/src/content/partials/learning-paths/zero-trust/device-profiles.mdx
+++ b/src/content/partials/learning-paths/zero-trust/device-profiles.mdx
@@ -38,7 +38,7 @@ To customize the default settings:
 5. Configure [global settings](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#global-settings) for all device profiles:
 1. (Recommended) Enable **Admin override code** if you turned on **Lock WARP switch**.
- 2. Enable **Install CA to system certificate store** if you want users to see a [custom block page](/cloudflare-one/policies/gateway/block-page/).
+ 2. Enable **Install CA to system certificate store** if you want users to see a [custom block page](/cloudflare-one/traffic-policies/block-page/).
diff --git a/src/content/partials/networking-services/analytics/magic-tunnel-traffic-analytics.mdx b/src/content/partials/networking-services/analytics/magic-tunnel-traffic-analytics.mdx
index 336dfbb686781c..2c91d0409153e0 100644
--- a/src/content/partials/networking-services/analytics/magic-tunnel-traffic-analytics.mdx
+++ b/src/content/partials/networking-services/analytics/magic-tunnel-traffic-analytics.mdx
@@ -21,7 +21,7 @@
 - For Magic WAN customers, `Non-tunnel traffic` refers to traffic outside of GRE or IPsec tunnels. This can include traffic from:
 - [WARP](/cloudflare-one/team-and-resources/devices/warp/)
 - [CNIs](/network-interconnect/)
- - Traffic destined for the public Internet via [Gateway](/cloudflare-one/policies/gateway/)
+ - Traffic destined for the public Internet via [Gateway](/cloudflare-one/traffic-policies/)
 - Traffic destined for applications behind [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/)
 The label `Non-Tunnel traffic` is a placeholder, and more specific labels will be applied to this category of traffic in the near future.
diff --git a/src/content/partials/networking-services/magic-wan/third-party/azure-vpn-gateway.mdx b/src/content/partials/networking-services/magic-wan/third-party/azure-vpn-gateway.mdx
index 800acd9807a6db..518fa7db78102f 100644
--- a/src/content/partials/networking-services/magic-wan/third-party/azure-vpn-gateway.mdx
+++ b/src/content/partials/networking-services/magic-wan/third-party/azure-vpn-gateway.mdx
@@ -171,7 +171,7 @@ Microsoft does not permit specifying a default route (`0.0.0.0/0`) under Address
 ## Install Cloudflare Zero Trust CA Certificate
-If you opt to route all Internet bound traffic through {props.productName} and want to take advantage of [HTTPS TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), it will be necessary to install and trust the Cloudflare Zero Trust root CA certificate on your user's devices. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare.
+If you opt to route all Internet bound traffic through {props.productName} and want to take advantage of [HTTPS TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), it will be necessary to install and trust the Cloudflare Zero Trust root CA certificate on your user's devices. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare.
 More details on how to install the root CA certificate can be found in [User-side certificates](/cloudflare-one/team-and-resources/devices/user-side-certificates/) in the Cloudflare Zero Trust documentation.
diff --git a/src/content/partials/networking-services/reference/traffic-steering.mdx b/src/content/partials/networking-services/reference/traffic-steering.mdx
index 06f165b02ebaa6..0a6e01a5104be6 100644
--- a/src/content/partials/networking-services/reference/traffic-steering.mdx
+++ b/src/content/partials/networking-services/reference/traffic-steering.mdx
@@ -401,7 +401,7 @@ BGP support currently has the following limitations:

By default, Cloudflare balances and steers traffic based on network-layer characteristics (IP, port etc). If you are using the Magic WAN Connector, you can also steer traffic based on well-known applications. Application-aware policies provide easier management and more granularity over traffic flows.
- For more information, refer to Applications and app types.

+ For more information, refer to Applications and app types.

) }
diff --git a/src/content/products/access.yaml b/src/content/products/access.yaml
index 58f6922a988e69..459f2bc7ed00ff 100644
--- a/src/content/products/access.yaml
+++ b/src/content/products/access.yaml
@@ -3,7 +3,7 @@ name: Access
 product:
 title: Access
 group: Cloudflare One
- url: /cloudflare-one/policies/access/
+ url: /cloudflare-one/access-controls/policies/
 meta:
 title: Cloudflare Access docs
diff --git a/src/content/products/browser-isolation.yaml b/src/content/products/browser-isolation.yaml
index cc5df97693ace2..660d2c1dfb53ad 100644
--- a/src/content/products/browser-isolation.yaml
+++ b/src/content/products/browser-isolation.yaml
@@ -3,7 +3,7 @@ name: Browser Isolation
 product:
 title: Browser Isolation
 group: Cloudflare One
- url: /cloudflare-one/policies/browser-isolation/
+ url: /cloudflare-one/remote-browser-isolation/
 meta:
 description: Execute active webpage content in a secure, isolated browser
diff --git a/src/content/products/dlp.yaml b/src/content/products/dlp.yaml
index 97a3c68feb39a4..e267069ae11857 100644
--- a/src/content/products/dlp.yaml
+++ b/src/content/products/dlp.yaml
@@ -3,7 +3,7 @@ name: Data Loss Prevention
 product:
 title: Data Loss Prevention
 group: Cloudflare One
- url: /cloudflare-one/policies/data-loss-prevention/
+ url: /cloudflare-one/data-loss-prevention/
 meta:
 description: Scan your web traffic and SaaS applications for sensitive data
diff --git a/src/content/products/gateway.yaml b/src/content/products/gateway.yaml
index 4a4dc76bd7ecc4..3d2036e3c1f701 100644
--- a/src/content/products/gateway.yaml
+++ b/src/content/products/gateway.yaml
@@ -3,7 +3,7 @@ name: Gateway
 product:
 title: Gateway
 group: Cloudflare One
- url: /cloudflare-one/policies/gateway/
+ url: /cloudflare-one/traffic-policies/
 meta:
 description: Set up policies to inspect DNS, Network, HTTP, and Egress traffic