Merged
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ You can set up External Evaluation rules using any API service, but to get start
4. Open the [Wrangler configuration file](/workers/wrangler/configuration/) in an editor and insert the following:

- `[[kv_namespaces]]`: Add the output generated in the previous step.
- `<TEAM_NAME>`: your Cloudflare Zero Trust <GlossaryTooltip term="team name">team name</GlossaryTooltip>.
- `<TEAM_NAME>`: your Cloudflare Cloudflare One <GlossaryTooltip term="team name">team name</GlossaryTooltip>.

<WranglerConfig>
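Review bot: The replacement `<TEAM_NAME>` bullet reads "your Cloudflare Cloudflare One team name", with "Cloudflare" doubled. The old text was "Cloudflare Zero Trust", so only "Zero Trust" should have been swapped; the bullet should read "your Cloudflare One team name".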

Expand Down Expand Up @@ -110,7 +110,7 @@ Other key formats (such as DSA) are not supported at this time.

### 4. Create an External Evaluation rule

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Policies**.
1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Policies**.

2. Edit an existing policy or select **Add a policy**.

Expand All @@ -122,7 +122,7 @@ Other key formats (such as DSA) are not supported at this time.

4. Save the policy.

5. Go to **Access** > **Applications** and edit the application for which you want to apply the External Evaluation rule.
5. Go to **Access controls** > **Applications** and edit the application for which you want to apply the External Evaluation rule.

6. In the **Policies** tab, add the policy that contains the External Evaluation rule.

Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ This feature is only available if you are using the following identity providers

To enforce an MFA requirement to an application:

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications**.
1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Applications**.

2. Find the application for which you want to enforce MFA and select **Configure**. Alternatively, [create a new application](/cloudflare-one/access-controls/applications/http-apps/).

Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ Access policies define the users who can log in to your Access applications. You

To create a reusable Access policy:

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Policies**.
1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Policies**.
2. Select **Add a policy**.
3. Enter a **Policy name**.
4. Choose an [**Action**](/cloudflare-one/access-controls/policies/#actions) for the policy.
Expand All @@ -31,7 +31,7 @@ You can now add this policy to an [Access application](/cloudflare-one/access-co

To make changes to an existing Access policy:

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Policies**.
1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Policies**.
2. Locate the policy you want to update and select **Configure**.
3. Once you have made the necessary changes, select **Save**.

Expand All @@ -41,7 +41,7 @@ The updated policy is now in effect for all associated Access applications.

To delete a reusable Access policy:

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Policies** and locate the policy you want to delete.
1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Policies** and locate the policy you want to delete.
2. If the policy is used by an application, remove the policy from all associated applications.
3. Select **Delete**.
4. A pop-up message will ask you to confirm your decision to delete the policy. Select **Delete**.
Expand All @@ -58,7 +58,7 @@ The Access policy builder allows you to test your rules before saving any change

To test an individual Access policy:

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Policies**.
1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Policies**.
2. Locate the policy you want to test and select **Configure**.
3. Go to **Policy tester** and select **Test policies**.

Expand All @@ -70,7 +70,7 @@ You can test your Access application policies against your user population befor

To test if users have access to an application:

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications**.
1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Applications**.
2. Locate the application you want to test and select **Configure**.
3. Go to **Policies** > **Policy tester**.
4. To test all active users in your organization, select **Test policies**.
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ The purpose justification screen will show for any new sessions of an applicatio

Configuring a purpose justification screen is done as part of configuring an Access policy.

1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Access controls** > **Applications**.
2. Choose an application and select **Configure**.
3. Go to **Policies**.
4. Choose an **Allow** policy and select **Configure**.
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ With Cloudflare Access, you can require that users obtain approval before they c

## Set up temporary authentication

1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Access controls** > **Applications**.
2. Choose a **Self-hosted** or **SaaS** application and select **Configure**.
3. Choose an **Allow** policy and select **Configure**.
4. Under **Additional settings**, turn on [**Purpose justification**](/cloudflare-one/access-controls/policies/require-purpose-justification/).
Original file line number Diff line number Diff line change
Expand Up @@ -25,9 +25,9 @@ DLP scans will not start until you [create a DLP policy](#2-create-a-dlp-policy)

## 2. Create a DLP policy

DLP Profiles may be used alongside other Zero Trust rules in a [Gateway HTTP policy](/cloudflare-one/traffic-policies/http-policies/). To start logging or blocking traffic, create a policy for DLP:
DLP Profiles may be used alongside other Cloudflare One rules in a [Gateway HTTP policy](/cloudflare-one/traffic-policies/http-policies/). To start logging or blocking traffic, create a policy for DLP:

1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Gateway** > **Firewall policies**. Select **HTTP**.
1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Traffic policies** > **Firewall policies**. Select **HTTP**.

2. Select **Add a policy**.

Expand Down Expand Up @@ -57,7 +57,7 @@ Different sites will send requests in different ways. For example, some sites wi

## 4. View DLP logs

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Logs** > **Gateway** > **HTTP**.
1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Insights** > **Logs** > **HTTP logs**.
2. Select **Filter**.
3. Choose an item under one of the following filters:
- **DLP Profiles** shows the requests which matched a specific DLP profile.
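Review bot: Step 1 of "View DLP logs" names the last menu item **HTTP logs**, while the logging-options hunks in this same change use **Insights** > **Logs** > **HTTP request logs** for what replaces the same old path (**Logs** > **Gateway** > **HTTP**). Pick whichever label the dashboard actually shows and use it in all three places, since analysts will follow these steps to find matched requests.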
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,10 @@ To generate a public/private key pair in the command line, refer to [these instr

### Upload the public key to Cloudflare

1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network**.
2. In the **DLP Payload Encryption public key** field, paste your public key.
3. Select **Save**.
1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Traffic policies** > **Traffic settings**.
2. In the **Set a DLP payload and prompt encryption public key** field, select **Edit**.
3. Paste your public key.
4. Select **Save**.

:::note
The matching private key is required to view logs. If you lose your private key, you will need to [generate](#1-generate-a-key-pair) and [upload](#2-upload-the-public-key-to-cloudflare) a new public key. The payload of new requests will be encrypted with the new public key.
Expand All @@ -35,7 +36,7 @@ DLP can log the payload of matched HTTP requests in your Cloudflare logs.

You can enable payload logging for any Allow or Block HTTP policy that uses the [_DLP Profile_](/cloudflare-one/traffic-policies/http-policies/#dlp-profile) selector.

1. Go to **Gateway** > **Firewall policies** > **HTTP**.
1. Go to **Traffic policies** > **Firewall policies** > **HTTP**.
2. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy).
3. In the policy builder, scroll down to **Configure policy settings** and turn on **Log the payload of matched rules**.
4. Select **Save**.
Expand All @@ -46,7 +47,7 @@ Data Loss Prevention will now store a portion of the payload for HTTP requests t

To view DLP payload logs:

1. Go to **Logs** > **Gateway** > **HTTP**.
1. Go to **Insights** > **Logs** > **HTTP request logs**.
2. Go to the DLP log you are interested in reviewing and expand the row.
3. Select **Decrypt payload log**.
4. Enter your private key and select **Decrypt**.
Expand Down Expand Up @@ -85,7 +86,7 @@ DLP can detect and log the prompt topic sent to an AI tool.

You can enable payload logging for any Allow or Block HTTP policy that uses the [_Application_](/cloudflare-one/traffic-policies/http-policies/#application) selector with a supported [Application Granular Controls](/cloudflare-one/traffic-policies/http-policies/#application-granular-controls) application.

1. Go to **Gateway** > **Firewall policies** > **HTTP**.
1. Go to **Traffic policies** > **Firewall policies** > **HTTP**.
2. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy).
3. In the policy builder, scroll down to **Configure policy settings** and turn on **Capture generative AI prompt content in logs**.
4. Select **Save**.
Expand All @@ -96,7 +97,7 @@ Data Loss Prevention will now store the user prompt and AI model response for re

To view generative AI prompt log details:

1. Go to **Logs** > **Gateway** > **HTTP**.
1. Go to **Insights** > **Logs** > **HTTP request logs**.
2. Go to the DLP log you are interested in reviewing and expand the row.
3. Select **Decrypt payload log**.
4. Enter your private key and select **Decrypt**.
Expand All @@ -114,16 +115,15 @@ Gateway allows you to send copies of entire HTTP requests matched in HTTP Allow

To set up the DLP Forensic Copy Logpush job:

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Logs** > **Logpush**.
2. If this is your first Logpush job, select **Add a Logpush job**. Otherwise, select **Go to logpush configurations**.
3. In Logpush, select **Create a Logpush job**.
4. Choose a [Logpush destination](/logs/logpush/logpush-job/enable-destinations/).
5. In **Configure logpush job**, choose the _DLP forensic copies_ dataset. Select **Create Logpush job**.
6. Return to Zero Trust and go to **Gateway** > **Firewall policies** > **HTTP**.
7. Edit an existing Allow or Block policy, or [create a new policy](/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy). Your policy does not need to include a DLP profile.
8. In the policy builder, scroll down to **Configure policy settings** and turn on **Send DLP forensic copies to storage**.
9. Select a storage destination. Gateway will list any configured Logpush jobs or integrations that can receive HTTP requests.
10. Select **Save policy**.
1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Insights** >**Logs**, and select **Manage Logpush**.
2. In Logpush, select **Create a Logpush job**.
3. Choose a [Logpush destination](/logs/logpush/logpush-job/enable-destinations/).
4. In **Configure logpush job**, choose the _DLP forensic copies_ dataset. Select **Create Logpush job**.
5. Return to Cloudflare One and go to **Traffic policies** > **Firewall policies** > **HTTP**.
6. Edit an existing Allow or Block policy, or [create a new policy](/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy). Your policy does not need to include a DLP profile.
7. In the policy builder, scroll down to **Configure policy settings** and turn on **Send DLP forensic copies to storage**.
8. Select a storage destination. Gateway will list any configured Logpush jobs or integrations that can receive HTTP requests.
9. Select **Save policy**.

DLP will now send a copy of HTTP requests that match this policy to your Logpush destination.
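Review bot: In the new step 1, "**Insights** >**Logs**" is missing the space after `>`; every other menu path in this change is written "**A** > **B**". Suggest "go to **Insights** > **Logs**, and select **Manage Logpush**".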

Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ This page lists the profile settings available when configuring a [predefined](/

To edit profile settings for an existing predefined or custom DLP profile:

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Data loss prevention** > **DLP profiles**.
1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Data loss prevention** > **Profiles**.
2. Choose a profile, then select **Edit**.
3. In **Settings**, configure the [settings](#available-settings) for your profile.
4. Select **Save profile**.
Expand Down Expand Up @@ -44,7 +44,7 @@ DLP redacts any matched text, then submits the context as an AI text embedding v

To use AI context analysis:

1. Turn on **AI context analysis** in a DLP profile.
1. Choose the **Confidence threshold** in a DLP profile.
2. [Add the profile](/cloudflare-one/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy) to a DLP policy.
3. When configuring the DLP policy, turn on [payload logging](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules).
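Review bot: Step 1 under "To use AI context analysis" now says only "Choose the **Confidence threshold** in a DLP profile", which no longer tells the reader what has to be set for AI context analysis to run. If the separate toggle was replaced by the threshold setting, state which threshold values apply, or point to the confidence threshold procedure further down this page, so the step is actionable on its own.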

Expand All @@ -54,15 +54,16 @@ AI context analysis results will appear in the payload section of your [DLP logs

Confidence thresholds indicate how confident Cloudflare DLP is in a DLP detection. DLP determines the confidence by inspecting the content for proximity keywords around the detection.

Confidence threshold is set on the DLP profile. When you select a confidence threshold in Zero Trust, you will see which DLP entries will be affected by the confidence threshold. Entries that do not reflect a confidence threshold in Zero Trust are not yet supported or are not applicable.
Confidence threshold is set on the DLP profile. When you select a confidence threshold in Cloudflare One, you will see which DLP entries will be affected by the confidence threshold. Entries that do not reflect a confidence threshold in Cloudflare One are not yet supported or are not applicable.

DLP confidence detections consist of Low, Medium, and High confidence thresholds. DLP will default to Low confidence detections, which are based on regular expressions, require few keywords, and will trigger more often. Medium and High confidence detections require more keywords, will trigger less often, and have a higher likelihood of accuracy.

To change the confidence threshold of a DLP profile:

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Data loss prevention** > **DLP profiles**.
1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Data loss prevention** > **Profiles**.
2. Select the profile, then select **Edit**.
3. In **Settings** > **Confidence threshold**, choose a new confidence threshold from the dropdown menu.
4. Select **Save profile**.

Setting the confidence to Low will also consider Medium and High confidence detections as matches. Setting the confidence to Medium or High will filter out lower confidence detections.

Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ Clientless Web Isolation allows users to securely browse high risk or sensitive

<Render file="clientless-browser-isolation" product="cloudflare-one" />

3. To configure permissions, in **Settings** > **Browser Isolation** > select **Manage** next to Permissions. You can add authentication methods and [rules](/cloudflare-one/access-controls/policies/) to control who can access the remote browser.
3. To configure permissions, in **Browser isolation** > **Browser isolation settings** > select **Manage** next to **Manage remote browser permissions**. You can add authentication methods and [rules](/cloudflare-one/access-controls/policies/) to control who can access the remote browser.

4. Under **Policies** > Access Policies > select **Create new policy**.
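Review bot: The rewritten step 3 keeps the old "in X > Y > select **Manage**" construction, so a `>` now joins a menu path to an action and the sentence ends "select **Manage** next to **Manage remote browser permissions**". Suggest "go to **Browser isolation** > **Browser isolation settings** and select **Manage** next to **Manage remote browser permissions**", and confirm that the setting label really repeats the button text.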

Expand All @@ -31,7 +31,7 @@ Your application will now be served in an isolated browser for users matching yo

To open links using Browser Isolation:

1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Browser Isolation**.
1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Browser isolation**.
2. Select **Launch isolated browser**. Turn **Clientless web isolation** on.
3. In **Launch browser**, enter the URL link, and then select **Launch**. Your URL will open in a secure isolated browser.

Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ Setup instructions vary depending on how you want to connect your devices to Clo

To configure Browser Isolation policies:

1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Gateway** > **Firewall policies** > **HTTP**.
1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Traffic policies** > **Firewall policies** > **HTTP**.
2. Select **Add a policy** and enter a name for the policy.
3. Use the HTTP policy [selectors](/cloudflare-one/traffic-policies/http-policies/#selectors) and [operators](/cloudflare-one/traffic-policies/http-policies/#comparison-operators) to specify the websites or content you want to isolate.
4. For **Action**, choose either [_Isolate_](/cloudflare-one/remote-browser-isolation/isolation-policies/#isolate) or [_Do not Isolate_](/cloudflare-one/remote-browser-isolation/isolation-policies/#do-not-isolate).
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ sidebar:
order: 5
---

With Cloudflare Zero Trust, you can isolate HTTP traffic from on-ramps such as [proxy endpoints](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) or [Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/). Since these on-ramps do not require users to log in to Cloudflare WARP, [identity-based policies](/cloudflare-one/traffic-policies/identity-selectors/) are not supported.
With Cloudflare One, you can isolate HTTP traffic from on-ramps such as [proxy endpoints](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) or [Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/). Since these on-ramps do not require users to log in to Cloudflare WARP, [identity-based policies](/cloudflare-one/traffic-policies/identity-selectors/) are not supported.

:::note

Expand All @@ -19,6 +19,6 @@ If you want to apply Isolate policies based on user identity, you will need to e
- Configure your browser to forward traffic to a Gateway proxy endpoint with [PAC files](/cloudflare-one/team-and-resources/devices/agentless/pac-files/).
- Connect your enterprise site router to Gateway with the [anycast GRE or IPsec tunnel on-ramp to Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/).
3. Enable non-identity browser isolation:
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Browser Isolation**.
1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Browser isolation** > *Browser isolation settings**.
2. Turn on **Non-identity on-ramp support**.
4. Build a non-identity [HTTP policy](/cloudflare-one/remote-browser-isolation/isolation-policies/) to isolate websites in a remote browser.
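Review bot: In the new sub-step 1, "*Browser isolation settings**" opens with one asterisk and closes with two, so the bold markup is unbalanced and will render with stray asterisks. It should be "**Browser isolation** > **Browser isolation settings**", matching the clientless isolation page changed earlier in this PR.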
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ sidebar:

import { Render } from "~/components";

With Cloudflare Zero Trust, you can create lists of URLs, hostnames, or other entries to reference when creating [Gateway policies](/cloudflare-one/traffic-policies/) or [Access policies](/cloudflare-one/access-controls/policies/). This allows you to quickly create rules that match and take actions against several items at once.
With Cloudflare One, you can create lists of URLs, hostnames, or other entries to reference when creating [Gateway policies](/cloudflare-one/traffic-policies/) or [Access policies](/cloudflare-one/access-controls/policies/). This allows you to quickly create rules that match and take actions against several items at once.

Before creating a list, make note of the [limitations](#limitations).
