
Gateway

Get Zero Trust account information
client.ZeroTrust.Gateway.List(ctx, query) (*GatewayListResponse, error)
GET /accounts/{account_id}/gateway
Create Zero Trust account
client.ZeroTrust.Gateway.New(ctx, body) (*GatewayNewResponse, error)
POST /accounts/{account_id}/gateway

Gateway Audit SSH Settings

Get Zero Trust SSH settings
client.ZeroTrust.Gateway.AuditSSHSettings.Get(ctx, query) (*GatewaySettings, error)
GET /accounts/{account_id}/gateway/audit_ssh_settings
Update Zero Trust SSH settings
client.ZeroTrust.Gateway.AuditSSHSettings.Update(ctx, params) (*GatewaySettings, error)
PUT /accounts/{account_id}/gateway/audit_ssh_settings
Rotate Zero Trust SSH account seed
client.ZeroTrust.Gateway.AuditSSHSettings.RotateSeed(ctx, body) (*GatewaySettings, error)
POST /accounts/{account_id}/gateway/audit_ssh_settings/rotate_seed
Models
type GatewaySettings struct{…}
CreatedAt Timeoptional
formatdate-time
PublicKey stringoptional
SeedID stringoptional

Identify the seed ID.

maxLength36
UpdatedAt Timeoptional
formatdate-time

Gateway Categories

List categories
client.ZeroTrust.Gateway.Categories.List(ctx, query) (*SinglePage[Category], error)
GET /accounts/{account_id}/gateway/categories
Models
type Category struct{…}
ID int64optional

Identify this category. Only one category per ID.

Beta booloptional

Indicate whether the category is in beta and subject to change.

Class CategoryClassoptional

Specify which account types can create policies for this category. blocked: blocks unconditionally for all accounts. removalPending: allows removal from policies but disables addition. noBlock: prevents blocking.

One of the following:
const CategoryClassFree CategoryClass = "free"
const CategoryClassPremium CategoryClass = "premium"
const CategoryClassBlocked CategoryClass = "blocked"
const CategoryClassRemovalPending CategoryClass = "removalPending"
const CategoryClassNoBlock CategoryClass = "noBlock"
Description stringoptional

Provide a short summary of domains in the category.

Name stringoptional

Specify the category name.

Subcategories []CategorySubcategoryoptional

Provide all subcategories for this category.

ID int64optional

Identify this category. Only one category per ID.

Beta booloptional

Indicate whether the category is in beta and subject to change.

Class CategorySubcategoriesClassoptional

Specify which account types can create policies for this category. blocked: blocks unconditionally for all accounts. removalPending: allows removal from policies but disables addition. noBlock: prevents blocking.

One of the following:
const CategorySubcategoriesClassFree CategorySubcategoriesClass = "free"
const CategorySubcategoriesClassPremium CategorySubcategoriesClass = "premium"
const CategorySubcategoriesClassBlocked CategorySubcategoriesClass = "blocked"
const CategorySubcategoriesClassRemovalPending CategorySubcategoriesClass = "removalPending"
const CategorySubcategoriesClassNoBlock CategorySubcategoriesClass = "noBlock"
Description stringoptional

Provide a short summary of domains in the category.

Name stringoptional

Specify the category name.

Gateway App Types

List application and application type mappings
client.ZeroTrust.Gateway.AppTypes.List(ctx, query) (*SinglePage[AppType], error)
GET /accounts/{account_id}/gateway/app_types
Models
type AppType interface{…}
One of the following:
type AppTypeZeroTrustGatewayApplication struct{…}
ID int64optional

Identify this application. Only one application per ID.

ApplicationTypeID int64optional

Identify the type of this application. Multiple applications can share the same type. Refers to the id of a returned application type.

CreatedAt Timeoptional
formatdate-time
Name stringoptional

Specify the name of the application or application type.

type AppTypeZeroTrustGatewayApplicationType struct{…}
ID int64optional

Identify the type of this application. Multiple applications can share the same type. Refers to the id of a returned application type.

CreatedAt Timeoptional
formatdate-time
Description stringoptional

Provide a short summary of applications with this type.

Name stringoptional

Specify the name of the application or application type.

Gateway Configurations

Get Zero Trust account configuration
client.ZeroTrust.Gateway.Configurations.Get(ctx, query) (*GatewayConfigurationGetResponse, error)
GET /accounts/{account_id}/gateway/configuration
Update Zero Trust account configuration
client.ZeroTrust.Gateway.Configurations.Update(ctx, params) (*GatewayConfigurationUpdateResponse, error)
PUT /accounts/{account_id}/gateway/configuration
Patch Zero Trust account configuration
client.ZeroTrust.Gateway.Configurations.Edit(ctx, params) (*GatewayConfigurationEditResponse, error)
PATCH /accounts/{account_id}/gateway/configuration
Models
type ActivityLogSettings struct{…}

Specify activity log settings.

Enabled booloptional

Specify whether to log activity.

type AntiVirusSettings struct{…}

Specify anti-virus settings.

EnabledDownloadPhase booloptional

Specify whether to enable anti-virus scanning on downloads.

EnabledUploadPhase booloptional

Specify whether to enable anti-virus scanning on uploads.

FailClosed booloptional

Specify whether to block requests for unscannable files.

NotificationSettings NotificationSettingsoptional

Configure the message the user's device shows during an antivirus scan.

type BlockPageSettings struct{…}

Specify block page layout settings.

BackgroundColor stringoptional

Specify the block page background color in #rrggbb format when the mode is customized_block_page.

Enabled booloptional

Specify whether to enable the custom block page.

HeaderText stringoptional

Specify the block page header text when the mode is customized_block_page.

IncludeContext booloptional

Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.

LogoPath stringoptional

Specify the full URL to the logo file when the mode is customized_block_page.

MailtoAddress stringoptional

Specify the admin email for users to contact when the mode is customized_block_page.

MailtoSubject stringoptional

Specify the subject line for emails created from the block page when the mode is customized_block_page.

Mode BlockPageSettingsModeoptional

Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.

One of the following:
const BlockPageSettingsModeEmpty BlockPageSettingsMode = ""
const BlockPageSettingsModeCustomizedBlockPage BlockPageSettingsMode = "customized_block_page"
const BlockPageSettingsModeRedirectURI BlockPageSettingsMode = "redirect_uri"
Name stringoptional

Specify the block page title when the mode is customized_block_page.

ReadOnly booloptional

Indicate that this setting was shared via the Orgs API and is read only for the current account.

SourceAccount stringoptional

Indicate the account tag of the account that shared this setting.

TargetURI stringoptional

Specify the URI to redirect users to when the mode is redirect_uri.

formaturi
Version int64optional

Indicate the version number of the setting.

type BodyScanningSettings struct{…}

Specify the DLP inspection mode.

InspectionMode BodyScanningSettingsInspectionModeoptional

Specify the inspection mode as either deep or shallow.

One of the following:
const BodyScanningSettingsInspectionModeDeep BodyScanningSettingsInspectionMode = "deep"
const BodyScanningSettingsInspectionModeShallow BodyScanningSettingsInspectionMode = "shallow"
type BrowserIsolationSettings struct{…}

Specify Clientless Browser Isolation settings.

NonIdentityEnabled booloptional

Specify whether to enable non-identity onramp support for Browser Isolation.

URLBrowserIsolationEnabled booloptional

Specify whether to enable Clientless Browser Isolation.

type CustomCertificateSettings struct{…}

Specify custom certificate settings for BYO-PKI. This field is deprecated; use certificate instead.

Enabled bool

Specify whether to enable a custom certificate authority for signing Gateway traffic.

ID stringoptional

Specify the UUID of the certificate (ID from MTLS certificate store).

BindingStatus stringoptional

Indicate the internal certificate status.

UpdatedAt Timeoptional
formatdate-time
type ExtendedEmailMatching struct{…}

Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses . or + modifiers.

Enabled booloptional

Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.

ReadOnly booloptional

Indicate that this setting was shared via the Orgs API and is read only for the current account.

SourceAccount stringoptional

Indicate the account tag of the account that shared this setting.

Version int64optional

Indicate the version number of the setting.

type FipsSettings struct{…}

Specify FIPS settings.

TLS booloptional

Enforce cipher suites and TLS versions compliant with FIPS 140-2.

type GatewayConfigurationSettings struct{…}

Specify account settings.

ActivityLog ActivityLogSettingsoptional

Specify activity log settings.

Antivirus AntiVirusSettingsoptional

Specify anti-virus settings.

BlockPage BlockPageSettingsoptional

Specify block page layout settings.

BodyScanning BodyScanningSettingsoptional

Specify the DLP inspection mode.

BrowserIsolation BrowserIsolationSettingsoptional

Specify Clientless Browser Isolation settings.

Certificate GatewayConfigurationSettingsCertificateoptional

Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.

ID string

Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.

DeprecatedCustomCertificate CustomCertificateSettingsoptional

Specify custom certificate settings for BYO-PKI. This field is deprecated; use certificate instead.

ExtendedEmailMatching ExtendedEmailMatchingoptional

Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses . or + modifiers.

Fips FipsSettingsoptional

Specify FIPS settings.

HostSelector GatewayConfigurationSettingsHostSelectoroptional

Enable host selection in egress policies.

Enabled booloptional

Specify whether to enable filtering via hosts for egress policies.

Inspection GatewayConfigurationSettingsInspectionoptional

Define the proxy inspection mode.

Mode GatewayConfigurationSettingsInspectionModeoptional

Define the proxy inspection mode.
1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.

One of the following:
const GatewayConfigurationSettingsInspectionModeStatic GatewayConfigurationSettingsInspectionMode = "static"
const GatewayConfigurationSettingsInspectionModeDynamic GatewayConfigurationSettingsInspectionMode = "dynamic"
ProtocolDetection ProtocolDetectionoptional

Specify whether to detect protocols from the initial bytes of client traffic.

Sandbox GatewayConfigurationSettingsSandboxoptional

Specify whether to enable the sandbox.

Enabled booloptional

Specify whether to enable the sandbox.

FallbackAction GatewayConfigurationSettingsSandboxFallbackActionoptional

Specify the action to take when the system cannot scan the file.

One of the following:
const GatewayConfigurationSettingsSandboxFallbackActionAllow GatewayConfigurationSettingsSandboxFallbackAction = "allow"
const GatewayConfigurationSettingsSandboxFallbackActionBlock GatewayConfigurationSettingsSandboxFallbackAction = "block"
TLSDecrypt TLSSettingsoptional

Specify whether to inspect encrypted HTTP traffic.

type NotificationSettings struct{…}

Configure the message the user's device shows during an antivirus scan.

Enabled booloptional

Specify whether to enable notifications.

IncludeContext booloptional

Specify whether to include context information as query parameters.

Msg stringoptional

Specify the message to show in the notification.

SupportURL stringoptional

Specify a URL that directs users to more information. If unset, the notification opens a block page.

type ProtocolDetection struct{…}

Specify whether to detect protocols from the initial bytes of client traffic.

Enabled booloptional

Specify whether to detect protocols from the initial bytes of client traffic.

type TLSSettings struct{…}

Specify whether to inspect encrypted HTTP traffic.

Enabled booloptional

Specify whether to inspect encrypted HTTP traffic.
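
An added example (not code from the SDK or from this reference): a Go audit over the configuration fields documented above that flags fail-open scanning, uninspected HTTPS, and a context-carrying block-page redirect to a non-HTTPS target. The Settings struct is a flattened local stand-in for GatewayConfigurationSettings, and the finding IDs and the choice of which combinations to flag are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Settings is a flattened local mirror of the fields documented under
// GatewayConfigurationSettings. It is a stand-in for illustration only,
// not the SDK's own type.
type Settings struct {
	ActivityLogEnabled      bool   // ActivityLog.Enabled
	AVDownload, AVUpload    bool   // Antivirus.EnabledDownloadPhase / EnabledUploadPhase
	AVFailClosed            bool   // Antivirus.FailClosed
	SandboxEnabled          bool   // Sandbox.Enabled
	SandboxFallbackAction   string // Sandbox.FallbackAction: "allow" or "block"
	InspectionMode          string // Inspection.Mode: "static" or "dynamic"
	TLSDecryptEnabled       bool   // TLSDecrypt.Enabled
	BlockPageMode           string // BlockPage.Mode
	BlockPageTargetURI      string // BlockPage.TargetURI
	BlockPageIncludeContext bool   // BlockPage.IncludeContext
	CertificateID           string // Certificate.ID
	DeprecatedCustomCertOn  bool   // DeprecatedCustomCertificate.Enabled
}

// Finding is one audit result; the IDs are names invented for this example.
type Finding struct{ ID, Detail string }

// Audit flags settings that leave traffic unlogged, unscanned or uninspected.
func Audit(s Settings) []Finding {
	var out []Finding
	add := func(id, detail string) { out = append(out, Finding{id, detail}) }

	if !s.ActivityLogEnabled {
		add("activity-log-off", "activity logging is disabled")
	}
	if (s.AVDownload || s.AVUpload) && !s.AVFailClosed {
		add("av-fail-open", "AV scanning is on but unscannable files are not blocked")
	}
	if s.SandboxEnabled && s.SandboxFallbackAction != "block" {
		add("sandbox-fail-open", "files the sandbox cannot scan are allowed")
	}
	if !s.TLSDecryptEnabled {
		add("https-uninspected", "TLS decryption is off, so HTTPS is not inspected in either mode")
	}
	if s.InspectionMode == "static" {
		add("static-ports-only", "static mode inspects only TCP 80 and, with decryption, TCP/UDP 443")
	}
	if s.BlockPageMode == "redirect_uri" && s.BlockPageIncludeContext {
		// Context is appended to target_uri as query parameters, so check the scheme.
		u, err := url.Parse(s.BlockPageTargetURI)
		if err != nil || u.Scheme != "https" || u.Host == "" {
			add("context-to-non-https", "block context is appended to a target_uri that is not https")
		}
	}
	if s.DeprecatedCustomCertOn && s.CertificateID == "" {
		add("deprecated-cert-field", "interception CA set via the deprecated field; use Certificate")
	}
	return out
}

// IDs joins finding IDs in emission order for logging or comparison.
func IDs(fs []Finding) string {
	ids := make([]string, 0, len(fs))
	for _, f := range fs {
		ids = append(ids, f.ID)
	}
	return strings.Join(ids, ",")
}

// WeakSample and HardenedSample are constructed inputs, not real account data.
func WeakSample() Settings {
	return Settings{
		AVDownload: true, SandboxEnabled: true, SandboxFallbackAction: "allow",
		InspectionMode: "static", BlockPageMode: "redirect_uri",
		BlockPageTargetURI:      "http://blocked.example.test/notice",
		BlockPageIncludeContext: true, DeprecatedCustomCertOn: true,
	}
}

func HardenedSample() Settings {
	return Settings{
		ActivityLogEnabled: true, AVDownload: true, AVUpload: true, AVFailClosed: true,
		SandboxEnabled: true, SandboxFallbackAction: "block",
		InspectionMode: "dynamic", TLSDecryptEnabled: true,
		BlockPageMode: "redirect_uri", BlockPageTargetURI: "https://blocked.example.test/notice",
		BlockPageIncludeContext: true,
		CertificateID:           "00000000-0000-4000-8000-000000000001", // constructed placeholder
	}
}

func main() {
	for _, f := range Audit(WeakSample()) {
		fmt.Printf("%-22s %s\n", f.ID, f.Detail)
	}
	fmt.Println("hardened findings:", len(Audit(HardenedSample())))
}
```

To run it against a live account, populate Settings from the response of the Configurations.Get call listed above.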

Gateway Configurations Custom Certificate

Get Zero Trust certificate configuration
Deprecated
client.ZeroTrust.Gateway.Configurations.CustomCertificate.Get(ctx, query) (*CustomCertificateSettings, error)
GET /accounts/{account_id}/gateway/configuration/custom_certificate

Gateway Lists

List Zero Trust lists
client.ZeroTrust.Gateway.Lists.List(ctx, params) (*SinglePage[GatewayList], error)
GET /accounts/{account_id}/gateway/lists
Get Zero Trust list details
client.ZeroTrust.Gateway.Lists.Get(ctx, listID, query) (*GatewayList, error)
GET /accounts/{account_id}/gateway/lists/{list_id}
Create Zero Trust list
client.ZeroTrust.Gateway.Lists.New(ctx, params) (*GatewayListNewResponse, error)
POST /accounts/{account_id}/gateway/lists
Update Zero Trust list
client.ZeroTrust.Gateway.Lists.Update(ctx, listID, params) (*GatewayList, error)
PUT /accounts/{account_id}/gateway/lists/{list_id}
Patch Zero Trust list
client.ZeroTrust.Gateway.Lists.Edit(ctx, listID, params) (*GatewayList, error)
PATCH /accounts/{account_id}/gateway/lists/{list_id}
Delete Zero Trust list
client.ZeroTrust.Gateway.Lists.Delete(ctx, listID, body) (*GatewayListDeleteResponse, error)
DELETE /accounts/{account_id}/gateway/lists/{list_id}
Models
type GatewayItem struct{…}
CreatedAt Timeoptional
formatdate-time
Description stringoptional

Provide the list item description (optional).

minimum0
Value stringoptional

Specify the item value.

type GatewayList struct{…}
ID stringoptional

Identify the API resource with a UUID.

maxLength36
Count float64optional

Indicate the number of items in the list.

CreatedAt Timeoptional
formatdate-time
Description stringoptional

Provide the list description.

Items []GatewayItemoptional

Provide the list items.

CreatedAt Timeoptional
formatdate-time
Description stringoptional

Provide the list item description (optional).

minimum0
Value stringoptional

Specify the item value.

Name stringoptional

Specify the list name.

Type GatewayListTypeoptional

Specify the list type.

One of the following:
const GatewayListTypeSerial GatewayListType = "SERIAL"
const GatewayListTypeURL GatewayListType = "URL"
const GatewayListTypeDomain GatewayListType = "DOMAIN"
const GatewayListTypeEmail GatewayListType = "EMAIL"
const GatewayListTypeIP GatewayListType = "IP"
const GatewayListTypeCategory GatewayListType = "CATEGORY"
const GatewayListTypeLocation GatewayListType = "LOCATION"
const GatewayListTypeDevice GatewayListType = "DEVICE"
UpdatedAt Timeoptional
formatdate-time

Gateway Lists Items

Get Zero Trust list items
client.ZeroTrust.Gateway.Lists.Items.List(ctx, listID, query) (*SinglePage[[]GatewayItem], error)
GET /accounts/{account_id}/gateway/lists/{list_id}/items

Gateway Locations

List Zero Trust Gateway locations
client.ZeroTrust.Gateway.Locations.List(ctx, query) (*SinglePage[Location], error)
GET /accounts/{account_id}/gateway/locations
Get Zero Trust Gateway location details
client.ZeroTrust.Gateway.Locations.Get(ctx, locationID, query) (*Location, error)
GET /accounts/{account_id}/gateway/locations/{location_id}
Create a Zero Trust Gateway location
client.ZeroTrust.Gateway.Locations.New(ctx, params) (*Location, error)
POST /accounts/{account_id}/gateway/locations
Update a Zero Trust Gateway location
client.ZeroTrust.Gateway.Locations.Update(ctx, locationID, params) (*Location, error)
PUT /accounts/{account_id}/gateway/locations/{location_id}
Delete a Zero Trust Gateway location
client.ZeroTrust.Gateway.Locations.Delete(ctx, locationID, body) (*GatewayLocationDeleteResponse, error)
DELETE /accounts/{account_id}/gateway/locations/{location_id}
Models
type DOHEndpoint struct{…}
Enabled booloptional

Indicate whether the DOH endpoint is enabled for this location.

Networks []IPNetworkoptional

Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

Network string

Specify the IP address or IP CIDR.

RequireToken booloptional

Specify whether the DOH endpoint requires user identity authentication.

type DOTEndpoint struct{…}
Enabled booloptional

Indicate whether the DOT endpoint is enabled for this location.

Networks []IPNetworkoptional

Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

Network string

Specify the IP address or IP CIDR.

type Endpoint struct{…}

Configure the destination endpoints for this location.

type IPNetwork struct{…}
Network string

Specify the IP address or IP CIDR.

type IPV4Endpoint struct{…}
Enabled booloptional

Indicate whether the IPv4 endpoint is enabled for this location.

type IPV6Endpoint struct{…}
Enabled booloptional

Indicate whether the IPv6 endpoint is enabled for this location.

Networks []IPV6Networkoptional

Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

Network string

Specify the IPv6 address or IPv6 CIDR.

type IPV6Network struct{…}
Network string

Specify the IPv6 address or IPv6 CIDR.

type Location struct{…}
ID stringoptional
ClientDefault booloptional

Indicate whether this location is the default location.

CreatedAt Timeoptional
formatdate-time
DNSDestinationIPsID stringoptional

Indicate the identifier of the pair of IPv4 addresses assigned to this location.

DNSDestinationIPV6BlockID stringoptional

Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block.

DOHSubdomain stringoptional

Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value.

ECSSupport booloptional

Indicate whether the location must resolve EDNS queries.

Endpoints Endpointoptional

Configure the destination endpoints for this location.

IP stringoptional

Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.

IPV4Destination stringoptional

Show the primary destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only.

IPV4DestinationBackup stringoptional

Show the backup destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only.

Name stringoptional

Specify the location name.

Networks []LocationNetworkoptional

Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.

Network string

Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.

UpdatedAt Timeoptional
formatdate-time

Gateway Logging

Get logging settings for the Zero Trust account
client.ZeroTrust.Gateway.Logging.Get(ctx, query) (*LoggingSetting, error)
GET /accounts/{account_id}/gateway/logging
Update Zero Trust account logging settings
client.ZeroTrust.Gateway.Logging.Update(ctx, params) (*LoggingSetting, error)
PUT /accounts/{account_id}/gateway/logging
Models
type LoggingSetting struct{…}
RedactPii booloptional

Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent).

SettingsByRuleType LoggingSettingSettingsByRuleTypeoptional

Configure logging settings for each rule type.

DNS LoggingSettingSettingsByRuleTypeDNSoptional

Configure logging settings for DNS firewall.

LogAll booloptional

Specify whether to log all requests to this service.

LogBlocks booloptional

Specify whether to log only blocking requests to this service.

HTTP LoggingSettingSettingsByRuleTypeHTTPoptional

Configure logging settings for HTTP/HTTPS firewall.

LogAll booloptional

Specify whether to log all requests to this service.

LogBlocks booloptional

Specify whether to log only blocking requests to this service.

L4 LoggingSettingSettingsByRuleTypeL4optional

Configure logging settings for Network firewall.

LogAll booloptional

Specify whether to log all requests to this service.

LogBlocks booloptional

Specify whether to log only blocking requests to this service.

Gateway Proxy Endpoints

List proxy endpoints
client.ZeroTrust.Gateway.ProxyEndpoints.List(ctx, query) (*SinglePage[ProxyEndpoint], error)
GET /accounts/{account_id}/gateway/proxy_endpoints
Get a proxy endpoint
client.ZeroTrust.Gateway.ProxyEndpoints.Get(ctx, proxyEndpointID, query) (*ProxyEndpoint, error)
GET /accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}
Create a proxy endpoint
client.ZeroTrust.Gateway.ProxyEndpoints.New(ctx, params) (*ProxyEndpoint, error)
POST /accounts/{account_id}/gateway/proxy_endpoints
Update a proxy endpoint
client.ZeroTrust.Gateway.ProxyEndpoints.Edit(ctx, proxyEndpointID, params) (*ProxyEndpoint, error)
PATCH /accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}
Delete a proxy endpoint
client.ZeroTrust.Gateway.ProxyEndpoints.Delete(ctx, proxyEndpointID, body) (*GatewayProxyEndpointDeleteResponse, error)
DELETE /accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}
Models
type GatewayIPs string

Specify an IPv4 or IPv6 CIDR. Limit IPv6 to a maximum of /109 and IPv4 to a maximum of /25.

type ProxyEndpoint interface{…}
One of the following:
type ProxyEndpointZeroTrustGatewayProxyEndpointIP struct{…}

Specify the list of CIDRs to restrict ingress connections.

Name string

Specify the name of the proxy endpoint.

ID stringoptional
CreatedAt Timeoptional
formatdate-time
Kind ProxyEndpointZeroTrustGatewayProxyEndpointIPKindoptional

The proxy endpoint kind

Subdomain stringoptional

Specify the subdomain to use as the destination in the proxy client.

UpdatedAt Timeoptional
formatdate-time
type ProxyEndpointZeroTrustGatewayProxyEndpointIdentity struct{…}
Kind ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind

The proxy endpoint kind

Name string

Specify the name of the proxy endpoint.

ID stringoptional
CreatedAt Timeoptional
formatdate-time
Subdomain stringoptional

Specify the subdomain to use as the destination in the proxy client.

UpdatedAt Timeoptional
formatdate-time

Gateway Rules

List Zero Trust Gateway rules
client.ZeroTrust.Gateway.Rules.List(ctx, query) (*SinglePage[GatewayRule], error)
GET /accounts/{account_id}/gateway/rules
Get Zero Trust Gateway rule details
client.ZeroTrust.Gateway.Rules.Get(ctx, ruleID, query) (*GatewayRule, error)
GET /accounts/{account_id}/gateway/rules/{rule_id}
Create a Zero Trust Gateway rule
client.ZeroTrust.Gateway.Rules.New(ctx, params) (*GatewayRule, error)
POST /accounts/{account_id}/gateway/rules
Update a Zero Trust Gateway rule
client.ZeroTrust.Gateway.Rules.Update(ctx, ruleID, params) (*GatewayRule, error)
PUT /accounts/{account_id}/gateway/rules/{rule_id}
Delete a Zero Trust Gateway rule
client.ZeroTrust.Gateway.Rules.Delete(ctx, ruleID, body) (*GatewayRuleDeleteResponse, error)
DELETE /accounts/{account_id}/gateway/rules/{rule_id}
List Zero Trust Gateway rules inherited from the parent account
client.ZeroTrust.Gateway.Rules.ListTenant(ctx, query) (*SinglePage[GatewayRule], error)
GET /accounts/{account_id}/gateway/rules/tenant
Reset the expiration of a Zero Trust Gateway Rule
client.ZeroTrust.Gateway.Rules.ResetExpiration(ctx, ruleID, body) (*GatewayRule, error)
POST /accounts/{account_id}/gateway/rules/{rule_id}/reset_expiration
Models
type DNSResolverSettingsV4 struct{…}
IP string

Specify the IPv4 address of the upstream resolver.

Port int64optional

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

RouteThroughPrivateNetwork booloptional

Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.

VnetID stringoptional

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

type DNSResolverSettingsV6 struct{…}
IP string

Specify the IPv6 address of the upstream resolver.

Port int64optional

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

RouteThroughPrivateNetwork booloptional

Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.

VnetID stringoptional

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

type GatewayFilter string

Specify the protocol or layer to use.

One of the following:
const GatewayFilterHTTP GatewayFilter = "http"
const GatewayFilterDNS GatewayFilter = "dns"
const GatewayFilterL4 GatewayFilter = "l4"
const GatewayFilterEgress GatewayFilter = "egress"
const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"
type GatewayRule struct{…}
Action GatewayRuleAction

Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to true.

One of the following:
const GatewayRuleActionOn GatewayRuleAction = "on"
const GatewayRuleActionOff GatewayRuleAction = "off"
const GatewayRuleActionAllow GatewayRuleAction = "allow"
const GatewayRuleActionBlock GatewayRuleAction = "block"
const GatewayRuleActionScan GatewayRuleAction = "scan"
const GatewayRuleActionNoscan GatewayRuleAction = "noscan"
const GatewayRuleActionSafesearch GatewayRuleAction = "safesearch"
const GatewayRuleActionYtrestricted GatewayRuleAction = "ytrestricted"
const GatewayRuleActionIsolate GatewayRuleAction = "isolate"
const GatewayRuleActionNoisolate GatewayRuleAction = "noisolate"
const GatewayRuleActionOverride GatewayRuleAction = "override"
const GatewayRuleActionL4Override GatewayRuleAction = "l4_override"
const GatewayRuleActionEgress GatewayRuleAction = "egress"
const GatewayRuleActionResolve GatewayRuleAction = "resolve"
const GatewayRuleActionQuarantine GatewayRuleAction = "quarantine"
const GatewayRuleActionRedirect GatewayRuleAction = "redirect"
Enabled bool

Specify whether the rule is enabled.

Filters []GatewayFilter

Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.

One of the following:
const GatewayFilterHTTP GatewayFilter = "http"
const GatewayFilterDNS GatewayFilter = "dns"
const GatewayFilterL4 GatewayFilter = "l4"
const GatewayFilterEgress GatewayFilter = "egress"
const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"
Name string

Specify the rule name.

Precedence int64

Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to Order of enforcement to manage precedence via Terraform.

Traffic string

Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

ID stringoptional

Identify the API resource with a UUID.

maxLength36
CreatedAt Timeoptional
formatdate-time
DeletedAt Timeoptional

Indicate the date of deletion, if any.

formatdate-time
Description stringoptional

Specify the rule description.

DevicePosture stringoptional

Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

Expiration GatewayRuleExpirationoptional

Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's schedule configuration, if any. This does not apply to HTTP or network policies. Settable only for dns rules.

ExpiresAt Time

Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.

formatdate-time
Duration int64optional

Defines the default duration, in minutes, that a policy is active. Must be set in order to use the reset_expiration endpoint on this rule.

minimum5
Expired booloptional

Indicates whether the policy is expired.

Identity stringoptional

Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

ReadOnly booloptional

Indicate that this rule is shared via the Orgs API and read only.

RuleSettings RuleSettingoptional

Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.

Schedule Scheduleoptional

Defines the schedule for activating DNS policies. Settable only for dns and dns_resolver rules.

Sharable booloptional

Indicate that this rule is sharable via the Orgs API.

SourceAccount stringoptional

Provide the account tag of the account that created the rule.

UpdatedAt Timeoptional
formatdate-time
Version int64optional

Indicate the version number of the rule (read-only).

WarningStatus stringoptional

Indicate a warning for a misconfigured rule, if any.

type RuleSetting struct{…}

Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.

AddHeaders map[string, []string]optional

Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for http rules with the action set to allow.

AllowChildBypass booloptional

Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.

AuditSSH RuleSettingAuditSSHoptional

Define the settings for the Audit SSH action. Settable only for l4 rules with audit_ssh action.

CommandLogging booloptional

Enable SSH command logging.

BISOAdminControls RuleSettingBISOAdminControlsoptional

Configure browser isolation behavior. Settable only for http rules with the action set to isolate.

Copy RuleSettingBISOAdminControlsCopyoptional

Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".

One of the following:
const RuleSettingBISOAdminControlsCopyEnabled RuleSettingBISOAdminControlsCopy = "enabled"
const RuleSettingBISOAdminControlsCopyDisabled RuleSettingBISOAdminControlsCopy = "disabled"
const RuleSettingBISOAdminControlsCopyRemoteOnly RuleSettingBISOAdminControlsCopy = "remote_only"
DCP booloptional

Set to false to enable copy-pasting. Only applies when version == "v1".

DD booloptional

Set to false to enable downloading. Only applies when version == "v1".

DK booloptional

Set to false to enable keyboard usage. Only applies when version == "v1".

Download RuleSettingBISOAdminControlsDownloadoptional

Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".

One of the following:
const RuleSettingBISOAdminControlsDownloadEnabled RuleSettingBISOAdminControlsDownload = "enabled"
const RuleSettingBISOAdminControlsDownloadDisabled RuleSettingBISOAdminControlsDownload = "disabled"
const RuleSettingBISOAdminControlsDownloadRemoteOnly RuleSettingBISOAdminControlsDownload = "remote_only"
DP booloptional

Set to false to enable printing. Only applies when version == "v1".

DU booloptional

Set to false to enable uploading. Only applies when version == "v1".

Keyboard RuleSettingBISOAdminControlsKeyboardoptional

Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".

One of the following:
const RuleSettingBISOAdminControlsKeyboardEnabled RuleSettingBISOAdminControlsKeyboard = "enabled"
const RuleSettingBISOAdminControlsKeyboardDisabled RuleSettingBISOAdminControlsKeyboard = "disabled"
Paste RuleSettingBISOAdminControlsPasteoptional

Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".

One of the following:
const RuleSettingBISOAdminControlsPasteEnabled RuleSettingBISOAdminControlsPaste = "enabled"
const RuleSettingBISOAdminControlsPasteDisabled RuleSettingBISOAdminControlsPaste = "disabled"
const RuleSettingBISOAdminControlsPasteRemoteOnly RuleSettingBISOAdminControlsPaste = "remote_only"
Printing RuleSettingBISOAdminControlsPrintingoptional

Configure print behavior. By default, printing is enabled. Applies only when version == "v2".

One of the following:
const RuleSettingBISOAdminControlsPrintingEnabled RuleSettingBISOAdminControlsPrinting = "enabled"
const RuleSettingBISOAdminControlsPrintingDisabled RuleSettingBISOAdminControlsPrinting = "disabled"
Upload RuleSettingBISOAdminControlsUploadoptional

Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".

One of the following:
const RuleSettingBISOAdminControlsUploadEnabled RuleSettingBISOAdminControlsUpload = "enabled"
const RuleSettingBISOAdminControlsUploadDisabled RuleSettingBISOAdminControlsUpload = "disabled"
Version RuleSettingBISOAdminControlsVersionoptional

Indicate which version of the browser isolation controls should apply.

One of the following:
const RuleSettingBISOAdminControlsVersionV1 RuleSettingBISOAdminControlsVersion = "v1"
const RuleSettingBISOAdminControlsVersionV2 RuleSettingBISOAdminControlsVersion = "v2"
BlockPage RuleSettingBlockPageoptional

Configure custom block page settings. If missing or null, use the account settings. Settable only for http rules with the action set to block.

TargetURI string

Specify the URI to which the user is redirected.

formaturi
IncludeContext booloptional

Specify whether to pass the context information as query parameters.

BlockPageEnabled booloptional

Enable the custom block page. Settable only for dns rules with action block.

BlockReason stringoptional

Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for dns, l4, and http rules when the action is set to block.

BypassParentRule booloptional

Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.

CheckSession RuleSettingCheckSessionoptional

Configure session check behavior. Settable only for l4 and http rules with the action set to allow.

Duration stringoptional

Sets the required session freshness threshold. The API returns a normalized version of this value.

Enforce booloptional

Enable session enforcement.

DNSResolvers RuleSettingDNSResolversoptional

Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for dns_resolver rules.

IPV4 []DNSResolverSettingsV4optional
IP string

Specify the IPv4 address of the upstream resolver.

Port int64optional

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

RouteThroughPrivateNetwork booloptional

Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.

VnetID stringoptional

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

IPV6 []DNSResolverSettingsV6optional
IP string

Specify the IPv6 address of the upstream resolver.

Port int64optional

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

RouteThroughPrivateNetwork booloptional

Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.

VnetID stringoptional

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

Egress RuleSettingEgressoptional

Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for egress rules.

IPV4 stringoptional

Specify the IPv4 address to use for egress.

IPV4Fallback stringoptional

Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.

IPV6 stringoptional

Specify the IPv6 range to use for egress.

ForensicCopy RuleSettingForensicCopyoptional

Configure whether a copy of the HTTP request will be sent to storage when the rule matches.

Enabled booloptional

Enable sending the copy to storage.

IgnoreCNAMECategoryMatches booloptional

Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for dns and dns_resolver rules.

InsecureDisableDNSSECValidation booloptional

Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for dns rules.

IPCategories booloptional

Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for dns and dns_resolver rules.

IPIndicatorFeeds booloptional

Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for dns and dns_resolver rules.

L4override RuleSettingL4overrideoptional

Send matching traffic to the supplied destination IP address and port. Settable only for l4 rules with the action set to l4_override.

IP stringoptional

Defines the IPv4 or IPv6 address.

Port int64optional

Defines a port number to use for TCP/UDP overrides.

NotificationSettings RuleSettingNotificationSettingsoptional

Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to block.

Enabled booloptional

Enable notification.

IncludeContext booloptional

Indicates whether to pass the context information as query parameters.

Msg stringoptional

Customize the message shown in the notification.

SupportURL stringoptional

Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.

OverrideHost stringoptional

Defines a hostname to override matching DNS queries with. Settable only for dns rules with the action set to override.

OverrideIPs []stringoptional

Defines an IP or set of IPs for overriding matched DNS queries. Settable only for dns rules with the action set to override.

PayloadLog RuleSettingPayloadLogoptional

Configure DLP payload logging. Settable only for http rules.

Enabled booloptional

Enable DLP payload logging for this rule.

Quarantine RuleSettingQuarantineoptional

Configure settings that apply to quarantine rules. Settable only for http rules.

FileTypes []RuleSettingQuarantineFileTypeoptional

Specify the types of files to sandbox.

One of the following:
const RuleSettingQuarantineFileTypeExe RuleSettingQuarantineFileType = "exe"
const RuleSettingQuarantineFileTypePDF RuleSettingQuarantineFileType = "pdf"
const RuleSettingQuarantineFileTypeDoc RuleSettingQuarantineFileType = "doc"
const RuleSettingQuarantineFileTypeDocm RuleSettingQuarantineFileType = "docm"
const RuleSettingQuarantineFileTypeDocx RuleSettingQuarantineFileType = "docx"
const RuleSettingQuarantineFileTypeRtf RuleSettingQuarantineFileType = "rtf"
const RuleSettingQuarantineFileTypePpt RuleSettingQuarantineFileType = "ppt"
const RuleSettingQuarantineFileTypePptx RuleSettingQuarantineFileType = "pptx"
const RuleSettingQuarantineFileTypeXls RuleSettingQuarantineFileType = "xls"
const RuleSettingQuarantineFileTypeXlsm RuleSettingQuarantineFileType = "xlsm"
const RuleSettingQuarantineFileTypeXlsx RuleSettingQuarantineFileType = "xlsx"
const RuleSettingQuarantineFileTypeZip RuleSettingQuarantineFileType = "zip"
const RuleSettingQuarantineFileTypeRar RuleSettingQuarantineFileType = "rar"
Redirect RuleSettingRedirectoptional

Apply settings to redirect rules. Settable only for http rules with the action set to redirect.

TargetURI string

Specify the URI to which the user is redirected.

formaturi
IncludeContext booloptional

Specify whether to pass the context information as query parameters.

PreservePathAndQuery booloptional

Specify whether to append the path and query parameters from the original request to target_uri.

ResolveDNSInternally RuleSettingResolveDNSInternallyoptional

Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for dns_resolver rules.

Fallback RuleSettingResolveDNSInternallyFallbackoptional

Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.

One of the following:
const RuleSettingResolveDNSInternallyFallbackNone RuleSettingResolveDNSInternallyFallback = "none"
const RuleSettingResolveDNSInternallyFallbackPublicDNS RuleSettingResolveDNSInternallyFallback = "public_dns"
ViewID stringoptional

Specify the internal DNS view identifier to pass to the internal DNS service.

ResolveDNSThroughCloudflare booloptional

Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for dns_resolver rules.

UntrustedCERT RuleSettingUntrustedCERToptional

Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for http rules with the action set to allow.

Action RuleSettingUntrustedCERTActionoptional

Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.

One of the following:
const RuleSettingUntrustedCERTActionPassThrough RuleSettingUntrustedCERTAction = "pass_through"
const RuleSettingUntrustedCERTActionBlock RuleSettingUntrustedCERTAction = "block"
const RuleSettingUntrustedCERTActionError RuleSettingUntrustedCERTAction = "error"
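The RuleSetting constraints above can be checked before a rule is submitted. The following is an added example, not code from the SDK or its authors: `Resolver`, `Settings` and `Lint` are hypothetical local stand-ins for a few documented fields, and the sample values are constructed.

```go
package main

import "fmt"

// Resolver and Settings are local stand-ins (assumptions) for a few of the
// RuleSetting fields documented above; they are not the SDK's own types.
type Resolver struct {
	IP                         string
	VnetID                     string
	RouteThroughPrivateNetwork *bool // nil means the field was left unset
}

type Settings struct {
	DNSResolvers                    []Resolver
	ResolveDNSThroughCloudflare     bool
	ResolveDNSInternallyViewID      string // stands in for ResolveDNSInternally.ViewID
	InsecureDisableDNSSECValidation bool
	UntrustedCertAction             string // "", "pass_through", "block" or "error"
}

// Lint returns one finding per documented constraint that the settings break
// and one per setting that weakens DNSSEC or certificate validation.
func Lint(ruleType, action string, s Settings) []string {
	var out []string
	modes := 0
	for _, used := range []bool{len(s.DNSResolvers) > 0, s.ResolveDNSThroughCloudflare, s.ResolveDNSInternallyViewID != ""} {
		if used {
			modes++
		}
	}
	if modes > 1 {
		out = append(out, "dns_resolvers, resolve_dns_through_cloudflare and resolve_dns_internally are mutually exclusive")
	}
	if modes > 0 && (ruleType != "dns_resolver" || action != "resolve") {
		out = append(out, "resolver settings require a dns_resolver rule with action resolve")
	}
	for _, r := range s.DNSResolvers {
		if r.VnetID != "" && r.RouteThroughPrivateNetwork == nil {
			out = append(out, "resolver "+r.IP+": vnet_id is set but route_through_private_network is not")
		}
	}
	if s.InsecureDisableDNSSECValidation {
		out = append(out, "insecure: DNSSEC validation is disabled")
	}
	if s.UntrustedCertAction != "" && (ruleType != "http" || action != "allow") {
		out = append(out, "untrusted_cert requires an http rule with action allow")
	}
	if s.UntrustedCertAction == "pass_through" {
		out = append(out, "insecure: untrusted upstream certificates pass through")
	}
	return out
}

func main() {
	// Constructed sample settings, not taken from a real account.
	s := Settings{ResolveDNSThroughCloudflare: true, ResolveDNSInternallyViewID: "view-placeholder"}
	fmt.Println(Lint("dns_resolver", "resolve", s))
}
```

Running a check like this in CI over planned rule changes surfaces the two validation-weakening settings for review before they reach the account.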
type Schedule struct{…}

Defines the schedule for activating DNS policies. Settable only for dns and dns_resolver rules.

Fri stringoptional

Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

Mon stringoptional

Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

Sat stringoptional

Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

Sun stringoptional

Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

Thu stringoptional

Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

TimeZone stringoptional

Specify the time zone for rule evaluation. When a valid time zone city name is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.

Tue stringoptional

Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

Wed stringoptional

Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

GatewayCertificates

List Zero Trust certificates
client.ZeroTrust.Gateway.Certificates.List(ctx, query) (*SinglePage[GatewayCertificateListResponse], error)
GET/accounts/{account_id}/gateway/certificates
Get Zero Trust certificate details
client.ZeroTrust.Gateway.Certificates.Get(ctx, certificateID, query) (*GatewayCertificateGetResponse, error)
GET/accounts/{account_id}/gateway/certificates/{certificate_id}
Create Zero Trust certificate
client.ZeroTrust.Gateway.Certificates.New(ctx, params) (*GatewayCertificateNewResponse, error)
POST/accounts/{account_id}/gateway/certificates
Delete Zero Trust certificate
client.ZeroTrust.Gateway.Certificates.Delete(ctx, certificateID, body) (*GatewayCertificateDeleteResponse, error)
DELETE/accounts/{account_id}/gateway/certificates/{certificate_id}
Activate a Zero Trust certificate
client.ZeroTrust.Gateway.Certificates.Activate(ctx, certificateID, params) (*GatewayCertificateActivateResponse, error)
POST/accounts/{account_id}/gateway/certificates/{certificate_id}/activate
Deactivate a Zero Trust certificate
client.ZeroTrust.Gateway.Certificates.Deactivate(ctx, certificateID, params) (*GatewayCertificateDeactivateResponse, error)
POST/accounts/{account_id}/gateway/certificates/{certificate_id}/deactivate

GatewayPacfiles

List PAC files
client.ZeroTrust.Gateway.Pacfiles.List(ctx, query) (*SinglePage[GatewayPacfileListResponse], error)
GET/accounts/{account_id}/gateway/pacfiles
Get a PAC file
client.ZeroTrust.Gateway.Pacfiles.Get(ctx, pacfileID, query) (*GatewayPacfileGetResponse, error)
GET/accounts/{account_id}/gateway/pacfiles/{pacfile_id}
Create a PAC file
client.ZeroTrust.Gateway.Pacfiles.New(ctx, params) (*GatewayPacfileNewResponse, error)
POST/accounts/{account_id}/gateway/pacfiles
Update a Zero Trust Gateway PAC file
client.ZeroTrust.Gateway.Pacfiles.Update(ctx, pacfileID, params) (*GatewayPacfileUpdateResponse, error)
PUT/accounts/{account_id}/gateway/pacfiles/{pacfile_id}
Delete a PAC file
client.ZeroTrust.Gateway.Pacfiles.Delete(ctx, pacfileID, body) (*GatewayPacfileDeleteResponse, error)
DELETE/accounts/{account_id}/gateway/pacfiles/{pacfile_id}