diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/firewall.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/firewall.mdx
index 2d62ba01ed2523..97f4fa97f75b2b 100644
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/firewall.mdx
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/firewall.mdx
@@ -5,23 +5,27 @@ sidebar:
order: 9
---
-import { Render } from "~/components";
+import { Render, Details } from "~/components";
If your organization uses a firewall or other policies to restrict or intercept Internet traffic, you may need to exempt the following IP addresses and domains to allow the WARP client to connect.
## Client orchestration API
-The WARP client connects to Cloudflare via a standard HTTPS connection outside the tunnel for operations like registration or settings changes. To perform these operations, you must allow `zero-trust-client.cloudflareclient.com` which will lookup the following IP addresses:
+The WARP client connects to Cloudflare via a standard HTTPS connection outside the tunnel for operations like registration or settings changes. To perform these operations, you must allow the following IPs and domains:
-
+Even though `zero-trust-client.cloudflareclient.com` and `notifications.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall.
+
+
+
+To deploy WARP in FedRAMP High environments, you will need to allow a different set of IPs and domains through your firewall:
+
+- IPv4 API endpoints: `162.159.213.1` and `172.64.98.1`
+- IPv6 API endpoints: `2606:54c1:11::` and `2a06:98c1:4b::`
+- SNIs: `api.devices.fed.cloudflare.com` and `notifications.devices.fed.cloudflare.com`
+
+
## DoH IP
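Review bot: the `Details` import added to the import line has no visible use anywhere in this hunk, and the hunk contains several bare `+` lines (right after the "you must allow the following IPs and domains:" intro, and around the FedRAMP High list) with no content on them; if those are where the `<Details>` and `<Render>` components belong, confirm they are actually present, because as the hunk reads now the sentence "WARP overrides the resolved IPs with the IPs listed above" has no list above it and the import is unused. Separately, the FedRAMP High IPv6 endpoints `2606:54c1:11::` and `2a06:98c1:4b::` both end in `::`; confirm these are the intended host addresses rather than prefixes that lost a `/nn` length, since the commercial entries (`2606:4700:7::a29f:8969`) are full addresses. The override caveat is also stated only for `zero-trust-client.cloudflareclient.com` and `notifications.cloudflareclient.com`; say whether it applies to the FedRAMP SNIs as well.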
@@ -29,18 +33,21 @@ The WARP client connects to Cloudflare via a standard HTTPS connection outside t
Only required for [Gateway with DoH](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/#gateway-with-doh) mode.
:::
-In [Gateway with DoH](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/#gateway-with-doh) mode, the WARP client sends DNS requests to Gateway over an HTTPS connection. For DNS to work correctly, you must allow `.cloudflare-gateway.com` which will lookup the following IPs:
+In [Gateway with DoH](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/#gateway-with-doh) mode, the WARP client sends DNS requests to Gateway over an HTTPS connection. For DNS to work correctly, you must allow the following IPs and domains:
+
+- IPv4 DoH addresses: `162.159.36.1` and `162.159.46.1`
+- IPv6 DoH addresses: `2606:4700:4700::1111` and `2606:4700:4700::1001`
+- SNIs: `.cloudflare-gateway.com`
+
+Even though `.cloudflare-gateway.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall.
-- IPv4 DoH Addresses: `162.159.36.1` and `162.159.46.1`
-- IPv6 DoH Addresses: `2606:4700:4700::1111` and `2606:4700:4700::1001`
+
+To deploy WARP in FedRAMP High environments, you will need to allow a different set of IPs and domains through your firewall:
-.cloudflare-gateway.com",
- }}
-/>
+- IPv4 DoH addresses: `172.64.100.3` and `172.64.101.3`
+- IPv6 DoH addresses: `2606:54c1:13::2`
+- SNIs: `.fed.cloudflare-gateway.com`
+
### Android devices
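Review bot: the "WARP overrides the resolved IPs with the IPs listed above" caveat sits only after the commercial DoH list; the FedRAMP High list (`.fed.cloudflare-gateway.com`) gets no equivalent statement, so a reader building a FedRAMP allowlist cannot tell whether a domain-only rule is sufficient there. Either repeat the caveat under the FedRAMP list or state that it does not apply. Also, the FedRAMP list gives two IPv4 DoH addresses (`172.64.100.3` and `172.64.101.3`) but a single IPv6 address (`2606:54c1:13::2`); confirm that is complete rather than a dropped second address, since every other list in this file pairs two of each.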
@@ -48,11 +55,19 @@ If you are deploying the Cloudflare One Agent on Android/ChromeOS, you must also
## Client authentication endpoint
-When you [log in to your Zero Trust organization](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/), you will have to complete the authentication steps required by your organization in the browser window that opens. To perform these operations, you must allow the following domains:
+When you [log in to your Cloudflare One organization](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/), you will have to complete the authentication steps required by your organization in the browser window that opens. To perform these operations, you must allow the following domains:
-- The IdP used to authenticate to Cloudflare Zero Trust
+- The IdP used to authenticate to Cloudflare One
- `.cloudflareaccess.com`
+
+To deploy WARP in FedRAMP High environments, you will need to allow different domains through your firewall:
+
+- FedRAMP High IdP used to authenticate to Cloudflare One
+- `.fed.cloudflareaccess.com`.
+
+
+
## WARP ingress IP
WARP connects to the following IP addresses, depending on which [tunnel protocol](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#device-tunnel-protocol) is configured for your device (WireGuard or MASQUE). All network traffic from your device to Cloudflare goes through these IPs and ports over UDP.
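Review bot: the trailing period in `` - `.fed.cloudflareaccess.com`. `` is inconsistent with the `` - `.cloudflareaccess.com` `` bullet above it and renders as a stray `.` after the code span; drop it. The "FedRAMP High IdP used to authenticate to Cloudflare One" bullet also reads better if it parallels the first list ("The IdP used to authenticate to Cloudflare One"), since it is the same kind of entry.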
@@ -79,9 +94,24 @@ WARP connects to the following IP addresses, depending on which [tunnel protocol
:::note
-Before you [log in to your Zero Trust organization](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/), you may see the IPv4 range `162.159.192.0/24`. This IP is used for consumer WARP services ([1.1.1.1 w/ WARP](/warp-client/)) and is not required for Zero Trust deployments.
+Before you [log in to your Cloudflare One organization](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/), you may see the IPv4 range `162.159.192.0/24`. This IP is used for consumer WARP ([1.1.1.1 w/ WARP](/warp-client/)) and is not required for Zero Trust services.
:::
+
+
+Devices will use the MASQUE protocol in FedRAMP High environments. To deploy WARP for FedRAMP High, you will need to allow the following IPs and ports:
+
+| | |
+| -------------- | ------------------------------------------------------------------------------------------------------------------- |
+| IPv4 address | `162.159.239.0/24` |
+| IPv6 address | `2606:4700:105::/48` |
+| Default port | `UDP 443` |
+| Fallback ports | `UDP 500`
`UDP 1701`
`UDP 4500`
`UDP 4443`
`UDP 8443`
`UDP 8095`
`TCP 443` [^1] |
+
+[^1]: Required for HTTP/2 fallback
+
+
+
## Captive portal
The following domains are used as part of our captive portal check:
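Review bot: the "Fallback ports" cell is spread across several source lines (`UDP 500` through `` `TCP 443` [^1] ``), but a Markdown table row cannot span lines, so the table will break after `UDP 500` unless those values are joined on one line (for example with `<br />` separators) the way the other three rows are single-line. The section's intro sentence also states that all traffic "goes through these IPs and ports over UDP", while the FedRAMP table adds `TCP 443` as an HTTP/2 fallback; qualify that sentence or note the TCP fallback as the exception so the two do not contradict each other. Finally, "Devices will use the MASQUE protocol in FedRAMP High environments" should say whether WireGuard is unavailable there or merely not the default, since the paragraph above says the protocol is configured per device.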
@@ -101,34 +131,21 @@ As part of establishing the WARP connection, the client runs connectivity checks
The client connects to the following destinations to verify general Internet connectivity outside of the WARP tunnel. Make sure that these IPs and domains are on your firewall allowlist.
-- `engage.cloudflareclient.com`: The client will always send requests directly to an IP in the [WARP ingress IPv4 or IPv6 range](/cloudflare-one/team-and-resources/devices/warp/deployment/firewall/#warp-ingress-ip) (or to your [`override_warp_endpoint`](/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/parameters/#override_warp_endpoint) if set). Requests will not use a proxy server, even if one is configured for the system.
- `162.159.197.3`
- `2606:4700:102::3`
+- `engage.cloudflareclient.com`: The client will always send requests directly to an IP in the [WARP ingress IPv4 or IPv6 range](/cloudflare-one/team-and-resources/devices/warp/deployment/firewall/#warp-ingress-ip) (or to your [`override_warp_endpoint`](/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/parameters/#override_warp_endpoint) if set). Requests will not use a proxy server, even if one is configured for the system.
-
+Even though `engage.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall.
### Inside tunnel
-The WARP client connects to the following IPs to verify connectivity inside of the WARP tunnel:
+The WARP client connects to the following destinations to verify connectivity inside of the WARP tunnel:
- `162.159.197.4`
- `2606:4700:102::4`
+- `connectivity.cloudflareclient.com`
-Because this check happens inside of the tunnel, you do not need to add these IPs to your firewall allowlist. However, since the requests go through Gateway, ensure that they are not blocked by a Gateway HTTP or Network policy.
-
-
+Because this check happens inside of the tunnel, you do not need to add these IPs and domains to your firewall allowlist. However, since the requests go through Gateway, ensure that they are not blocked by a Gateway HTTP or Network policy.
## NEL reporting (optional)
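Review bot: every other section in this diff gained a FedRAMP High variant, but the outside-tunnel connectivity check still lists only `engage.cloudflareclient.com` with `162.159.197.3` / `2606:4700:102::3`; if FedRAMP High devices use the same destination, say so explicitly, and if they use a fed-specific one, add it, otherwise a FedRAMP allowlist built from this page will omit it and the connectivity check will fail outside the tunnel. Moving the `engage.cloudflareclient.com` bullet below the two IPs is needed for the "IPs listed above" sentence to read correctly, so that reorder is right; the inside-tunnel change that adds `connectivity.cloudflareclient.com` and updates "these IPs" to "these IPs and domains" is consistent.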
diff --git a/src/content/partials/cloudflare-one/warp/client-orchestration-ips.mdx b/src/content/partials/cloudflare-one/warp/client-orchestration-ips.mdx
index 6e42db550e9a8f..885e29755b6d36 100644
--- a/src/content/partials/cloudflare-one/warp/client-orchestration-ips.mdx
+++ b/src/content/partials/cloudflare-one/warp/client-orchestration-ips.mdx
@@ -3,5 +3,6 @@
---
-* IPv4 API Endpoints: `162.159.137.105` and `162.159.138.105`
-* IPv6 API Endpoints: `2606:4700:7::a29f:8969` and `2606:4700:7::a29f:8a69`
+- IPv4 API endpoints: `162.159.137.105` and `162.159.138.105`
+- IPv6 API endpoints: `2606:4700:7::a29f:8969` and `2606:4700:7::a29f:8a69`
+- SNIs: `zero-trust-client.cloudflareclient.com` and `notifications.cloudflareclient.com`
diff --git a/src/content/partials/cloudflare-one/warp/firewall.mdx b/src/content/partials/cloudflare-one/warp/firewall.mdx
deleted file mode 100644
index f9f7d4c707ace9..00000000000000
--- a/src/content/partials/cloudflare-one/warp/firewall.mdx
+++ /dev/null
@@ -1,6 +0,0 @@
----
-params:
- - domain
----
-
-If your firewall allows traffic only by domain, you may need to explicitly allow {props.domain}. Even though {props.domain} may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall.
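Review bot: the deleted partial's opening sentence, "If your firewall allows traffic only by domain, you may need to explicitly allow {props.domain}", is not carried over into any of the inlined replacements (the client orchestration, DoH and connectivity-check sections keep only the "WARP overrides the resolved IPs" sentence); if the domain-only-firewall guidance is still accurate, restore it in the new text, because that sentence is what tells an admin with a domain-based allowlist that the domain entry alone is not enough. Also confirm no other page still renders `partials/cloudflare-one/warp/firewall.mdx`, since a leftover `<Render>` of it would now point at a missing file.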
diff --git a/src/content/partials/learning-paths/zero-trust/install-agent.mdx b/src/content/partials/learning-paths/zero-trust/install-agent.mdx
index 7c33d8948a9911..f372f6f0deeb0f 100644
--- a/src/content/partials/learning-paths/zero-trust/install-agent.mdx
+++ b/src/content/partials/learning-paths/zero-trust/install-agent.mdx
@@ -10,7 +10,7 @@ Most admins test by manually downloading the WARP client and enrolling in your o
## Install WARP
1. First, uninstall any existing third-party VPN software if possible. Sometimes products placed in a disconnected or disabled state will still interfere with the WARP client.
-2. If you are running third-party firewall or TLS decryption software, verify that it does not inspect or block traffic to the WARP client orchestration IPs:
+2. If you are running third-party firewall or TLS decryption software, verify that it does not inspect or block traffic to the following destinations:
For more information, refer to [WARP with firewall](/cloudflare-one/team-and-resources/devices/warp/deployment/firewall/).
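Review bot: the rewritten step ends with a colon ("...block traffic to the following destinations:") but nothing in the hunk follows it before the "For more information" sentence; confirm that the `<Render>` of the `client-orchestration-ips` partial (updated earlier in this diff) is what fills that gap, otherwise the colon dangles. Since that partial now lists SNIs alongside the IPs, "destinations" rather than "orchestration IPs" is the right wording here.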