From 227c2145dc2ed87531b4018bfc94cff7e54c439c Mon Sep 17 00:00:00 2001
From: Ranbel Sun
Date: Tue, 28 Oct 2025 13:50:49 -0400
Subject: [PATCH 01/11] move mtls

---
 public/__redirects | 1 +
 .../service-credentials}/mutual-tls-authentication.mdx | 0
 2 files changed, 1 insertion(+)
 rename src/content/docs/cloudflare-one/{reusable-components/posture-checks/access-integrations => access-controls/service-credentials}/mutual-tls-authentication.mdx (100%)

diff --git a/public/__redirects b/public/__redirects
index 7070fd9e718f3ed..18b0501b3cb9856 100644
--- a/public/__redirects
+++ b/public/__redirects
@@ -2399,6 +2399,7 @@
 /cloudflare-one/identity/authorization-cookie/application-token/ /cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/ 301
 /cloudflare-one/identity/authorization-cookie/cors/ /cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors/ 301
 /cloudflare-one/identity/service-tokens/ /cloudflare-one/access-controls/service-credentials/service-tokens/ 301
+/cloudflare-one/identity/mutual-tls-authentication/ /cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/ 301
 /cloudflare-one/applications/configure-apps/mcp-servers/mcp-portals/ /cloudflare-one/access-controls/ai-controls/mcp-portals/ 301
 /cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/ /cloudflare-one/access-controls/ai-controls/saas-mcp/ 031
 /cloudflare-one/applications/configure-apps/mcp-servers/linked-apps/ /cloudflare-one/access-controls/ai-controls/linked-apps/ 301
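Review bot: The added rule only redirects the legacy `/cloudflare-one/identity/mutual-tls-authentication/` path, while the path this series actually renames away from — `/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/`, which the PATCH 02 hunks show was linked from many pages and partials — gets no rule in this hunk, so external bookmarks and third-party links to it will 404 unless a wildcard rule elsewhere in `public/__redirects` already covers that prefix. If none does, a second line `/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/ /cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/ 301` closes the gap, and the same point applies to the `tanium` rule in the PATCH 03 `public/__redirects` hunk, whose old-path side is also the pre-reorganisation `/cloudflare-one/identity/...` URL rather than the `access-integrations/tanium/` path being moved. Separately, the `saas-mcp` context line two below the insertion ends in `031` rather than `301`; that looks like a transposed status code and presumably leaves that redirect unapplied, so although it predates this commit it is worth correcting while this block is being edited.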
diff --git a/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication.mdx b/src/content/docs/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication.mdx
similarity index 100%
rename from src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication.mdx
rename to src/content/docs/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication.mdx

From 2660376ca2fd4e9d532671e80263f453ac37428a Mon Sep 17 00:00:00 2001
From: Ranbel Sun
Date: Tue, 28 Oct 2025 13:52:07 -0400
Subject: [PATCH 02/11] update links

---
 .../security/certificate-management/enforce-mtls.mdx | 2 +-
 .../posture-checks/access-integrations/index.mdx | 2 +-
 .../warp-client-checks/client-certificate.mdx | 2 +-
 .../devices/warp/deployment/device-enrollment.mdx | 2 +-
 .../learning-paths/mtls/concepts/mtls-cloudflare.mdx | 4 ++--
 .../mtls/mtls-cloudflare-access/index.mdx | 12 ++++++------
 src/content/docs/ssl/client-certificates/byo-ca.mdx | 2 +-
 .../configure-your-mobile-app-or-iot-device.mdx | 2 +-
 src/content/docs/ssl/client-certificates/index.mdx | 2 +-
 .../docs/ssl/client-certificates/zero-trust-mtls.mdx | 2 +-
 src/content/docs/ssl/troubleshooting/faq.mdx | 2 +-
 ...for-content-management-systems-like-wordpress.mdx | 2 +-
 src/content/notifications/index.yaml | 4 ++--
 .../cloudflare-one/warp/device-enrollment-mtls.mdx | 4 ++--
 .../fundamentals/account-permissions-table.mdx | 4 ++--
 .../zero-trust/device-enrollment-permissions.mdx | 2 +-
 16 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx
index 0d65db2bebe9ca9..61b4e6f53d80a31 100644
--- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx
+++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx
@@ -24,7 +24,7 @@ However, if you want to update the Minimum TLS settings for all wildcard hostnam
 ## Enable mTLS
-Once you have [added a custom hostname](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/), you can enable mTLS by using Cloudflare Access. Go to [Cloudflare Zero Trust](https://one.dash.cloudflare.com/) and [add mTLS authentication](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/) with a few clicks.
+Once you have [added a custom hostname](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/), you can enable mTLS by using Cloudflare Access. Go to [Cloudflare Zero Trust](https://one.dash.cloudflare.com/) and [add mTLS authentication](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) with a few clicks.
 :::note
 Currently, you cannot add mTLS policies for custom hostnames using [API Shield](/api-shield/security/mtls/).
diff --git a/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations/index.mdx b/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations/index.mdx
index 10cf48f23204c05..532cc36b08704c2 100644
--- a/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations/index.mdx
+++ b/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations/index.mdx
@@ -10,5 +10,5 @@ These device posture checks can only be enforced for Cloudflare Access applicati
 | Device posture check | macOS | Windows | Linux | iOS | Android/ChromeOS | [WARP mode](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/) |
 | ----------------------------------------------------------------------------------------------- | ----- | ------- | ----- | --- | ---------------- | ---------------------------------------------------------------------------------------- |
 | [Microsoft Entra ID Conditional Access](/cloudflare-one/tutorials/entra-id-conditional-access/) | ✅ | ✅ | ❌ | ❌ | ❌ | WARP not required |
-| [Mutual TLS](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/) | ✅ | ✅ | ✅ | ✅ | ✅ | WARP not required |
+| [Mutual TLS](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) | ✅ | ✅ | ✅ | ✅ | ✅ | WARP not required |
 | [Tanium](/cloudflare-one/reusable-components/posture-checks/access-integrations/tanium/) | ✅ | ✅ | ✅ | ❌ | ❌ | Gateway with WARP, Secure Web Gateway without DNS filtering, or Device Information Only |
diff --git a/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate.mdx b/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate.mdx
index edced3cb4dbdf3b..0d91a1225d95f58 100644
--- a/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate.mdx
+++ b/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate.mdx
@@ -44,7 +44,7 @@ The Client Certificate device posture attribute checks if the device has a valid
 :::note
-To generate a sample root CA for testing, refer to [Generate mTLS certificates](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#generate-mtls-certificates).
+To generate a sample root CA for testing, refer to [Generate mTLS certificates](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#generate-mtls-certificates).
 :::
 ## Configure the client certificate check
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/device-enrollment.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/device-enrollment.mdx
index 1c136286b7d4f66..468fe8ebf36403a 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/device-enrollment.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/device-enrollment.mdx
@@ -29,7 +29,7 @@ You can verify which devices have enrolled by going to **My Team** > **Devices**
 ### Check for mTLS certificate
-Enterprise customers can enforce [mutual TLS authentication](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/) during device enrollment.
+Enterprise customers can enforce [mutual TLS authentication](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) during device enrollment.
diff --git a/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx b/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx
index 821633d0696edda..0215e34c87b6920 100644
--- a/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx
+++ b/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx
@@ -20,5 +20,5 @@ There are two main ways to use mTLS at Cloudflare, either by using the Applicati
 | Mainly used for | External Authentication (that is, APIs) | Internal Authentication (that is, employees) |
 | Availability | By default, 100 Client Certificates per Zone are included for free. For more certificates or [API Shield features](/api-shield/), contact your account team. | Zero Trust Enterprise only feature. |
 | [Certificate Authority (CA)](/ssl/concepts/#certificate-authority-ca) | Cloudflare-managed or customer-uploaded (BYO CA). There's a soft-limit of up to [five customer-uploaded CAs](/ssl/client-certificates/byo-ca/#availability). | Customer-uploaded only (BYO CA). There's a soft-limit of up to [50 CAs](/cloudflare-one/account-limits/#access). |
-| Client Certificate Details | Forwarded to the origin server via [Cloudflare API](/ssl/client-certificates/forward-a-client-certificate/#cloudflare-api), [Cloudflare Workers](/ssl/client-certificates/forward-a-client-certificate/#cloudflare-workers), and [Managed Transforms](/ssl/client-certificates/forward-a-client-certificate/#managed-transforms). | Forwarded to the origin server via [Cloudflare API](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#cloudflare-api), [Cloudflare Workers](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#cloudflare-workers), and [Managed Transforms](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#managed-transforms). Client Certificate headers and [Cf-Access-Jwt-Assertion](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) JWT header can be forwarded to the origin server. 
|
-| Client Certificates Revocation | Use the WAF [Custom Rules](/waf/custom-rules/) to check for [_cf.tls_client_auth.cert_revoked_](/ssl/client-certificates/revoke-client-certificate/), which only applies to Cloudflare-managed CA.

For BYO CAs, it would be the same approach as with Cloudflare Access. | Generate a [Certificate Revocation List (CRL)](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#create-a-crl) and enforce the revocation in a Cloudflare Worker. |
+| Client Certificate Details | Forwarded to the origin server via [Cloudflare API](/ssl/client-certificates/forward-a-client-certificate/#cloudflare-api), [Cloudflare Workers](/ssl/client-certificates/forward-a-client-certificate/#cloudflare-workers), and [Managed Transforms](/ssl/client-certificates/forward-a-client-certificate/#managed-transforms). | Forwarded to the origin server via [Cloudflare API](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#cloudflare-api), [Cloudflare Workers](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#cloudflare-workers), and [Managed Transforms](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#managed-transforms). Client Certificate headers and [Cf-Access-Jwt-Assertion](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) JWT header can be forwarded to the origin server. |
+| Client Certificates Revocation | Use the WAF [Custom Rules](/waf/custom-rules/) to check for [_cf.tls_client_auth.cert_revoked_](/ssl/client-certificates/revoke-client-certificate/), which only applies to Cloudflare-managed CA.

For BYO CAs, it would be the same approach as with Cloudflare Access. | Generate a [Certificate Revocation List (CRL)](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#create-a-crl) and enforce the revocation in a Cloudflare Worker. |
diff --git a/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx b/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx
index ace3c9981c52d66..5dd46b518c3faf2 100644
--- a/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx
+++ b/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx
@@ -9,7 +9,7 @@ sidebar:
 This requires an active Enterprise [Account](/fundamentals/concepts/accounts-and-zones/) with Cloudflare Access enabled.
 :::
-Setting up [mTLS](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/) with [Cloudflare Access](/cloudflare-one/access-controls/policies/) can help in cases where the customer:
+Setting up [mTLS](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) with [Cloudflare Access](/cloudflare-one/access-controls/policies/) can help in cases where the customer:
 - Already has existing Client Certificates on devices.
 - Needs to protect Access applications with [Bring Your Own CA (BYOCA)](/ssl/client-certificates/byo-ca/).
@@ -19,7 +19,7 @@ Setting up [mTLS](/cloudflare-one/reusable-components/posture-checks/access-inte
 The CA certificate can be from a publicly trusted CA or self-signed.
-In case you want to [create your own CA](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#test-mtls-using-cloudflare-pki) from scratch, you can follow these example steps and adapt the information to your own needs:
+In case you want to [create your own CA](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#test-mtls-using-cloudflare-pki) from scratch, you can follow these example steps and adapt the information to your own needs:
 1. Create a JSON file called `ca-csr.json`:
@@ -64,7 +64,7 @@ In case you want to [create your own CA](/cloudflare-one/reusable-components/pos
 }
 ```
-3. Run the following [cfssl](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#test-mtls-using-cloudflare-pki) command to generate the CA certificate `ca.pem`:
+3. Run the following [cfssl](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#test-mtls-using-cloudflare-pki) command to generate the CA certificate `ca.pem`:
 ```txt
 cfssl gencert -initca ca-csr.json | cfssljson -bare ca
@@ -102,13 +102,13 @@ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=clie
 ## 3. Add mTLS CA certificate to Cloudflare Access
-Follow the steps outlined in the [developer documentation](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#add-mtls-authentication-to-your-access-configuration).
+Follow the steps outlined in the [developer documentation](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#add-mtls-authentication-to-your-access-configuration).
-Using the example from Step 2: upload the `ca.pem` to your Cloudflare Access account via the [dashboard](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#add-mtls-authentication-to-your-access-configuration) or [Cloudflare API](/api/resources/zero_trust/subresources/access/subresources/certificates/methods/create/).
+Using the example from Step 2: upload the `ca.pem` to your Cloudflare Access account via the [dashboard](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#add-mtls-authentication-to-your-access-configuration) or [Cloudflare API](/api/resources/zero_trust/subresources/access/subresources/certificates/methods/create/).
 Do not forget to enter the fully-qualified domain names (FQDN / associated hostnames) that will use this CA certificate.
-Customers can identify which client sends the Client Certificates by [forwarding client certificate headers](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#forward-a-client-certificate) to the origin server. Customers can then store and use the certificate information such as Common Name (CN), Serial number, and other fields along with the device number to perform additional checks or logics.
+Customers can identify which client sends the Client Certificates by [forwarding client certificate headers](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#forward-a-client-certificate) to the origin server. Customers can then store and use the certificate information such as Common Name (CN), Serial number, and other fields along with the device number to perform additional checks or logics.
 Additionally, authenticated requests also send the `Cf-Access-Jwt-Assertion\` JWT header to the origin server. To decode the header value, you can use [jwt.io](https://jwt.io/).
diff --git a/src/content/docs/ssl/client-certificates/byo-ca.mdx b/src/content/docs/ssl/client-certificates/byo-ca.mdx
index d0d129c3a39e2ec..cd46efc3ec1d305 100644
--- a/src/content/docs/ssl/client-certificates/byo-ca.mdx
+++ b/src/content/docs/ssl/client-certificates/byo-ca.mdx
@@ -19,7 +19,7 @@ Bring your own CA (BYOCA) is especially useful if you already have mTLS implemen
 - Currently, you can only manage your uploaded CA via API, and the hostname associations are **not** reflected on the [dashboard](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/client-certificates/).
 - This process is only available on Enterprise accounts.
-- Each Enterprise account can upload up to five CAs. This quota does not apply to CAs uploaded through [Cloudflare Access](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/).
+- Each Enterprise account can upload up to five CAs. This quota does not apply to CAs uploaded through [Cloudflare Access](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/).
 ## CA certificate requirements
diff --git a/src/content/docs/ssl/client-certificates/configure-your-mobile-app-or-iot-device.mdx b/src/content/docs/ssl/client-certificates/configure-your-mobile-app-or-iot-device.mdx
index bedbbe625bb031b..b44e9db6ff89b4b 100644
--- a/src/content/docs/ssl/client-certificates/configure-your-mobile-app-or-iot-device.mdx
+++ b/src/content/docs/ssl/client-certificates/configure-your-mobile-app-or-iot-device.mdx
@@ -15,7 +15,7 @@ This walkthrough uses the example of a device that captures temperature readings
 To keep this example simple, the API is implemented as a Cloudflare Worker (borrowing code from the [To-Do List tutorial on building a jamstack app](/workers/tutorials/build-a-jamstack-app/)).
-Temperatures are stored in [Workers KV](/kv/concepts/how-kv-works/) using the source IP address as a key, but you can easily use a [value from the client certificate](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/), such as the fingerprint.
+Temperatures are stored in [Workers KV](/kv/concepts/how-kv-works/) using the source IP address as a key, but you can easily use a [value from the client certificate](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/), such as the fingerprint.
 The example API code below saves a temperature and timestamp into KV when a POST is made and returns the most recent five temperatures when a GET request is made.
diff --git a/src/content/docs/ssl/client-certificates/index.mdx b/src/content/docs/ssl/client-certificates/index.mdx
index cc7ba53e144e697..f640a97241c2c77 100644
--- a/src/content/docs/ssl/client-certificates/index.mdx
+++ b/src/content/docs/ssl/client-certificates/index.mdx
@@ -38,7 +38,7 @@ The account-level CAs can be:
 As explained in the [mTLS learning path](/learning-paths/mtls/concepts/), there are different use cases and implementation options for mTLS. Consider the following links for specific guidance.
 - [Application security](/learning-paths/mtls/mtls-app-security/)
-- [mTLS for Zero Trust](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/) (Cloudflare Access integration)
+- [mTLS for Zero Trust](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) (Cloudflare Access integration)
 - [mTLS with API Shield](/api-shield/security/mtls/configure/)
 - [mTLS Workers binding](/workers/runtime-apis/bindings/mtls/)
diff --git a/src/content/docs/ssl/client-certificates/zero-trust-mtls.mdx b/src/content/docs/ssl/client-certificates/zero-trust-mtls.mdx
index 60fedb951f69188..a3b428c4af9b24d 100644
--- a/src/content/docs/ssl/client-certificates/zero-trust-mtls.mdx
+++ b/src/content/docs/ssl/client-certificates/zero-trust-mtls.mdx
@@ -1,7 +1,7 @@
 ---
 pcx_content_type: navigation
 title: mTLS for Zero Trust
-external_link: /cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/
+external_link: /cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/
 sidebar:
   order: 14
diff --git a/src/content/docs/ssl/troubleshooting/faq.mdx b/src/content/docs/ssl/troubleshooting/faq.mdx
index 646ac1f209aeb68..aad9954de13240c 100644
--- a/src/content/docs/ssl/troubleshooting/faq.mdx
+++ b/src/content/docs/ssl/troubleshooting/faq.mdx
@@ -121,7 +121,7 @@ If you are encountering issues with PayPal IPN when the traffic is proxied by Cl
 ## Does Cloudflare support TLS client authentication?
-Yes. For more details, refer to our documentation on [Mutual TLS authentication](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/).
+Yes. For more details, refer to our documentation on [Mutual TLS authentication](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/).
 ***
diff --git a/src/content/docs/support/third-party-software/content-management-system-cms/improving-web-security-for-content-management-systems-like-wordpress.mdx b/src/content/docs/support/third-party-software/content-management-system-cms/improving-web-security-for-content-management-systems-like-wordpress.mdx
index b377f403b06da08..d646ab5cb97d78a 100644
--- a/src/content/docs/support/third-party-software/content-management-system-cms/improving-web-security-for-content-management-systems-like-wordpress.mdx
+++ b/src/content/docs/support/third-party-software/content-management-system-cms/improving-web-security-for-content-management-systems-like-wordpress.mdx
@@ -96,7 +96,7 @@ While designed for authenticating appliances that cannot perform a login, you ca
 Do the following:
 1. [Create a client certificate](/ssl/client-certificates/create-a-client-certificate/) and save both the certificate and key to your device.
-2. Import the certificate to your computer’s key storage. With macOS Keychain, you can use the steps listed in [Test in the browser](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#test-in-the-browser).
+2. Import the certificate to your computer’s key storage. With macOS Keychain, you can use the steps listed in [Test in the browser](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#test-in-the-browser).
 3. [Enable mTLS](/ssl/client-certificates/enable-mtls/) by adding the correct host.
 4. In **SSL/TLS** > **Client Certificates**, select **Create mTLS Rule**.
 5. Under **When incoming requests match**, enter a value for thr **URI Path** field to narrow the rule scope to the admin section, otherwise you will block your visitors from accessing the public content.
diff --git a/src/content/notifications/index.yaml b/src/content/notifications/index.yaml
index bd8dfa898d3626a..4702b9335464557 100644
--- a/src/content/notifications/index.yaml
+++ b/src/content/notifications/index.yaml
@@ -342,9 +342,9 @@ entries:
 - name: Access mTLS Certificate Expiration Alert
   audience: "[Access](/cloudflare-one/access-controls/policies/) customers that use client certificates for mutual TLS authentication. This notification will be sent 30 and 14 days before the expiration of the certificate."
-  availability: Purchase of [Access](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/) and/or [Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/).
+  availability: Purchase of [Access](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) and/or [Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/).
   associatedProducts: SSL/TLS
-  nextSteps: Upload a [renewed certificate](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#add-mtls-authentication-to-your-access-configuration).
+  nextSteps: Upload a [renewed certificate](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#add-mtls-authentication-to-your-access-configuration).
   otherFilters: None.
 - name: Advanced Certificate Alert
diff --git a/src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx b/src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx
index 2143a906756220d..4a4807cca9af60b 100644
--- a/src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx
+++ b/src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx
@@ -23,7 +23,7 @@ To check for an mTLS certificate:
 | ------ | --------- | ----------- | -------------------- |
 | Allow | Require | Common Name | `` |
-7. On your device, add the client certificate to the [system keychain](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#test-in-the-browser).
+7. On your device, add the client certificate to the [system keychain](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#test-in-the-browser).
@@ -79,6 +79,6 @@ To check for an mTLS certificate:
 4. Add the policy to your [`cloudflared_zero_trust_access_application` for WARP](/cloudflare-one/team-and-resources/devices/warp/deployment/device-enrollment/#set-device-enrollment-permissions).
-5. On your device, add the client certificate to the [system keychain](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#test-in-the-browser).
+5. On your device, add the client certificate to the [system keychain](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#test-in-the-browser).
\ No newline at end of file
diff --git a/src/content/partials/fundamentals/account-permissions-table.mdx b/src/content/partials/fundamentals/account-permissions-table.mdx
index d8668245f32377a..7bc93229cbfd242 100644
--- a/src/content/partials/fundamentals/account-permissions-table.mdx
+++ b/src/content/partials/fundamentals/account-permissions-table.mdx
@@ -16,8 +16,8 @@ import { Markdown } from "~/components";
 | Access: Custom Pages {props.editWord} | Grants write access to [Cloudflare Access custom block pages](/cloudflare-one/reusable-components/custom-pages/access-block-page/). |
 | Access: Device Posture Read | Grants read access to [Cloudflare Access device posture](/cloudflare-one/reusable-components/posture-checks/). |
 | Access: Device Posture {props.editWord} | Grants write access to [Cloudflare Access device posture](/cloudflare-one/reusable-components/posture-checks/). |
-| Access: Mutual TLS Certificates Read | Grants read access to [Cloudflare Access mTLS certificates](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/). |
-| Access: Mutual TLS Certificates {props.editWord} | Grants write access to [Cloudflare Access mTLS certificates](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/). |
+| Access: Mutual TLS Certificates Read | Grants read access to [Cloudflare Access mTLS certificates](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/). |
+| Access: Mutual TLS Certificates {props.editWord} | Grants write access to [Cloudflare Access mTLS certificates](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/). |
 | Access: Organizations, Identity Providers, and Groups Read | Grants read access to [Cloudflare Access account resources](/cloudflare-one/integrations/identity-providers/). |
 | Access: Organizations, Identity Providers, and Groups Revoke | Grants ability to revoke user sessions to [Cloudflare Access account resources](/cloudflare-one/integrations/identity-providers/). |
 | Access: Organizations, Identity Providers, and Groups {props.editWord} | Grants write access to [Cloudflare Access account resources](/cloudflare-one/integrations/identity-providers/). |
diff --git a/src/content/partials/learning-paths/zero-trust/device-enrollment-permissions.mdx b/src/content/partials/learning-paths/zero-trust/device-enrollment-permissions.mdx
index 8af7b928af61585..70b2a742d49c407 100644
--- a/src/content/partials/learning-paths/zero-trust/device-enrollment-permissions.mdx
+++ b/src/content/partials/learning-paths/zero-trust/device-enrollment-permissions.mdx
@@ -13,7 +13,7 @@ Device enrollment permissions determine which users can connect new devices to y
 ## Only allow corporate devices
-Device posture evaluation happens after a device has already enrolled in your Zero Trust organization. If you want only specific devices to be able to enroll, we recommend adding a [mutual TLS authentication](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/) rule to your device enrollment policy. This rule will check for the presence of a specific client certificate on the enrolling devices.
+Device posture evaluation happens after a device has already enrolled in your Zero Trust organization. If you want only specific devices to be able to enroll, we recommend adding a [mutual TLS authentication](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) rule to your device enrollment policy. This rule will check for the presence of a specific client certificate on the enrolling devices.
 :::note

From cabb31dfd2b012a81d58bb1c9ebf2c2b3c8a3203 Mon Sep 17 00:00:00 2001
From: Ranbel Sun
Date: Tue, 28 Oct 2025 14:40:37 -0400
Subject: [PATCH 03/11] move tanium

---
 public/__redirects | 1 +
 .../{access-integrations/index.mdx => access-integrations.mdx} | 2 +-
 .../cloudflare-one/reusable-components/posture-checks/index.mdx | 2 +-
 .../{access-integrations => warp-client-checks}/tanium.mdx | 2 +-
 src/content/docs/reference-architecture/architectures/sase.mdx | 2 +-
 5 files changed, 5 insertions(+), 4 deletions(-)
 rename src/content/docs/cloudflare-one/reusable-components/posture-checks/{access-integrations/index.mdx => access-integrations.mdx} (81%)
 rename src/content/docs/cloudflare-one/reusable-components/posture-checks/{access-integrations => warp-client-checks}/tanium.mdx (99%)

diff --git a/public/__redirects b/public/__redirects
index 18b0501b3cb9856..1563cd307aa7361 100644
--- a/public/__redirects
+++ b/public/__redirects
@@ -2403,6 +2403,7 @@
 /cloudflare-one/applications/configure-apps/mcp-servers/mcp-portals/ /cloudflare-one/access-controls/ai-controls/mcp-portals/ 301
 /cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/ /cloudflare-one/access-controls/ai-controls/saas-mcp/ 031
 /cloudflare-one/applications/configure-apps/mcp-servers/linked-apps/ /cloudflare-one/access-controls/ai-controls/linked-apps/ 301
+/cloudflare-one/identity/devices/access-integrations/tanium/ /cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium/ 301
 /cloudflare-one/connections/connect-devices/* /cloudflare-one/team-and-resources/devices/:splat 301
 /cloudflare-one/connections/connect-networks/* /cloudflare-one/networks/connectors/cloudflare-tunnel/:splat 301
 /cloudflare-one/policies/gateway/* /cloudflare-one/traffic-policies/:splat 301
diff --git a/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations/index.mdx b/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations.mdx similarity index 81% rename from src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations/index.mdx rename to src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations.mdx index 532cc36b08704c2..0e208bca01d4314 100644 --- a/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations/index.mdx +++ b/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations.mdx @@ -11,4 +11,4 @@ These device posture checks can only be enforced for Cloudflare Access applicati | ----------------------------------------------------------------------------------------------- | ----- | ------- | ----- | --- | ---------------- | ---------------------------------------------------------------------------------------- | | [Microsoft Entra ID Conditional Access](/cloudflare-one/tutorials/entra-id-conditional-access/) | ✅ | ✅ | ❌ | ❌ | ❌ | WARP not required | | [Mutual TLS](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) | ✅ | ✅ | ✅ | ✅ | ✅ | WARP not required | -| [Tanium](/cloudflare-one/reusable-components/posture-checks/access-integrations/tanium/) | ✅ | ✅ | ✅ | ❌ | ❌ | Gateway with WARP, Secure Web Gateway without DNS filtering, or Device Information Only | +| [Tanium](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium/) | ✅ | ✅ | ✅ | ❌ | ❌ | Gateway with WARP, Secure Web Gateway without DNS filtering, or Device Information Only | diff --git a/src/content/docs/cloudflare-one/reusable-components/posture-checks/index.mdx b/src/content/docs/cloudflare-one/reusable-components/posture-checks/index.mdx index 640eb99e6d95a17..f992cb36cb0aad5 100644 
--- a/src/content/docs/cloudflare-one/reusable-components/posture-checks/index.mdx +++ b/src/content/docs/cloudflare-one/reusable-components/posture-checks/index.mdx @@ -32,7 +32,7 @@ You can now use your device posture check in an [Access policy](/cloudflare-one/ :::caution[Gateway policy limitation] -Gateway does not support device posture checks for the [Tanium Access integration](/cloudflare-one/reusable-components/posture-checks/access-integrations/tanium/). +Gateway does not support device posture checks for the [Tanium Access integration](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium/). ::: ## 4. Ensure traffic is going through WARP diff --git a/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations/tanium.mdx b/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium.mdx similarity index 99% rename from src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations/tanium.mdx rename to src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium.mdx index 7c65bde92f2cf5e..0733cf564e39acb 100644 --- a/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations/tanium.mdx +++ b/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium.mdx @@ -2,7 +2,7 @@ pcx_content_type: how-to title: Tanium (legacy) sidebar: - order: 4 + order: 12 head: - tag: title content: Integrate Tanium with Access diff --git a/src/content/docs/reference-architecture/architectures/sase.mdx b/src/content/docs/reference-architecture/architectures/sase.mdx index b9d1a1c371aa7b2..21a2746c223f76e 100644 --- a/src/content/docs/reference-architecture/architectures/sase.mdx +++ b/src/content/docs/reference-architecture/architectures/sase.mdx 
@@ -499,7 +499,7 @@ The following built-in posture checks are available:
 - [Unique Client ID](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/device-uuid/): When using an MDM too, organizations can assign a verifiable UUID to a mobile, desktop, or laptop device
 - [Device serial number](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/corp-device/): Checks to see if the device serial matches a list of company desktop/laptop computers
-Cloudflare One can also integrate with any deployed endpoint security solution, such as [Microsoft Endpoint Manager](/cloudflare-one/integrations/service-providers/microsoft/), [Tanium](/cloudflare-one/reusable-components/posture-checks/access-integrations/tanium/), [Carbon Black](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/carbon-black/), [CrowdStrike](/cloudflare-one/integrations/service-providers/crowdstrike/), [SentinelOne](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/sentinel-one/), and more. Any data from those products can be passed to Cloudflare for use in access decisions.
+Cloudflare One can also integrate with any deployed endpoint security solution, such as [Microsoft Endpoint Manager](/cloudflare-one/integrations/service-providers/microsoft/), [Tanium](/cloudflare-one/integrations/service-providers//tanium/), [Carbon Black](/cloudflare-one/integrations/service-providers//carbon-black/), [CrowdStrike](/cloudflare-one/integrations/service-providers/crowdstrike/), [SentinelOne](/cloudflare-one/integrations/service-providers/sentinelone/), and more. Any data from those products can be passed to Cloudflare for use in access decisions.
 All of the above device information, combined with data on the user identity and also the network the device is on, is available in Cloudflare to be used as part of the company policy.
For example, organizations could choose to only allow administrators to SSH into servers when all of the following conditions are met: their device is free from threats, running the latest operating system, and joined to the company domain. From 2bf9fbc8b8574192fcfb21955fb7b47a62c8986a Mon Sep 17 00:00:00 2001 
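Review bot: The new Tanium and Carbon Black links in the replaced paragraph contain a doubled slash, `/cloudflare-one/integrations/service-providers//tanium/` and `/cloudflare-one/integrations/service-providers//carbon-black/`, which will not resolve like the single-slash form does; I would change them to `/cloudflare-one/integrations/service-providers/tanium/` and `/cloudflare-one/integrations/service-providers/carbon-black/`. This hunk also sends Tanium to an `integrations/service-providers` page, whereas the other hunks in this patch (the redirect, access-integrations.mdx and posture-checks/index.mdx) all point Tanium at `/cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium/`; if no service-providers page for Tanium exists, the warp-client-checks path is the one this patch actually establishes. The `sentinelone` segment in the new SentinelOne link also differs from the `sentinel-one` spelling in the removed line, so that target is worth confirming before merge.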
From: Ranbel Sun Date: Tue, 28 Oct 2025 14:45:35 -0400 Subject: [PATCH 04/11] gateway block page --- public/__redirects | 1 + .../2025-04-11-http-redirect-custom-block-page-redirect.mdx | 2 +- .../custom-pages/gateway-block-page.mdx} | 0 .../devices/agentless/dns/dns-over-https.mdx | 2 +- .../devices/user-side-certificates/automated-deployment.mdx | 2 +- .../devices/user-side-certificates/custom-certificate.mdx | 2 +- .../warp/configure-warp/route-traffic/split-tunnels.mdx | 2 +- .../cloudflare-one/traffic-policies/dns-policies/index.mdx | 2 +- .../traffic-policies/dns-policies/test-dns-filtering.mdx | 4 ++-- .../cloudflare-one/traffic-policies/http-policies/index.mdx | 4 ++-- .../cloudflare-one/traffic-policies/initial-setup/dns.mdx | 2 +- .../cloudflare-one/traffic-policies/initial-setup/network.mdx | 2 +- .../traffic-policies/managed-service-providers.mdx | 2 +- .../cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx | 2 +- .../build-security-policies/set-policy-approval.mdx | 2 +- .../learning-paths/replace-vpn/build-policies/block-page.mdx | 2 +- .../build-dns-policies/test-policy.mdx | 2 +- .../diagrams/sase/gateway-dns-for-isp.mdx | 2 +- .../diagrams/sase/gateway-for-protective-dns.mdx | 2 +- .../diagrams/security/securing-data-in-transit.mdx | 2 +- src/content/partials/cloudflare-one/access/block-page.mdx | 2 +- .../partials/cloudflare-one/gateway/add-block-page.mdx | 2 +- .../partials/cloudflare-one/gateway/client-notifications.mdx | 2 +- .../partials/cloudflare-one/gateway/customize-block-page.mdx | 4 ++-- .../partials/learning-paths/zero-trust/device-profiles.mdx | 2 +- 25 files changed, 27 insertions(+), 26 deletions(-) rename src/content/docs/cloudflare-one/{traffic-policies/block-page.mdx => reusable-components/custom-pages/gateway-block-page.mdx} (100%) diff --git a/public/__redirects b/public/__redirects index 1563cd307aa7361..db30468978030de 100644 --- a/public/__redirects +++ b/public/__redirects 
@@ -2389,6 +2389,7 @@
 /cloudflare-one/identity/users/scim/ /cloudflare-one/team-and-resources/users/scim/ 301
 /cloudflare-one/applications/login-page/ /cloudflare-one/reusable-components/custom-pages/access-login-page/ 301
 /cloudflare-one/applications/block-page/ /cloudflare-one/reusable-components/custom-pages/access-block-page/ 301
+/cloudflare-one/policies/gateway/block-page/ /cloudflare-one/reusable-components/custom-pages/gateway-block-page/ 301
 /cloudflare-one/applications/app-library/ /cloudflare-one/team-and-resources/app-library/ 301
 /cloudflare-one/applications/bookmarks/ /cloudflare-one/access-controls/applications/bookmarks/ 301
 /cloudflare-one/applications/app-launcher/ /cloudflare-one/access-controls/access-settings/app-launcher/ 301
diff --git a/src/content/changelog/gateway/2025-04-11-http-redirect-custom-block-page-redirect.mdx b/src/content/changelog/gateway/2025-04-11-http-redirect-custom-block-page-redirect.mdx
index ee71b61be933e58..9d9139522e99533 100644
--- a/src/content/changelog/gateway/2025-04-11-http-redirect-custom-block-page-redirect.mdx
+++ b/src/content/changelog/gateway/2025-04-11-http-redirect-custom-block-page-redirect.mdx
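Review bot: The only redirect added for the block-page move is for `/cloudflare-one/policies/gateway/block-page/`, but this patch renames the page from `traffic-policies/block-page.mdx`, so the URL it was published at until now, `/cloudflare-one/traffic-policies/block-page/`, gets no entry and will stop resolving unless a broader rule elsewhere in the file covers it. I would add `/cloudflare-one/traffic-policies/block-page/ /cloudflare-one/reusable-components/custom-pages/gateway-block-page/ 301` alongside the new line. Note also that the existing wildcard `/cloudflare-one/policies/gateway/* /cloudflare-one/traffic-policies/:splat 301` further down the file rewrites the same legacy prefix to the now-removed location; whether the new specific rule or that wildcard wins for this URL depends on the redirect engine's precedence rules, so it is worth verifying with a request after deploy rather than assuming file order decides.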
@@ -12,4 +12,4 @@ You can now use more flexible redirect capabilities in Cloudflare One with Gatew - A new **Redirect** action is available in the HTTP policy builder, allowing admins to redirect users to any URL when their request matches a policy. You can choose to preserve the original URL and query string, and optionally include policy context via query parameters. - For **Block** actions, admins can now configure a custom URL to display when access is denied. This block page redirect is set at the account level and can be overridden in DNS or HTTP policies. Policy context can also be passed along in the URL. -Learn more in our documentation for [HTTP Redirect](/cloudflare-one/traffic-policies/http-policies/#redirect) and [Block page redirect](/cloudflare-one/traffic-policies/block-page/#redirect-to-a-block-page). +Learn more in our documentation for [HTTP Redirect](/cloudflare-one/traffic-policies/http-policies/#redirect) and [Block page redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page). diff --git a/src/content/docs/cloudflare-one/traffic-policies/block-page.mdx b/src/content/docs/cloudflare-one/reusable-components/custom-pages/gateway-block-page.mdx similarity index 100% rename from src/content/docs/cloudflare-one/traffic-policies/block-page.mdx rename to src/content/docs/cloudflare-one/reusable-components/custom-pages/gateway-block-page.mdx diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/dns/dns-over-https.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/dns/dns-over-https.mdx index b319a09eb1c4a07..6eda7d53be28dc2 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/dns/dns-over-https.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/dns/dns-over-https.mdx 
@@ -275,7 +275,7 @@ curl --silent "https://.cloudflare-gateway.com/dns-query?name=exampl --header "CF-Authorization: " | jq ``` -If the site is blocked and you have turned on the [block page](/cloudflare-one/traffic-policies/block-page/#configure-policy-block-behavior) for the policy, the query will return `162.159.36.12` (the IP address of the Gateway block page). If the block page is disabled, the response will be `0.0.0.0`. +If the site is blocked and you have turned on the [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#configure-policy-block-behavior) for the policy, the query will return `162.159.36.12` (the IP address of the Gateway block page). If the block page is disabled, the response will be `0.0.0.0`.
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx index 58628965dc645a6..c16bcbaeffc4424 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx @@ -29,7 +29,7 @@ import { Details, Render } from "~/components"; The [WARP client](/cloudflare-one/team-and-resources/devices/warp/) can automatically install a Cloudflare certificate or [custom root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/) on Windows, macOS, and Debian/Ubuntu Linux devices. On mobile devices and Red Hat-based systems, you will need to [install the certificate manually](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/). -The certificate is required if you want to [apply HTTP policies to encrypted websites](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), display custom [block pages](/cloudflare-one/traffic-policies/block-page/), and more. +The certificate is required if you want to [apply HTTP policies to encrypted websites](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), display custom [block pages](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/), and more. ## Install a certificate using WARP diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate.mdx index 8baa0be47e604ea..dff6abdbbf38b49 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate.mdx 
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate.mdx @@ -14,7 +14,7 @@ import { Render, Tabs, TabItem, APIRequest } from "~/components"; Only available on Enterprise plans. ::: -Enterprise customers who do not wish to install a [Cloudflare certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/) have the option to upload their own root certificate to Cloudflare. This feature is sometimes referred to as Bring Your Own Public Key Infrastructure (BYOPKI). Gateway will use your uploaded certificate to encrypt all sessions between the end user and Gateway, enabling all HTTPS inspection features that previously required a Cloudflare certificate. You can upload multiple certificates to your account, but only one can be active at any given time. You also need to upload a private key to intercept domains with JIT certificates and to enable the [block page](/cloudflare-one/traffic-policies/block-page/). +Enterprise customers who do not wish to install a [Cloudflare certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/) have the option to upload their own root certificate to Cloudflare. This feature is sometimes referred to as Bring Your Own Public Key Infrastructure (BYOPKI). Gateway will use your uploaded certificate to encrypt all sessions between the end user and Gateway, enabling all HTTPS inspection features that previously required a Cloudflare certificate. You can upload multiple certificates to your account, but only one can be active at any given time. You also need to upload a private key to intercept domains with JIT certificates and to enable the [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/). You can upload up to five custom root certificates. If your organization requires more than five certificates, contact your account team. 
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels.mdx index 3e6f91d9a6aafce..dc11aae1804fa4b 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels.mdx @@ -49,7 +49,7 @@ If you are using Split Tunnels in Include mode, you must include the following d #### Block page -If you are using Split Tunnels in Include mode and have [DNS policies](/cloudflare-one/traffic-policies/dns-policies/) with the [block page](/cloudflare-one/traffic-policies/block-page/) enabled, you must include the IPs that blocked domains will resolve to. Unless you are using a [dedicated or BYOIP resolver IP](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips/#dns-resolver-ip) the block page will resolve to: +If you are using Split Tunnels in Include mode and have [DNS policies](/cloudflare-one/traffic-policies/dns-policies/) with the [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) enabled, you must include the IPs that blocked domains will resolve to. Unless you are using a [dedicated or BYOIP resolver IP](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips/#dns-resolver-ip) the block page will resolve to: - `162.159.36.12` - `162.159.46.12` diff --git a/src/content/docs/cloudflare-one/traffic-policies/dns-policies/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/dns-policies/index.mdx index fd08902c6afd163..81970e110aa0bfd 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/dns-policies/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/dns-policies/index.mdx 
@@ -141,7 +141,7 @@ Policies with Block actions block DNS queries to reach destinations you specify #### Custom block page -When choosing the Block action, turn on **Modify Gateway block behavior** to respond to queries with a block page to display to users who go to blocked websites. Optionally, you can override your global block page setting with a URL redirect for the specific DNS policy. For more information, refer to [Block page](/cloudflare-one/traffic-policies/block-page/). +When choosing the Block action, turn on **Modify Gateway block behavior** to respond to queries with a block page to display to users who go to blocked websites. Optionally, you can override your global block page setting with a URL redirect for the specific DNS policy. For more information, refer to [Block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/). If the block page is turned off for a policy, Gateway will respond to queries blocked at the DNS level with an `A` record of `0.0.0.0` for IPv4 destinations, or with an `AAAA` record of `::` for IPv6 destinations. The browser will display its default connection error page. diff --git a/src/content/docs/cloudflare-one/traffic-policies/dns-policies/test-dns-filtering.mdx b/src/content/docs/cloudflare-one/traffic-policies/dns-policies/test-dns-filtering.mdx index b62ffb8481dd6c0..bfe160cfdd81fd2 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/dns-policies/test-dns-filtering.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/dns-policies/test-dns-filtering.mdx 
@@ -23,7 +23,7 @@ For example, if you created a policy to block `example.com`, you can do the foll 2. Type `dig example.com` (`nslookup example.com` if you are using Windows) and press **Enter**. -3. If the [block page](/cloudflare-one/traffic-policies/block-page/) is turned off for the policy, you should see `REFUSED` in the answer section: +3. If the [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) is turned off for the policy, you should see `REFUSED` in the answer section: ```sh dig example.com @@ -46,7 +46,7 @@ For example, if you created a policy to block `example.com`, you can do the foll ;; MSG SIZE rcvd: 29 ``` - If the [block page](/cloudflare-one/traffic-policies/block-page/) is enabled for the policy, you should see `NOERROR` in the answer section with `162.159.36.12` and `162.159.46.12` as the answers: + If the [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) is enabled for the policy, you should see `NOERROR` in the answer section with `162.159.36.12` and `162.159.46.12` as the answers: ```sh null dig example.com diff --git a/src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx index 74c36d5d291d5ec..f53271d9c3af8a2 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx 
@@ -56,7 +56,7 @@ The **Untrusted certificate action** determines how to handle insecure requests. | Option | Action | | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Error | Display Gateway error page. Matches the default behavior when no action is configured. | -| Block | Display [block page](/cloudflare-one/traffic-policies/block-page/) as set in Zero Trust. | +| Block | Display [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) as set in Zero Trust. | | Pass through | Bypass insecure connection warnings and seamlessly connect to the upstream. For more information on what statuses are bypassed, refer to the [troubleshooting FAQ](/cloudflare-one/faq/troubleshooting/#i-see-error-526-when-browsing-to-a-website). | ### Block @@ -130,7 +130,7 @@ API value: `redirect` The Redirect action allows you to redirect matched HTTP requests to a different URL you specify. For example, if your users browse to the public web page of a SaaS app, you can redirect them to your own self-hosted instance, a single sign-on page, or an internal policy page. -To redirect URLs with a Block action and the block page, refer to [Redirect to a block page](/cloudflare-one/traffic-policies/block-page/#redirect-to-a-block-page). +To redirect URLs with a Block action and the block page, refer to [Redirect to a block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page). #### Policy settings diff --git a/src/content/docs/cloudflare-one/traffic-policies/initial-setup/dns.mdx b/src/content/docs/cloudflare-one/traffic-policies/initial-setup/dns.mdx index 68a829c3cd51a28..dfed0180c7ff166 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/initial-setup/dns.mdx 
+++ b/src/content/docs/cloudflare-one/traffic-policies/initial-setup/dns.mdx @@ -33,7 +33,7 @@ To filter DNS requests from an individual device such as a laptop or phone: 1. [Install the WARP client](/cloudflare-one/team-and-resources/devices/warp/deployment/) on your device. 2. In the WARP client Settings, log in to your organization's Zero Trust instance. -3. (Optional) If you want to display a [custom block page](/cloudflare-one/traffic-policies/block-page/), [install a Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device. +3. (Optional) If you want to display a [custom block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/), [install a Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device. ### Connect DNS locations diff --git a/src/content/docs/cloudflare-one/traffic-policies/initial-setup/network.mdx b/src/content/docs/cloudflare-one/traffic-policies/initial-setup/network.mdx index b610c926aaf090c..5af81f5d100cce4 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/initial-setup/network.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/initial-setup/network.mdx 
@@ -24,7 +24,7 @@ To filter network traffic from a device such as a laptop or phone: 1. [Install the WARP client](/cloudflare-one/team-and-resources/devices/warp/deployment/) on your device. 2. In the WARP client Settings, log in to your organization's Cloudflare One instance. -3. (Optional) If you want to display a [custom block page](/cloudflare-one/traffic-policies/block-page/), [install the Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device . +3. (Optional) If you want to display a [custom block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/), [install the Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on your device . 4. [Enable the Gateway proxy](/cloudflare-one/traffic-policies/proxy/#turn-on-the-gateway-proxy) for TCP. Optionally, you can enable the UDP proxy to inspect all port 443 UDP traffic. ### Connect private networks diff --git a/src/content/docs/cloudflare-one/traffic-policies/managed-service-providers.mdx b/src/content/docs/cloudflare-one/traffic-policies/managed-service-providers.mdx index 9c139e3d78d06fc..0f7132cbe6f3245 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/managed-service-providers.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/managed-service-providers.mdx 
@@ -27,7 +27,7 @@ The Gateway Tenant platform supports tiered and siloed account configurations. In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can override or add policies as needed while still being managed by the parent account. MSPs can also configure child accounts independently from the parent account, including: -- Configuring a [custom block page](/cloudflare-one/traffic-policies/block-page/) +- Configuring a [custom block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) - Generating or uploading [root certificates](/cloudflare-one/team-and-resources/devices/user-side-certificates/) - Mapping [DNS locations](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/) - Creating [lists](/cloudflare-one/reusable-components/lists/) diff --git a/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx b/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx index 92b9af68eea61e4..e3f995b0003c89a 100644 --- a/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx +++ b/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx 
@@ -433,7 +433,7 @@ You can now block access to all unauthorized public AI agents with a Gateway [HT This ensures that public AI agents are not accessible using a managed endpoint. -Alternatively, you can prevent users from using public AI agents by displaying a [custom block message](/cloudflare-one/traffic-policies/block-page/#customize-the-block-page), [redirect](/cloudflare-one/traffic-policies/block-page/#redirect-to-a-block-page), or a [user notification](/cloudflare-one/traffic-policies/http-policies/#warp-client-block-notifications) directing users to the AI agent wrapper. +Alternatively, you can prevent users from using public AI agents by displaying a [custom block message](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#customize-the-block-page), [redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page), or a [user notification](/cloudflare-one/traffic-policies/http-policies/#warp-client-block-notifications) directing users to the AI agent wrapper. ## 6. Enforce Data Loss Prevention and Clientless Browser Isolation diff --git a/src/content/docs/learning-paths/holistic-ai-security/build-security-policies/set-policy-approval.mdx b/src/content/docs/learning-paths/holistic-ai-security/build-security-policies/set-policy-approval.mdx index 5595d8b1bb78ab4..1171209e7e8d50f 100644 --- a/src/content/docs/learning-paths/holistic-ai-security/build-security-policies/set-policy-approval.mdx +++ b/src/content/docs/learning-paths/holistic-ai-security/build-security-policies/set-policy-approval.mdx 
@@ -53,7 +53,7 @@ Cloudflare Workers are an easy method to stand up custom user coaching pages. Th 2. Enter the URL to the approved application you want to redirect the user to use instead. 7. Select **Create policy**. -For more information, refer to [Configure policy block behavior](/cloudflare-one/traffic-policies/block-page/#configure-policy-block-behavior). +For more information, refer to [Configure policy block behavior](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#configure-policy-block-behavior). ## Capture prompts to prevent data loss diff --git a/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx b/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx index 67fca6d9e7d7318..90fe0b45b0e7412 100644 --- a/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx +++ b/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx @@ -55,7 +55,7 @@ For DNS policies, you will need to enable the block page on a per-policy basis. 2. Choose a DNS policy with a Block action. -3. In the policy's [`rule_settings`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_gateway_policy), turn on `block_page_enabled`. If you have configured a [custom Gateway block page](/cloudflare-one/traffic-policies/block-page/#customize-the-block-page), you can optionally show an additional `block_reason` when traffic is blocked by this policy. +3. In the policy's [`rule_settings`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_gateway_policy), turn on `block_page_enabled`. If you have configured a [custom Gateway block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#customize-the-block-page), you can optionally show an additional `block_reason` when traffic is blocked by this policy. ```tf resource "cloudflare_zero_trust_gateway_policy" "dns_block_security_categories" { 
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx index f2308b1f1e8393d..d8afa961d7c44c5 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx @@ -21,7 +21,7 @@ It is common for a misconfigured Gateway policy to accidentally block traffic to :::note -[Custom block pages](/cloudflare-one/traffic-policies/block-page/) require you to install a root certificate on the device. +[Custom block pages](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) require you to install a root certificate on the device. ::: diff --git a/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx b/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx index 5ea337268b54298..4e9d0c83f0fcb19 100644 --- a/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx +++ b/src/content/docs/reference-architecture/diagrams/sase/gateway-dns-for-isp.mdx 
@@ -34,7 +34,7 @@ To distinguish queries originating from the service provider from those coming f If stable and defined source IPv4 addresses cannot be assigned to the on-premises DNS servers, service providers can instead use unique destination location endpoints. Each location is assigned a distinct [DoT](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips/#dns-over-tls-dot) and [DoH](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips/#dns-over-https-doh) hostname, as well as a unique [destination IPv6 address](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips/#ipv4ipv6-address). Additionally, Cloudflare can provide unique [destination IPv4 addresses upon request](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips/#dns-resolver-ip). ::: -DNS filtering is then enforced through DNS policies set up by the service provider to detect domains linked to [security risks](/cloudflare-one/traffic-policies/domain-categories/#security-categories). Cloudflare continuously updates the list of risky domains using [its extensive threat intelligence](https://www.cloudflare.com/en-gb/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/traffic-policies/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/traffic-policies/block-page/). Alternatively, an `[Override](/cloudflare-one/traffic-policies/dns-policies/#override)` action or [block page URL redirect](/cloudflare-one/traffic-policies/block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the service provider. 
+DNS filtering is then enforced through DNS policies set up by the service provider to detect domains linked to [security risks](/cloudflare-one/traffic-policies/domain-categories/#security-categories). Cloudflare continuously updates the list of risky domains using [its extensive threat intelligence](https://www.cloudflare.com/en-gb/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/traffic-policies/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/). Alternatively, an `[Override](/cloudflare-one/traffic-policies/dns-policies/#override)` action or [block page URL redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the service provider. ![Figure 2: A DNS policy to prevent users from navigating to malicious domains. The action is to override and redirect the DNS query to a block page hosted by the service provider.](~/assets/images/reference-architecture/gateway-dns-for-isp/gateway-dns-for-isp-image-02.svg) diff --git a/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx b/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx index a1c6f192e6e9d12..3bdda7735ea827d 100644 --- a/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx +++ b/src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx 
@@ -30,7 +30,7 @@ IT administrators forward public DNS requests to Cloudflare where they are filte To distinguish queries originating from the government departments and agencies they are responsible for, admins configure a location in the Cloudflare dashboard. When a DNS location is created, Gateway assigns IPv4/IPv6 addresses and DNS over TLS/HTTPS (DoT/DoH) hostnames for that location. These IP addresses and hostnames are then used by the admins to send DNS queries for resolution. In turn, the administrator configures the location object with the public IP addresses of their on-premises DNS servers, allowing Cloudflare to accurately associate queries with the corresponding location. -DNS filtering is then enforced through policies set up by the administrator to detect domains linked to [security risks](/cloudflare-one/traffic-policies/domain-categories/#security-categories). Cloudflare continuously updates the list of high risk domains using [its extensive threat intelligence](https://www.cloudflare.com/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/traffic-policies/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/traffic-policies/block-page/). Alternatively, an [Override](/cloudflare-one/traffic-policies/dns-policies/#override) action or [block page URL redirect](/cloudflare-one/traffic-policies/block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the government agency. +DNS filtering is then enforced through policies set up by the administrator to detect domains linked to [security risks](/cloudflare-one/traffic-policies/domain-categories/#security-categories). 
Cloudflare continuously updates the list of high risk domains using [its extensive threat intelligence](https://www.cloudflare.com/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/traffic-policies/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/). Alternatively, an [Override](/cloudflare-one/traffic-policies/dns-policies/#override) action or [block page URL redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page) can redirect the DNS query to a block page hosted by the government agency. Cloudflare's own threat intelligence can be seamlessly integrated with threat intelligence data provided by the agency or third-party sources. In this setup, the agency or the third-party entity acts as a [threat feed provider](/security-center/indicator-feeds/) to Cloudflare. This enables IT admins to create DNS policies that combine Cloudflare's security risk categories with the data sourced by the agency, for a unified and enhanced security posture (see diagram below). Additionally, [publicly available custom indicator feeds](/security-center/indicator-feeds/#publicly-available-feeds) can be accessed by eligible public and private sector organizations without the need to establish a provider relationship, further expanding security capabilities. diff --git a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx index 918fcc40a222067..87722850992ba1f 100644 --- a/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx 
+++ b/src/content/docs/reference-architecture/diagrams/security/securing-data-in-transit.mdx @@ -62,7 +62,7 @@ The following diagram shows a common flow for how Cloudflare inspects a request 1. User attempts to upload a file to a SaaS application (via a secure tunnel to Cloudflare created by our [device agent](/cloudflare-one/team-and-resources/devices/warp/download-warp/)). [Clientless](/cloudflare-one/team-and-resources/devices/agentless/) options are supported as well. 2. Cloudflare's [Secure Web Gateway](/cloudflare-one/traffic-policies/) (SWG) will first verify that the user is permitted to use the requested SaaS application, and then scrutinize the file's payload for [malicious code](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/) and [sensitive data](/cloudflare-one/data-loss-prevention/). 3. The DLP profile determines the file contains national identifiers like US Social Security Numbers (SSN). -4. The Gateway policy is configured with a [Block action](/cloudflare-one/traffic-policies/http-policies/#block), so the attempt is [logged](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules) and a [block page](/cloudflare-one/traffic-policies/block-page/) returned to the end user's web browser. +4. The Gateway policy is configured with a [Block action](/cloudflare-one/traffic-policies/http-policies/#block), so the attempt is [logged](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules) and a [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) returned to the end user's web browser. ## Related resources diff --git a/src/content/partials/cloudflare-one/access/block-page.mdx b/src/content/partials/cloudflare-one/access/block-page.mdx index d5da105a4f66033..94b43c3367b9ed5 100644 --- a/src/content/partials/cloudflare-one/access/block-page.mdx +++ b/src/content/partials/cloudflare-one/access/block-page.mdx 
@@ -5,7 +5,7 @@ You can customize the block page that displays when users fail to authenticate to an Access application. Each application can have a different block page. :::note[Gateway block page] -To customize the page that users see when they are blocked by a Gateway firewall policy, refer to [Gateway block page](/cloudflare-one/traffic-policies/block-page/). +To customize the page that users see when they are blocked by a Gateway firewall policy, refer to [Gateway block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/). ::: ## Types of block pages diff --git a/src/content/partials/cloudflare-one/gateway/add-block-page.mdx b/src/content/partials/cloudflare-one/gateway/add-block-page.mdx index ab243e83db993f6..c46e948134e5405 100644 --- a/src/content/partials/cloudflare-one/gateway/add-block-page.mdx +++ b/src/content/partials/cloudflare-one/gateway/add-block-page.mdx 
@@ -10,7 +10,7 @@ import { Markdown } from "~/components"; 2. Select **Add a policy** to create a new policy, or choose the policy you want to customize and select **Edit**. You can only edit the block page for policies with a Block action. 3. Under **Configure policy settings**, {props.blockBehaviorAction} **Modify Gateway block behavior**. 4. Choose your block behavior: - - **Use account-level block setting**: Use the global block page setting configured in your account settings. The global setting can be the default Gateway block page, an [HTTP redirect](/cloudflare-one/traffic-policies/block-page/#redirect-to-a-block-page), or a [custom Gateway block page](/cloudflare-one/traffic-policies/block-page/#customize-the-block-page). + - **Use account-level block setting**: Use the global block page setting configured in your account settings. The global setting can be the default Gateway block page, an [HTTP redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page), or a [custom Gateway block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#customize-the-block-page). - **Override account setting with URL redirect**: Redirect users with a `307` HTTP redirect to a URL you specify on a policy level. 5. (Optional) If your account-level block page setting uses a custom Gateway block page, you can turn on **Add an additional message to your custom block page when traffic matches this policy** to add a custom message to your custom block page when traffic is blocked by this policy. This option will replace the **Message** field. 6. Select **Save policy**. diff --git a/src/content/partials/cloudflare-one/gateway/client-notifications.mdx b/src/content/partials/cloudflare-one/gateway/client-notifications.mdx index 7762ac203527991..b6eea9cb98243be 100644 --- a/src/content/partials/cloudflare-one/gateway/client-notifications.mdx +++ b/src/content/partials/cloudflare-one/gateway/client-notifications.mdx 
@@ -24,7 +24,7 @@ import { Details, Render, Markdown } from "~/components"; Turn on to display notifications for Gateway block events. Blocked users will receive an operating system notification from the WARP client with a custom message you set. If you do not set a custom message, the WARP client will display a default message. Custom messages must be 100 characters or less. WARP will only display one notification per minute. -Upon selecting the notification, WARP will direct your users to the [Gateway block page](/cloudflare-one/traffic-policies/block-page/) you have configured. Optionally, you can direct users to a custom URL, such as an internal support form. +Upon selecting the notification, WARP will direct your users to the [Gateway block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) you have configured. Optionally, you can direct users to a custom URL, such as an internal support form. diff --git a/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx b/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx index aba67691d8128ba..e2699b06f1cf1c9 100644 --- a/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx +++ b/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx 
@@ -14,10 +14,10 @@ To customize your block page: 2. Under **Account Gateway block page**, select **Customize**. 3. Choose **Custom Gateway block page**. Gateway will display a preview of your custom block page. Available customizations include: - Your organization's name - - [Logo](/cloudflare-one/traffic-policies/block-page/#add-a-logo-image) + - [Logo](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#add-a-logo-image) - Header text - Global block message, which will be displayed above the policy-specific block message - - [Mailto link](/cloudflare-one/traffic-policies/block-page/#allow-users-to-email-an-administrator) + - [Mailto link](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#allow-users-to-email-an-administrator) - Background color 4. Select **Save**. diff --git a/src/content/partials/learning-paths/zero-trust/device-profiles.mdx b/src/content/partials/learning-paths/zero-trust/device-profiles.mdx index b227b3fcb91b699..53bc1b75ef4f71c 100644 --- a/src/content/partials/learning-paths/zero-trust/device-profiles.mdx +++ b/src/content/partials/learning-paths/zero-trust/device-profiles.mdx @@ -38,7 +38,7 @@ To customize the default settings: 5. Configure [global settings](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#global-settings) for all device profiles: 1. (Recommended) Enable **Admin override code** if you turned on **Lock WARP switch**. - 2. Enable **Install CA to system certificate store** if you want users to see a [custom block page](/cloudflare-one/traffic-policies/block-page/). + 2. Enable **Install CA to system certificate store** if you want users to see a [custom block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/). From 207f16639d0bfffdd21c60777367e9146ba25843 Mon Sep 17 00:00:00 2001 
From: Ranbel Sun Date: Tue, 28 Oct 2025 14:57:00 -0400 Subject: [PATCH 05/11] split out app launcher customization --- .../app-launcher-customization.mdx | 44 +++++++++++++++++++ .../custom-pages/gateway-block-page.mdx | 2 +- .../cloudflare-one/access/app-launcher.mdx | 36 +-------------- 3 files changed, 46 insertions(+), 36 deletions(-) create mode 100644 src/content/docs/cloudflare-one/reusable-components/custom-pages/app-launcher-customization.mdx diff --git a/src/content/docs/cloudflare-one/reusable-components/custom-pages/app-launcher-customization.mdx b/src/content/docs/cloudflare-one/reusable-components/custom-pages/app-launcher-customization.mdx new file mode 100644 index 000000000000000..42856884904c012 --- /dev/null +++ b/src/content/docs/cloudflare-one/reusable-components/custom-pages/app-launcher-customization.mdx 
@@ -0,0 +1,44 @@ +--- +pcx_content_type: how-to +title: App Launcher customization +sidebar: + order: 2 +--- + +import { Render } from "~/components"; + +:::note + +Only available on Pay-as-you-go and Enterprise plans. +::: + +You can display your own branding, messages, and links to users when they open the [Access App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/). + +To customize the App Launcher appearance: + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Custom Pages**. +2. Find the **Customize App Launcher** setting and select **Customize**. +3. Give the App Launcher the look and feel of your organization by adding: + - Your organization's name + - A logo + - A preferred background color for the header + - A preferred background color for the page + - A custom footer with links to your organization's help desk or other internal resources. + +:::note + +We recommend lighter background colors because the font defaults to black. +::: + +4. Next, customize the landing page that users will see when they login to the App Launcher. Available properties include: + - A custom title + - A custom subtitle + - An image + - A preferred color for the **Log in** button + - A preferred color for the **Log in** button text + + All of the properties configured in Step 3 will also apply to the landing page. + +5. Once you are satisfied with your customization, select **Save**. + +The App Launcher screens are now updated. To view your changes, select **Preview**. diff --git a/src/content/docs/cloudflare-one/reusable-components/custom-pages/gateway-block-page.mdx b/src/content/docs/cloudflare-one/reusable-components/custom-pages/gateway-block-page.mdx index b94308f150d79e8..99a05d43181ba60 100644 --- a/src/content/docs/cloudflare-one/reusable-components/custom-pages/gateway-block-page.mdx +++ b/src/content/docs/cloudflare-one/reusable-components/custom-pages/gateway-block-page.mdx 
@@ -2,7 +2,7 @@ pcx_content_type: how-to title: Block page sidebar: - order: 14 + order: 1 --- import { Render, Tabs, TabItem } from "~/components"; diff --git a/src/content/partials/cloudflare-one/access/app-launcher.mdx b/src/content/partials/cloudflare-one/access/app-launcher.mdx index 14ea0928efb94f4..0d8d246b75aa2f4 100644 --- a/src/content/partials/cloudflare-one/access/app-launcher.mdx +++ b/src/content/partials/cloudflare-one/access/app-launcher.mdx 
@@ -58,38 +58,4 @@ To show an Access application in the App Launcher: ## Customize App Launcher appearance -:::note - -Only available on Pay-as-you-go and Enterprise plans. -::: - -You can display your own branding, messages, and links to users when they open the App Launcher. - -To customize the App Launcher appearance: - -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Custom Pages**. -2. Find the **Customize App Launcher** setting and select **Customize**. -3. Give the App Launcher the look and feel of your organization by adding: - - Your organization's name - - A logo - - A preferred background color for the header - - A preferred background color for the page - - A custom footer with links to your organization's help desk or other internal resources. - -:::note - -We recommend lighter background colors because the font defaults to black. -::: - -4. Next, customize the landing page that users will see when they login to the App Launcher. Available properties include: - - A custom title - - A custom subtitle - - An image - - A preferred color for the **Log in** button - - A preferred color for the **Log in** button text - - All of the properties configured in Step 3 will also apply to the landing page. - -5. Once you are satisfied with your customization, select **Save**. - -The App Launcher screens are now updated. To view your changes, select **Preview**. +To customize the App Launcher with your own branding, messages, and links, refer to the [Custom pages documentation](/cloudflare-one/reusable-components/custom-pages/app-launcher-customization/). \ No newline at end of file From e239922ff160b878a59127bb318a9d2ac92a398d Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Tue, 28 Oct 2025 15:17:51 -0400 Subject: [PATCH 06/11] fix links --- src/content/docs/reference-architecture/architectures/sase.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/content/docs/reference-architecture/architectures/sase.mdx b/src/content/docs/reference-architecture/architectures/sase.mdx index 21a2746c223f76e..291238772af2d21 100644 --- a/src/content/docs/reference-architecture/architectures/sase.mdx +++ b/src/content/docs/reference-architecture/architectures/sase.mdx 
@@ -499,7 +499,7 @@ The following built-in posture checks are available: - [Unique Client ID](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/device-uuid/): When using an MDM too, organizations can assign a verifiable UUID to a mobile, desktop, or laptop device - [Device serial number](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/corp-device/): Checks to see if the device serial matches a list of company desktop/laptop computers -Cloudflare One can also integrate with any deployed endpoint security solution, such as [Microsoft Endpoint Manager](/cloudflare-one/integrations/service-providers/microsoft/), [Tanium](/cloudflare-one/integrations/service-providers//tanium/), [Carbon Black](/cloudflare-one/integrations/service-providers//carbon-black/), [CrowdStrike](/cloudflare-one/integrations/service-providers/crowdstrike/), [SentinelOne](/cloudflare-one/integrations/service-providers/sentinelone/), and more. Any data from those products can be passed to Cloudflare for use in access decisions. +Cloudflare One can also integrate with any deployed endpoint security solution, such as [Microsoft Endpoint Manager](/cloudflare-one/integrations/service-providers/microsoft/), [Tanium](/cloudflare-one/integrations/service-providers/tanium/), [Carbon Black](/cloudflare-one/integrations/service-providers/carbon-black/), [CrowdStrike](/cloudflare-one/integrations/service-providers/crowdstrike/), [SentinelOne](/cloudflare-one/integrations/service-providers/sentinelone/), and more. Any data from those products can be passed to Cloudflare for use in access decisions. All of the above device information, combined with data on the user identity and also the network the device is on, is available in Cloudflare to be used as part of the company policy. 
For example, organizations could choose to only allow administrators to SSH into servers when all of the following conditions are met: their device is free from threats, running the latest operating system, and joined to the company domain. From fcc9e31ff3577fc2a242202334de7ff636938f54 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Tue, 28 Oct 2025 15:33:59 -0400 Subject: [PATCH 07/11] fix links --- src/content/docs/reference-architecture/architectures/sase.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/reference-architecture/architectures/sase.mdx b/src/content/docs/reference-architecture/architectures/sase.mdx index 291238772af2d21..0e6c16edf9cdaf7 100644 --- a/src/content/docs/reference-architecture/architectures/sase.mdx +++ b/src/content/docs/reference-architecture/architectures/sase.mdx 
@@ -499,7 +499,7 @@ The following built-in posture checks are available: - [Unique Client ID](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/device-uuid/): When using an MDM too, organizations can assign a verifiable UUID to a mobile, desktop, or laptop device - [Device serial number](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/corp-device/): Checks to see if the device serial matches a list of company desktop/laptop computers -Cloudflare One can also integrate with any deployed endpoint security solution, such as [Microsoft Endpoint Manager](/cloudflare-one/integrations/service-providers/microsoft/), [Tanium](/cloudflare-one/integrations/service-providers/tanium/), [Carbon Black](/cloudflare-one/integrations/service-providers/carbon-black/), [CrowdStrike](/cloudflare-one/integrations/service-providers/crowdstrike/), [SentinelOne](/cloudflare-one/integrations/service-providers/sentinelone/), and more. Any data from those products can be passed to Cloudflare for use in access decisions. +Cloudflare One can also integrate with any deployed endpoint security solution, such as [Microsoft Endpoint Manager](/cloudflare-one/integrations/service-providers/microsoft/), [Tanium](/cloudflare-one/integrations/service-providers/taniums2s/), [Carbon Black](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/carbon-black/), [CrowdStrike](/cloudflare-one/integrations/service-providers/crowdstrike/), [SentinelOne](/cloudflare-one/integrations/service-providers/sentinelone/), and more. Any data from those products can be passed to Cloudflare for use in access decisions. All of the above device information, combined with data on the user identity and also the network the device is on, is available in Cloudflare to be used as part of the company policy. 
For example, organizations could choose to only allow administrators to SSH into servers when all of the following conditions are met: their device is free from threats, running the latest operating system, and joined to the company domain. From ebf882436923d8302c11d9bae9c66f9b1f0fbd00 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Tue, 28 Oct 2025 16:36:26 -0400 Subject: [PATCH 08/11] cleanup chart --- .../posture-checks/access-integrations.mdx | 13 +++++++------ .../posture-checks/warp-client-checks/index.mdx | 1 + .../posture-checks/warp-client-checks/tanium.mdx | 6 ++---- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations.mdx b/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations.mdx index 0e208bca01d4314..3386932605b9b4e 100644 --- a/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations.mdx +++ b/src/content/docs/cloudflare-one/reusable-components/posture-checks/access-integrations.mdx 
@@ -5,10 +5,11 @@ sidebar: order: 4 --- -These device posture checks can only be enforced for Cloudflare Access applications. They cannot be used in Gateway network policies. +The following device posture checks do not require the WARP client and can only be used in [Cloudflare Access policies](/cloudflare-one/access-controls/policies/). They cannot be used in Gateway network policies. -| Device posture check | macOS | Windows | Linux | iOS | Android/ChromeOS | [WARP mode](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/) | -| ----------------------------------------------------------------------------------------------- | ----- | ------- | ----- | --- | ---------------- | ---------------------------------------------------------------------------------------- | -| [Microsoft Entra ID Conditional Access](/cloudflare-one/tutorials/entra-id-conditional-access/) | ✅ | ✅ | ❌ | ❌ | ❌ | WARP not required | -| [Mutual TLS](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) | ✅ | ✅ | ✅ | ✅ | ✅ | WARP not required | -| [Tanium](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium/) | ✅ | ✅ | ✅ | ❌ | ❌ | Gateway with WARP, Secure Web Gateway without DNS filtering, or Device Information Only | +## Supported operating systems + +| Device posture check | macOS | Windows | Linux | iOS | Android/ChromeOS | +| ----------------------------------------------------------------------------------------------- | ----- | ------- | ----- | --- |---------------------------------------------------------------------------------------- | +| [Microsoft Entra ID Conditional Access](/cloudflare-one/tutorials/entra-id-conditional-access/) | ✅ | ✅ | ❌ | ❌ | ❌ | +| [Mutual TLS](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) | ✅ | ✅ | ✅ | ✅ | ✅ | 
diff --git a/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/index.mdx b/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/index.mdx index 4ebe78397f841b9..9a51b28fc539fb3 100644 --- a/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/index.mdx +++ b/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/index.mdx @@ -31,3 +31,4 @@ These device posture checks are performed by the [Cloudflare WARP client](/cloud | [Require Gateway](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/require-gateway/) | ✅ | ✅ | ✅ | ✅ | ✅ | | [Require WARP](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/require-warp/) | ✅ | ✅ | ✅ | ✅ | ✅ | | [SentinelOne](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/sentinel-one/) | ✅ | ✅ | ✅ | ❌ | ❌ | +| [Tanium (legacy)](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium/) | ✅ | ✅ | ✅ | ❌ | ❌ | diff --git a/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium.mdx b/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium.mdx index 0733cf564e39acb..e473c77e3c3fe32 100644 --- a/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium.mdx +++ b/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium.mdx 
@@ -16,10 +16,8 @@ Not recommended for new deployments. We recommend using the [Tanium service-to-s Cloudflare Access can use endpoint data from [Tanium™](https://www.tanium.com/) to determine if a request should be allowed to reach a protected resource. When users attempt to connect to a resource protected by Access with a Tanium rule, Cloudflare Access will validate the user's identity, and the browser will connect to the Tanium agent before making a decision to grant access. -:::caution[Gateway device posture limitation] - -The Tanium integration cannot be used with [Gateway device posture policies](/cloudflare-one/traffic-policies/network-policies/#device-posture). - +:::caution[Gateway policy limitation] +The legacy Tanium integration cannot be used in [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/#device-posture). Only [Access policies](/cloudflare-one/access-controls/policies/) are supported. ::: ## Prerequisites From 4fb3214f11269879a7038ec96ce3fc2ea4eaf0ce Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Tue, 28 Oct 2025 17:42:05 -0400 Subject: [PATCH 09/11] ui updates --- .../detection-entries.mdx | 8 +++---- .../setup/non-identity.mdx | 4 ++-- .../warp-client-checks/require-warp.mdx | 4 ++-- .../troubleshooting/troubleshooting-guide.mdx | 2 +- .../http-policies/file-sandboxing.mdx | 4 ++-- src/content/glossary/cloudflare-one.yaml | 24 +++++++++---------- 6 files changed, 23 insertions(+), 23 deletions(-) diff --git a/src/content/docs/cloudflare-one/data-loss-prevention/detection-entries.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/detection-entries.mdx index d7ae0556086d172..104e40c2ecf8f2e 100644 --- a/src/content/docs/cloudflare-one/data-loss-prevention/detection-entries.mdx +++ b/src/content/docs/cloudflare-one/data-loss-prevention/detection-entries.mdx @@ -52,8 +52,8 @@ To select which Exact Data Match columns to use, you will need to [reupload any
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Data loss prevention** > **Detection entries**. -2. Go to **Datasets**. -3. Select **Add a dataset**. In **Exact Data Match (EDM)**, choose **Select**. +2. From the **Datasets** tab, select **Add a dataset**. +3. Select **Exact Data Match (EDM)**. 4. Upload your dataset file. Select **Next**. 5. Review and choose the detected columns you want to include. Select **Next**. 6. Name your dataset. Optionally, add a description. Select **Next**. @@ -66,8 +66,8 @@ DLP will encrypt your dataset and save its hash.
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Data loss prevention** > **Detection entries**. -2. Go to **Datasets**. -3. Select **Add a dataset**. In **Custom Wordlist (CWL)**, choose **Select**. +2. From the **Datasets** tab, select **Add a dataset**. +3. Select **Custom Wordlist (CWL)**. 4. Name your dataset. Optionally, add a description. 5. (Optional) In **Settings**, turn on **Enforce case sensitivity** to require matched values to contain exact capitalization. 6. In **Upload file**, choose your dataset file. diff --git a/src/content/docs/cloudflare-one/remote-browser-isolation/setup/non-identity.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/setup/non-identity.mdx index fce27e282ed5762..22b5513c5746674 100644 --- a/src/content/docs/cloudflare-one/remote-browser-isolation/setup/non-identity.mdx +++ b/src/content/docs/cloudflare-one/remote-browser-isolation/setup/non-identity.mdx @@ -19,6 +19,6 @@ If you want to apply Isolate policies based on user identity, you will need to e - Configure your browser to forward traffic to a Gateway proxy endpoint with [PAC files](/cloudflare-one/team-and-resources/devices/agentless/pac-files/). - Connect your enterprise site router to Gateway with the [anycast GRE or IPsec tunnel on-ramp to Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/). 3. Enable non-identity browser isolation: - 1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Browser isolation** > *Browser isolation settings**. - 2. Turn on **Non-identity on-ramp support**. + 1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Browser isolation** > **Browser isolation settings**. + 2. Turn on **Allow isolated HTTP traffic when user identity is unknown**. 4. Build a non-identity [HTTP policy](/cloudflare-one/remote-browser-isolation/isolation-policies/) to isolate websites in a remote browser. 
diff --git a/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/require-warp.mdx b/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/require-warp.mdx index 5ae92d5c7abc072..accbaf0e2e4ae76 100644 --- a/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/require-warp.mdx +++ b/src/content/docs/cloudflare-one/reusable-components/posture-checks/warp-client-checks/require-warp.mdx @@ -31,8 +31,8 @@ Cloudflare One enables you to restrict access to your applications to devices ru ## 1. Enable the WARP check -1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Settings** > **Network**. -2. Ensure that **Proxy** is enabled. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Traffic policies** > **Traffic settings**. +2. Ensure that *Allow Secure Web Gateway to proxy traffic** is enabled. 3. Go to **Reusable components** > **Posture checks**. 4. In **WARP client checks**, select **Add a check**. 5. Select **WARP**, then select **Save**. diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/troubleshooting/troubleshooting-guide.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/troubleshooting/troubleshooting-guide.mdx index 35640fbd621ef99..ed755713b92a717 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/troubleshooting/troubleshooting-guide.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/troubleshooting/troubleshooting-guide.mdx 
@@ -129,7 +129,7 @@ The [WARP Diagnostics Analyzer](/cloudflare-one/team-and-resources/devices/warp/ After you run a [DEX remote capture](#option-a-collect-logs-via-the-cloudflare-dashboard) for WARP diagnostics: -1. Go to **DEX** > **Remote captures**. +1. Go to **Insights** > **Digital experience** and select the **Diagnotics** tab. 2. Find your capture in the list of captures. 3. Select the three-dot icon next to **Status** > select **View WARP Diag** to generate an AI summary. diff --git a/src/content/docs/cloudflare-one/traffic-policies/http-policies/file-sandboxing.mdx b/src/content/docs/cloudflare-one/traffic-policies/http-policies/file-sandboxing.mdx index 22bd3f5a554ca0b..fc8d9bf2c319d4a 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/http-policies/file-sandboxing.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/http-policies/file-sandboxing.mdx @@ -49,8 +49,8 @@ flowchart TD To begin quarantining downloaded files, turn on file sandboxing: -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network**. -2. In **Firewall**, turn on **File sandboxing**. +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Traffic policies** > **Traffic settings**. +2. Turn on **File sandboxing**. 3. (Optional) To block requests containing [non-scannable files](#non-scannable-files), select **Block requests for files that cannot be scanned**. You can now create [Quarantine HTTP policies](/cloudflare-one/traffic-policies/http-policies/#quarantine) to determine what files to scan in the sandbox. diff --git a/src/content/glossary/cloudflare-one.yaml b/src/content/glossary/cloudflare-one.yaml index 1f5b92535c5c1d0..7b3a09a493135a7 100644 --- a/src/content/glossary/cloudflare-one.yaml +++ b/src/content/glossary/cloudflare-one.yaml 
@@ -3,11 +3,11 @@ productName: Cloudflare One entries: - term: App Launcher general_definition: |- - the App Launcher portal provides end users with a single dashboard to open applications secured by Cloudflare Zero Trust. + the App Launcher portal provides end users with a single dashboard to open applications secured by Cloudflare One. - term: application general_definition: |- - the resource protected by Cloudflare Zero Trust, which can be a subdomain, a path, or a SaaS application. + the resource protected by Cloudflare One, which can be a subdomain, a path, or a SaaS application. - term: application token general_definition: |- @@ -19,7 +19,7 @@ entries: - term: CGNAT IP general_definition: |- - a unique, virtual IP address assigned to each WARP device from the `100.96.0.0/12` range. You can view the CGNAT IP for a device in **My Team** > **Devices** > **Virtual IPv4/IPv6**. + a unique, virtual IP address assigned to each WARP device from the `100.96.0.0/12` range. You can view the CGNAT IP for a device in **Team & Resources** > **Devices** > **Virtual IPv4/IPv6**. - term: cloudflared general_definition: |- @@ -47,7 +47,7 @@ entries: - term: Cloudflare DEX general_definition: |- - Cloudflare Digital Experience Monitoring (DEX) provides visibility into device, network, and application performance across your Zero Trust organization. + Cloudflare Digital Experience Monitoring (DEX) provides visibility into device, network, and application performance across your Cloudflare One organization. - term: Cloudflare Gateway general_definition: |- @@ -91,7 +91,7 @@ entries: - term: DoH subdomain general_definition: |- - a unique DoH subdomain for each DNS location in Cloudflare Zero Trust used in WARP client settings. + a unique DoH subdomain for each DNS location in Cloudflare One used in WARP client settings. - term: DNS location general_definition: |- 
@@ -101,7 +101,7 @@ entries: - term: fleet general_definition: |- - a fleet is a collection of user devices. All devices in a fleet have WARP installed and are connected to a [Cloudflare Zero Trust organization](/cloudflare-one/setup/#create-a-zero-trust-organization). + a fleet is a collection of user devices. All devices in a fleet have WARP installed and are connected to a [Cloudflare One organization](/cloudflare-one/setup/#create-a-cloudflare-one-organization). - term: identity provider general_definition: |- @@ -133,7 +133,7 @@ entries: - term: MCP server portal general_definition: |- - a web application in Cloudflare Zero Trust that serves as a gateway to multiple MCP servers. + a web application in Cloudflare One that serves as a gateway to multiple MCP servers. - term: MCP server tool general_definition: |- @@ -169,7 +169,7 @@ entries: - term: remotely-managed tunnel general_definition: |- - a Cloudflare Tunnel that was created in Zero Trust under **Networks** > **Tunnels**. Tunnel configuration is stored in Cloudflare, which allows you to manage the tunnel from the dashboard or using the API. + a Cloudflare Tunnel whose configuration is stored on Cloudflare rather than on your local machine. You can manage the tunnel in the dashboard under **Networks** > **Connectors** or by using the API. - term: RDP general_definition: |- 
@@ -241,11 +241,11 @@ entries: - term: team domain general_definition: |- - a unique subdomain assigned to your Cloudflare account (for example, `.cloudflareaccess.com`), where users will find the apps you have secured behind Cloudflare Zero Trust. + a unique subdomain assigned to your Cloudflare account (for example, `.cloudflareaccess.com`), where users will find the apps you have secured behind Cloudflare One. - term: team name general_definition: |- - the customizable portion of your team domain (`.cloudflareaccess.com`). You can view your team name in Zero Trust under **Settings** > **Custom Pages**. + the customizable portion of your team domain (`.cloudflareaccess.com`). You can view your team name in Cloudflare One under **Settings**. - term: Terraform general_definition: |- @@ -259,11 +259,11 @@ entries: - term: User risk score general_definition: |- - Cloudflare Zero Trust user risk score ranks the likelihood of a user to introduce risk to your organization's systems and data based on the detection of security risk behaviors. Risk scores add user and entity behavior analytics (UEBA) to the Zero Trust platform. + User risk score ranks the likelihood of a user to introduce risk to your organization's systems and data based on the detection of security risk behaviors. Risk scores add user and entity behavior analytics (UEBA) to the Cloudflare One platform. - term: User risk score level general_definition: |- - Cloudflare Zero Trust assigns a risk score of Low, Medium or High based on detections of users' activities, posture, and settings. A user's risk score is equal to the highest-level risk behavior they trigger. + Cloudflare One assigns a risk score of Low, Medium or High based on detections of users' activities, posture, and settings. A user's risk score is equal to the highest-level risk behavior they trigger. - term: Virtual network general_definition: |- From f790d81ab0ee64aa6b03a930ff047b1151e3a267 Mon Sep 17 00:00:00 2001 
From: ranbel <101146722+ranbel@users.noreply.github.com> Date: Tue, 28 Oct 2025 17:45:46 -0400 Subject: [PATCH 10/11] Update src/content/glossary/cloudflare-one.yaml --- src/content/glossary/cloudflare-one.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/glossary/cloudflare-one.yaml b/src/content/glossary/cloudflare-one.yaml index 7b3a09a493135a7..6ee18347c9931fc 100644 --- a/src/content/glossary/cloudflare-one.yaml +++ b/src/content/glossary/cloudflare-one.yaml @@ -259,7 +259,7 @@ entries: - term: User risk score general_definition: |- - User risk score ranks the likelihood of a user to introduce risk to your organization's systems and data based on the detection of security risk behaviors. Risk scores add user and entity behavior analytics (UEBA) to the Cloudflare One platform. + ranks the likelihood of a user to introduce risk to your organization's systems and data based on the detection of security risk behaviors. Risk scores add user and entity behavior analytics (UEBA) to the Cloudflare One platform. - term: User risk score level general_definition: |- From 5398cfc7193e17ca77839824a10af23081deb016 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Tue, 28 Oct 2025 17:53:12 -0400 Subject: [PATCH 11/11] proxy --- .../cloudflare-one/insights/logs/gateway-logs/manage-pii.mdx | 2 +- .../use-cases/ssh/ssh-infrastructure-access.mdx | 2 +- .../traffic-policies/egress-policies/dedicated-egress-ips.mdx | 4 ++-- .../traffic-policies/network-policies/index.mdx | 2 +- .../configure-device-agent/enable-proxy.mdx | 4 ++-- .../cloudflare-one/tunnel/troubleshoot-private-networks.mdx | 2 +- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/src/content/docs/cloudflare-one/insights/logs/gateway-logs/manage-pii.mdx b/src/content/docs/cloudflare-one/insights/logs/gateway-logs/manage-pii.mdx index de034f810c3ca0f..aa29f4734643b81 100644 --- a/src/content/docs/cloudflare-one/insights/logs/gateway-logs/manage-pii.mdx 
+++ b/src/content/docs/cloudflare-one/insights/logs/gateway-logs/manage-pii.mdx @@ -23,7 +23,7 @@ Cloudflare Gateway can log the following types of PII: Enabling this setting means Cloudflare Gateway will log activity without storing any employee PII. Changes to this setting will not change PII storage of any previous logs. This means if Exclude PII is enabled and then disabled, there will be no PII data for logs captured while Exclude PII was enabled. The PII data will be unavailable to all roles within your Zero Trust organization, including the Super Admin. -To enable or disable this setting, log in to [Zero Trust](https://one.dash.cloudflare.com/) and go to **Settings** > **Network** > **Exclude PII**. +To enable or disable this setting, log in to [Zero Trust](https://one.dash.cloudflare.com/) and go to **Traffic policies** > **Traffic settings** > **Exclude personally identifiable information (PII) from logs**. ## Redact PII diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx index 67c0d9027a7f160..c4b586f5e1e8d51 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx @@ -129,7 +129,7 @@ To turn off SSH command logging, delete your uploaded public key: -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network** > **SSH encryption public key**. +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Traffic policies** > **Traffic settings** > **SSH log encryption public key**. 2. Select **Remove**. 
diff --git a/src/content/docs/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips.mdx b/src/content/docs/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips.mdx index 09b5beb09c610bd..bb5a0de7016251c 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips.mdx @@ -20,8 +20,8 @@ An account can have any number of additional dedicated egress IPs. To request ad To start routing traffic through dedicated egress IPs: 1. Contact your account team to obtain a dedicated egress IP. -2. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network**. -3. In **Firewall**, turn on **Proxy**. +2. In [Zero Trust](https://one.dash.cloudflare.com), go to **Traffic policies** > **Traffic settings**. +3. Turn on **Allow Secure Web Gateway to proxy traffic**. 4. Select **TCP**. 5. (Optional) Select **UDP**. This will allow HTTP/3 traffic to egress with your dedicated IPs. diff --git a/src/content/docs/cloudflare-one/traffic-policies/network-policies/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/network-policies/index.mdx index 0a26ecf0b47b8a7..e792b006526fe91 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/network-policies/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/network-policies/index.mdx 
@@ -318,7 +318,7 @@ The inferred network protocol based on Cloudflare's [protocol detection](/cloudf :::note -To enable Gateway filtering on TCP and UDP, go to **Settings** > **Network** > **Proxy**. Network policies apply to all enabled protocols unless you use the **Protocol** selector within a policy. +To enable Gateway filtering on TCP and UDP, go to **Traffic policies** > **Traffic settings** > **Allow Secure Web Gateway to proxy traffic**. Network policies apply to all enabled protocols unless you use the **Protocol** selector within a policy. ::: ### Proxy Endpoint diff --git a/src/content/docs/learning-paths/secure-internet-traffic/configure-device-agent/enable-proxy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/configure-device-agent/enable-proxy.mdx index 8afb9c357be702f..b274e4098f79f15 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/configure-device-agent/enable-proxy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/configure-device-agent/enable-proxy.mdx @@ -11,8 +11,8 @@ import { Render } from "~/components"; ## Enable the proxy -1. Go to **Settings** > **Network**. -2. Enable **Proxy** for TCP. +1. Go to **Traffic policies** > **Traffic settings**. +2. Enable **Allow Secure Web Gateway to proxy traffic** for TCP. 3. (Recommended) To proxy all port `443` traffic, including internal DNS queries, select **UDP**. 4. (Optional) To scan file uploads and downloads for malware, [enable anti-virus scanning](/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/). diff --git a/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx b/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx index b4fc070e092651e..0ed7f41fa8a3a7c 100644 --- a/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx +++ b/src/content/partials/cloudflare-one/tunnel/troubleshoot-private-networks.mdx 
@@ -64,7 +64,7 @@ Determine whether the user is matching any policy, or if they are matching a pol ## 6. Are the correct Gateway proxy settings enabled? -Under **Settings** > **Network**, ensure that **Proxy** is enabled for TCP, UDP, and ICMP traffic. UDP is required for proxying DNS traffic and other UDP packets, while ICMP is required for `ping` and other administrative functions. +Under **Traffic policies** > **Traffic settings**, ensure that **Allow Secure Web Gateway to proxy traffic** is enabled for TCP, UDP, and ICMP traffic. UDP is required for proxying DNS traffic and other UDP packets, while ICMP is required for `ping` and other administrative functions. ## 7. Is the user's traffic reaching the tunnel?