cloudflare · TownLake · Dec 16, 2020 · Dec 15, 2020 · Dec 15, 2020 · Dec 15, 2020
@@ -61,6 +61,9 @@ Here is a list of all the criteria you can apply:
 * **Service Token** - the request will need to present the correct service token headers configured for the specific application
 * **Identity provider groups** — employs the user groups (if supported) you configured with your identity provider (IdP) or LDAP with Access. The IdP group option only displays if you use an identity provider that passes groups using SAML or OAuth Scope.
 * **Authentication Method** - checks the [multifactor authentication](/learning/mfa-requirements) method used by the user, if supported by the identity provider.
+* **WARP** - checks if the Cloudflare WARP client is running on the machine.
+* **Gateway** - checks if your Gateway instance is running on the machine.
+
 
 ## Policy management
 

@@ -2,7 +2,7 @@
 order: 10
 ---
 
-# Teams Glossary
+# Glossary
 
 ## [Cloudflare for Teams](https://www.cloudflare.com/teams-home/)
 Cloudflare for Teams brings the power of Cloudflare’s global network to your internal teams and infrastructure. Teams empowers users with secure, fast and seamless access to any device on the Internet.

@@ -1,9 +1,8 @@
 ---
 order: 2
-hidden: true
 ---
 
-# Learning
+# Teams documentation
 
 We're building this section to help you make the most of your experience with Cloudflare for Teams. We plan on having learning materials, readings, and technical deep-dives about what you can do with our products and features.
 

@@ -1,5 +1,6 @@
 ---
 order: 2
+hidden: true
 ---
 
 # Policies
@@ -172,6 +173,109 @@ When a DNS query matches with a DNS policy, Gateway follows this order of operat
 
 <Aside>
 
+This feature is only available for Gateway and Teams paid plans. For more information, see the Cloudflare for Teams [pricing page](https://www.cloudflare.com/teams-pricing/).
+
+</Aside>
+
+You can decide to add a policy to filter HTTP traffic on the L7 firewall. Gateway will intercept all HTTP and HTTPS traffic and apply the rules you have configured in your policy to either block, allow, or override specific elements such as websites, IP addresses, and file types.
+
+You can build an HTTP policy by configuring the following elements:
+
+* **Actions**
+* **Expressions**
+* **Selectors**
+* **Operators**
+
+#### Actions
+
+Just like actions on destinations in DNS policies, actions in HTTP policies allow you to choose what to do with a given set of elements (domains, IP addresses, file types, and so on). You can assign one action per policy.
+
+These are the action types you can choose from:
+
+* **Allow** 
+* **Block** 
+* **Bypass**
+
+*Bypass* lets administrators bypass certain elements from inspection. Administrators who wish to bypass a site must match against the host in order to prevent HTTP inspection from occuring on both encrypted and plaintext traffic. The bypass action is only available when matching against the host criteria.
+
+#### Selectors
+Gateway matches HTTP traffic against the following selectors, or criteria:
+* **Host**
+* **URL**
+* **URL Query**
+* **URL Path**
+* **URL Path and Query**
+* **HTTP Method**
+* **HTTP Response**
+* **Uploaded and Downloaded File Extension**
+* **Uploaded and Downloaded Mime Type**
+* **Content categories**
+
+List of file extensions Gateway can match against:
+
+<TableWrap>
+
+| Image | Executable | Audio | Documents | Data | Compressed | System | Video |
+|------|------|-------|------|--------|--------|--------|-----|
+| avif | apk | m4a | doc | avro | 7z | bak | avi |
+| bmp | bat | mid | docx | csv | arj | cab | flv |
+| gif | bin | mp3 | odp | dat | bz2 | cpl | h264 |
+| ico | cgi | mpa | ods | dmg | deb | cur | m4v |
+| jpeg | com | wav | odt | iso | gz | emu | mkv |
+| png | dll | wma | pdf | json | lz | ini | mov |
+| psd | exe | ppt | | log | lz4 | scr | mp4 |
+| svg | hta | pptx | | mdb | lzh | sys | mpeg |
+| tif | jar | rtf | | nzb | lzma | tmp | wmv |
+| webp | moo | txt | | orc | pak
+|  | pif | xls | | parquet | rar
+|  | pl | xlsx | | rc | rpm
+|  | prg | | | sav | sz
+|  | | | | wasm | xz | | 
+|  |      | | | sql lite | z
+|  |      | | | tar | zip
+|  |      | | | toml | zlib |
+|  |      | | | torrent | zst |
+|  |      | | | xml |  |
+|  |      | | | yaml | | 
+
+</TableWrap>
+
+#### Operators
+Operators are the way Gateway matches traffic to a selector. Matching happens as follows:
+
+| Operator              |          Meaning
+|:---------------------:|:---------------------------:|
+|  is                   |  exact match, equals        |
+|  is not               |  all except exact match     |
+|  in                   |  in any of defined entries  |
+|  not in               |  not in defined entries     |
+|  matches regex        | regex evaluates to true         |
+|  does not match regex |  all except when regex evals to true   |
+
+#### Expressions
+Expressions are sets of conditions with which you can combine [selectors](#selectors) and [operators](#operators). By configuring one or more expressions, you can define the scope of your HTTP policy. 
+
+#### Example scenarios
+
+| Action | Selector | Operator | 
+| ------ | ---- | -------- | 
+| Block  | Content categories | in: `Gaming` | 
+
+**Result**: this configuration blocks any traffic to domains categorized as `Gaming`. 
+
+#### FAQ
+
+* **How can I bypass the L7 firewall for a website?**
+
+Cloudflare Gateway uses the hostname in the HTTP CONNECT header to identify the destination of the request. Administrators who wish to bypass a site must match against the host in order to prevent HTTP inspection from occurring on both encrypted and plaintext traffic. The **bypass** action is only available when matching against the **host** criteria.
+Bypassing the L7 firewall results in no HTTP traffic inspection and logging is disabled for that HTTP session.
+
+* **In what order are rules evaluated?**
+
+The L7 firewall evaluates rules starting with the rule containing the lowest precedence (e.g., rule number one). Rules with a higher value precedence are evaluated after those with a lower value.
+
+<Aside>
+
 This feature is only available on the **Teams Enterprise plan**. For more information, see the Cloudflare for Teams [pricing page](https://www.cloudflare.com/teams-pricing/).
 
 </Aside>

@@ -0,0 +1,28 @@
+---
+order: 2
+---
+
+#  Enforce Gateway or WARP for Access
+
+With Access, you can require that all traffic to specific applications is monitored by Cloudflare Gateway. With Gateway protecting and filtering all requests to your applications, you will be able to see all user traffic and activity in each of these applications, broken down by user and device.
+
+Alternatively, you can require users to run WARP (Cloudflare's secure and modern VPN) in order to access an application. This ensures that all user traffic is encrypted and routed through Cloudflare.
+
+You can choose to require Gateway or WARP by configuring dedicated actions within your Access policies.
+
+The first step you need to take in order to require Gateway or WARP is to add a device posture integration.
+
+To do that:
+
+1. Log in to your [Teams dashboard](https://dash.teams.cloudflare.com/) and navigate to **Access > Authentication > Device Posture**.
+2. Select **Gateway** if you’d like to require all traffic to flow through your Gateway instance. Select **WARP** if you’d like to require all traffic to flow through Cloudflare’s VPN.
+
+![Device Posture](../static/require-gateway/device-posture.png)
+
+You are now ready to start requiring Gateway for your Access applications:
+
+1. Log in to your **Access** dashboard and open an application’s policy.
+
+1. In the policy, add an **Include** or **Require** rule with the option *Gateway* selected. If you'd like to require WARP instead, select *WARP*.
+
+The policy will now check that the Gateway instance, or the WARP client, is running on a user's machine before granting them access to the application.