# Gateway

## Get Zero Trust account information

`client.ZeroTrust.Gateway.List(ctx, query) (*GatewayListResponse, error)`

**get** `/accounts/{account_id}/gateway`

Retrieve information about the current Zero Trust account.

### Parameters

- `query GatewayListParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayListResponse struct{…}`
  - `ID string` Specify the Cloudflare account ID.
  - `GatewayTag string` Specify the gateway internal ID.
  - `ProviderName string` Specify the provider name (usually Cloudflare).

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  gateways, err := client.ZeroTrust.Gateway.List(context.TODO(), zero_trust.GatewayListParams{
    AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", gateways.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "699d98642c564d2e855e9661899b7252",
    "gateway_tag": "f174e90afafe4643bbbc4a0ed4fc8415",
    "provider_name": "Cloudflare"
  }
}
```

## Create Zero Trust account

`client.ZeroTrust.Gateway.New(ctx, body) (*GatewayNewResponse, error)`

**post** `/accounts/{account_id}/gateway`

Create a Zero Trust account for an existing Cloudflare account.

### Parameters

- `body GatewayNewParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayNewResponse struct{…}`
  - `ID string` Specify the Cloudflare account ID.
  - `GatewayTag string` Specify the gateway internal ID.
  - `ProviderName string` Specify the provider name (usually Cloudflare).

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  gateway, err := client.ZeroTrust.Gateway.New(context.TODO(), zero_trust.GatewayNewParams{
    AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", gateway.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "699d98642c564d2e855e9661899b7252",
    "gateway_tag": "f174e90afafe4643bbbc4a0ed4fc8415",
    "provider_name": "Cloudflare"
  }
}
```

# Audit SSH Settings

## Get Zero Trust SSH settings

`client.ZeroTrust.Gateway.AuditSSHSettings.Get(ctx, query) (*GatewaySettings, error)`

**get** `/accounts/{account_id}/gateway/audit_ssh_settings`

Retrieve all Zero Trust Audit SSH and SSH with Access for Infrastructure settings for an account.

### Parameters

- `query GatewayAuditSSHSettingGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewaySettings struct{…}`
  - `CreatedAt Time`
  - `PublicKey string` Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.
  - `SeedID string` Identify the seed ID.
  - `UpdatedAt Time`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  gatewaySettings, err := client.ZeroTrust.Gateway.AuditSSHSettings.Get(context.TODO(), zero_trust.GatewayAuditSSHSettingGetParams{
    AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", gatewaySettings.SeedID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "public_key": "1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA=",
    "seed_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update Zero Trust SSH settings

`client.ZeroTrust.Gateway.AuditSSHSettings.Update(ctx, params) (*GatewaySettings, error)`

**put** `/accounts/{account_id}/gateway/audit_ssh_settings`

Update Zero Trust Audit SSH and SSH with Access for Infrastructure settings for an account.

### Parameters

- `params GatewayAuditSSHSettingUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `PublicKey param.Field[string]` Body param: Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.

### Returns

- `type GatewaySettings struct{…}`
  - `CreatedAt Time`
  - `PublicKey string` Provide the Base64-encoded HPKE public key that encrypts SSH session logs.
    See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.
  - `SeedID string` Identify the seed ID.
  - `UpdatedAt Time`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  gatewaySettings, err := client.ZeroTrust.Gateway.AuditSSHSettings.Update(context.TODO(), zero_trust.GatewayAuditSSHSettingUpdateParams{
    AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
    PublicKey: cloudflare.F("1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA="),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", gatewaySettings.SeedID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "public_key": "1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA=",
    "seed_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Rotate Zero Trust SSH account seed

`client.ZeroTrust.Gateway.AuditSSHSettings.RotateSeed(ctx, body) (*GatewaySettings, error)`

**post** `/accounts/{account_id}/gateway/audit_ssh_settings/rotate_seed`

Rotate the SSH account seed that generates the host key identity when connecting through the Cloudflare SSH Proxy.

### Parameters

- `body GatewayAuditSSHSettingRotateSeedParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewaySettings struct{…}`
  - `CreatedAt Time`
  - `PublicKey string` Provide the Base64-encoded HPKE public key that encrypts SSH session logs.
    See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.
  - `SeedID string` Identify the seed ID.
  - `UpdatedAt Time`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  gatewaySettings, err := client.ZeroTrust.Gateway.AuditSSHSettings.RotateSeed(context.TODO(), zero_trust.GatewayAuditSSHSettingRotateSeedParams{
    AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", gatewaySettings.SeedID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "public_key": "1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA=",
    "seed_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### Gateway Settings

- `type GatewaySettings struct{…}`
  - `CreatedAt Time`
  - `PublicKey string` Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.
  - `SeedID string` Identify the seed ID.
  - `UpdatedAt Time`

# Categories

## List categories

`client.ZeroTrust.Gateway.Categories.List(ctx, query) (*SinglePage[Category], error)`

**get** `/accounts/{account_id}/gateway/categories`

List all categories.

### Parameters

- `query GatewayCategoryListParams`
  - `AccountID param.Field[string]` Provide the identifier string.

### Returns

- `type Category struct{…}`
  - `ID int64` Identify this category. Only one category per ID.
  - `Beta bool` Indicate whether the category is in beta and subject to change.
  - `Class CategoryClass` Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. `removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking.
    - `const CategoryClassFree CategoryClass = "free"`
    - `const CategoryClassPremium CategoryClass = "premium"`
    - `const CategoryClassBlocked CategoryClass = "blocked"`
    - `const CategoryClassRemovalPending CategoryClass = "removalPending"`
    - `const CategoryClassNoBlock CategoryClass = "noBlock"`
  - `Description string` Provide a short summary of domains in the category.
  - `Name string` Specify the category name.
  - `Subcategories []CategorySubcategory` Provide all subcategories for this category.
    - `ID int64` Identify this category. Only one category per ID.
    - `Beta bool` Indicate whether the category is in beta and subject to change.
    - `Class CategorySubcategoriesClass` Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. `removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking.
      - `const CategorySubcategoriesClassFree CategorySubcategoriesClass = "free"`
      - `const CategorySubcategoriesClassPremium CategorySubcategoriesClass = "premium"`
      - `const CategorySubcategoriesClassBlocked CategorySubcategoriesClass = "blocked"`
      - `const CategorySubcategoriesClassRemovalPending CategorySubcategoriesClass = "removalPending"`
      - `const CategorySubcategoriesClassNoBlock CategorySubcategoriesClass = "noBlock"`
    - `Description string` Provide a short summary of domains in the category.
    - `Name string` Specify the category name.
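
The `class` values above decide whether a category can be placed in a block policy at all. The following is an added example, not part of the SDK reference or the cloudflare-go code base: it decodes a category list in the response layout and vets a proposed list of category IDs before a policy is written. `CheckBlockList`, `Verdict`, `premiumAccount` and the sample data are hypothetical, and reading `premium` as "needs a premium account type" is this example's assumption; it uses `encoding/json` instead of the SDK so it runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Category holds the fields of a List categories entry that matter for policy checks.
type Category struct {
	ID            int64      `json:"id"`
	Name          string     `json:"name"`
	Class         string     `json:"class"`
	Beta          bool       `json:"beta"`
	Subcategories []Category `json:"subcategories"`
}

// Verdict records whether one requested category ID may go into a block policy.
type Verdict struct {
	ID      int64
	Name    string
	Allowed bool
	Reason  string
}

// sampleResponse is constructed for this example (IDs and names are made up);
// only the field layout follows the response documented on this page.
const sampleResponse = `{"success": true, "result": [
  {"id": 10, "beta": false, "class": "free", "name": "Example Threats", "subcategories": [
    {"id": 11, "beta": true, "class": "free", "name": "Example New Domains"},
    {"id": 12, "beta": false, "class": "premium", "name": "Example Tunneling"}]},
  {"id": 20, "beta": false, "class": "noBlock", "name": "Example Infrastructure"},
  {"id": 30, "beta": false, "class": "removalPending", "name": "Example Retired"},
  {"id": 40, "beta": false, "class": "blocked", "name": "Example Always Blocked"}
]}`

// indexCategories decodes the response and flattens categories and their
// subcategories into one map by ID (assumption: both share one ID space).
func indexCategories(raw []byte) (map[int64]Category, error) {
	var resp struct {
		Result []Category `json:"result"`
	}
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("decode category list: %w", err)
	}
	byID := make(map[int64]Category)
	for _, c := range resp.Result {
		for _, e := range append([]Category{c}, c.Subcategories...) {
			if _, seen := byID[e.ID]; !seen {
				byID[e.ID] = e
			}
		}
	}
	return byID, nil
}

// CheckBlockList evaluates each requested ID against the documented class
// values. premiumAccount is a hypothetical flag supplied by the caller.
func CheckBlockList(raw []byte, wanted []int64, premiumAccount bool) ([]Verdict, error) {
	byID, err := indexCategories(raw)
	if err != nil {
		return nil, err
	}
	out := make([]Verdict, 0, len(wanted))
	for _, id := range wanted {
		c, ok := byID[id]
		v := Verdict{ID: id, Name: c.Name}
		switch {
		case !ok:
			v.Reason = "unknown category ID"
		case c.Class == "noBlock":
			v.Reason = "class noBlock: blocking is prevented"
		case c.Class == "removalPending":
			v.Reason = "class removalPending: cannot be added to policies"
		case c.Class == "blocked":
			v.Reason = "class blocked: already blocked for all accounts"
		case c.Class == "premium" && !premiumAccount:
			v.Reason = "class premium: account type cannot create this policy"
		default:
			v.Allowed = true
			if c.Beta {
				v.Reason = "beta: category is subject to change"
			}
		}
		out = append(out, v)
	}
	return out, nil
}

func main() {
	verdicts, err := CheckBlockList([]byte(sampleResponse), []int64{10, 11, 12, 20, 30, 40, 99}, false)
	if err != nil {
		panic(err)
	}
	for _, v := range verdicts {
		fmt.Printf("%d %q allowed=%t %s\n", v.ID, v.Name, v.Allowed, v.Reason)
	}
}
```

Running the check before a policy update surfaces IDs that would be rejected or silently ineffective, and flags beta categories whose membership may change.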

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  page, err := client.ZeroTrust.Gateway.Categories.List(context.TODO(), zero_trust.GatewayCategoryListParams{
    AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": 0,
      "beta": false,
      "class": "premium",
      "description": "Sites related to educational content that are not included in other categories such as Science, Technology or Educational institutions.",
      "name": "Education",
      "subcategories": [
        {
          "id": 0,
          "beta": false,
          "class": "premium",
          "description": "Sites related to educational content that are not included in other categories such as Science, Technology or Educational institutions.",
          "name": "Education"
        }
      ]
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Domain Types

### Category

- `type Category struct{…}`
  - `ID int64` Identify this category. Only one category per ID.
  - `Beta bool` Indicate whether the category is in beta and subject to change.
  - `Class CategoryClass` Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. `removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking.
    - `const CategoryClassFree CategoryClass = "free"`
    - `const CategoryClassPremium CategoryClass = "premium"`
    - `const CategoryClassBlocked CategoryClass = "blocked"`
    - `const CategoryClassRemovalPending CategoryClass = "removalPending"`
    - `const CategoryClassNoBlock CategoryClass = "noBlock"`
  - `Description string` Provide a short summary of domains in the category.
  - `Name string` Specify the category name.
  - `Subcategories []CategorySubcategory` Provide all subcategories for this category.
    - `ID int64` Identify this category. Only one category per ID.
    - `Beta bool` Indicate whether the category is in beta and subject to change.
    - `Class CategorySubcategoriesClass` Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. `removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking.
      - `const CategorySubcategoriesClassFree CategorySubcategoriesClass = "free"`
      - `const CategorySubcategoriesClassPremium CategorySubcategoriesClass = "premium"`
      - `const CategorySubcategoriesClassBlocked CategorySubcategoriesClass = "blocked"`
      - `const CategorySubcategoriesClassRemovalPending CategorySubcategoriesClass = "removalPending"`
      - `const CategorySubcategoriesClassNoBlock CategorySubcategoriesClass = "noBlock"`
    - `Description string` Provide a short summary of domains in the category.
    - `Name string` Specify the category name.

# App Types

## List application and application type mappings

`client.ZeroTrust.Gateway.AppTypes.List(ctx, query) (*SinglePage[AppType], error)`

**get** `/accounts/{account_id}/gateway/app_types`

List all application and application type mappings.

### Parameters

- `query GatewayAppTypeListParams`
  - `AccountID param.Field[string]` Provide the identifier string.

### Returns

- `type AppType interface{…}`
  - `type AppTypeZeroTrustGatewayApplication struct{…}`
    - `ID int64` Identify this application. Only one application per ID.
    - `ApplicationTypeID int64` Identify the type of this application. Multiple applications can share the same type. Refers to the `id` of a returned application type.
    - `CreatedAt Time`
    - `Name string` Specify the name of the application or application type.
  - `type AppTypeZeroTrustGatewayApplicationType struct{…}`
    - `ID int64` Identify the type of this application. Multiple applications can share the same type. Refers to the `id` of a returned application type.
    - `CreatedAt Time`
    - `Description string` Provide a short summary of applications with this type.
    - `Name string` Specify the name of the application or application type.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  page, err := client.ZeroTrust.Gateway.AppTypes.List(context.TODO(), zero_trust.GatewayAppTypeListParams{
    AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": 0,
      "application_type_id": 0,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "name": "Facebook"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Domain Types

### App Type

- `type AppType interface{…}`
  - `type AppTypeZeroTrustGatewayApplication struct{…}`
    - `ID int64` Identify this application. Only one application per ID.
    - `ApplicationTypeID int64` Identify the type of this application. Multiple applications can share the same type.
      Refers to the `id` of a returned application type.
    - `CreatedAt Time`
    - `Name string` Specify the name of the application or application type.
  - `type AppTypeZeroTrustGatewayApplicationType struct{…}`
    - `ID int64` Identify the type of this application. Multiple applications can share the same type. Refers to the `id` of a returned application type.
    - `CreatedAt Time`
    - `Description string` Provide a short summary of applications with this type.
    - `Name string` Specify the name of the application or application type.

# Configurations

## Get Zero Trust account configuration

`client.ZeroTrust.Gateway.Configurations.Get(ctx, query) (*GatewayConfigurationGetResponse, error)`

**get** `/accounts/{account_id}/gateway/configuration`

Retrieve the current Zero Trust account configuration.

### Parameters

- `query GatewayConfigurationGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayConfigurationGetResponse struct{…}` Specify account settings.
  - `CreatedAt Time`
  - `Settings GatewayConfigurationSettings` Specify account settings.
    - `ActivityLog ActivityLogSettings` Specify activity log settings.
      - `Enabled bool` Specify whether to log activity.
    - `Antivirus AntiVirusSettings` Specify anti-virus settings.
      - `EnabledDownloadPhase bool` Specify whether to enable anti-virus scanning on downloads.
      - `EnabledUploadPhase bool` Specify whether to enable anti-virus scanning on uploads.
      - `FailClosed bool` Specify whether to block requests for unscannable files.
      - `NotificationSettings NotificationSettings` Configure the message the user's device shows during an antivirus scan.
        - `Enabled bool` Specify whether to enable notifications.
        - `IncludeContext bool` Specify whether to include context information as query parameters.
        - `Msg string` Specify the message to show in the notification.
        - `SupportURL string` Specify a URL that directs users to more information. If unset, the notification opens a block page.
    - `BlockPage BlockPageSettings` Specify block page layout settings.
      - `BackgroundColor string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
      - `Enabled bool` Specify whether to enable the custom block page.
      - `FooterText string` Specify the block page footer text when the mode is customized_block_page.
      - `HeaderText string` Specify the block page header text when the mode is customized_block_page.
      - `IncludeContext bool` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
      - `LogoPath string` Specify the full URL to the logo file when the mode is customized_block_page.
      - `MailtoAddress string` Specify the admin email for users to contact when the mode is customized_block_page.
      - `MailtoSubject string` Specify the subject line for emails created from the block page when the mode is customized_block_page.
      - `Mode BlockPageSettingsMode` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
        - `const BlockPageSettingsModeEmpty BlockPageSettingsMode = ""`
        - `const BlockPageSettingsModeCustomizedBlockPage BlockPageSettingsMode = "customized_block_page"`
        - `const BlockPageSettingsModeRedirectURI BlockPageSettingsMode = "redirect_uri"`
      - `Name string` Specify the block page title when the mode is customized_block_page.
      - `ReadOnly bool` Indicate that this setting was shared via the Orgs API and read only for the current account.
      - `SourceAccount string` Indicate the account tag of the account that shared this setting.
      - `SuppressFooter bool` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
      - `TargetURI string` Specify the URI to redirect users to when the mode is redirect_uri.
      - `Version int64` Indicate the version number of the setting.
    - `BodyScanning BodyScanningSettings` Specify the DLP inspection mode.
      - `InspectionMode BodyScanningSettingsInspectionMode` Specify the inspection mode as either `deep` or `shallow`.
        - `const BodyScanningSettingsInspectionModeDeep BodyScanningSettingsInspectionMode = "deep"`
        - `const BodyScanningSettingsInspectionModeShallow BodyScanningSettingsInspectionMode = "shallow"`
    - `BrowserIsolation BrowserIsolationSettings` Specify Clientless Browser Isolation settings.
      - `NonIdentityEnabled bool` Specify whether to enable non-identity onramp support for Browser Isolation.
      - `URLBrowserIsolationEnabled bool` Specify whether to enable Clientless Browser Isolation.
    - `Certificate GatewayConfigurationSettingsCertificate` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
      - `ID string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
    - `CustomCertificate CustomCertificateSettings` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
      - `Enabled bool` Specify whether to enable a custom certificate authority for signing Gateway traffic.
      - `ID string` Specify the UUID of the certificate (ID from MTLS certificate store).
      - `BindingStatus string` Indicate the internal certificate status.
      - `UpdatedAt Time`
    - `ExtendedEmailMatching ExtendedEmailMatching` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
      - `Enabled bool` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
      - `ReadOnly bool` Indicate that this setting was shared via the Orgs API and read only for the current account.
      - `SourceAccount string` Indicate the account tag of the account that shared this setting.
      - `Version int64` Indicate the version number of the setting.
    - `Fips FipsSettings` Specify FIPS settings.
      - `TLS bool` Enforce cipher suites and TLS versions compliant with FIPS 140-2.
    - `HostSelector GatewayConfigurationSettingsHostSelector` Enable host selection in egress policies.
      - `Enabled bool` Specify whether to enable filtering via hosts for egress policies.
    - `Inspection GatewayConfigurationSettingsInspection` Define the proxy inspection mode.
      - `Mode GatewayConfigurationSettingsInspectionMode` Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
        - `const GatewayConfigurationSettingsInspectionModeStatic GatewayConfigurationSettingsInspectionMode = "static"`
        - `const GatewayConfigurationSettingsInspectionModeDynamic GatewayConfigurationSettingsInspectionMode = "dynamic"`
    - `ProtocolDetection ProtocolDetection` Specify whether to detect protocols from the initial bytes of client traffic.
      - `Enabled bool` Specify whether to detect protocols from the initial bytes of client traffic.
    - `Sandbox GatewayConfigurationSettingsSandbox` Specify whether to enable the sandbox.
      - `Enabled bool` Specify whether to enable the sandbox.
      - `FallbackAction GatewayConfigurationSettingsSandboxFallbackAction` Specify the action to take when the system cannot scan the file.
        - `const GatewayConfigurationSettingsSandboxFallbackActionAllow GatewayConfigurationSettingsSandboxFallbackAction = "allow"`
        - `const GatewayConfigurationSettingsSandboxFallbackActionBlock GatewayConfigurationSettingsSandboxFallbackAction = "block"`
    - `TLSDecrypt TLSSettings` Specify whether to inspect encrypted HTTP traffic.
      - `Enabled bool` Specify whether to inspect encrypted HTTP traffic.
  - `UpdatedAt Time`

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  configuration, err := client.ZeroTrust.Gateway.Configurations.Get(context.TODO(), zero_trust.GatewayConfigurationGetParams{
    AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", configuration.CreatedAt)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "settings": {
      "activity_log": {
        "enabled": true
      },
      "antivirus": {
        "enabled_download_phase": false,
        "enabled_upload_phase": false,
        "fail_closed": false,
        "notification_settings": {
          "enabled": true,
          "include_context": true,
          "msg": "msg",
          "support_url": "support_url"
        }
      },
      "block_page": {
        "background_color": "background_color",
        "enabled": true,
        "footer_text": "--footer--",
        "header_text": "--header--",
        "include_context": true,
        "logo_path": "https://logos.com/a.png",
        "mailto_address": "admin@example.com",
        "mailto_subject": "Blocked User Inquiry",
        "mode": "",
        "name": "Cloudflare",
        "read_only": true,
        "source_account": "source_account",
        "suppress_footer": false,
        "target_uri": "https://example.com",
        "version": 1
      },
      "body_scanning": {
        "inspection_mode": "deep"
      },
      "browser_isolation": {
        "non_identity_enabled": true,
        "url_browser_isolation_enabled": true
      },
      "certificate": {
        "id": "d1b364c5-1311-466e-a194-f0e943e0799f"
      },
      "custom_certificate": {
        "enabled": true,
        "id": "d1b364c5-1311-466e-a194-f0e943e0799f",
        "binding_status": "pending_deployment",
        "updated_at": "2019-12-27T18:11:19.117Z"
      },
      "extended_email_matching": {
        "enabled": true,
        "read_only": true,
        "source_account": "source_account",
        "version": 1
      },
      "fips": {
        "tls": true
      },
      "host_selector": {
        "enabled": false
      },
      "inspection": {
        "mode": "static"
      },
      "protocol_detection": {
        "enabled": true
      },
      "sandbox": {
        "enabled": true,
        "fallback_action": "allow"
      },
      "tls_decrypt": {
        "enabled": true
      }
    },
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update Zero Trust account configuration

`client.ZeroTrust.Gateway.Configurations.Update(ctx, params) (*GatewayConfigurationUpdateResponse, error)`

**put** `/accounts/{account_id}/gateway/configuration`

Update the current Zero Trust account configuration.

### Parameters

- `params GatewayConfigurationUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `Settings param.Field[GatewayConfigurationSettings]` Body param: Specify account settings.

### Returns

- `type GatewayConfigurationUpdateResponse struct{…}` Specify account settings.
  - `CreatedAt Time`
  - `Settings GatewayConfigurationSettings` Specify account settings.
    - `ActivityLog ActivityLogSettings` Specify activity log settings.
      - `Enabled bool` Specify whether to log activity.
    - `Antivirus AntiVirusSettings` Specify anti-virus settings.
      - `EnabledDownloadPhase bool` Specify whether to enable anti-virus scanning on downloads.
      - `EnabledUploadPhase bool` Specify whether to enable anti-virus scanning on uploads.
      - `FailClosed bool` Specify whether to block requests for unscannable files.
      - `NotificationSettings NotificationSettings` Configure the message the user's device shows during an antivirus scan.
        - `Enabled bool` Specify whether to enable notifications.
        - `IncludeContext bool` Specify whether to include context information as query parameters.
        - `Msg string` Specify the message to show in the notification.
        - `SupportURL string` Specify a URL that directs users to more information. If unset, the notification opens a block page.
    - `BlockPage BlockPageSettings` Specify block page layout settings.
      - `BackgroundColor string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
      - `Enabled bool` Specify whether to enable the custom block page.
      - `FooterText string` Specify the block page footer text when the mode is customized_block_page.
      - `HeaderText string` Specify the block page header text when the mode is customized_block_page.
      - `IncludeContext bool` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
      - `LogoPath string` Specify the full URL to the logo file when the mode is customized_block_page.
      - `MailtoAddress string` Specify the admin email for users to contact when the mode is customized_block_page.
      - `MailtoSubject string` Specify the subject line for emails created from the block page when the mode is customized_block_page.
      - `Mode BlockPageSettingsMode` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
        - `const BlockPageSettingsModeEmpty BlockPageSettingsMode = ""`
        - `const BlockPageSettingsModeCustomizedBlockPage BlockPageSettingsMode = "customized_block_page"`
        - `const BlockPageSettingsModeRedirectURI BlockPageSettingsMode = "redirect_uri"`
      - `Name string` Specify the block page title when the mode is customized_block_page.
      - `ReadOnly bool` Indicate that this setting was shared via the Orgs API and read only for the current account.
      - `SourceAccount string` Indicate the account tag of the account that shared this setting.
      - `SuppressFooter bool` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
      - `TargetURI string` Specify the URI to redirect users to when the mode is redirect_uri.
      - `Version int64` Indicate the version number of the setting.
    - `BodyScanning BodyScanningSettings` Specify the DLP inspection mode.
      - `InspectionMode BodyScanningSettingsInspectionMode` Specify the inspection mode as either `deep` or `shallow`.
        - `const BodyScanningSettingsInspectionModeDeep BodyScanningSettingsInspectionMode = "deep"`
        - `const BodyScanningSettingsInspectionModeShallow BodyScanningSettingsInspectionMode = "shallow"`
    - `BrowserIsolation BrowserIsolationSettings` Specify Clientless Browser Isolation settings.
      - `NonIdentityEnabled bool` Specify whether to enable non-identity onramp support for Browser Isolation.
      - `URLBrowserIsolationEnabled bool` Specify whether to enable Clientless Browser Isolation.
    - `Certificate GatewayConfigurationSettingsCertificate` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
      - `ID string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
    - `CustomCertificate CustomCertificateSettings` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
      - `Enabled bool` Specify whether to enable a custom certificate authority for signing Gateway traffic.
      - `ID string` Specify the UUID of the certificate (ID from MTLS certificate store).
      - `BindingStatus string` Indicate the internal certificate status.
      - `UpdatedAt Time`
    - `ExtendedEmailMatching ExtendedEmailMatching` Configures user email settings for firewall policies.
When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers. - `Enabled bool` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies. - `ReadOnly bool` Indicate that this setting was shared via the Orgs API and read only for the current account. - `SourceAccount string` Indicate the account tag of the account that shared this setting. - `Version int64` Indicate the version number of the setting. - `Fips FipsSettings` Specify FIPS settings. - `TLS bool` Enforce cipher suites and TLS versions compliant with FIPS 140-2. - `HostSelector GatewayConfigurationSettingsHostSelector` Enable host selection in egress policies. - `Enabled bool` Specify whether to enable filtering via hosts for egress policies. - `Inspection GatewayConfigurationSettingsInspection` Define the proxy inspection mode. - `Mode GatewayConfigurationSettingsInspectionMode` Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic. - `const GatewayConfigurationSettingsInspectionModeStatic GatewayConfigurationSettingsInspectionMode = "static"` - `const GatewayConfigurationSettingsInspectionModeDynamic GatewayConfigurationSettingsInspectionMode = "dynamic"` - `ProtocolDetection ProtocolDetection` Specify whether to detect protocols from the initial bytes of client traffic. - `Enabled bool` Specify whether to detect protocols from the initial bytes of client traffic. 
    - `Sandbox GatewayConfigurationSettingsSandbox` Specify whether to enable the sandbox.
      - `Enabled bool` Specify whether to enable the sandbox.
      - `FallbackAction GatewayConfigurationSettingsSandboxFallbackAction` Specify the action to take when the system cannot scan the file.
        - `const GatewayConfigurationSettingsSandboxFallbackActionAllow GatewayConfigurationSettingsSandboxFallbackAction = "allow"`
        - `const GatewayConfigurationSettingsSandboxFallbackActionBlock GatewayConfigurationSettingsSandboxFallbackAction = "block"`
    - `TLSDecrypt TLSSettings` Specify whether to inspect encrypted HTTP traffic.
      - `Enabled bool` Specify whether to inspect encrypted HTTP traffic.
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	configuration, err := client.ZeroTrust.Gateway.Configurations.Update(context.TODO(), zero_trust.GatewayConfigurationUpdateParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", configuration.CreatedAt)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "settings": {
      "activity_log": { "enabled": true },
      "antivirus": {
        "enabled_download_phase": false,
        "enabled_upload_phase": false,
        "fail_closed": false,
        "notification_settings": {
          "enabled": true,
          "include_context": true,
          "msg": "msg",
          "support_url": "support_url"
        }
      },
      "block_page": {
        "background_color": "background_color",
        "enabled": true,
        "footer_text": "--footer--",
        "header_text": "--header--",
        "include_context": true,
        "logo_path": "https://logos.com/a.png",
        "mailto_address": "admin@example.com",
        "mailto_subject": "Blocked User Inquiry",
        "mode": "",
        "name": "Cloudflare",
        "read_only": true,
        "source_account": "source_account",
        "suppress_footer": false,
        "target_uri": "https://example.com",
        "version": 1
      },
      "body_scanning": { "inspection_mode": "deep" },
      "browser_isolation": {
        "non_identity_enabled": true,
        "url_browser_isolation_enabled": true
      },
      "certificate": { "id": "d1b364c5-1311-466e-a194-f0e943e0799f" },
      "custom_certificate": {
        "enabled": true,
        "id": "d1b364c5-1311-466e-a194-f0e943e0799f",
        "binding_status": "pending_deployment",
        "updated_at": "2019-12-27T18:11:19.117Z"
      },
      "extended_email_matching": {
        "enabled": true,
        "read_only": true,
        "source_account": "source_account",
        "version": 1
      },
      "fips": { "tls": true },
      "host_selector": { "enabled": false },
      "inspection": { "mode": "static" },
      "protocol_detection": { "enabled": true },
      "sandbox": {
        "enabled": true,
        "fallback_action": "allow"
      },
      "tls_decrypt": { "enabled": true }
    },
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Patch Zero Trust account configuration

`client.ZeroTrust.Gateway.Configurations.Edit(ctx, params) (*GatewayConfigurationEditResponse, error)`

**patch** `/accounts/{account_id}/gateway/configuration`

Update (PATCH) a single subcollection of settings such as `antivirus`, `tls_decrypt`, `activity_log`, `block_page`, `browser_isolation`, `fips`, `body_scanning`, or `certificate` without updating the entire configuration object. This endpoint returns an error if any settings collection lacks proper configuration.

### Parameters

- `params GatewayConfigurationEditParams`
  - `AccountID param.Field[string]` Path param
  - `Settings param.Field[GatewayConfigurationSettings]` Body param: Specify account settings.

### Returns

- `type GatewayConfigurationEditResponse struct{…}` Specify account settings.
  - `CreatedAt Time`
  - `Settings GatewayConfigurationSettings` Specify account settings.
    - `ActivityLog ActivityLogSettings` Specify activity log settings.
      - `Enabled bool` Specify whether to log activity.
    - `Antivirus AntiVirusSettings` Specify anti-virus settings.
      - `EnabledDownloadPhase bool` Specify whether to enable anti-virus scanning on downloads.
      - `EnabledUploadPhase bool` Specify whether to enable anti-virus scanning on uploads.
      - `FailClosed bool` Specify whether to block requests for unscannable files.
      - `NotificationSettings NotificationSettings` Configure the message the user's device shows during an antivirus scan.
        - `Enabled bool` Specify whether to enable notifications.
        - `IncludeContext bool` Specify whether to include context information as query parameters.
        - `Msg string` Specify the message to show in the notification.
        - `SupportURL string` Specify a URL that directs users to more information. If unset, the notification opens a block page.
    - `BlockPage BlockPageSettings` Specify block page layout settings.
      - `BackgroundColor string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
      - `Enabled bool` Specify whether to enable the custom block page.
      - `FooterText string` Specify the block page footer text when the mode is customized_block_page.
      - `HeaderText string` Specify the block page header text when the mode is customized_block_page.
      - `IncludeContext bool` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
      - `LogoPath string` Specify the full URL to the logo file when the mode is customized_block_page.
      - `MailtoAddress string` Specify the admin email for users to contact when the mode is customized_block_page.
      - `MailtoSubject string` Specify the subject line for emails created from the block page when the mode is customized_block_page.
      - `Mode BlockPageSettingsMode` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
        - `const BlockPageSettingsModeEmpty BlockPageSettingsMode = ""`
        - `const BlockPageSettingsModeCustomizedBlockPage BlockPageSettingsMode = "customized_block_page"`
        - `const BlockPageSettingsModeRedirectURI BlockPageSettingsMode = "redirect_uri"`
      - `Name string` Specify the block page title when the mode is customized_block_page.
      - `ReadOnly bool` Indicate that this setting was shared via the Orgs API and read only for the current account.
      - `SourceAccount string` Indicate the account tag of the account that shared this setting.
      - `SuppressFooter bool` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
      - `TargetURI string` Specify the URI to redirect users to when the mode is redirect_uri.
      - `Version int64` Indicate the version number of the setting.
    - `BodyScanning BodyScanningSettings` Specify the DLP inspection mode.
      - `InspectionMode BodyScanningSettingsInspectionMode` Specify the inspection mode as either `deep` or `shallow`.
        - `const BodyScanningSettingsInspectionModeDeep BodyScanningSettingsInspectionMode = "deep"`
        - `const BodyScanningSettingsInspectionModeShallow BodyScanningSettingsInspectionMode = "shallow"`
    - `BrowserIsolation BrowserIsolationSettings` Specify Clientless Browser Isolation settings.
      - `NonIdentityEnabled bool` Specify whether to enable non-identity onramp support for Browser Isolation.
      - `URLBrowserIsolationEnabled bool` Specify whether to enable Clientless Browser Isolation.
    - `Certificate GatewayConfigurationSettingsCertificate` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
      - `ID string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
    - `CustomCertificate CustomCertificateSettings` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
      - `Enabled bool` Specify whether to enable a custom certificate authority for signing Gateway traffic.
      - `ID string` Specify the UUID of the certificate (ID from MTLS certificate store).
      - `BindingStatus string` Indicate the internal certificate status.
      - `UpdatedAt Time`
    - `ExtendedEmailMatching ExtendedEmailMatching` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
      - `Enabled bool` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
      - `ReadOnly bool` Indicate that this setting was shared via the Orgs API and read only for the current account.
      - `SourceAccount string` Indicate the account tag of the account that shared this setting.
      - `Version int64` Indicate the version number of the setting.
    - `Fips FipsSettings` Specify FIPS settings.
      - `TLS bool` Enforce cipher suites and TLS versions compliant with FIPS 140-2.
    - `HostSelector GatewayConfigurationSettingsHostSelector` Enable host selection in egress policies.
      - `Enabled bool` Specify whether to enable filtering via hosts for egress policies.
    - `Inspection GatewayConfigurationSettingsInspection` Define the proxy inspection mode.
      - `Mode GatewayConfigurationSettingsInspectionMode` Define the proxy inspection mode.
        1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
        2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
        - `const GatewayConfigurationSettingsInspectionModeStatic GatewayConfigurationSettingsInspectionMode = "static"`
        - `const GatewayConfigurationSettingsInspectionModeDynamic GatewayConfigurationSettingsInspectionMode = "dynamic"`
    - `ProtocolDetection ProtocolDetection` Specify whether to detect protocols from the initial bytes of client traffic.
      - `Enabled bool` Specify whether to detect protocols from the initial bytes of client traffic.
    - `Sandbox GatewayConfigurationSettingsSandbox` Specify whether to enable the sandbox.
      - `Enabled bool` Specify whether to enable the sandbox.
      - `FallbackAction GatewayConfigurationSettingsSandboxFallbackAction` Specify the action to take when the system cannot scan the file.
        - `const GatewayConfigurationSettingsSandboxFallbackActionAllow GatewayConfigurationSettingsSandboxFallbackAction = "allow"`
        - `const GatewayConfigurationSettingsSandboxFallbackActionBlock GatewayConfigurationSettingsSandboxFallbackAction = "block"`
    - `TLSDecrypt TLSSettings` Specify whether to inspect encrypted HTTP traffic.
      - `Enabled bool` Specify whether to inspect encrypted HTTP traffic.
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.ZeroTrust.Gateway.Configurations.Edit(context.TODO(), zero_trust.GatewayConfigurationEditParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", response.CreatedAt)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "settings": {
      "activity_log": { "enabled": true },
      "antivirus": {
        "enabled_download_phase": false,
        "enabled_upload_phase": false,
        "fail_closed": false,
        "notification_settings": {
          "enabled": true,
          "include_context": true,
          "msg": "msg",
          "support_url": "support_url"
        }
      },
      "block_page": {
        "background_color": "background_color",
        "enabled": true,
        "footer_text": "--footer--",
        "header_text": "--header--",
        "include_context": true,
        "logo_path": "https://logos.com/a.png",
        "mailto_address": "admin@example.com",
        "mailto_subject": "Blocked User Inquiry",
        "mode": "",
        "name": "Cloudflare",
        "read_only": true,
        "source_account": "source_account",
        "suppress_footer": false,
        "target_uri": "https://example.com",
        "version": 1
      },
      "body_scanning": { "inspection_mode": "deep" },
      "browser_isolation": {
        "non_identity_enabled": true,
        "url_browser_isolation_enabled": true
      },
      "certificate": { "id": "d1b364c5-1311-466e-a194-f0e943e0799f" },
      "custom_certificate": {
        "enabled": true,
        "id": "d1b364c5-1311-466e-a194-f0e943e0799f",
        "binding_status": "pending_deployment",
        "updated_at": "2019-12-27T18:11:19.117Z"
      },
      "extended_email_matching": {
        "enabled": true,
        "read_only": true,
        "source_account": "source_account",
        "version": 1
      },
      "fips": { "tls": true },
      "host_selector": { "enabled": false },
      "inspection": { "mode": "static" },
      "protocol_detection": { "enabled": true },
      "sandbox": {
        "enabled": true,
        "fallback_action": "allow"
      },
      "tls_decrypt": { "enabled": true }
    },
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### Activity Log Settings

- `type ActivityLogSettings struct{…}` Specify activity log settings.
  - `Enabled bool` Specify whether to log activity.

### Anti Virus Settings

- `type AntiVirusSettings struct{…}` Specify anti-virus settings.
  - `EnabledDownloadPhase bool` Specify whether to enable anti-virus scanning on downloads.
  - `EnabledUploadPhase bool` Specify whether to enable anti-virus scanning on uploads.
  - `FailClosed bool` Specify whether to block requests for unscannable files.
  - `NotificationSettings NotificationSettings` Configure the message the user's device shows during an antivirus scan.
    - `Enabled bool` Specify whether to enable notifications.
    - `IncludeContext bool` Specify whether to include context information as query parameters.
    - `Msg string` Specify the message to show in the notification.
    - `SupportURL string` Specify a URL that directs users to more information. If unset, the notification opens a block page.

### Block Page Settings

- `type BlockPageSettings struct{…}` Specify block page layout settings.
  - `BackgroundColor string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
  - `Enabled bool` Specify whether to enable the custom block page.
  - `FooterText string` Specify the block page footer text when the mode is customized_block_page.
  - `HeaderText string` Specify the block page header text when the mode is customized_block_page.
  - `IncludeContext bool` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
  - `LogoPath string` Specify the full URL to the logo file when the mode is customized_block_page.
  - `MailtoAddress string` Specify the admin email for users to contact when the mode is customized_block_page.
  - `MailtoSubject string` Specify the subject line for emails created from the block page when the mode is customized_block_page.
  - `Mode BlockPageSettingsMode` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
    - `const BlockPageSettingsModeEmpty BlockPageSettingsMode = ""`
    - `const BlockPageSettingsModeCustomizedBlockPage BlockPageSettingsMode = "customized_block_page"`
    - `const BlockPageSettingsModeRedirectURI BlockPageSettingsMode = "redirect_uri"`
  - `Name string` Specify the block page title when the mode is customized_block_page.
  - `ReadOnly bool` Indicate that this setting was shared via the Orgs API and read only for the current account.
  - `SourceAccount string` Indicate the account tag of the account that shared this setting.
  - `SuppressFooter bool` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
  - `TargetURI string` Specify the URI to redirect users to when the mode is redirect_uri.
  - `Version int64` Indicate the version number of the setting.

### Body Scanning Settings

- `type BodyScanningSettings struct{…}` Specify the DLP inspection mode.
  - `InspectionMode BodyScanningSettingsInspectionMode` Specify the inspection mode as either `deep` or `shallow`.
    - `const BodyScanningSettingsInspectionModeDeep BodyScanningSettingsInspectionMode = "deep"`
    - `const BodyScanningSettingsInspectionModeShallow BodyScanningSettingsInspectionMode = "shallow"`

### Browser Isolation Settings

- `type BrowserIsolationSettings struct{…}` Specify Clientless Browser Isolation settings.
  - `NonIdentityEnabled bool` Specify whether to enable non-identity onramp support for Browser Isolation.
  - `URLBrowserIsolationEnabled bool` Specify whether to enable Clientless Browser Isolation.

### Custom Certificate Settings

- `type CustomCertificateSettings struct{…}` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
  - `Enabled bool` Specify whether to enable a custom certificate authority for signing Gateway traffic.
  - `ID string` Specify the UUID of the certificate (ID from MTLS certificate store).
  - `BindingStatus string` Indicate the internal certificate status.
  - `UpdatedAt Time`

### Extended Email Matching

- `type ExtendedEmailMatching struct{…}` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
  - `Enabled bool` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
  - `ReadOnly bool` Indicate that this setting was shared via the Orgs API and read only for the current account.
  - `SourceAccount string` Indicate the account tag of the account that shared this setting.
  - `Version int64` Indicate the version number of the setting.

### Fips Settings

- `type FipsSettings struct{…}` Specify FIPS settings.
  - `TLS bool` Enforce cipher suites and TLS versions compliant with FIPS 140-2.

### Gateway Configuration Settings

- `type GatewayConfigurationSettings struct{…}` Specify account settings.
  - `ActivityLog ActivityLogSettings` Specify activity log settings.
    - `Enabled bool` Specify whether to log activity.
  - `Antivirus AntiVirusSettings` Specify anti-virus settings.
    - `EnabledDownloadPhase bool` Specify whether to enable anti-virus scanning on downloads.
    - `EnabledUploadPhase bool` Specify whether to enable anti-virus scanning on uploads.
    - `FailClosed bool` Specify whether to block requests for unscannable files.
    - `NotificationSettings NotificationSettings` Configure the message the user's device shows during an antivirus scan.
      - `Enabled bool` Specify whether to enable notifications.
      - `IncludeContext bool` Specify whether to include context information as query parameters.
      - `Msg string` Specify the message to show in the notification.
      - `SupportURL string` Specify a URL that directs users to more information. If unset, the notification opens a block page.
  - `BlockPage BlockPageSettings` Specify block page layout settings.
    - `BackgroundColor string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
    - `Enabled bool` Specify whether to enable the custom block page.
    - `FooterText string` Specify the block page footer text when the mode is customized_block_page.
    - `HeaderText string` Specify the block page header text when the mode is customized_block_page.
    - `IncludeContext bool` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
    - `LogoPath string` Specify the full URL to the logo file when the mode is customized_block_page.
    - `MailtoAddress string` Specify the admin email for users to contact when the mode is customized_block_page.
    - `MailtoSubject string` Specify the subject line for emails created from the block page when the mode is customized_block_page.
    - `Mode BlockPageSettingsMode` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
      - `const BlockPageSettingsModeEmpty BlockPageSettingsMode = ""`
      - `const BlockPageSettingsModeCustomizedBlockPage BlockPageSettingsMode = "customized_block_page"`
      - `const BlockPageSettingsModeRedirectURI BlockPageSettingsMode = "redirect_uri"`
    - `Name string` Specify the block page title when the mode is customized_block_page.
    - `ReadOnly bool` Indicate that this setting was shared via the Orgs API and read only for the current account.
    - `SourceAccount string` Indicate the account tag of the account that shared this setting.
    - `SuppressFooter bool` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
    - `TargetURI string` Specify the URI to redirect users to when the mode is redirect_uri.
    - `Version int64` Indicate the version number of the setting.
  - `BodyScanning BodyScanningSettings` Specify the DLP inspection mode.
    - `InspectionMode BodyScanningSettingsInspectionMode` Specify the inspection mode as either `deep` or `shallow`.
      - `const BodyScanningSettingsInspectionModeDeep BodyScanningSettingsInspectionMode = "deep"`
      - `const BodyScanningSettingsInspectionModeShallow BodyScanningSettingsInspectionMode = "shallow"`
  - `BrowserIsolation BrowserIsolationSettings` Specify Clientless Browser Isolation settings.
    - `NonIdentityEnabled bool` Specify whether to enable non-identity onramp support for Browser Isolation.
    - `URLBrowserIsolationEnabled bool` Specify whether to enable Clientless Browser Isolation.
  - `Certificate GatewayConfigurationSettingsCertificate` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
    - `ID string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
  - `CustomCertificate CustomCertificateSettings` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
    - `Enabled bool` Specify whether to enable a custom certificate authority for signing Gateway traffic.
    - `ID string` Specify the UUID of the certificate (ID from MTLS certificate store).
    - `BindingStatus string` Indicate the internal certificate status.
    - `UpdatedAt Time`
  - `ExtendedEmailMatching ExtendedEmailMatching` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
    - `Enabled bool` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
    - `ReadOnly bool` Indicate that this setting was shared via the Orgs API and read only for the current account.
    - `SourceAccount string` Indicate the account tag of the account that shared this setting.
    - `Version int64` Indicate the version number of the setting.
  - `Fips FipsSettings` Specify FIPS settings.
    - `TLS bool` Enforce cipher suites and TLS versions compliant with FIPS 140-2.
  - `HostSelector GatewayConfigurationSettingsHostSelector` Enable host selection in egress policies.
    - `Enabled bool` Specify whether to enable filtering via hosts for egress policies.
  - `Inspection GatewayConfigurationSettingsInspection` Define the proxy inspection mode.
    - `Mode GatewayConfigurationSettingsInspectionMode` Define the proxy inspection mode.
      1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
      2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
      - `const GatewayConfigurationSettingsInspectionModeStatic GatewayConfigurationSettingsInspectionMode = "static"`
      - `const GatewayConfigurationSettingsInspectionModeDynamic GatewayConfigurationSettingsInspectionMode = "dynamic"`
  - `ProtocolDetection ProtocolDetection` Specify whether to detect protocols from the initial bytes of client traffic.
    - `Enabled bool` Specify whether to detect protocols from the initial bytes of client traffic.
  - `Sandbox GatewayConfigurationSettingsSandbox` Specify whether to enable the sandbox.
    - `Enabled bool` Specify whether to enable the sandbox.
    - `FallbackAction GatewayConfigurationSettingsSandboxFallbackAction` Specify the action to take when the system cannot scan the file.
      - `const GatewayConfigurationSettingsSandboxFallbackActionAllow GatewayConfigurationSettingsSandboxFallbackAction = "allow"`
      - `const GatewayConfigurationSettingsSandboxFallbackActionBlock GatewayConfigurationSettingsSandboxFallbackAction = "block"`
  - `TLSDecrypt TLSSettings` Specify whether to inspect encrypted HTTP traffic.
    - `Enabled bool` Specify whether to inspect encrypted HTTP traffic.

### Notification Settings

- `type NotificationSettings struct{…}` Configure the message the user's device shows during an antivirus scan.
  - `Enabled bool` Specify whether to enable notifications.
  - `IncludeContext bool` Specify whether to include context information as query parameters.
  - `Msg string` Specify the message to show in the notification.
  - `SupportURL string` Specify a URL that directs users to more information. If unset, the notification opens a block page.

### Protocol Detection

- `type ProtocolDetection struct{…}` Specify whether to detect protocols from the initial bytes of client traffic.
  - `Enabled bool` Specify whether to detect protocols from the initial bytes of client traffic.

### TLS Settings

- `type TLSSettings struct{…}` Specify whether to inspect encrypted HTTP traffic.
  - `Enabled bool` Specify whether to inspect encrypted HTTP traffic.
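
Several of the settings documented above decide whether Gateway logs activity, inspects HTTPS, and blocks or allows files it cannot scan. The following is an added example, not code from the SDK or from Cloudflare's documentation: it decodes a configuration response body offline and flags those settings, using only the field descriptions on this page. `AuditGatewayConfig`, `Finding` and both sample bodies are hypothetical names and constructed inputs.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// gatewayConfig mirrors only the response fields this audit reads. Keys that
// are absent decode to zero values, so a missing object counts as "off".
type gatewayConfig struct {
	Success bool `json:"success"`
	Result  struct {
		Settings struct {
			ActivityLog struct{ Enabled bool `json:"enabled"` } `json:"activity_log"`
			Antivirus   struct {
				Download   bool `json:"enabled_download_phase"`
				Upload     bool `json:"enabled_upload_phase"`
				FailClosed bool `json:"fail_closed"`
			} `json:"antivirus"`
			CustomCertificate struct{ Enabled bool `json:"enabled"` } `json:"custom_certificate"`
			Sandbox           struct {
				Enabled        bool   `json:"enabled"`
				FallbackAction string `json:"fallback_action"`
			} `json:"sandbox"`
			TLSDecrypt struct{ Enabled bool `json:"enabled"` } `json:"tls_decrypt"`
		} `json:"settings"`
	} `json:"result"`
}

// Finding is a hypothetical report record: the JSON path and why it matters.
type Finding struct{ Field, Detail string }

// AuditGatewayConfig decodes a configuration response body and returns the
// settings that leave traffic unlogged, uninspected or failing open.
func AuditGatewayConfig(body []byte) ([]Finding, error) {
	var cfg gatewayConfig
	if err := json.Unmarshal(body, &cfg); err != nil {
		return nil, fmt.Errorf("decode configuration response: %w", err)
	}
	if !cfg.Success {
		return nil, errors.New("response has success=false; settings not audited")
	}
	s := cfg.Result.Settings
	var out []Finding
	add := func(field, detail string) { out = append(out, Finding{field, detail}) }
	if !s.ActivityLog.Enabled {
		add("activity_log.enabled", "activity is not logged")
	}
	switch {
	case !s.Antivirus.Download && !s.Antivirus.Upload:
		add("antivirus", "anti-virus scanning is off for uploads and downloads")
	case !s.Antivirus.FailClosed:
		add("antivirus.fail_closed", "requests for unscannable files are not blocked")
	}
	if s.Sandbox.Enabled && s.Sandbox.FallbackAction != "block" {
		add("sandbox.fallback_action", "files the sandbox cannot scan are not blocked")
	}
	if !s.TLSDecrypt.Enabled {
		add("tls_decrypt.enabled", "HTTPS is not inspected in static or dynamic mode")
	}
	if s.CustomCertificate.Enabled {
		add("custom_certificate.enabled", "deprecated field in use; move to certificate")
	}
	return out, nil
}

// Constructed input: the example response above, reduced to the audited keys.
const pageSample = `{"success": true, "result": {"settings": {
  "activity_log": {"enabled": true},
  "antivirus": {"enabled_download_phase": false, "enabled_upload_phase": false, "fail_closed": false},
  "custom_certificate": {"enabled": true},
  "sandbox": {"enabled": true, "fallback_action": "allow"},
  "tls_decrypt": {"enabled": true}}}}`

// Constructed input: the same keys set so that nothing fails open.
const hardenedSample = `{"success": true, "result": {"settings": {
  "activity_log": {"enabled": true},
  "antivirus": {"enabled_download_phase": true, "enabled_upload_phase": true, "fail_closed": true},
  "sandbox": {"enabled": true, "fallback_action": "block"},
  "tls_decrypt": {"enabled": true}}}}`

func main() {
	for _, body := range []string{pageSample, hardenedSample} {
		findings, err := AuditGatewayConfig([]byte(body))
		fmt.Printf("%d finding(s), err=%v\n", len(findings), err)
		for _, f := range findings {
			fmt.Printf("  %-28s %s\n", f.Field, f.Detail)
		}
	}
}
```
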

# Custom Certificate

## Get Zero Trust certificate configuration

`client.ZeroTrust.Gateway.Configurations.CustomCertificate.Get(ctx, query) (*CustomCertificateSettings, error)`

**get** `/accounts/{account_id}/gateway/configuration/custom_certificate`

Retrieve the current Zero Trust certificate configuration.

### Parameters

- `query GatewayConfigurationCustomCertificateGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type CustomCertificateSettings struct{…}` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
  - `Enabled bool` Specify whether to enable a custom certificate authority for signing Gateway traffic.
  - `ID string` Specify the UUID of the certificate (ID from MTLS certificate store).
  - `BindingStatus string` Indicate the internal certificate status.
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	customCertificateSettings, err := client.ZeroTrust.Gateway.Configurations.CustomCertificate.Get(context.TODO(), zero_trust.GatewayConfigurationCustomCertificateGetParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", customCertificateSettings.ID)
}
```

#### Response

```json
{
  "enabled": true,
  "id": "d1b364c5-1311-466e-a194-f0e943e0799f",
  "binding_status": "pending_deployment",
  "updated_at": "2019-12-27T18:11:19.117Z"
}
```

# Lists

## List Zero Trust lists

`client.ZeroTrust.Gateway.Lists.List(ctx, params) (*SinglePage[GatewayList], error)`

**get** `/accounts/{account_id}/gateway/lists`

Fetch all Zero Trust lists for an account.

### Parameters

- `params GatewayListListParams`
  - `AccountID param.Field[string]` Path param
  - `Type param.Field[GatewayListListParamsType]` Query param: Specify the list type.
    - `const GatewayListListParamsTypeSerial GatewayListListParamsType = "SERIAL"`
    - `const GatewayListListParamsTypeURL GatewayListListParamsType = "URL"`
    - `const GatewayListListParamsTypeDomain GatewayListListParamsType = "DOMAIN"`
    - `const GatewayListListParamsTypeEmail GatewayListListParamsType = "EMAIL"`
    - `const GatewayListListParamsTypeIP GatewayListListParamsType = "IP"`
    - `const GatewayListListParamsTypeCategory GatewayListListParamsType = "CATEGORY"`
    - `const GatewayListListParamsTypeLocation GatewayListListParamsType = "LOCATION"`
    - `const GatewayListListParamsTypeDevice GatewayListListParamsType = "DEVICE"`

### Returns

- `type GatewayList struct{…}`
  - `ID string` Identify the API resource with a UUID.
  - `Count float64` Indicate the number of items in the list.
  - `CreatedAt Time`
  - `Description string` Provide the list description.
  - `Items []GatewayItem` Provide the list items.
    - `CreatedAt Time`
    - `Description string` Provide the list item description (optional).
    - `Value string` Specify the item value.
  - `Name string` Specify the list name.
  - `Type GatewayListType` Specify the list type.
    - `const GatewayListTypeSerial GatewayListType = "SERIAL"`
    - `const GatewayListTypeURL GatewayListType = "URL"`
    - `const GatewayListTypeDomain GatewayListType = "DOMAIN"`
    - `const GatewayListTypeEmail GatewayListType = "EMAIL"`
    - `const GatewayListTypeIP GatewayListType = "IP"`
    - `const GatewayListTypeCategory GatewayListType = "CATEGORY"`
    - `const GatewayListTypeLocation GatewayListType = "LOCATION"`
    - `const GatewayListTypeDevice GatewayListType = "DEVICE"`
  - `UpdatedAt Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Gateway.Lists.List(context.TODO(), zero_trust.GatewayListListParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "count": 20,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "description": "The serial numbers for administrators",
      "items": [
        {
          "created_at": "2014-01-01T05:20:00.12345Z",
          "description": "Austin office IP",
          "value": "8GE8721REF"
        }
      ],
      "name": "Admin Serial Numbers",
      "type": "SERIAL",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get Zero Trust list details

`client.ZeroTrust.Gateway.Lists.Get(ctx, listID, query) (*GatewayList, error)`

**get** `/accounts/{account_id}/gateway/lists/{list_id}`

Fetch a single Zero Trust list.
### Parameters - `listID string` Identify the API resource with a UUID. - `query GatewayListGetParams` - `AccountID param.Field[string]` ### Returns - `type GatewayList struct{…}` - `ID string` Identify the API resource with a UUID. - `Count float64` Indicate the number of items in the list. - `CreatedAt Time` - `Description string` Provide the list description. - `Items []GatewayItem` Provide the list items. - `CreatedAt Time` - `Description string` Provide the list item description (optional). - `Value string` Specify the item value. - `Name string` Specify the list name. - `Type GatewayListType` Specify the list type. - `const GatewayListTypeSerial GatewayListType = "SERIAL"` - `const GatewayListTypeURL GatewayListType = "URL"` - `const GatewayListTypeDomain GatewayListType = "DOMAIN"` - `const GatewayListTypeEmail GatewayListType = "EMAIL"` - `const GatewayListTypeIP GatewayListType = "IP"` - `const GatewayListTypeCategory GatewayListType = "CATEGORY"` - `const GatewayListTypeLocation GatewayListType = "LOCATION"` - `const GatewayListTypeDevice GatewayListType = "DEVICE"` - `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) gatewayList, err := client.ZeroTrust.Gateway.Lists.Get( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.GatewayListGetParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", gatewayList.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], 
"success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "count": 20, "created_at": "2014-01-01T05:20:00.12345Z", "description": "The serial numbers for administrators", "items": [ { "created_at": "2014-01-01T05:20:00.12345Z", "description": "Austin office IP", "value": "8GE8721REF" } ], "name": "Admin Serial Numbers", "type": "SERIAL", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Create Zero Trust list `client.ZeroTrust.Gateway.Lists.New(ctx, params) (*GatewayListNewResponse, error)` **post** `/accounts/{account_id}/gateway/lists` Creates a new Zero Trust list. ### Parameters - `params GatewayListNewParams` - `AccountID param.Field[string]` Path param - `Name param.Field[string]` Body param: Specify the list name. - `Type param.Field[GatewayListNewParamsType]` Body param: Specify the list type. - `const GatewayListNewParamsTypeSerial GatewayListNewParamsType = "SERIAL"` - `const GatewayListNewParamsTypeURL GatewayListNewParamsType = "URL"` - `const GatewayListNewParamsTypeDomain GatewayListNewParamsType = "DOMAIN"` - `const GatewayListNewParamsTypeEmail GatewayListNewParamsType = "EMAIL"` - `const GatewayListNewParamsTypeIP GatewayListNewParamsType = "IP"` - `const GatewayListNewParamsTypeCategory GatewayListNewParamsType = "CATEGORY"` - `const GatewayListNewParamsTypeLocation GatewayListNewParamsType = "LOCATION"` - `const GatewayListNewParamsTypeDevice GatewayListNewParamsType = "DEVICE"` - `Description param.Field[string]` Body param: Provide the list description. - `Items param.Field[[]GatewayListNewParamsItem]` Body param: Add items to the list. - `Description string` Provide the list item description (optional). - `Value string` Specify the item value. ### Returns - `type GatewayListNewResponse struct{…}` - `ID string` Identify the API resource with a UUID. - `CreatedAt Time` - `Description string` Provide the list description. - `Items []GatewayItem` Provide the list items. 
- `CreatedAt Time` - `Description string` Provide the list item description (optional). - `Value string` Specify the item value. - `Name string` Specify the list name. - `Type GatewayListNewResponseType` Specify the list type. - `const GatewayListNewResponseTypeSerial GatewayListNewResponseType = "SERIAL"` - `const GatewayListNewResponseTypeURL GatewayListNewResponseType = "URL"` - `const GatewayListNewResponseTypeDomain GatewayListNewResponseType = "DOMAIN"` - `const GatewayListNewResponseTypeEmail GatewayListNewResponseType = "EMAIL"` - `const GatewayListNewResponseTypeIP GatewayListNewResponseType = "IP"` - `const GatewayListNewResponseTypeCategory GatewayListNewResponseType = "CATEGORY"` - `const GatewayListNewResponseTypeLocation GatewayListNewResponseType = "LOCATION"` - `const GatewayListNewResponseTypeDevice GatewayListNewResponseType = "DEVICE"` - `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) list, err := client.ZeroTrust.Gateway.Lists.New(context.TODO(), zero_trust.GatewayListNewParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), Name: cloudflare.F("Admin Serial Numbers"), Type: cloudflare.F(zero_trust.GatewayListNewParamsTypeSerial), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", list.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "created_at": "2014-01-01T05:20:00.12345Z", "description": "The serial numbers for administrators", 
"items": [ { "created_at": "2014-01-01T05:20:00.12345Z", "description": "Austin office IP", "value": "8GE8721REF" } ], "name": "Admin Serial Numbers", "type": "SERIAL", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update Zero Trust list `client.ZeroTrust.Gateway.Lists.Update(ctx, listID, params) (*GatewayList, error)` **put** `/accounts/{account_id}/gateway/lists/{list_id}` Updates a configured Zero Trust list. Skips updating list items if not included in the payload. A non-empty items list overwrites the existing list. ### Parameters - `listID string` Identify the API resource with a UUID. - `params GatewayListUpdateParams` - `AccountID param.Field[string]` Path param - `Name param.Field[string]` Body param: Specify the list name. - `Description param.Field[string]` Body param: Provide the list description. - `Items param.Field[[]GatewayListUpdateParamsItem]` Body param: Add items to the list. - `Description string` Provide the list item description (optional). - `Value string` Specify the item value. ### Returns - `type GatewayList struct{…}` - `ID string` Identify the API resource with a UUID. - `Count float64` Indicate the number of items in the list. - `CreatedAt Time` - `Description string` Provide the list description. - `Items []GatewayItem` Provide the list items. - `CreatedAt Time` - `Description string` Provide the list item description (optional). - `Value string` Specify the item value. - `Name string` Specify the list name. - `Type GatewayListType` Specify the list type.
- `const GatewayListTypeSerial GatewayListType = "SERIAL"` - `const GatewayListTypeURL GatewayListType = "URL"` - `const GatewayListTypeDomain GatewayListType = "DOMAIN"` - `const GatewayListTypeEmail GatewayListType = "EMAIL"` - `const GatewayListTypeIP GatewayListType = "IP"` - `const GatewayListTypeCategory GatewayListType = "CATEGORY"` - `const GatewayListTypeLocation GatewayListType = "LOCATION"` - `const GatewayListTypeDevice GatewayListType = "DEVICE"` - `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) gatewayList, err := client.ZeroTrust.Gateway.Lists.Update( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.GatewayListUpdateParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), Name: cloudflare.F("Admin Serial Numbers"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", gatewayList.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "count": 20, "created_at": "2014-01-01T05:20:00.12345Z", "description": "The serial numbers for administrators", "items": [ { "created_at": "2014-01-01T05:20:00.12345Z", "description": "Austin office IP", "value": "8GE8721REF" } ], "name": "Admin Serial Numbers", "type": "SERIAL", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Patch Zero Trust list. 
`client.ZeroTrust.Gateway.Lists.Edit(ctx, listID, params) (*GatewayList, error)` **patch** `/accounts/{account_id}/gateway/lists/{list_id}` Appends or removes an item from a configured Zero Trust list. ### Parameters - `listID string` Identify the API resource with a UUID. - `params GatewayListEditParams` - `AccountID param.Field[string]` Path param - `Append param.Field[[]GatewayListEditParamsAppend]` Body param: Add items to the list. - `Description string` Provide the list item description (optional). - `Value string` Specify the item value. - `Remove param.Field[[]string]` Body param: Lists of item values you want to remove. ### Returns - `type GatewayList struct{…}` - `ID string` Identify the API resource with a UUID. - `Count float64` Indicate the number of items in the list. - `CreatedAt Time` - `Description string` Provide the list description. - `Items []GatewayItem` Provide the list items. - `CreatedAt Time` - `Description string` Provide the list item description (optional). - `Value string` Specify the item value. - `Name string` Specify the list name. - `Type GatewayListType` Specify the list type. 
- `const GatewayListTypeSerial GatewayListType = "SERIAL"` - `const GatewayListTypeURL GatewayListType = "URL"` - `const GatewayListTypeDomain GatewayListType = "DOMAIN"` - `const GatewayListTypeEmail GatewayListType = "EMAIL"` - `const GatewayListTypeIP GatewayListType = "IP"` - `const GatewayListTypeCategory GatewayListType = "CATEGORY"` - `const GatewayListTypeLocation GatewayListType = "LOCATION"` - `const GatewayListTypeDevice GatewayListType = "DEVICE"` - `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) gatewayList, err := client.ZeroTrust.Gateway.Lists.Edit( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.GatewayListEditParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", gatewayList.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "count": 20, "created_at": "2014-01-01T05:20:00.12345Z", "description": "The serial numbers for administrators", "items": [ { "created_at": "2014-01-01T05:20:00.12345Z", "description": "Austin office IP", "value": "8GE8721REF" } ], "name": "Admin Serial Numbers", "type": "SERIAL", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete Zero Trust list `client.ZeroTrust.Gateway.Lists.Delete(ctx, listID, body) (*GatewayListDeleteResponse, error)` **delete** `/accounts/{account_id}/gateway/lists/{list_id}` Deletes a Zero Trust list. 
### Parameters - `listID string` Identify the API resource with a UUID. - `body GatewayListDeleteParams` - `AccountID param.Field[string]` ### Returns - `type GatewayListDeleteResponse interface{…}` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) list, err := client.ZeroTrust.Gateway.Lists.Delete( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.GatewayListDeleteParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", list) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": {} } ``` ## Domain Types ### Gateway Item - `type GatewayItem struct{…}` - `CreatedAt Time` - `Description string` Provide the list item description (optional). - `Value string` Specify the item value. ### Gateway List - `type GatewayList struct{…}` - `ID string` Identify the API resource with a UUID. - `Count float64` Indicate the number of items in the list. - `CreatedAt Time` - `Description string` Provide the list description. - `Items []GatewayItem` Provide the list items. - `CreatedAt Time` - `Description string` Provide the list item description (optional). - `Value string` Specify the item value. - `Name string` Specify the list name. - `Type GatewayListType` Specify the list type. 
- `const GatewayListTypeSerial GatewayListType = "SERIAL"` - `const GatewayListTypeURL GatewayListType = "URL"` - `const GatewayListTypeDomain GatewayListType = "DOMAIN"` - `const GatewayListTypeEmail GatewayListType = "EMAIL"` - `const GatewayListTypeIP GatewayListType = "IP"` - `const GatewayListTypeCategory GatewayListType = "CATEGORY"` - `const GatewayListTypeLocation GatewayListType = "LOCATION"` - `const GatewayListTypeDevice GatewayListType = "DEVICE"` - `UpdatedAt Time` # Items ## Get Zero Trust list items `client.ZeroTrust.Gateway.Lists.Items.List(ctx, listID, query) (*SinglePage[[]GatewayItem], error)` **get** `/accounts/{account_id}/gateway/lists/{list_id}/items` Fetch all items in a single Zero Trust list. ### Parameters - `listID string` Identify the API resource with a UUID. - `query GatewayListItemListParams` - `AccountID param.Field[string]` ### Returns - `type GatewayListItemListResponseEnvelopeResult []GatewayItem` Provide the list items. - `CreatedAt Time` - `Description string` Provide the list item description (optional). - `Value string` Specify the item value. 
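The update endpoint documented earlier overwrites a list's items when a non-empty `Items` array is sent, while the patch endpoint appends or removes individual values. The following is an added example, not Cloudflare SDK code: it diffs the items fetched from this endpoint against a desired set to build the `Append` and `Remove` arguments for a patch call. `Item`, `Plan`, `PlanEdit` and the `maxRemoveFraction` safety limit are hypothetical names, the serial numbers other than `8GE8721REF` are constructed, and exact string matching of values is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Item mirrors the Value/Description pair of a list item documented on this page.
type Item struct {
	Value       string
	Description string
}

// Plan holds the arguments for one patch call: items to append, values to remove.
type Plan struct {
	Append []Item
	Remove []string
}

// PlanEdit diffs current against desired by exact Value match (an assumption:
// the page does not say how the service normalises values). Duplicate values
// in desired are collapsed, keeping the first. maxRemoveFraction is a
// hypothetical safety limit: the plan is rejected when it would remove more
// than that share of the current items, which guards against pushing a
// truncated or empty source file over a populated list.
func PlanEdit(current, desired []Item, maxRemoveFraction float64) (Plan, error) {
	have := make(map[string]bool, len(current))
	for _, it := range current {
		have[it.Value] = true
	}
	want := make(map[string]bool, len(desired))
	var plan Plan
	for _, it := range desired {
		if it.Value == "" {
			return Plan{}, errors.New("desired item with empty value")
		}
		if want[it.Value] {
			continue // duplicate in the desired set
		}
		want[it.Value] = true
		if !have[it.Value] {
			plan.Append = append(plan.Append, it)
		}
	}
	for v := range have {
		if !want[v] {
			plan.Remove = append(plan.Remove, v)
		}
	}
	sort.Strings(plan.Remove) // map iteration order is random; keep output stable
	if n := len(have); n > 0 && float64(len(plan.Remove)) > maxRemoveFraction*float64(n) {
		return Plan{}, fmt.Errorf("plan removes %d of %d items, above the %.0f%% limit",
			len(plan.Remove), n, maxRemoveFraction*100)
	}
	return plan, nil
}

func main() {
	// Constructed sample data.
	current := []Item{{Value: "8GE8721REF"}, {Value: "4KD1150XYZ"}, {Value: "2MB7743QRS"}, {Value: "9TC3308LMN"}}
	desired := []Item{{Value: "8GE8721REF"}, {Value: "2MB7743QRS"}, {Value: "5PA6621UVW", Description: "new admin laptop"}}
	plan, err := PlanEdit(current, desired, 0.5)
	if err != nil {
		panic(err)
	}
	fmt.Printf("append=%v remove=%v\n", plan.Append, plan.Remove)
}
```
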
### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.Gateway.Lists.Items.List( context.TODO(), "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", zero_trust.GatewayListItemListParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ [ { "created_at": "2014-01-01T05:20:00.12345Z", "description": "Austin office IP", "value": "8GE8721REF" } ] ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` # Locations ## List Zero Trust Gateway locations `client.ZeroTrust.Gateway.Locations.List(ctx, query) (*SinglePage[Location], error)` **get** `/accounts/{account_id}/gateway/locations` List Zero Trust Gateway locations for an account. ### Parameters - `query GatewayLocationListParams` - `AccountID param.Field[string]` ### Returns - `type Location struct{…}` - `ID string` - `ClientDefault bool` Indicate whether this location is the default location. - `CreatedAt Time` - `DNSDestinationIPsID string` Indicate the identifier of the pair of IPv4 addresses assigned to this location. - `DNSDestinationIPV6BlockID string` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block. 
- `DOHSubdomain string` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value. - `ECSSupport bool` Indicate whether the location must resolve EDNS queries. - `Endpoints Endpoint` Configure the destination endpoints for this location. - `DOH DOHEndpoint` - `Enabled bool` Indicate whether the DOH endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `RequireToken bool` Specify whether the DOH endpoint requires user identity authentication. - `DOT DOTEndpoint` - `Enabled bool` Indicate whether the DOT endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `IPV4 IPV4Endpoint` - `Enabled bool` Indicate whether the IPv4 endpoint is enabled for this location. - `IPV6 IPV6Endpoint` - `Enabled bool` Indicate whether the IPV6 endpoint is enabled for this location. - `Networks []IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IPv6 address or IPv6 CIDR. - `IP string` Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location. - `IPV4Destination string` Show the primary destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only.
- `IPV4DestinationBackup string` Show the backup destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only. - `Name string` Specify the location name. - `Networks []LocationNetwork` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location. - `Network string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24. - `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.Gateway.Locations.List(context.TODO(), zero_trust.GatewayLocationListParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "ed35569b41ce4d1facfe683550f54086", "client_default": false, "created_at": "2014-01-01T05:20:00.12345Z", "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6", "dns_destination_ipv6_block_id": "b08f7231-d458-495c-98ef-190604c9ee83", "doh_subdomain": "oli3n9zkz5", "ecs_support": false, "endpoints": { "doh": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ], "require_token": true }, "dot": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] }, "ipv4": { "enabled": true }, "ipv6": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] } }, "ip":
"2001:0db8:85a3:0000:0000:8a2e:0370:7334", "ipv4_destination": "172.64.36.1", "ipv4_destination_backup": "172.64.36.2", "name": "Austin Office Location", "networks": [ { "network": "192.0.2.1/32" } ], "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Get Zero Trust Gateway location details `client.ZeroTrust.Gateway.Locations.Get(ctx, locationID, query) (*Location, error)` **get** `/accounts/{account_id}/gateway/locations/{location_id}` Get a single Zero Trust Gateway location. ### Parameters - `locationID string` - `query GatewayLocationGetParams` - `AccountID param.Field[string]` ### Returns - `type Location struct{…}` - `ID string` - `ClientDefault bool` Indicate whether this location is the default location. - `CreatedAt Time` - `DNSDestinationIPsID string` Indicate the identifier of the pair of IPv4 addresses assigned to this location. - `DNSDestinationIPV6BlockID string` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block. - `DOHSubdomain string` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value. - `ECSSupport bool` Indicate whether the location must resolve EDNS queries. - `Endpoints Endpoint` Configure the destination endpoints for this location. - `DOH DOHEndpoint` - `Enabled bool` Indicate whether the DOH endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `RequireToken bool` Specify whether the DOH endpoint requires user identity authentication. 
- `DOT DOTEndpoint` - `Enabled bool` Indicate whether the DOT endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `IPV4 IPV4Endpoint` - `Enabled bool` Indicate whether the IPv4 endpoint is enabled for this location. - `IPV6 IPV6Endpoint` - `Enabled bool` Indicate whether the IPV6 endpoint is enabled for this location. - `Networks []IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IPv6 address or IPv6 CIDR. - `IP string` Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location. - `IPV4Destination string` Show the primary destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only. - `IPV4DestinationBackup string` Show the backup destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only. - `Name string` Specify the location name. - `Networks []LocationNetwork` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location. - `Network string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.
- `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) location, err := client.ZeroTrust.Gateway.Locations.Get( context.TODO(), "ed35569b41ce4d1facfe683550f54086", zero_trust.GatewayLocationGetParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", location.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "ed35569b41ce4d1facfe683550f54086", "client_default": false, "created_at": "2014-01-01T05:20:00.12345Z", "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6", "dns_destination_ipv6_block_id": "b08f7231-d458-495c-98ef-190604c9ee83", "doh_subdomain": "oli3n9zkz5", "ecs_support": false, "endpoints": { "doh": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ], "require_token": true }, "dot": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] }, "ipv4": { "enabled": true }, "ipv6": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] } }, "ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334", "ipv4_destination": "172.64.36.1", "ipv4_destination_backup": "172.64.36.2", "name": "Austin Office Location", "networks": [ { "network": "192.0.2.1/32" } ], "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Create a Zero Trust Gateway location `client.ZeroTrust.Gateway.Locations.New(ctx, params) (*Location, error)` **post** `/accounts/{account_id}/gateway/locations` Create a new Zero Trust Gateway location. 
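The `Location` fields documented above state that an enabled endpoint with an empty `Networks` list allows all source IPs, and that a networks list has no effect while its endpoint is disabled. The following is an added example, not Cloudflare SDK code: it decodes a location listing in the JSON shape shown in the responses and reports endpoints in either state, plus network entries that do not parse as an IP or CIDR. The function names, issue labels and sample data are constructed for illustration, and treating a DoH endpoint with `require_token` set as not open is an interpretation of the field description.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/netip"
)

// Constructed sample, shaped like the "result" array in the responses above.
const sampleResponse = `{"success": true, "result": [
 {"name": "Austin Office Location", "endpoints": {
   "doh":  {"enabled": true, "networks": [{"network": "2001:85a3::/64"}], "require_token": true},
   "dot":  {"enabled": true, "networks": [{"network": "2001:85a3::/64"}]},
   "ipv4": {"enabled": true},
   "ipv6": {"enabled": true, "networks": [{"network": "2001:85a3::/64"}]}}},
 {"name": "Lab", "endpoints": {
   "doh":  {"enabled": true, "networks": [], "require_token": false},
   "dot":  {"enabled": false, "networks": [{"network": "198.51.100.0/24"}]},
   "ipv4": {"enabled": true},
   "ipv6": {"enabled": true, "networks": []}}},
 {"name": "Roaming Users", "endpoints": {
   "doh":  {"enabled": true, "networks": [], "require_token": true},
   "dot":  {"enabled": true, "networks": [{"network": "10.0.0.0/33"}]},
   "ipv4": {"enabled": false},
   "ipv6": {"enabled": false}}}
]}`

// endpoint covers the fields shared by the doh, dot and ipv6 endpoint objects.
type endpoint struct {
	Enabled  bool `json:"enabled"`
	Networks []struct {
		Network string `json:"network"`
	} `json:"networks"`
	RequireToken bool `json:"require_token"` // only present on the DoH endpoint
}

type location struct {
	Name      string `json:"name"`
	Endpoints struct {
		DOH  endpoint `json:"doh"`
		DOT  endpoint `json:"dot"`
		IPV6 endpoint `json:"ipv6"`
	} `json:"endpoints"`
}

// Finding is one audit result for one endpoint of one location.
type Finding struct {
	Location, Endpoint, Issue, Detail string
}

// validNetwork accepts a bare IP address or a CIDR prefix.
func validNetwork(s string) bool {
	if _, err := netip.ParsePrefix(s); err == nil {
		return true
	}
	_, err := netip.ParseAddr(s)
	return err == nil
}

func auditEndpoint(loc, name string, ep endpoint) []Finding {
	var out []Finding
	add := func(issue, detail string) {
		out = append(out, Finding{Location: loc, Endpoint: name, Issue: issue, Detail: detail})
	}
	if !ep.Enabled {
		if len(ep.Networks) > 0 {
			add("allowlist-inert", "networks are set but the endpoint is disabled")
		}
		return out
	}
	// An empty list means every source IP is allowed. A DoH endpoint that
	// requires a user token is still gated by identity, so it is not reported.
	if len(ep.Networks) == 0 && !ep.RequireToken {
		add("open-to-all-sources", "enabled with an empty networks list")
	}
	for _, n := range ep.Networks {
		if !validNetwork(n.Network) {
			add("invalid-network", n.Network)
		}
	}
	return out
}

// AuditLocations decodes a location listing and returns findings in input order.
func AuditLocations(raw []byte) ([]Finding, error) {
	var env struct {
		Success bool       `json:"success"`
		Result  []location `json:"result"`
	}
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	if !env.Success {
		return nil, errors.New("response reports success=false")
	}
	var out []Finding
	for _, l := range env.Result {
		out = append(out, auditEndpoint(l.Name, "doh", l.Endpoints.DOH)...)
		out = append(out, auditEndpoint(l.Name, "dot", l.Endpoints.DOT)...)
		out = append(out, auditEndpoint(l.Name, "ipv6", l.Endpoints.IPV6)...)
	}
	return out, nil
}

func main() {
	findings, err := AuditLocations([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-14s %-5s %-20s %s\n", f.Location, f.Endpoint, f.Issue, f.Detail)
	}
}
```
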
### Parameters - `params GatewayLocationNewParams` - `AccountID param.Field[string]` Path param - `Name param.Field[string]` Body param: Specify the location name. - `ClientDefault param.Field[bool]` Body param: Indicate whether this location is the default location. - `DNSDestinationIPsID param.Field[string]` Body param: Specify the identifier of the pair of IPv4 addresses assigned to this location. When creating a location, if this field is absent or set to null, the pair of shared IPv4 addresses (0e4a32c6-6fb8-4858-9296-98f51631e8e6) is auto-assigned. When updating a location, if this field is absent or set to null, the pre-assigned pair remains unchanged. - `ECSSupport param.Field[bool]` Body param: Indicate whether the location must resolve EDNS queries. - `Endpoints param.Field[Endpoint]` Body param: Configure the destination endpoints for this location. - `Networks param.Field[[]GatewayLocationNewParamsNetwork]` Body param: Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location. - `Network string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24. ### Returns - `type Location struct{…}` - `ID string` - `ClientDefault bool` Indicate whether this location is the default location. - `CreatedAt Time` - `DNSDestinationIPsID string` Indicate the identifier of the pair of IPv4 addresses assigned to this location. - `DNSDestinationIPV6BlockID string` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block. - `DOHSubdomain string` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value. - `ECSSupport bool` Indicate whether the location must resolve EDNS queries. 
- `Endpoints Endpoint` Configure the destination endpoints for this location. - `DOH DOHEndpoint` - `Enabled bool` Indicate whether the DOH endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `RequireToken bool` Specify whether the DOH endpoint requires user identity authentication. - `DOT DOTEndpoint` - `Enabled bool` Indicate whether the DOT endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `IPV4 IPV4Endpoint` - `Enabled bool` Indicate whether the IPv4 endpoint is enabled for this location. - `IPV6 IPV6Endpoint` - `Enabled bool` Indicate whether the IPV6 endpoint is enabled for this location. - `Networks []IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IPv6 address or IPv6 CIDR. - `IP string` Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location. - `IPV4Destination string` Show the primary destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only. - `IPV4DestinationBackup string` Show the backup destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only. - `Name string` Specify the location name.
- `Networks []LocationNetwork` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location. - `Network string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24. - `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) location, err := client.ZeroTrust.Gateway.Locations.New(context.TODO(), zero_trust.GatewayLocationNewParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), Name: cloudflare.F("Austin Office Location"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", location.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "ed35569b41ce4d1facfe683550f54086", "client_default": false, "created_at": "2014-01-01T05:20:00.12345Z", "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6", "dns_destination_ipv6_block_id": "b08f7231-d458-495c-98ef-190604c9ee83", "doh_subdomain": "oli3n9zkz5", "ecs_support": false, "endpoints": { "doh": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ], "require_token": true }, "dot": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] }, "ipv4": { "enabled": true }, "ipv6": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] } }, "ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334", "ipv4_destination": "172.64.36.1", "ipv4_destination_backup": "172.64.36.2", "name": "Austin Office 
Location", "networks": [ { "network": "192.0.2.1/32" } ], "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update a Zero Trust Gateway location `client.ZeroTrust.Gateway.Locations.Update(ctx, locationID, params) (*Location, error)` **put** `/accounts/{account_id}/gateway/locations/{location_id}` Update a configured Zero Trust Gateway location. ### Parameters - `locationID string` - `params GatewayLocationUpdateParams` - `AccountID param.Field[string]` Path param - `Name param.Field[string]` Body param: Specify the location name. - `ClientDefault param.Field[bool]` Body param: Indicate whether this location is the default location. - `DNSDestinationIPsID param.Field[string]` Body param: Specify the identifier of the pair of IPv4 addresses assigned to this location. When creating a location, if this field is absent or set to null, the pair of shared IPv4 addresses (0e4a32c6-6fb8-4858-9296-98f51631e8e6) is auto-assigned. When updating a location, if this field is absent or set to null, the pre-assigned pair remains unchanged. - `ECSSupport param.Field[bool]` Body param: Indicate whether the location must resolve EDNS queries. - `Endpoints param.Field[Endpoint]` Body param: Configure the destination endpoints for this location. - `Networks param.Field[[]GatewayLocationUpdateParamsNetwork]` Body param: Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location. - `Network string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24. ### Returns - `type Location struct{…}` - `ID string` - `ClientDefault bool` Indicate whether this location is the default location. - `CreatedAt Time` - `DNSDestinationIPsID string` Indicate the identifier of the pair of IPv4 addresses assigned to this location. 
- `DNSDestinationIPV6BlockID string` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block. - `DOHSubdomain string` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value. - `ECSSupport bool` Indicate whether the location must resolve EDNS queries. - `Endpoints Endpoint` Configure the destination endpoints for this location. - `DOH DOHEndpoint` - `Enabled bool` Indicate whether the DOH endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `RequireToken bool` Specify whether the DOH endpoint requires user identity authentication. - `DOT DOTEndpoint` - `Enabled bool` Indicate whether the DOT endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `IPV4 IPV4Endpoint` - `Enabled bool` Indicate whether the IPv4 endpoint is enabled for this location. - `IPV6 IPV6Endpoint` - `Enabled bool` Indicate whether the IPV6 endpoint is enabled for this location. - `Networks []IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IPv6 address or IPv6 CIDR. - `IP string` Defines the automatically generated IPv6 destination IP assigned to this location. 
Gateway counts all DNS requests sent to this IP as requests under this location. - `IPV4Destination string` Show the primary destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only. - `IPV4DestinationBackup string` Show the backup destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only. - `Name string` Specify the location name. - `Networks []LocationNetwork` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location. - `Network string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24. - `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) location, err := client.ZeroTrust.Gateway.Locations.Update( context.TODO(), "ed35569b41ce4d1facfe683550f54086", zero_trust.GatewayLocationUpdateParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), Name: cloudflare.F("Austin Office Location"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", location.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "ed35569b41ce4d1facfe683550f54086", "client_default": false, "created_at": "2014-01-01T05:20:00.12345Z", "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6", "dns_destination_ipv6_block_id": "b08f7231-d458-495c-98ef-190604c9ee83", "doh_subdomain": "oli3n9zkz5", "ecs_support": 
false, "endpoints": { "doh": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ], "require_token": true }, "dot": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] }, "ipv4": { "enabled": true }, "ipv6": { "enabled": true, "networks": [ { "network": "2001:85a3::/64" } ] } }, "ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334", "ipv4_destination": "172.64.36.1", "ipv4_destination_backup": "172.64.36.2", "name": "Austin Office Location", "networks": [ { "network": "192.0.2.1/32" } ], "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete a Zero Trust Gateway location `client.ZeroTrust.Gateway.Locations.Delete(ctx, locationID, body) (*GatewayLocationDeleteResponse, error)` **delete** `/accounts/{account_id}/gateway/locations/{location_id}` Delete a configured Zero Trust Gateway location. ### Parameters - `locationID string` - `body GatewayLocationDeleteParams` - `AccountID param.Field[string]` ### Returns - `type GatewayLocationDeleteResponse interface{…}` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) location, err := client.ZeroTrust.Gateway.Locations.Delete( context.TODO(), "ed35569b41ce4d1facfe683550f54086", zero_trust.GatewayLocationDeleteParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", location) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": {} } ``` ## Domain Types ### DOH Endpoint - `type DOHEndpoint struct{…}` - `Enabled 
bool` Indicate whether the DOH endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `RequireToken bool` Specify whether the DOH endpoint requires user identity authentication. ### DOT Endpoint - `type DOTEndpoint struct{…}` - `Enabled bool` Indicate whether the DOT endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. ### Endpoint - `type Endpoint struct{…}` Configure the destination endpoints for this location. - `DOH DOHEndpoint` - `Enabled bool` Indicate whether the DOH endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `RequireToken bool` Specify whether the DOH endpoint requires user identity authentication. - `DOT DOTEndpoint` - `Enabled bool` Indicate whether the DOT endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `IPV4 IPV4Endpoint` - `Enabled bool` Indicate whether the IPv4 endpoint is enabled for this location. 
- `IPV6 IPV6Endpoint` - `Enabled bool` Indicate whether the IPV6 endpoint is enabled for this location. - `Networks []IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IPv6 address or IPv6 CIDR. ### IP Network - `type IPNetwork struct{…}` - `Network string` Specify the IP address or IP CIDR. ### IPV4 Endpoint - `type IPV4Endpoint struct{…}` - `Enabled bool` Indicate whether the IPv4 endpoint is enabled for this location. ### IPV6 Endpoint - `type IPV6Endpoint struct{…}` - `Enabled bool` Indicate whether the IPV6 endpoint is enabled for this location. - `Networks []IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IPv6 address or IPv6 CIDR. ### IPV6 Network - `type IPV6Network struct{…}` - `Network string` Specify the IPv6 address or IPv6 CIDR. ### Location - `type Location struct{…}` - `ID string` - `ClientDefault bool` Indicate whether this location is the default location. - `CreatedAt Time` - `DNSDestinationIPsID string` Indicate the identifier of the pair of IPv4 addresses assigned to this location. - `DNSDestinationIPV6BlockID string` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block. - `DOHSubdomain string` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value. - `ECSSupport bool` Indicate whether the location must resolve EDNS queries. - `Endpoints Endpoint` Configure the destination endpoints for this location. 
- `DOH DOHEndpoint` - `Enabled bool` Indicate whether the DOH endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `RequireToken bool` Specify whether the DOH endpoint requires user identity authentication. - `DOT DOTEndpoint` - `Enabled bool` Indicate whether the DOT endpoint is enabled for this location. - `Networks []IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IP address or IP CIDR. - `IPV4 IPV4Endpoint` - `Enabled bool` Indicate whether the IPv4 endpoint is enabled for this location. - `IPV6 IPV6Endpoint` - `Enabled bool` Indicate whether the IPV6 endpoint is enabled for this location. - `Networks []IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `Network string` Specify the IPv6 address or IPv6 CIDR. - `IP string` Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location. - `IPV4Destination string` Show the primary destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only. - `IPV4DestinationBackup string` Show the backup destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only. - `Name string` Specify the location name. - `Networks []LocationNetwork` Specify the list of network ranges from which requests at this location originate. 
The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location. - `Network string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24. - `UpdatedAt Time` # Logging ## Get logging settings for the Zero Trust account `client.ZeroTrust.Gateway.Logging.Get(ctx, query) (*LoggingSetting, error)` **get** `/accounts/{account_id}/gateway/logging` Retrieve the current logging settings for the Zero Trust account. ### Parameters - `query GatewayLoggingGetParams` - `AccountID param.Field[string]` ### Returns - `type LoggingSetting struct{…}` - `RedactPii bool` Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent). - `SettingsByRuleType LoggingSettingSettingsByRuleType` Configure logging settings for each rule type. - `DNS LoggingSettingSettingsByRuleTypeDNS` Configure logging settings for DNS firewall. - `LogAll bool` Specify whether to log all requests to this service. - `LogBlocks bool` Specify whether to log only blocking requests to this service. - `HTTP LoggingSettingSettingsByRuleTypeHTTP` Configure logging settings for HTTP/HTTPS firewall. - `LogAll bool` Specify whether to log all requests to this service. - `LogBlocks bool` Specify whether to log only blocking requests to this service. - `L4 LoggingSettingSettingsByRuleTypeL4` Configure logging settings for Network firewall. - `LogAll bool` Specify whether to log all requests to this service. - `LogBlocks bool` Specify whether to log only blocking requests to this service. 
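
Added example (not part of the SDK or of the original reference): a read-only audit over the `result` objects documented above, applying two statements from this page: an enabled DOH, DOT or IPv6 endpoint with an empty `networks` list allows all source IPs, and `log_all` / `log_blocks` decide what each rule type logs. It decodes the JSON directly instead of calling the SDK. The function names, the sample inputs and the check for a `/0` entry (which matches every address, like an empty list) are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// Structs mirror the JSON "result" shapes on this page (audited fields only).
type endpoint struct {
	Enabled  bool `json:"enabled"`
	Networks []struct {
		Network string `json:"network"`
	} `json:"networks"`
	RequireToken bool `json:"require_token"`
}
type location struct {
	Name      string              `json:"name"`
	Endpoints map[string]endpoint `json:"endpoints"`
}
type loggingSetting struct {
	RedactPII          bool `json:"redact_pii"`
	SettingsByRuleType map[string]struct {
		LogAll    bool `json:"log_all"`
		LogBlocks bool `json:"log_blocks"`
	} `json:"settings_by_rule_type"`
}

// coversAll reports whether an entry is a zero-length prefix (0.0.0.0/0 or ::/0).
func coversAll(entry string) bool {
	p, err := netip.ParsePrefix(entry)
	return err == nil && p.Bits() == 0
}

// AuditLocation lists enabled endpoints whose allow-list does not restrict sources.
func AuditLocation(raw []byte) ([]string, error) {
	var loc location
	if err := json.Unmarshal(raw, &loc); err != nil {
		return nil, err
	}
	var out []string
	for _, kind := range []string{"doh", "dot", "ipv6"} {
		ep := loc.Endpoints[kind]
		if !ep.Enabled {
			continue // the list takes effect only on an enabled endpoint
		}
		open := len(ep.Networks) == 0 // empty list: all source IPs allowed
		for _, n := range ep.Networks {
			open = open || coversAll(n.Network)
		}
		if open {
			out = append(out, fmt.Sprintf("%s/%s: any source IP is allowed", loc.Name, kind))
		}
		if kind == "doh" && !ep.RequireToken {
			out = append(out, fmt.Sprintf("%s/doh: user identity authentication not required", loc.Name))
		}
	}
	return out, nil
}

// AuditLogging reports, per rule type, which requests the settings log.
func AuditLogging(raw []byte) ([]string, error) {
	var ls loggingSetting
	if err := json.Unmarshal(raw, &ls); err != nil {
		return nil, err
	}
	var out []string
	for _, rt := range []string{"dns", "http", "l4"} {
		s := ls.SettingsByRuleType[rt] // zero value when the key is absent
		if !s.LogAll && s.LogBlocks {
			out = append(out, rt+": only blocked requests are logged")
		} else if !s.LogAll {
			out = append(out, rt+": neither log_all nor log_blocks is set")
		}
	}
	if ls.RedactPII {
		out = append(out, "redact_pii: PII fields are redacted from activity logs")
	}
	return out, nil
}

// Constructed sample inputs, not real account data.
const sampleLocation = `{"name":"Austin Office Location","endpoints":{
 "doh":{"enabled":true,"networks":[],"require_token":false},
 "dot":{"enabled":true,"networks":[{"network":"0.0.0.0/0"}]},
 "ipv6":{"enabled":true,"networks":[{"network":"2001:85a3::/64"}]}}}`
const sampleLogging = `{"redact_pii":true,"settings_by_rule_type":{"dns":{"log_all":false,"log_blocks":true},
 "http":{"log_all":true,"log_blocks":false},"l4":{"log_all":false,"log_blocks":false}}}`

func main() {
	loc, err1 := AuditLocation([]byte(sampleLocation))
	logs, err2 := AuditLogging([]byte(sampleLogging))
	if err1 != nil || err2 != nil {
		panic(fmt.Sprint(err1, err2))
	}
	for _, f := range append(loc, logs...) {
		fmt.Println(f)
	}
}
```
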
### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) loggingSetting, err := client.ZeroTrust.Gateway.Logging.Get(context.TODO(), zero_trust.GatewayLoggingGetParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", loggingSetting.RedactPii) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "redact_pii": true, "settings_by_rule_type": { "dns": { "log_all": false, "log_blocks": true }, "http": { "log_all": false, "log_blocks": true }, "l4": { "log_all": false, "log_blocks": true } } } } ``` ## Update Zero Trust account logging settings `client.ZeroTrust.Gateway.Logging.Update(ctx, params) (*LoggingSetting, error)` **put** `/accounts/{account_id}/gateway/logging` Update logging settings for the current Zero Trust account. ### Parameters - `params GatewayLoggingUpdateParams` - `AccountID param.Field[string]` Path param - `LoggingSetting param.Field[LoggingSetting]` Body param ### Returns - `type LoggingSetting struct{…}` - `RedactPii bool` Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent). - `SettingsByRuleType LoggingSettingSettingsByRuleType` Configure logging settings for each rule type. - `DNS LoggingSettingSettingsByRuleTypeDNS` Configure logging settings for DNS firewall. - `LogAll bool` Specify whether to log all requests to this service. 
- `LogBlocks bool` Specify whether to log only blocking requests to this service. - `HTTP LoggingSettingSettingsByRuleTypeHTTP` Configure logging settings for HTTP/HTTPS firewall. - `LogAll bool` Specify whether to log all requests to this service. - `LogBlocks bool` Specify whether to log only blocking requests to this service. - `L4 LoggingSettingSettingsByRuleTypeL4` Configure logging settings for Network firewall. - `LogAll bool` Specify whether to log all requests to this service. - `LogBlocks bool` Specify whether to log only blocking requests to this service. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) loggingSetting, err := client.ZeroTrust.Gateway.Logging.Update(context.TODO(), zero_trust.GatewayLoggingUpdateParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), LoggingSetting: zero_trust.LoggingSettingParam{ }, }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", loggingSetting.RedactPii) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "redact_pii": true, "settings_by_rule_type": { "dns": { "log_all": false, "log_blocks": true }, "http": { "log_all": false, "log_blocks": true }, "l4": { "log_all": false, "log_blocks": true } } } } ``` ## Domain Types ### Logging Setting - `type LoggingSetting struct{…}` - `RedactPii bool` Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent). 
- `SettingsByRuleType LoggingSettingSettingsByRuleType` Configure logging settings for each rule type. - `DNS LoggingSettingSettingsByRuleTypeDNS` Configure logging settings for DNS firewall. - `LogAll bool` Specify whether to log all requests to this service. - `LogBlocks bool` Specify whether to log only blocking requests to this service. - `HTTP LoggingSettingSettingsByRuleTypeHTTP` Configure logging settings for HTTP/HTTPS firewall. - `LogAll bool` Specify whether to log all requests to this service. - `LogBlocks bool` Specify whether to log only blocking requests to this service. - `L4 LoggingSettingSettingsByRuleTypeL4` Configure logging settings for Network firewall. - `LogAll bool` Specify whether to log all requests to this service. - `LogBlocks bool` Specify whether to log only blocking requests to this service. # Proxy Endpoints ## List proxy endpoints `client.ZeroTrust.Gateway.ProxyEndpoints.List(ctx, query) (*SinglePage[ProxyEndpoint], error)` **get** `/accounts/{account_id}/gateway/proxy_endpoints` List all Zero Trust Gateway proxy endpoints for an account. ### Parameters - `query GatewayProxyEndpointListParams` - `AccountID param.Field[string]` ### Returns - `type ProxyEndpoint interface{…}` - `type ProxyEndpointZeroTrustGatewayProxyEndpointIP struct{…}` - `IPs []GatewayIPs` Specify the list of CIDRs to restrict ingress connections. - `Name string` Specify the name of the proxy endpoint. - `ID string` - `CreatedAt Time` - `Kind ProxyEndpointZeroTrustGatewayProxyEndpointIPKind` The proxy endpoint kind - `const ProxyEndpointZeroTrustGatewayProxyEndpointIPKindIP ProxyEndpointZeroTrustGatewayProxyEndpointIPKind = "ip"` - `Subdomain string` Specify the subdomain to use as the destination in the proxy client. 
- `UpdatedAt Time` - `type ProxyEndpointZeroTrustGatewayProxyEndpointIdentity struct{…}` - `Kind ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind` The proxy endpoint kind - `const ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKindIdentity ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind = "identity"` - `Name string` Specify the name of the proxy endpoint. - `ID string` - `CreatedAt Time` - `Subdomain string` Specify the subdomain to use as the destination in the proxy client. - `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.ZeroTrust.Gateway.ProxyEndpoints.List(context.TODO(), zero_trust.GatewayProxyEndpointListParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "ips": [ "192.0.2.1/32" ], "name": "Devops team", "id": "ed35569b41ce4d1facfe683550f54086", "created_at": "2014-01-01T05:20:00.12345Z", "kind": "ip", "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Get a proxy endpoint `client.ZeroTrust.Gateway.ProxyEndpoints.Get(ctx, proxyEndpointID, query) (*ProxyEndpoint, error)` **get** `/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}` Get a single Zero Trust Gateway proxy endpoint. 
### Parameters - `proxyEndpointID string` - `query GatewayProxyEndpointGetParams` - `AccountID param.Field[string]` ### Returns - `type ProxyEndpoint interface{…}` - `type ProxyEndpointZeroTrustGatewayProxyEndpointIP struct{…}` - `IPs []GatewayIPs` Specify the list of CIDRs to restrict ingress connections. - `Name string` Specify the name of the proxy endpoint. - `ID string` - `CreatedAt Time` - `Kind ProxyEndpointZeroTrustGatewayProxyEndpointIPKind` The proxy endpoint kind - `const ProxyEndpointZeroTrustGatewayProxyEndpointIPKindIP ProxyEndpointZeroTrustGatewayProxyEndpointIPKind = "ip"` - `Subdomain string` Specify the subdomain to use as the destination in the proxy client. - `UpdatedAt Time` - `type ProxyEndpointZeroTrustGatewayProxyEndpointIdentity struct{…}` - `Kind ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind` The proxy endpoint kind - `const ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKindIdentity ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind = "identity"` - `Name string` Specify the name of the proxy endpoint. - `ID string` - `CreatedAt Time` - `Subdomain string` Specify the subdomain to use as the destination in the proxy client. 
- `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) proxyEndpoint, err := client.ZeroTrust.Gateway.ProxyEndpoints.Get( context.TODO(), "ed35569b41ce4d1facfe683550f54086", zero_trust.GatewayProxyEndpointGetParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", proxyEndpoint) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "ips": [ "192.0.2.1/32" ], "name": "Devops team", "id": "ed35569b41ce4d1facfe683550f54086", "created_at": "2014-01-01T05:20:00.12345Z", "kind": "ip", "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Create a proxy endpoint `client.ZeroTrust.Gateway.ProxyEndpoints.New(ctx, params) (*ProxyEndpoint, error)` **post** `/accounts/{account_id}/gateway/proxy_endpoints` Create a new Zero Trust Gateway proxy endpoint. ### Parameters - `params GatewayProxyEndpointNewParams` - `AccountID param.Field[string]` Path param - `Name param.Field[string]` Body param: Specify the name of the proxy endpoint. 
- `Kind param.Field[GatewayProxyEndpointNewParamsZeroTrustGatewayProxyEndpointIPCreateKind]` Body param: The proxy endpoint kind - `const GatewayProxyEndpointNewParamsZeroTrustGatewayProxyEndpointIPCreateKindIP GatewayProxyEndpointNewParamsZeroTrustGatewayProxyEndpointIPCreateKind = "ip"` ### Returns - `type ProxyEndpoint interface{…}` - `type ProxyEndpointZeroTrustGatewayProxyEndpointIP struct{…}` - `IPs []GatewayIPs` Specify the list of CIDRs to restrict ingress connections. - `Name string` Specify the name of the proxy endpoint. - `ID string` - `CreatedAt Time` - `Kind ProxyEndpointZeroTrustGatewayProxyEndpointIPKind` The proxy endpoint kind - `const ProxyEndpointZeroTrustGatewayProxyEndpointIPKindIP ProxyEndpointZeroTrustGatewayProxyEndpointIPKind = "ip"` - `Subdomain string` Specify the subdomain to use as the destination in the proxy client. - `UpdatedAt Time` - `type ProxyEndpointZeroTrustGatewayProxyEndpointIdentity struct{…}` - `Kind ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind` The proxy endpoint kind - `const ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKindIdentity ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind = "identity"` - `Name string` Specify the name of the proxy endpoint. - `ID string` - `CreatedAt Time` - `Subdomain string` Specify the subdomain to use as the destination in the proxy client. 
- `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) proxyEndpoint, err := client.ZeroTrust.Gateway.ProxyEndpoints.New(context.TODO(), zero_trust.GatewayProxyEndpointNewParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), Body: zero_trust.GatewayProxyEndpointNewParamsBodyZeroTrustGatewayProxyEndpointIPCreate{ Name: cloudflare.F("Devops team"), Kind: cloudflare.F(zero_trust.GatewayProxyEndpointNewParamsBodyZeroTrustGatewayProxyEndpointIPCreateKindIP), }, }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", proxyEndpoint) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "ips": [ "192.0.2.1/32" ], "name": "Devops team", "id": "ed35569b41ce4d1facfe683550f54086", "created_at": "2014-01-01T05:20:00.12345Z", "kind": "ip", "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update a proxy endpoint `client.ZeroTrust.Gateway.ProxyEndpoints.Edit(ctx, proxyEndpointID, params) (*ProxyEndpoint, error)` **patch** `/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}` Update a configured Zero Trust Gateway proxy endpoint. ### Parameters - `proxyEndpointID string` - `params GatewayProxyEndpointEditParams` - `AccountID param.Field[string]` Path param - `IPs param.Field[[]GatewayIPs]` Body param: Specify the list of CIDRs to restrict ingress connections. - `Name param.Field[string]` Body param: Specify the name of the proxy endpoint. 
### Returns - `type ProxyEndpoint interface{…}` - `type ProxyEndpointZeroTrustGatewayProxyEndpointIP struct{…}` - `IPs []GatewayIPs` Specify the list of CIDRs to restrict ingress connections. - `Name string` Specify the name of the proxy endpoint. - `ID string` - `CreatedAt Time` - `Kind ProxyEndpointZeroTrustGatewayProxyEndpointIPKind` The proxy endpoint kind - `const ProxyEndpointZeroTrustGatewayProxyEndpointIPKindIP ProxyEndpointZeroTrustGatewayProxyEndpointIPKind = "ip"` - `Subdomain string` Specify the subdomain to use as the destination in the proxy client. - `UpdatedAt Time` - `type ProxyEndpointZeroTrustGatewayProxyEndpointIdentity struct{…}` - `Kind ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind` The proxy endpoint kind - `const ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKindIdentity ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind = "identity"` - `Name string` Specify the name of the proxy endpoint. - `ID string` - `CreatedAt Time` - `Subdomain string` Specify the subdomain to use as the destination in the proxy client. 
- `UpdatedAt Time` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) proxyEndpoint, err := client.ZeroTrust.Gateway.ProxyEndpoints.Edit( context.TODO(), "ed35569b41ce4d1facfe683550f54086", zero_trust.GatewayProxyEndpointEditParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", proxyEndpoint) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "ips": [ "192.0.2.1/32" ], "name": "Devops team", "id": "ed35569b41ce4d1facfe683550f54086", "created_at": "2014-01-01T05:20:00.12345Z", "kind": "ip", "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete a proxy endpoint `client.ZeroTrust.Gateway.ProxyEndpoints.Delete(ctx, proxyEndpointID, body) (*GatewayProxyEndpointDeleteResponse, error)` **delete** `/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}` Delete a configured Zero Trust Gateway proxy endpoint. 
### Parameters - `proxyEndpointID string` - `body GatewayProxyEndpointDeleteParams` - `AccountID param.Field[string]` ### Returns - `type GatewayProxyEndpointDeleteResponse interface{…}` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/option" "github.com/cloudflare/cloudflare-go/zero_trust" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) proxyEndpoint, err := client.ZeroTrust.Gateway.ProxyEndpoints.Delete( context.TODO(), "ed35569b41ce4d1facfe683550f54086", zero_trust.GatewayProxyEndpointDeleteParams{ AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", proxyEndpoint) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": {} } ``` ## Domain Types ### Gateway IPs - `type GatewayIPs string` Specify an IPv4 or IPv6 CIDR. Limit IPv6 to a maximum of /109 and IPv4 to a maximum of /25. ### Proxy Endpoint - `type ProxyEndpoint interface{…}` - `type ProxyEndpointZeroTrustGatewayProxyEndpointIP struct{…}` - `IPs []GatewayIPs` Specify the list of CIDRs to restrict ingress connections. - `Name string` Specify the name of the proxy endpoint. - `ID string` - `CreatedAt Time` - `Kind ProxyEndpointZeroTrustGatewayProxyEndpointIPKind` The proxy endpoint kind - `const ProxyEndpointZeroTrustGatewayProxyEndpointIPKindIP ProxyEndpointZeroTrustGatewayProxyEndpointIPKind = "ip"` - `Subdomain string` Specify the subdomain to use as the destination in the proxy client. 
    - `UpdatedAt Time`
  - `type ProxyEndpointZeroTrustGatewayProxyEndpointIdentity struct{…}`
    - `Kind ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind` The proxy endpoint kind
      - `const ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKindIdentity ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind = "identity"`
    - `Name string` Specify the name of the proxy endpoint.
    - `ID string`
    - `CreatedAt Time`
    - `Subdomain string` Specify the subdomain to use as the destination in the proxy client.
    - `UpdatedAt Time`

# Rules

## List Zero Trust Gateway rules

`client.ZeroTrust.Gateway.Rules.List(ctx, query) (*SinglePage[GatewayRule], error)`

**get** `/accounts/{account_id}/gateway/rules`

List Zero Trust Gateway rules for an account.

### Parameters

- `query GatewayRuleListParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayRule struct{…}`
  - `Action GatewayRuleAction` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `const GatewayRuleActionOn GatewayRuleAction = "on"`
    - `const GatewayRuleActionOff GatewayRuleAction = "off"`
    - `const GatewayRuleActionAllow GatewayRuleAction = "allow"`
    - `const GatewayRuleActionBlock GatewayRuleAction = "block"`
    - `const GatewayRuleActionScan GatewayRuleAction = "scan"`
    - `const GatewayRuleActionNoscan GatewayRuleAction = "noscan"`
    - `const GatewayRuleActionSafesearch GatewayRuleAction = "safesearch"`
    - `const GatewayRuleActionYtrestricted GatewayRuleAction = "ytrestricted"`
    - `const GatewayRuleActionIsolate GatewayRuleAction = "isolate"`
    - `const GatewayRuleActionNoisolate GatewayRuleAction = "noisolate"`
    - `const GatewayRuleActionOverride GatewayRuleAction = "override"`
    - `const GatewayRuleActionL4Override GatewayRuleAction = "l4_override"`
    - `const GatewayRuleActionEgress GatewayRuleAction = "egress"`
    - `const GatewayRuleActionResolve GatewayRuleAction = "resolve"`
    - `const GatewayRuleActionQuarantine GatewayRuleAction = "quarantine"`
    - `const GatewayRuleActionRedirect GatewayRuleAction = "redirect"`
  - `Enabled bool` Specify whether the rule is enabled.
  - `Filters []GatewayFilter` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `const GatewayFilterHTTP GatewayFilter = "http"`
    - `const GatewayFilterDNS GatewayFilter = "dns"`
    - `const GatewayFilterL4 GatewayFilter = "l4"`
    - `const GatewayFilterEgress GatewayFilter = "egress"`
    - `const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"`
  - `Name string` Specify the rule name.
  - `Precedence int64` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `Traffic string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `ID string` Identify the API resource with a UUID.
  - `CreatedAt Time`
  - `DeletedAt Time` Indicate the date of deletion, if any.
  - `Description string` Specify the rule description.
  - `DevicePosture string` Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `Expiration GatewayRuleExpiration` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `ExpiresAt Time` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.
    - `Duration int64` Defines the default duration, in minutes, that a policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `Expired bool` Indicates whether the policy is expired.
  - `Identity string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `ReadOnly bool` Indicate that this rule is shared via the Orgs API and read only.
  - `RuleSettings RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors.
    If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `AddHeaders map[string, []string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `AllowChildBypass bool` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `AuditSSH RuleSettingAuditSSH` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action.
      - `CommandLogging bool` Enable SSH command logging.
    - `BISOAdminControls RuleSettingBISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `Copy RuleSettingBISOAdminControlsCopy` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsCopyEnabled RuleSettingBISOAdminControlsCopy = "enabled"`
        - `const RuleSettingBISOAdminControlsCopyDisabled RuleSettingBISOAdminControlsCopy = "disabled"`
        - `const RuleSettingBISOAdminControlsCopyRemoteOnly RuleSettingBISOAdminControlsCopy = "remote_only"`
      - `DCP bool` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `DD bool` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `DK bool` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `Download RuleSettingBISOAdminControlsDownload` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsDownloadEnabled RuleSettingBISOAdminControlsDownload = "enabled"`
        - `const RuleSettingBISOAdminControlsDownloadDisabled RuleSettingBISOAdminControlsDownload = "disabled"`
        - `const RuleSettingBISOAdminControlsDownloadRemoteOnly RuleSettingBISOAdminControlsDownload = "remote_only"`
      - `DP bool` Set to false to enable printing. Only applies when `version == "v1"`.
      - `DU bool` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `Keyboard RuleSettingBISOAdminControlsKeyboard` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsKeyboardEnabled RuleSettingBISOAdminControlsKeyboard = "enabled"`
        - `const RuleSettingBISOAdminControlsKeyboardDisabled RuleSettingBISOAdminControlsKeyboard = "disabled"`
      - `Paste RuleSettingBISOAdminControlsPaste` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsPasteEnabled RuleSettingBISOAdminControlsPaste = "enabled"`
        - `const RuleSettingBISOAdminControlsPasteDisabled RuleSettingBISOAdminControlsPaste = "disabled"`
        - `const RuleSettingBISOAdminControlsPasteRemoteOnly RuleSettingBISOAdminControlsPaste = "remote_only"`
      - `Printing RuleSettingBISOAdminControlsPrinting` Configure print behavior. By default, printing is enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsPrintingEnabled RuleSettingBISOAdminControlsPrinting = "enabled"`
        - `const RuleSettingBISOAdminControlsPrintingDisabled RuleSettingBISOAdminControlsPrinting = "disabled"`
      - `Upload RuleSettingBISOAdminControlsUpload` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsUploadEnabled RuleSettingBISOAdminControlsUpload = "enabled"`
        - `const RuleSettingBISOAdminControlsUploadDisabled RuleSettingBISOAdminControlsUpload = "disabled"`
      - `Version RuleSettingBISOAdminControlsVersion` Indicate which version of the browser isolation controls should apply.
        - `const RuleSettingBISOAdminControlsVersionV1 RuleSettingBISOAdminControlsVersion = "v1"`
        - `const RuleSettingBISOAdminControlsVersionV2 RuleSettingBISOAdminControlsVersion = "v2"`
    - `BlockPage RuleSettingBlockPage` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
    - `BlockPageEnabled bool` Enable the custom block page. Settable only for `dns` rules with action `block`.
    - `BlockReason string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `BypassParentRule bool` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `CheckSession RuleSettingCheckSession` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `Duration string` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `Enforce bool` Enable session enforcement.
    - `DNSResolvers RuleSettingDNSResolvers` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `IPV4 []DNSResolverSettingsV4`
        - `IP string` Specify the IPv4 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
      - `IPV6 []DNSResolverSettingsV6`
        - `IP string` Specify the IPv6 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
    - `Egress RuleSettingEgress` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `IPV4 string` Specify the IPv4 address to use for egress.
      - `IPV4Fallback string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      - `IPV6 string` Specify the IPv6 range to use for egress.
    - `ForensicCopy RuleSettingForensicCopy` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `Enabled bool` Enable sending the copy to storage.
    - `IgnoreCNAMECategoryMatches bool` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `InsecureDisableDNSSECValidation bool` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `IPCategories bool` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `IPIndicatorFeeds bool` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `L4override RuleSettingL4override` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `IP string` Defines the IPv4 or IPv6 address.
      - `Port int64` Defines a port number to use for TCP/UDP overrides.
    - `NotificationSettings RuleSettingNotificationSettings` Configure a notification to display on the user's device when this rule is matched. Settable for all types of rules with the action set to `block`.
      - `Enabled bool` Enable notification.
      - `IncludeContext bool` Indicates whether to pass the context information as query parameters.
      - `Msg string` Customize the message shown in the notification.
      - `SupportURL string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `OverrideHost string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `OverrideIPs []string` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `PayloadLog RuleSettingPayloadLog` Configure DLP payload logging. Settable only for `http` rules.
      - `Enabled bool` Enable DLP payload logging for this rule.
    - `Quarantine RuleSettingQuarantine` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `FileTypes []RuleSettingQuarantineFileType` Specify the types of files to sandbox.
        - `const RuleSettingQuarantineFileTypeExe RuleSettingQuarantineFileType = "exe"`
        - `const RuleSettingQuarantineFileTypePDF RuleSettingQuarantineFileType = "pdf"`
        - `const RuleSettingQuarantineFileTypeDoc RuleSettingQuarantineFileType = "doc"`
        - `const RuleSettingQuarantineFileTypeDocm RuleSettingQuarantineFileType = "docm"`
        - `const RuleSettingQuarantineFileTypeDocx RuleSettingQuarantineFileType = "docx"`
        - `const RuleSettingQuarantineFileTypeRtf RuleSettingQuarantineFileType = "rtf"`
        - `const RuleSettingQuarantineFileTypePpt RuleSettingQuarantineFileType = "ppt"`
        - `const RuleSettingQuarantineFileTypePptx RuleSettingQuarantineFileType = "pptx"`
        - `const RuleSettingQuarantineFileTypeXls RuleSettingQuarantineFileType = "xls"`
        - `const RuleSettingQuarantineFileTypeXlsm RuleSettingQuarantineFileType = "xlsm"`
        - `const RuleSettingQuarantineFileTypeXlsx RuleSettingQuarantineFileType = "xlsx"`
        - `const RuleSettingQuarantineFileTypeZip RuleSettingQuarantineFileType = "zip"`
        - `const RuleSettingQuarantineFileTypeRar RuleSettingQuarantineFileType = "rar"`
    - `Redirect RuleSettingRedirect` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
      - `PreservePathAndQuery bool` Specify whether to append the path and query parameters from the original request to target_uri.
    - `ResolveDNSInternally RuleSettingResolveDNSInternally` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `Fallback RuleSettingResolveDNSInternallyFallback` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
        - `const RuleSettingResolveDNSInternallyFallbackNone RuleSettingResolveDNSInternallyFallback = "none"`
        - `const RuleSettingResolveDNSInternallyFallbackPublicDNS RuleSettingResolveDNSInternallyFallback = "public_dns"`
      - `ViewID string` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `ResolveDNSThroughCloudflare bool` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `UntrustedCERT RuleSettingUntrustedCERT` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `Action RuleSettingUntrustedCERTAction` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
        - `const RuleSettingUntrustedCERTActionPassThrough RuleSettingUntrustedCERTAction = "pass_through"`
        - `const RuleSettingUntrustedCERTActionBlock RuleSettingUntrustedCERTAction = "block"`
        - `const RuleSettingUntrustedCERTActionError RuleSettingUntrustedCERTAction = "error"`
  - `Schedule Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
    - `Fri string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Mon string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Sat string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Sun string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Thu string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `TimeZone string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.
    - `Tue string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Wed string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `Sharable bool` Indicate that this rule is sharable via the Orgs API.
  - `SourceAccount string` Provide the account tag of the account that created the rule.
  - `UpdatedAt Time`
  - `Version int64` Indicate the version number of the rule (read-only).
  - `WarningStatus string` Indicate a warning for a misconfigured rule, if any.

### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  page, err := client.ZeroTrust.Gateway.Rules.List(context.TODO(), zero_trust.GatewayRuleListParams{
    AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "action": "allow",
      "enabled": true,
      "filters": [
        "http"
      ],
      "name": "block bad websites",
      "precedence": 0,
      "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "deleted_at": "2019-12-27T18:11:19.117Z",
      "description": "Block bad websites based on their host name.",
      "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
      "expiration": {
        "expires_at": "2014-01-01T05:20:20Z",
        "duration": 10,
        "expired": false
      },
      "identity": "any(identity.groups.name[*] in {\"finance\"})",
      "read_only": true,
      "rule_settings": {
        "add_headers": {
          "My-Next-Header": [
            "foo",
            "bar"
          ],
          "X-Custom-Header-Name": [
            "somecustomvalue"
          ]
        },
        "allow_child_bypass": false,
        "audit_ssh": {
          "command_logging": false
        },
        "biso_admin_controls": {
          "copy": "remote_only",
          "dcp": true,
          "dd": true,
          "dk": true,
          "download": "enabled",
          "dp": false,
          "du": true,
          "keyboard": "enabled",
          "paste": "enabled",
          "printing": "enabled",
          "upload": "enabled",
          "version": "v1"
        },
        "block_page": {
          "target_uri": "https://example.com",
          "include_context": true
        },
        "block_page_enabled": true,
        "block_reason": "This website is a security risk",
        "bypass_parent_rule": false,
        "check_session": {
          "duration": "300s",
          "enforce": true
        },
        "dns_resolvers": {
          "ipv4": [
            {
              "ip": "2.2.2.2",
              "port": 5053,
              "route_through_private_network": true,
              "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
            }
          ],
          "ipv6": [
            {
              "ip": "2001:DB8::",
              "port": 5053,
              "route_through_private_network": true,
              "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
            }
          ]
        },
        "egress": {
          "ipv4": "192.0.2.2",
          "ipv4_fallback": "192.0.2.3",
          "ipv6": "2001:DB8::/64"
        },
        "forensic_copy": {
          "enabled": true
        },
        "ignore_cname_category_matches": true,
        "insecure_disable_dnssec_validation": false,
        "ip_categories": true,
        "ip_indicator_feeds": true,
        "l4override": {
          "ip": "1.1.1.1",
          "port": 0
        },
        "notification_settings": {
          "enabled": true,
          "include_context": true,
          "msg": "msg",
          "support_url": "support_url"
        },
        "override_host": "example.com",
        "override_ips": [
          "1.1.1.1",
          "2.2.2.2"
        ],
        "payload_log": {
          "enabled": true
        },
        "quarantine": {
          "file_types": [
            "exe"
          ]
        },
        "redirect": {
          "target_uri": "https://example.com",
          "include_context": true,
          "preserve_path_and_query": true
        },
        "resolve_dns_internally": {
          "fallback": "none",
          "view_id": "view_id"
        },
        "resolve_dns_through_cloudflare": true,
        "untrusted_cert": {
          "action": "error"
        }
      },
      "schedule": {
        "fri": "08:00-12:30,13:30-17:00",
        "mon": "08:00-12:30,13:30-17:00",
        "sat": "08:00-12:30,13:30-17:00",
        "sun": "08:00-12:30,13:30-17:00",
        "thu": "08:00-12:30,13:30-17:00",
        "time_zone": "America/New York",
        "tue": "08:00-12:30,13:30-17:00",
        "wed": "08:00-12:30,13:30-17:00"
      },
      "sharable": true,
      "source_account": "source_account",
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "version": 1,
      "warning_status": "warning_status"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get Zero Trust Gateway rule details.

`client.ZeroTrust.Gateway.Rules.Get(ctx, ruleID, query) (*GatewayRule, error)`

**get** `/accounts/{account_id}/gateway/rules/{rule_id}`

Get a single Zero Trust Gateway rule.

### Parameters

- `ruleID string` Identify the API resource with a UUID.
- `query GatewayRuleGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayRule struct{…}`
  - `Action GatewayRuleAction` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `const GatewayRuleActionOn GatewayRuleAction = "on"`
    - `const GatewayRuleActionOff GatewayRuleAction = "off"`
    - `const GatewayRuleActionAllow GatewayRuleAction = "allow"`
    - `const GatewayRuleActionBlock GatewayRuleAction = "block"`
    - `const GatewayRuleActionScan GatewayRuleAction = "scan"`
    - `const GatewayRuleActionNoscan GatewayRuleAction = "noscan"`
    - `const GatewayRuleActionSafesearch GatewayRuleAction = "safesearch"`
    - `const GatewayRuleActionYtrestricted GatewayRuleAction = "ytrestricted"`
    - `const GatewayRuleActionIsolate GatewayRuleAction = "isolate"`
    - `const GatewayRuleActionNoisolate GatewayRuleAction = "noisolate"`
    - `const GatewayRuleActionOverride GatewayRuleAction = "override"`
    - `const GatewayRuleActionL4Override GatewayRuleAction = "l4_override"`
    - `const GatewayRuleActionEgress GatewayRuleAction = "egress"`
    - `const GatewayRuleActionResolve GatewayRuleAction = "resolve"`
    - `const GatewayRuleActionQuarantine GatewayRuleAction = "quarantine"`
    - `const GatewayRuleActionRedirect GatewayRuleAction = "redirect"`
  - `Enabled bool` Specify whether the rule is enabled.
  - `Filters []GatewayFilter` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `const GatewayFilterHTTP GatewayFilter = "http"`
    - `const GatewayFilterDNS GatewayFilter = "dns"`
    - `const GatewayFilterL4 GatewayFilter = "l4"`
    - `const GatewayFilterEgress GatewayFilter = "egress"`
    - `const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"`
  - `Name string` Specify the rule name.
  - `Precedence int64` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `Traffic string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `ID string` Identify the API resource with a UUID.
  - `CreatedAt Time`
  - `DeletedAt Time` Indicate the date of deletion, if any.
  - `Description string` Specify the rule description.
  - `DevicePosture string` Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `Expiration GatewayRuleExpiration` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `ExpiresAt Time` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.
    - `Duration int64` Defines the default duration, in minutes, that a policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `Expired bool` Indicates whether the policy is expired.
  - `Identity string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `ReadOnly bool` Indicate that this rule is shared via the Orgs API and read only.
  - `RuleSettings RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors.
    If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `AddHeaders map[string, []string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `AllowChildBypass bool` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `AuditSSH RuleSettingAuditSSH` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action.
      - `CommandLogging bool` Enable SSH command logging.
    - `BISOAdminControls RuleSettingBISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `Copy RuleSettingBISOAdminControlsCopy` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsCopyEnabled RuleSettingBISOAdminControlsCopy = "enabled"`
        - `const RuleSettingBISOAdminControlsCopyDisabled RuleSettingBISOAdminControlsCopy = "disabled"`
        - `const RuleSettingBISOAdminControlsCopyRemoteOnly RuleSettingBISOAdminControlsCopy = "remote_only"`
      - `DCP bool` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `DD bool` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `DK bool` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `Download RuleSettingBISOAdminControlsDownload` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsDownloadEnabled RuleSettingBISOAdminControlsDownload = "enabled"`
        - `const RuleSettingBISOAdminControlsDownloadDisabled RuleSettingBISOAdminControlsDownload = "disabled"`
        - `const RuleSettingBISOAdminControlsDownloadRemoteOnly RuleSettingBISOAdminControlsDownload = "remote_only"`
      - `DP bool` Set to false to enable printing. Only applies when `version == "v1"`.
      - `DU bool` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `Keyboard RuleSettingBISOAdminControlsKeyboard` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsKeyboardEnabled RuleSettingBISOAdminControlsKeyboard = "enabled"`
        - `const RuleSettingBISOAdminControlsKeyboardDisabled RuleSettingBISOAdminControlsKeyboard = "disabled"`
      - `Paste RuleSettingBISOAdminControlsPaste` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsPasteEnabled RuleSettingBISOAdminControlsPaste = "enabled"`
        - `const RuleSettingBISOAdminControlsPasteDisabled RuleSettingBISOAdminControlsPaste = "disabled"`
        - `const RuleSettingBISOAdminControlsPasteRemoteOnly RuleSettingBISOAdminControlsPaste = "remote_only"`
      - `Printing RuleSettingBISOAdminControlsPrinting` Configure print behavior. By default, printing is enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsPrintingEnabled RuleSettingBISOAdminControlsPrinting = "enabled"`
        - `const RuleSettingBISOAdminControlsPrintingDisabled RuleSettingBISOAdminControlsPrinting = "disabled"`
      - `Upload RuleSettingBISOAdminControlsUpload` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsUploadEnabled RuleSettingBISOAdminControlsUpload = "enabled"`
        - `const RuleSettingBISOAdminControlsUploadDisabled RuleSettingBISOAdminControlsUpload = "disabled"`
      - `Version RuleSettingBISOAdminControlsVersion` Indicate which version of the browser isolation controls should apply.
        - `const RuleSettingBISOAdminControlsVersionV1 RuleSettingBISOAdminControlsVersion = "v1"`
        - `const RuleSettingBISOAdminControlsVersionV2 RuleSettingBISOAdminControlsVersion = "v2"`
    - `BlockPage RuleSettingBlockPage` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
    - `BlockPageEnabled bool` Enable the custom block page. Settable only for `dns` rules with action `block`.
    - `BlockReason string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `BypassParentRule bool` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `CheckSession RuleSettingCheckSession` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `Duration string` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `Enforce bool` Enable session enforcement.
    - `DNSResolvers RuleSettingDNSResolvers` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `IPV4 []DNSResolverSettingsV4`
        - `IP string` Specify the IPv4 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
      - `IPV6 []DNSResolverSettingsV6`
        - `IP string` Specify the IPv6 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
    - `Egress RuleSettingEgress` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `IPV4 string` Specify the IPv4 address to use for egress.
      - `IPV4Fallback string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      - `IPV6 string` Specify the IPv6 range to use for egress.
    - `ForensicCopy RuleSettingForensicCopy` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `Enabled bool` Enable sending the copy to storage.
    - `IgnoreCNAMECategoryMatches bool` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `InsecureDisableDNSSECValidation bool` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `IPCategories bool` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `IPIndicatorFeeds bool` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `L4override RuleSettingL4override` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `IP string` Defines the IPv4 or IPv6 address.
      - `Port int64` Defines a port number to use for TCP/UDP overrides.
    - `NotificationSettings RuleSettingNotificationSettings` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
      - `Enabled bool` Enable notification.
      - `IncludeContext bool` Indicates whether to pass the context information as query parameters.
      - `Msg string` Customize the message shown in the notification.
      - `SupportURL string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `OverrideHost string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `OverrideIPs []string` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `PayloadLog RuleSettingPayloadLog` Configure DLP payload logging. Settable only for `http` rules.
      - `Enabled bool` Enable DLP payload logging for this rule.
    - `Quarantine RuleSettingQuarantine` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `FileTypes []RuleSettingQuarantineFileType` Specify the types of files to sandbox.
        - `const RuleSettingQuarantineFileTypeExe RuleSettingQuarantineFileType = "exe"`
        - `const RuleSettingQuarantineFileTypePDF RuleSettingQuarantineFileType = "pdf"`
        - `const RuleSettingQuarantineFileTypeDoc RuleSettingQuarantineFileType = "doc"`
        - `const RuleSettingQuarantineFileTypeDocm RuleSettingQuarantineFileType = "docm"`
        - `const RuleSettingQuarantineFileTypeDocx RuleSettingQuarantineFileType = "docx"`
        - `const RuleSettingQuarantineFileTypeRtf RuleSettingQuarantineFileType = "rtf"`
        - `const RuleSettingQuarantineFileTypePpt RuleSettingQuarantineFileType = "ppt"`
        - `const RuleSettingQuarantineFileTypePptx RuleSettingQuarantineFileType = "pptx"`
        - `const RuleSettingQuarantineFileTypeXls RuleSettingQuarantineFileType = "xls"`
        - `const RuleSettingQuarantineFileTypeXlsm RuleSettingQuarantineFileType = "xlsm"`
        - `const RuleSettingQuarantineFileTypeXlsx RuleSettingQuarantineFileType = "xlsx"`
        - `const RuleSettingQuarantineFileTypeZip RuleSettingQuarantineFileType = "zip"`
        - `const RuleSettingQuarantineFileTypeRar RuleSettingQuarantineFileType = "rar"`
    - `Redirect RuleSettingRedirect` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
      - `PreservePathAndQuery bool` Specify whether to append the path and query parameters from the original request to target_uri.
    - `ResolveDNSInternally RuleSettingResolveDNSInternally` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `Fallback RuleSettingResolveDNSInternallyFallback` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
        - `const RuleSettingResolveDNSInternallyFallbackNone RuleSettingResolveDNSInternallyFallback = "none"`
        - `const RuleSettingResolveDNSInternallyFallbackPublicDNS RuleSettingResolveDNSInternallyFallback = "public_dns"`
      - `ViewID string` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `ResolveDNSThroughCloudflare bool` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `UntrustedCERT RuleSettingUntrustedCERT` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `Action RuleSettingUntrustedCERTAction` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
        - `const RuleSettingUntrustedCERTActionPassThrough RuleSettingUntrustedCERTAction = "pass_through"`
        - `const RuleSettingUntrustedCERTActionBlock RuleSettingUntrustedCERTAction = "block"`
        - `const RuleSettingUntrustedCERTActionError RuleSettingUntrustedCERTAction = "error"`
  - `Schedule Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
    - `Fri string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Mon string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Sat string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Sun string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Thu string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `TimeZone string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.
    - `Tue string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Wed string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `Sharable bool` Indicate that this rule is sharable via the Orgs API.
  - `SourceAccount string` Provide the account tag of the account that created the rule.
  - `UpdatedAt Time`
  - `Version int64` Indicate the version number of the rule (read-only).
  - `WarningStatus string` Indicate a warning for a misconfigured rule, if any.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Authenticate with an API token (example value).
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// Fetch a single Gateway rule by its UUID within the given account.
	gatewayRule, err := client.ZeroTrust.Gateway.Rules.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.GatewayRuleGetParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", gatewayRule.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "action": "allow",
    "enabled": true,
    "filters": [
      "http"
    ],
    "name": "block bad websites",
    "precedence": 0,
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "deleted_at": "2019-12-27T18:11:19.117Z",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "expiration": {
      "expires_at": "2014-01-01T05:20:20Z",
      "duration": 10,
      "expired": false
    },
    "identity": "any(identity.groups.name[*] in {\"finance\"})",
    "read_only": true,
    "rule_settings": {
      "add_headers": {
        "My-Next-Header": [
          "foo",
          "bar"
        ],
        "X-Custom-Header-Name": [
          "somecustomvalue"
        ]
      },
      "allow_child_bypass": false,
      "audit_ssh": {
        "command_logging": false
      },
      "biso_admin_controls": {
        "copy": "remote_only",
        "dcp": true,
        "dd": true,
        "dk": true,
        "download": "enabled",
        "dp": false,
        "du": true,
        "keyboard": "enabled",
        "paste": "enabled",
        "printing": "enabled",
        "upload": "enabled",
        "version": "v1"
      },
      "block_page": {
        "target_uri": "https://example.com",
        "include_context": true
      },
      "block_page_enabled": true,
      "block_reason": "This website is a security risk",
      "bypass_parent_rule": false,
      "check_session": {
        "duration": "300s",
        "enforce": true
      },
      "dns_resolvers": {
        "ipv4": [
          {
            "ip": "2.2.2.2",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ],
        "ipv6": [
          {
            "ip": "2001:DB8::",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ]
      },
      "egress": {
        "ipv4": "192.0.2.2",
        "ipv4_fallback": "192.0.2.3",
        "ipv6": "2001:DB8::/64"
      },
      "forensic_copy": {
        "enabled": true
      },
      "ignore_cname_category_matches": true,
      "insecure_disable_dnssec_validation": false,
      "ip_categories": true,
      "ip_indicator_feeds": true,
      "l4override": {
        "ip": "1.1.1.1",
        "port": 0
      },
      "notification_settings": {
        "enabled": true,
        "include_context": true,
        "msg": "msg",
        "support_url": "support_url"
      },
      "override_host": "example.com",
      "override_ips": [
        "1.1.1.1",
        "2.2.2.2"
      ],
      "payload_log": {
        "enabled": true
      },
      "quarantine": {
        "file_types": [
          "exe"
        ]
      },
      "redirect": {
        "target_uri": "https://example.com",
        "include_context": true,
        "preserve_path_and_query": true
      },
      "resolve_dns_internally": {
        "fallback": "none",
        "view_id": "view_id"
      },
      "resolve_dns_through_cloudflare": true,
      "untrusted_cert": {
        "action": "error"
      }
    },
    "schedule": {
      "fri": "08:00-12:30,13:30-17:00",
      "mon": "08:00-12:30,13:30-17:00",
      "sat": "08:00-12:30,13:30-17:00",
      "sun": "08:00-12:30,13:30-17:00",
      "thu": "08:00-12:30,13:30-17:00",
      "time_zone": "America/New York",
      "tue": "08:00-12:30,13:30-17:00",
      "wed": "08:00-12:30,13:30-17:00"
    },
    "sharable": true,
    "source_account": "source_account",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "version": 1,
    "warning_status": "warning_status"
  }
}
```

## Create a Zero Trust Gateway rule

`client.ZeroTrust.Gateway.Rules.New(ctx, params) (*GatewayRule, error)`

**post** `/accounts/{account_id}/gateway/rules`

Create a new Zero Trust Gateway rule.

### Parameters

- `params GatewayRuleNewParams`
  - `AccountID param.Field[string]` Path param
  - `Action param.Field[GatewayRuleNewParamsAction]` Body param: Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `const GatewayRuleNewParamsActionOn GatewayRuleNewParamsAction = "on"`
    - `const GatewayRuleNewParamsActionOff GatewayRuleNewParamsAction = "off"`
    - `const GatewayRuleNewParamsActionAllow GatewayRuleNewParamsAction = "allow"`
    - `const GatewayRuleNewParamsActionBlock GatewayRuleNewParamsAction = "block"`
    - `const GatewayRuleNewParamsActionScan GatewayRuleNewParamsAction = "scan"`
    - `const GatewayRuleNewParamsActionNoscan GatewayRuleNewParamsAction = "noscan"`
    - `const GatewayRuleNewParamsActionSafesearch GatewayRuleNewParamsAction = "safesearch"`
    - `const GatewayRuleNewParamsActionYtrestricted GatewayRuleNewParamsAction = "ytrestricted"`
    - `const GatewayRuleNewParamsActionIsolate GatewayRuleNewParamsAction = "isolate"`
    - `const GatewayRuleNewParamsActionNoisolate GatewayRuleNewParamsAction = "noisolate"`
    - `const GatewayRuleNewParamsActionOverride GatewayRuleNewParamsAction = "override"`
    - `const GatewayRuleNewParamsActionL4Override GatewayRuleNewParamsAction = "l4_override"`
    - `const GatewayRuleNewParamsActionEgress GatewayRuleNewParamsAction = "egress"`
    - `const GatewayRuleNewParamsActionResolve GatewayRuleNewParamsAction = "resolve"`
    - `const GatewayRuleNewParamsActionQuarantine GatewayRuleNewParamsAction = "quarantine"`
    - `const GatewayRuleNewParamsActionRedirect GatewayRuleNewParamsAction = "redirect"`
  - `Name param.Field[string]` Body param: Specify the rule name.
  - `Description param.Field[string]` Body param: Specify the rule description.
  - `DevicePosture param.Field[string]` Body param: Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `Enabled param.Field[bool]` Body param: Specify whether the rule is enabled.
  - `Expiration param.Field[GatewayRuleNewParamsExpiration]` Body param: Defines the expiration time stamp and default duration of a DNS policy.
Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `ExpiresAt Time` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.
    - `Duration int64` Defines the default duration a policy is active, in minutes. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `Expired bool` Indicates whether the policy is expired.
  - `Filters param.Field[[]GatewayFilter]` Body param: Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `const GatewayFilterHTTP GatewayFilter = "http"`
    - `const GatewayFilterDNS GatewayFilter = "dns"`
    - `const GatewayFilterL4 GatewayFilter = "l4"`
    - `const GatewayFilterEgress GatewayFilter = "egress"`
    - `const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"`
  - `Identity param.Field[string]` Body param: Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `Precedence param.Field[int64]` Body param: Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `RuleSettings param.Field[RuleSetting]` Body param: Defines settings for this rule.
Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
  - `Schedule param.Field[Schedule]` Body param: Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
  - `Traffic param.Field[string]` Body param: Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

### Returns

- `type GatewayRule struct{…}`
  - `Action GatewayRuleAction` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `const GatewayRuleActionOn GatewayRuleAction = "on"`
    - `const GatewayRuleActionOff GatewayRuleAction = "off"`
    - `const GatewayRuleActionAllow GatewayRuleAction = "allow"`
    - `const GatewayRuleActionBlock GatewayRuleAction = "block"`
    - `const GatewayRuleActionScan GatewayRuleAction = "scan"`
    - `const GatewayRuleActionNoscan GatewayRuleAction = "noscan"`
    - `const GatewayRuleActionSafesearch GatewayRuleAction = "safesearch"`
    - `const GatewayRuleActionYtrestricted GatewayRuleAction = "ytrestricted"`
    - `const GatewayRuleActionIsolate GatewayRuleAction = "isolate"`
    - `const GatewayRuleActionNoisolate GatewayRuleAction = "noisolate"`
    - `const GatewayRuleActionOverride GatewayRuleAction = "override"`
    - `const GatewayRuleActionL4Override GatewayRuleAction = "l4_override"`
    - `const GatewayRuleActionEgress GatewayRuleAction = "egress"`
    - `const GatewayRuleActionResolve GatewayRuleAction = "resolve"`
    - `const GatewayRuleActionQuarantine GatewayRuleAction = "quarantine"`
    - `const GatewayRuleActionRedirect GatewayRuleAction = "redirect"`
  - `Enabled bool` Specify whether the rule is enabled.
  - `Filters []GatewayFilter` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `const GatewayFilterHTTP GatewayFilter = "http"`
    - `const GatewayFilterDNS GatewayFilter = "dns"`
    - `const GatewayFilterL4 GatewayFilter = "l4"`
    - `const GatewayFilterEgress GatewayFilter = "egress"`
    - `const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"`
  - `Name string` Specify the rule name.
  - `Precedence int64` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `Traffic string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `ID string` Identify the API resource with a UUID.
  - `CreatedAt Time`
  - `DeletedAt Time` Indicate the date of deletion, if any.
  - `Description string` Specify the rule description.
  - `DevicePosture string` Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `Expiration GatewayRuleExpiration` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `ExpiresAt Time` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset.
The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.
    - `Duration int64` Defines the default duration a policy is active, in minutes. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `Expired bool` Indicates whether the policy is expired.
  - `Identity string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `ReadOnly bool` Indicate that this rule is shared via the Orgs API and read only.
  - `RuleSettings RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `AddHeaders map[string, []string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `AllowChildBypass bool` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `AuditSSH RuleSettingAuditSSH` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action.
      - `CommandLogging bool` Enable SSH command logging.
    - `BISOAdminControls RuleSettingBISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `Copy RuleSettingBISOAdminControlsCopy` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard.
If this field is absent, copying remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsCopyEnabled RuleSettingBISOAdminControlsCopy = "enabled"`
        - `const RuleSettingBISOAdminControlsCopyDisabled RuleSettingBISOAdminControlsCopy = "disabled"`
        - `const RuleSettingBISOAdminControlsCopyRemoteOnly RuleSettingBISOAdminControlsCopy = "remote_only"`
      - `DCP bool` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `DD bool` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `DK bool` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `Download RuleSettingBISOAdminControlsDownload` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsDownloadEnabled RuleSettingBISOAdminControlsDownload = "enabled"`
        - `const RuleSettingBISOAdminControlsDownloadDisabled RuleSettingBISOAdminControlsDownload = "disabled"`
        - `const RuleSettingBISOAdminControlsDownloadRemoteOnly RuleSettingBISOAdminControlsDownload = "remote_only"`
      - `DP bool` Set to false to enable printing. Only applies when `version == "v1"`.
      - `DU bool` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `Keyboard RuleSettingBISOAdminControlsKeyboard` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsKeyboardEnabled RuleSettingBISOAdminControlsKeyboard = "enabled"`
        - `const RuleSettingBISOAdminControlsKeyboardDisabled RuleSettingBISOAdminControlsKeyboard = "disabled"`
      - `Paste RuleSettingBISOAdminControlsPaste` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsPasteEnabled RuleSettingBISOAdminControlsPaste = "enabled"`
        - `const RuleSettingBISOAdminControlsPasteDisabled RuleSettingBISOAdminControlsPaste = "disabled"`
        - `const RuleSettingBISOAdminControlsPasteRemoteOnly RuleSettingBISOAdminControlsPaste = "remote_only"`
      - `Printing RuleSettingBISOAdminControlsPrinting` Configure print behavior. By default, printing is enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsPrintingEnabled RuleSettingBISOAdminControlsPrinting = "enabled"`
        - `const RuleSettingBISOAdminControlsPrintingDisabled RuleSettingBISOAdminControlsPrinting = "disabled"`
      - `Upload RuleSettingBISOAdminControlsUpload` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsUploadEnabled RuleSettingBISOAdminControlsUpload = "enabled"`
        - `const RuleSettingBISOAdminControlsUploadDisabled RuleSettingBISOAdminControlsUpload = "disabled"`
      - `Version RuleSettingBISOAdminControlsVersion` Indicate which version of the browser isolation controls should apply.
        - `const RuleSettingBISOAdminControlsVersionV1 RuleSettingBISOAdminControlsVersion = "v1"`
        - `const RuleSettingBISOAdminControlsVersionV2 RuleSettingBISOAdminControlsVersion = "v2"`
    - `BlockPage RuleSettingBlockPage` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
    - `BlockPageEnabled bool` Enable the custom block page. Settable only for `dns` rules with action `block`.
    - `BlockReason string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `BypassParentRule bool` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `CheckSession RuleSettingCheckSession` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `Duration string` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `Enforce bool` Enable session enforcement.
    - `DNSResolvers RuleSettingDNSResolvers` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `IPV4 []DNSResolverSettingsV4`
        - `IP string` Specify the IPv4 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
      - `IPV6 []DNSResolverSettingsV6`
        - `IP string` Specify the IPv6 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
    - `Egress RuleSettingEgress` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `IPV4 string` Specify the IPv4 address to use for egress.
      - `IPV4Fallback string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      - `IPV6 string` Specify the IPv6 range to use for egress.
    - `ForensicCopy RuleSettingForensicCopy` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `Enabled bool` Enable sending the copy to storage.
    - `IgnoreCNAMECategoryMatches bool` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `InsecureDisableDNSSECValidation bool` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `IPCategories bool` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `IPIndicatorFeeds bool` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `L4override RuleSettingL4override` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `IP string` Defines the IPv4 or IPv6 address.
      - `Port int64` Defines a port number to use for TCP/UDP overrides.
    - `NotificationSettings RuleSettingNotificationSettings` Configure a notification to display on the user's device when this rule is matched. Settable for all types of rules with the action set to `block`.
      - `Enabled bool` Enable notification.
      - `IncludeContext bool` Indicates whether to pass the context information as query parameters.
      - `Msg string` Customize the message shown in the notification.
      - `SupportURL string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `OverrideHost string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `OverrideIPs []string` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `PayloadLog RuleSettingPayloadLog` Configure DLP payload logging. Settable only for `http` rules.
      - `Enabled bool` Enable DLP payload logging for this rule.
    - `Quarantine RuleSettingQuarantine` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `FileTypes []RuleSettingQuarantineFileType` Specify the types of files to sandbox.
        - `const RuleSettingQuarantineFileTypeExe RuleSettingQuarantineFileType = "exe"`
        - `const RuleSettingQuarantineFileTypePDF RuleSettingQuarantineFileType = "pdf"`
        - `const RuleSettingQuarantineFileTypeDoc RuleSettingQuarantineFileType = "doc"`
        - `const RuleSettingQuarantineFileTypeDocm RuleSettingQuarantineFileType = "docm"`
        - `const RuleSettingQuarantineFileTypeDocx RuleSettingQuarantineFileType = "docx"`
        - `const RuleSettingQuarantineFileTypeRtf RuleSettingQuarantineFileType = "rtf"`
        - `const RuleSettingQuarantineFileTypePpt RuleSettingQuarantineFileType = "ppt"`
        - `const RuleSettingQuarantineFileTypePptx RuleSettingQuarantineFileType = "pptx"`
        - `const RuleSettingQuarantineFileTypeXls RuleSettingQuarantineFileType = "xls"`
        - `const RuleSettingQuarantineFileTypeXlsm RuleSettingQuarantineFileType = "xlsm"`
        - `const RuleSettingQuarantineFileTypeXlsx RuleSettingQuarantineFileType = "xlsx"`
        - `const RuleSettingQuarantineFileTypeZip RuleSettingQuarantineFileType = "zip"`
        - `const RuleSettingQuarantineFileTypeRar RuleSettingQuarantineFileType = "rar"`
    - `Redirect RuleSettingRedirect` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
      - `PreservePathAndQuery bool` Specify whether to append the path and query parameters from the original request to target_uri.
    - `ResolveDNSInternally RuleSettingResolveDNSInternally` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `Fallback RuleSettingResolveDNSInternallyFallback` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
        - `const RuleSettingResolveDNSInternallyFallbackNone RuleSettingResolveDNSInternallyFallback = "none"`
        - `const RuleSettingResolveDNSInternallyFallbackPublicDNS RuleSettingResolveDNSInternallyFallback = "public_dns"`
      - `ViewID string` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `ResolveDNSThroughCloudflare bool` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `UntrustedCERT RuleSettingUntrustedCERT` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `Action RuleSettingUntrustedCERTAction` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
        - `const RuleSettingUntrustedCERTActionPassThrough RuleSettingUntrustedCERTAction = "pass_through"`
        - `const RuleSettingUntrustedCERTActionBlock RuleSettingUntrustedCERTAction = "block"`
        - `const RuleSettingUntrustedCERTActionError RuleSettingUntrustedCERTAction = "error"`
  - `Schedule Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
    - `Fri string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Mon string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Sat string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Sun string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Thu string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `TimeZone string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.
    - `Tue string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Wed string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `Sharable bool` Indicate that this rule is sharable via the Orgs API.
  - `SourceAccount string` Provide the account tag of the account that created the rule.
  - `UpdatedAt Time`
  - `Version int64` Indicate the version number of the rule (read-only).
  - `WarningStatus string` Indicate a warning for a misconfigured rule, if any.
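The "Settable only for ..." notes in the field list above can be checked mechanically. The following standard-library Go audit is an added example, not part of the cloudflare-go SDK or of Cloudflare's documentation: it reads a rule in the documented `result` shape and reports settings placed on a filter or action where the list says they are not settable, resolver settings that exclude one another, and settings worth a reviewer's attention. The names `audit`, `scope` and `settable`, the finding strings, the choice of review flags and the sample rule are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// rule holds the fields of a Gateway rule `result` object that the audit reads.
type rule struct {
	Action   string                     `json:"action"`
	Filters  []string                   `json:"filters"`
	Settings map[string]json.RawMessage `json:"rule_settings"`
}

// scope says where a setting is settable: nil filters or "" action mean "any".
type scope struct {
	filters []string
	action  string
	review  bool // flagged for human review whenever set (this example's choice)
}

// Transcribed from the "Settable only for ..." notes in the field list.
var settable = map[string]scope{
	"allow_child_bypass":                 {nil, "", true},
	"bypass_parent_rule":                 {nil, "", true},
	"block_page":                         {[]string{"http"}, "block", false},
	"block_page_enabled":                 {[]string{"dns"}, "block", false},
	"check_session":                      {[]string{"l4", "http"}, "allow", false},
	"dns_resolvers":                      {[]string{"dns_resolver"}, "resolve", false},
	"insecure_disable_dnssec_validation": {[]string{"dns"}, "", true},
	"resolve_dns_internally":             {[]string{"dns_resolver"}, "resolve", false},
	"resolve_dns_through_cloudflare":     {[]string{"dns_resolver"}, "resolve", false},
	"untrusted_cert":                     {[]string{"http"}, "allow", false},
}

// isSet treats a missing key, null, false, "", [] and {} as "not configured"
// (assumption: the API may echo such defaults for settings that were never set).
func isSet(s map[string]json.RawMessage, key string) bool {
	var v interface{}
	if json.Unmarshal(s[key], &v) != nil {
		return false
	}
	m, isMap := v.(map[string]interface{})
	a, isList := v.([]interface{})
	return v != nil && v != false && v != "" && !(isMap && len(m) == 0) && !(isList && len(a) == 0)
}

// audit returns the sorted findings for one rule object.
func audit(result []byte) ([]string, error) {
	var r rule
	if err := json.Unmarshal(result, &r); err != nil {
		return nil, err
	}
	var out []string
	resolvers := 0
	for name, sc := range settable {
		if !isSet(r.Settings, name) {
			continue
		}
		filterOK := sc.filters == nil
		for _, f := range r.Filters {
			for _, want := range sc.filters {
				filterOK = filterOK || f == want
			}
		}
		if !filterOK || (sc.action != "" && sc.action != r.Action) {
			out = append(out, "misplaced: "+name)
		}
		if sc.action == "resolve" { // only the three resolver settings require it
			resolvers++
		}
		if sc.review {
			out = append(out, "review: "+name)
		}
	}
	if resolvers > 1 {
		out = append(out, "conflict: more than one resolver setting")
	}
	var uc struct{ Action string `json:"action"` }
	if json.Unmarshal(r.Settings["untrusted_cert"], &uc) == nil && uc.Action == "pass_through" {
		out = append(out, "review: untrusted_cert.action=pass_through")
	}
	sort.Strings(out)
	return out, nil
}

// Constructed sample: an http/allow rule carrying DNS-only and block-only settings.
const sampleRule = `{"action": "allow", "filters": ["http"], "rule_settings": {
  "block_page": {"target_uri": "https://example.com", "include_context": true},
  "insecure_disable_dnssec_validation": true, "allow_child_bypass": false,
  "dns_resolvers": {"ipv4": [{"ip": "192.0.2.53"}]}, "resolve_dns_through_cloudflare": true,
  "check_session": {"duration": "300s", "enforce": true},
  "untrusted_cert": {"action": "pass_through"}}}`

func main() {
	findings, err := audit([]byte(sampleRule))
	fmt.Println(findings, err)
}
```

The sample response documented on this page populates every setting on a single rule to show the schema, so it is not a rule the audit would pass.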
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	gatewayRule, err := client.ZeroTrust.Gateway.Rules.New(context.TODO(), zero_trust.GatewayRuleNewParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		Action:    cloudflare.F(zero_trust.GatewayRuleNewParamsActionAllow),
		Name:      cloudflare.F("block bad websites"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", gatewayRule.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "action": "allow",
    "enabled": true,
    "filters": [
      "http"
    ],
    "name": "block bad websites",
    "precedence": 0,
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "deleted_at": "2019-12-27T18:11:19.117Z",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "expiration": {
      "expires_at": "2014-01-01T05:20:20Z",
      "duration": 10,
      "expired": false
    },
    "identity": "any(identity.groups.name[*] in {\"finance\"})",
    "read_only": true,
    "rule_settings": {
      "add_headers": {
        "My-Next-Header": [
          "foo",
          "bar"
        ],
        "X-Custom-Header-Name": [
          "somecustomvalue"
        ]
      },
      "allow_child_bypass": false,
      "audit_ssh": {
        "command_logging": false
      },
      "biso_admin_controls": {
        "copy": "remote_only",
        "dcp": true,
        "dd": true,
        "dk": true,
        "download": "enabled",
        "dp": false,
        "du": true,
        "keyboard": "enabled",
        "paste": "enabled",
        "printing": "enabled",
        "upload": "enabled",
        "version": "v1"
      },
      "block_page": {
        "target_uri": "https://example.com",
        "include_context": true
      },
      "block_page_enabled": true,
      "block_reason": "This website is a security risk",
      "bypass_parent_rule": false,
      "check_session": {
        "duration": "300s",
        "enforce": true
      },
      "dns_resolvers": {
        "ipv4": [
          {
            "ip": "2.2.2.2",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ],
        "ipv6": [
          {
            "ip": "2001:DB8::",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ]
      },
      "egress": {
        "ipv4": "192.0.2.2",
        "ipv4_fallback": "192.0.2.3",
        "ipv6": "2001:DB8::/64"
      },
      "forensic_copy": {
        "enabled": true
      },
      "ignore_cname_category_matches": true,
      "insecure_disable_dnssec_validation": false,
      "ip_categories": true,
      "ip_indicator_feeds": true,
      "l4override": {
        "ip": "1.1.1.1",
        "port": 0
      },
      "notification_settings": {
        "enabled": true,
        "include_context": true,
        "msg": "msg",
        "support_url": "support_url"
      },
      "override_host": "example.com",
      "override_ips": [
        "1.1.1.1",
        "2.2.2.2"
      ],
      "payload_log": {
        "enabled": true
      },
      "quarantine": {
        "file_types": [
          "exe"
        ]
      },
      "redirect": {
        "target_uri": "https://example.com",
        "include_context": true,
        "preserve_path_and_query": true
      },
      "resolve_dns_internally": {
        "fallback": "none",
        "view_id": "view_id"
      },
      "resolve_dns_through_cloudflare": true,
      "untrusted_cert": {
        "action": "error"
      }
    },
    "schedule": {
      "fri": "08:00-12:30,13:30-17:00",
      "mon": "08:00-12:30,13:30-17:00",
      "sat": "08:00-12:30,13:30-17:00",
      "sun": "08:00-12:30,13:30-17:00",
      "thu": "08:00-12:30,13:30-17:00",
      "time_zone": "America/New York",
      "tue": "08:00-12:30,13:30-17:00",
      "wed": "08:00-12:30,13:30-17:00"
    },
    "sharable": true,
    "source_account": "source_account",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "version": 1,
    "warning_status": "warning_status"
  }
}
```

## Update a Zero Trust Gateway rule
`client.ZeroTrust.Gateway.Rules.Update(ctx, ruleID, params) (*GatewayRule, error)`

**put** `/accounts/{account_id}/gateway/rules/{rule_id}`

Update a configured Zero Trust Gateway rule.

### Parameters

- `ruleID string` Identify the API resource with a UUID.
- `params GatewayRuleUpdateParams`
  - `AccountID param.Field[string]` Path param
  - `Action param.Field[GatewayRuleUpdateParamsAction]` Body param: Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `const GatewayRuleUpdateParamsActionOn GatewayRuleUpdateParamsAction = "on"`
    - `const GatewayRuleUpdateParamsActionOff GatewayRuleUpdateParamsAction = "off"`
    - `const GatewayRuleUpdateParamsActionAllow GatewayRuleUpdateParamsAction = "allow"`
    - `const GatewayRuleUpdateParamsActionBlock GatewayRuleUpdateParamsAction = "block"`
    - `const GatewayRuleUpdateParamsActionScan GatewayRuleUpdateParamsAction = "scan"`
    - `const GatewayRuleUpdateParamsActionNoscan GatewayRuleUpdateParamsAction = "noscan"`
    - `const GatewayRuleUpdateParamsActionSafesearch GatewayRuleUpdateParamsAction = "safesearch"`
    - `const GatewayRuleUpdateParamsActionYtrestricted GatewayRuleUpdateParamsAction = "ytrestricted"`
    - `const GatewayRuleUpdateParamsActionIsolate GatewayRuleUpdateParamsAction = "isolate"`
    - `const GatewayRuleUpdateParamsActionNoisolate GatewayRuleUpdateParamsAction = "noisolate"`
    - `const GatewayRuleUpdateParamsActionOverride GatewayRuleUpdateParamsAction = "override"`
    - `const GatewayRuleUpdateParamsActionL4Override GatewayRuleUpdateParamsAction = "l4_override"`
    - `const GatewayRuleUpdateParamsActionEgress GatewayRuleUpdateParamsAction = "egress"`
    - `const GatewayRuleUpdateParamsActionResolve GatewayRuleUpdateParamsAction = "resolve"`
    - `const GatewayRuleUpdateParamsActionQuarantine GatewayRuleUpdateParamsAction = "quarantine"`
    - `const GatewayRuleUpdateParamsActionRedirect GatewayRuleUpdateParamsAction = "redirect"`
  - `Name param.Field[string]` Body param: Specify the rule name.
  - `Description param.Field[string]` Body param: Specify the rule description.
  - `DevicePosture param.Field[string]` Body param: Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `Enabled param.Field[bool]` Body param: Specify whether the rule is enabled.
  - `Expiration param.Field[GatewayRuleUpdateParamsExpiration]` Body param: Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `ExpiresAt Time` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.
    - `Duration int64` Defines the default duration a policy is active, in minutes. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `Expired bool` Indicates whether the policy is expired.
  - `Filters param.Field[[]GatewayFilter]` Body param: Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `const GatewayFilterHTTP GatewayFilter = "http"`
    - `const GatewayFilterDNS GatewayFilter = "dns"`
    - `const GatewayFilterL4 GatewayFilter = "l4"`
    - `const GatewayFilterEgress GatewayFilter = "egress"`
    - `const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"`
  - `Identity param.Field[string]` Body param: Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `Precedence param.Field[int64]` Body param: Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `RuleSettings param.Field[RuleSetting]` Body param: Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
  - `Schedule param.Field[Schedule]` Body param: Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
  - `Traffic param.Field[string]` Body param: Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

### Returns

- `type GatewayRule struct{…}`
  - `Action GatewayRuleAction` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `const GatewayRuleActionOn GatewayRuleAction = "on"`
    - `const GatewayRuleActionOff GatewayRuleAction = "off"`
    - `const GatewayRuleActionAllow GatewayRuleAction = "allow"`
    - `const GatewayRuleActionBlock GatewayRuleAction = "block"`
    - `const GatewayRuleActionScan GatewayRuleAction = "scan"`
    - `const GatewayRuleActionNoscan GatewayRuleAction = "noscan"`
    - `const GatewayRuleActionSafesearch GatewayRuleAction = "safesearch"`
    - `const GatewayRuleActionYtrestricted GatewayRuleAction = "ytrestricted"`
    - `const GatewayRuleActionIsolate GatewayRuleAction = "isolate"`
    - `const GatewayRuleActionNoisolate GatewayRuleAction = "noisolate"`
    - `const GatewayRuleActionOverride GatewayRuleAction = "override"`
    - `const GatewayRuleActionL4Override GatewayRuleAction = "l4_override"`
    - `const GatewayRuleActionEgress GatewayRuleAction = "egress"`
    - `const GatewayRuleActionResolve GatewayRuleAction = "resolve"`
    - `const GatewayRuleActionQuarantine GatewayRuleAction = "quarantine"`
    - `const GatewayRuleActionRedirect GatewayRuleAction = "redirect"`
  - `Enabled bool` Specify whether the rule is enabled.
  - `Filters []GatewayFilter` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `const GatewayFilterHTTP GatewayFilter = "http"`
    - `const GatewayFilterDNS GatewayFilter = "dns"`
    - `const GatewayFilterL4 GatewayFilter = "l4"`
    - `const GatewayFilterEgress GatewayFilter = "egress"`
    - `const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"`
  - `Name string` Specify the rule name.
  - `Precedence int64` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `Traffic string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `ID string` Identify the API resource with a UUID.
  - `CreatedAt Time`
  - `DeletedAt Time` Indicate the date of deletion, if any.
  - `Description string` Specify the rule description.
  - `DevicePosture string` Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `Expiration GatewayRuleExpiration` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `ExpiresAt Time` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.
    - `Duration int64` Defines the default duration a policy is active, in minutes. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `Expired bool` Indicates whether the policy is expired.
  - `Identity string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `ReadOnly bool` Indicate that this rule is shared via the Orgs API and read only.
  - `RuleSettings RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `AddHeaders map[string, []string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `AllowChildBypass bool` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `AuditSSH RuleSettingAuditSSH` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action.
      - `CommandLogging bool` Enable SSH command logging.
    - `BISOAdminControls RuleSettingBISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `Copy RuleSettingBISOAdminControlsCopy` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsCopyEnabled RuleSettingBISOAdminControlsCopy = "enabled"`
        - `const RuleSettingBISOAdminControlsCopyDisabled RuleSettingBISOAdminControlsCopy = "disabled"`
        - `const RuleSettingBISOAdminControlsCopyRemoteOnly RuleSettingBISOAdminControlsCopy = "remote_only"`
      - `DCP bool` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `DD bool` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `DK bool` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `Download RuleSettingBISOAdminControlsDownload` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsDownloadEnabled RuleSettingBISOAdminControlsDownload = "enabled"`
        - `const RuleSettingBISOAdminControlsDownloadDisabled RuleSettingBISOAdminControlsDownload = "disabled"`
        - `const RuleSettingBISOAdminControlsDownloadRemoteOnly RuleSettingBISOAdminControlsDownload = "remote_only"`
      - `DP bool` Set to false to enable printing. Only applies when `version == "v1"`.
      - `DU bool` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `Keyboard RuleSettingBISOAdminControlsKeyboard` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsKeyboardEnabled RuleSettingBISOAdminControlsKeyboard = "enabled"`
        - `const RuleSettingBISOAdminControlsKeyboardDisabled RuleSettingBISOAdminControlsKeyboard = "disabled"`
      - `Paste RuleSettingBISOAdminControlsPaste` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsPasteEnabled RuleSettingBISOAdminControlsPaste = "enabled"`
        - `const RuleSettingBISOAdminControlsPasteDisabled RuleSettingBISOAdminControlsPaste = "disabled"`
        - `const RuleSettingBISOAdminControlsPasteRemoteOnly RuleSettingBISOAdminControlsPaste = "remote_only"`
      - `Printing RuleSettingBISOAdminControlsPrinting` Configure print behavior. By default, printing is enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsPrintingEnabled RuleSettingBISOAdminControlsPrinting = "enabled"`
        - `const RuleSettingBISOAdminControlsPrintingDisabled RuleSettingBISOAdminControlsPrinting = "disabled"`
      - `Upload RuleSettingBISOAdminControlsUpload` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsUploadEnabled RuleSettingBISOAdminControlsUpload = "enabled"`
        - `const RuleSettingBISOAdminControlsUploadDisabled RuleSettingBISOAdminControlsUpload = "disabled"`
      - `Version RuleSettingBISOAdminControlsVersion` Indicate which version of the browser isolation controls should apply.
        - `const RuleSettingBISOAdminControlsVersionV1 RuleSettingBISOAdminControlsVersion = "v1"`
        - `const RuleSettingBISOAdminControlsVersionV2 RuleSettingBISOAdminControlsVersion = "v2"`
    - `BlockPage RuleSettingBlockPage` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
    - `BlockPageEnabled bool` Enable the custom block page. Settable only for `dns` rules with action `block`.
    - `BlockReason string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `BypassParentRule bool` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `CheckSession RuleSettingCheckSession` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `Duration string` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `Enforce bool` Enable session enforcement.
    - `DNSResolvers RuleSettingDNSResolvers` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `IPV4 []DNSResolverSettingsV4`
        - `IP string` Specify the IPv4 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
      - `IPV6 []DNSResolverSettingsV6`
        - `IP string` Specify the IPv6 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
    - `Egress RuleSettingEgress` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `IPV4 string` Specify the IPv4 address to use for egress.
      - `IPV4Fallback string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      - `IPV6 string` Specify the IPv6 range to use for egress.
    - `ForensicCopy RuleSettingForensicCopy` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `Enabled bool` Enable sending the copy to storage.
    - `IgnoreCNAMECategoryMatches bool` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `InsecureDisableDNSSECValidation bool` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `IPCategories bool` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `IPIndicatorFeeds bool` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `L4override RuleSettingL4override` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `IP string` Defines the IPv4 or IPv6 address.
      - `Port int64` Defines a port number to use for TCP/UDP overrides.
    - `NotificationSettings RuleSettingNotificationSettings` Configure a notification to display on the user's device when this rule is matched. Settable for all types of rules with the action set to `block`.
      - `Enabled bool` Enable notification.
      - `IncludeContext bool` Indicates whether to pass the context information as query parameters.
      - `Msg string` Customize the message shown in the notification.
      - `SupportURL string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `OverrideHost string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `OverrideIPs []string` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `PayloadLog RuleSettingPayloadLog` Configure DLP payload logging. Settable only for `http` rules.
      - `Enabled bool` Enable DLP payload logging for this rule.
    - `Quarantine RuleSettingQuarantine` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `FileTypes []RuleSettingQuarantineFileType` Specify the types of files to sandbox.
- `const RuleSettingQuarantineFileTypeExe RuleSettingQuarantineFileType = "exe"` - `const RuleSettingQuarantineFileTypePDF RuleSettingQuarantineFileType = "pdf"` - `const RuleSettingQuarantineFileTypeDoc RuleSettingQuarantineFileType = "doc"` - `const RuleSettingQuarantineFileTypeDocm RuleSettingQuarantineFileType = "docm"` - `const RuleSettingQuarantineFileTypeDocx RuleSettingQuarantineFileType = "docx"` - `const RuleSettingQuarantineFileTypeRtf RuleSettingQuarantineFileType = "rtf"` - `const RuleSettingQuarantineFileTypePpt RuleSettingQuarantineFileType = "ppt"` - `const RuleSettingQuarantineFileTypePptx RuleSettingQuarantineFileType = "pptx"` - `const RuleSettingQuarantineFileTypeXls RuleSettingQuarantineFileType = "xls"` - `const RuleSettingQuarantineFileTypeXlsm RuleSettingQuarantineFileType = "xlsm"` - `const RuleSettingQuarantineFileTypeXlsx RuleSettingQuarantineFileType = "xlsx"` - `const RuleSettingQuarantineFileTypeZip RuleSettingQuarantineFileType = "zip"` - `const RuleSettingQuarantineFileTypeRar RuleSettingQuarantineFileType = "rar"` - `Redirect RuleSettingRedirect` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`. - `TargetURI string` Specify the URI to which the user is redirected. - `IncludeContext bool` Specify whether to pass the context information as query parameters. - `PreservePathAndQuery bool` Specify whether to append the path and query parameters from the original request to target_uri. - `ResolveDNSInternally RuleSettingResolveDNSInternally` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. 
- `Fallback RuleSettingResolveDNSInternallyFallback` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries. - `const RuleSettingResolveDNSInternallyFallbackNone RuleSettingResolveDNSInternallyFallback = "none"` - `const RuleSettingResolveDNSInternallyFallbackPublicDNS RuleSettingResolveDNSInternallyFallback = "public_dns"` - `ViewID string` Specify the internal DNS view identifier to pass to the internal DNS service. - `ResolveDNSThroughCloudflare bool` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot set when 'dns_resolvers' specified or 'resolve_dns_internally' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `UntrustedCERT RuleSettingUntrustedCERT` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`. - `Action RuleSettingUntrustedCERTAction` Defines the action performed when an untrusted certificate seen. The default action an error with HTTP code 526. - `const RuleSettingUntrustedCERTActionPassThrough RuleSettingUntrustedCERTAction = "pass_through"` - `const RuleSettingUntrustedCERTActionBlock RuleSettingUntrustedCERTAction = "block"` - `const RuleSettingUntrustedCERTActionError RuleSettingUntrustedCERTAction = "error"` - `Schedule Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules. - `Fri string` Specify the time intervals when the rule is active on Fridays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. 
- `Mon string` Specify the time intervals when the rule is active on Mondays, in the increasing order from 00:00-24:00(capped at maximum of 6 time splits). If this parameter omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `Sat string` Specify the time intervals when the rule is active on Saturdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Saturdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `Sun string` Specify the time intervals when the rule is active on Sundays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Sundays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `Thu string` Specify the time intervals when the rule is active on Thursdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `TimeZone string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location. - `Tue string` Specify the time intervals when the rule is active on Tuesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. 
    - `Wed string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `Sharable bool` Indicate that this rule is sharable via the Orgs API.
  - `SourceAccount string` Provide the account tag of the account that created the rule.
  - `UpdatedAt Time`
  - `Version int64` Indicate the version number of the rule (read-only).
  - `WarningStatus string` Indicate a warning for a misconfigured rule, if any.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Placeholder token as printed in this reference; pass your own API token.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// Update the rule identified by its UUID.
	gatewayRule, err := client.ZeroTrust.Gateway.Rules.Update(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.GatewayRuleUpdateParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
			Action:    cloudflare.F(zero_trust.GatewayRuleUpdateParamsActionAllow),
			Name:      cloudflare.F("block bad websites"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", gatewayRule.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "action": "allow",
    "enabled": true,
    "filters": ["http"],
    "name": "block bad websites",
    "precedence": 0,
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "deleted_at": "2019-12-27T18:11:19.117Z",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "expiration": {
      "expires_at": "2014-01-01T05:20:20Z",
      "duration": 10,
      "expired": false
    },
    "identity": "any(identity.groups.name[*] in {\"finance\"})",
    "read_only": true,
    "rule_settings": {
      "add_headers": {
        "My-Next-Header": ["foo", "bar"],
        "X-Custom-Header-Name": ["somecustomvalue"]
      },
      "allow_child_bypass": false,
      "audit_ssh": {
        "command_logging": false
      },
      "biso_admin_controls": {
        "copy": "remote_only",
        "dcp": true,
        "dd": true,
        "dk": true,
        "download": "enabled",
        "dp": false,
        "du": true,
        "keyboard": "enabled",
        "paste": "enabled",
        "printing": "enabled",
        "upload": "enabled",
        "version": "v1"
      },
      "block_page": {
        "target_uri": "https://example.com",
        "include_context": true
      },
      "block_page_enabled": true,
      "block_reason": "This website is a security risk",
      "bypass_parent_rule": false,
      "check_session": {
        "duration": "300s",
        "enforce": true
      },
      "dns_resolvers": {
        "ipv4": [
          {
            "ip": "2.2.2.2",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ],
        "ipv6": [
          {
            "ip": "2001:DB8::",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ]
      },
      "egress": {
        "ipv4": "192.0.2.2",
        "ipv4_fallback": "192.0.2.3",
        "ipv6": "2001:DB8::/64"
      },
      "forensic_copy": {
        "enabled": true
      },
      "ignore_cname_category_matches": true,
      "insecure_disable_dnssec_validation": false,
      "ip_categories": true,
      "ip_indicator_feeds": true,
      "l4override": {
        "ip": "1.1.1.1",
        "port": 0
      },
      "notification_settings": {
        "enabled": true,
        "include_context": true,
        "msg": "msg",
        "support_url": "support_url"
      },
      "override_host": "example.com",
      "override_ips": ["1.1.1.1", "2.2.2.2"],
      "payload_log": {
        "enabled": true
      },
      "quarantine": {
        "file_types": ["exe"]
      },
      "redirect": {
        "target_uri": "https://example.com",
        "include_context": true,
        "preserve_path_and_query": true
      },
      "resolve_dns_internally": {
        "fallback": "none",
        "view_id": "view_id"
      },
      "resolve_dns_through_cloudflare": true,
      "untrusted_cert": {
        "action": "error"
      }
    },
    "schedule": {
      "fri": "08:00-12:30,13:30-17:00",
      "mon": "08:00-12:30,13:30-17:00",
      "sat": "08:00-12:30,13:30-17:00",
      "sun": "08:00-12:30,13:30-17:00",
      "thu": "08:00-12:30,13:30-17:00",
      "time_zone": "America/New York",
      "tue": "08:00-12:30,13:30-17:00",
      "wed": "08:00-12:30,13:30-17:00"
    },
    "sharable": true,
    "source_account": "source_account",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "version": 1,
    "warning_status": "warning_status"
  }
}
```

## Delete a Zero Trust Gateway rule

`client.ZeroTrust.Gateway.Rules.Delete(ctx, ruleID, body) (*GatewayRuleDeleteResponse, error)`

**delete** `/accounts/{account_id}/gateway/rules/{rule_id}`

Delete a Zero Trust Gateway rule.

### Parameters

- `ruleID string` Identify the API resource with a UUID.
- `body GatewayRuleDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayRuleDeleteResponse interface{…}`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	// Placeholder token as printed in this reference; pass your own API token.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// Delete the rule identified by its UUID.
	rule, err := client.ZeroTrust.Gateway.Rules.Delete(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.GatewayRuleDeleteParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", rule)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {}
}
```

## List Zero Trust Gateway rules inherited from the parent account

`client.ZeroTrust.Gateway.Rules.ListTenant(ctx, query) (*SinglePage[GatewayRule], error)`

**get** `/accounts/{account_id}/gateway/rules/tenant`

List Zero Trust Gateway rules for the parent account of an account in the MSP configuration.

### Parameters

- `query GatewayRuleListTenantParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayRule struct{…}`
  - `Action GatewayRuleAction` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `const GatewayRuleActionOn GatewayRuleAction = "on"`
    - `const GatewayRuleActionOff GatewayRuleAction = "off"`
    - `const GatewayRuleActionAllow GatewayRuleAction = "allow"`
    - `const GatewayRuleActionBlock GatewayRuleAction = "block"`
    - `const GatewayRuleActionScan GatewayRuleAction = "scan"`
    - `const GatewayRuleActionNoscan GatewayRuleAction = "noscan"`
    - `const GatewayRuleActionSafesearch GatewayRuleAction = "safesearch"`
    - `const GatewayRuleActionYtrestricted GatewayRuleAction = "ytrestricted"`
    - `const GatewayRuleActionIsolate GatewayRuleAction = "isolate"`
    - `const GatewayRuleActionNoisolate GatewayRuleAction = "noisolate"`
    - `const GatewayRuleActionOverride GatewayRuleAction = "override"`
    - `const GatewayRuleActionL4Override GatewayRuleAction = "l4_override"`
    - `const GatewayRuleActionEgress GatewayRuleAction = "egress"`
    - `const GatewayRuleActionResolve GatewayRuleAction = "resolve"`
    - `const GatewayRuleActionQuarantine GatewayRuleAction = "quarantine"`
    - `const GatewayRuleActionRedirect GatewayRuleAction = "redirect"`
  - `Enabled bool` Specify whether the rule is enabled.
  - `Filters []GatewayFilter` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
- `const GatewayFilterHTTP GatewayFilter = "http"` - `const GatewayFilterDNS GatewayFilter = "dns"` - `const GatewayFilterL4 GatewayFilter = "l4"` - `const GatewayFilterEgress GatewayFilter = "egress"` - `const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"` - `Name string` Specify the rule name. - `Precedence int64` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform. - `Traffic string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `ID string` Identify the API resource with a UUID. - `CreatedAt Time` - `DeletedAt Time` Indicate the date of deletion, if any. - `Description string` Specify the rule description. - `DevicePosture string` Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `Expiration GatewayRuleExpiration` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules. - `ExpiresAt Time` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. 
Expiration policies ignore client timezones and expire globally at the specified expires_at time. - `Duration int64` Defines the default duration a policy active in minutes. Must set in order to use the `reset_expiration` endpoint on this rule. - `Expired bool` Indicates whether the policy is expired. - `Identity string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `ReadOnly bool` Indicate that this rule is shared via the Orgs API and read only. - `RuleSettings RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift. - `AddHeaders map[string, []string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`. - `AllowChildBypass bool` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. this rule. Settable for all types of rules. - `AuditSSH RuleSettingAuditSSH` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action. - `CommandLogging bool` Enable SSH command logging. - `BISOAdminControls RuleSettingBISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`. - `Copy RuleSettingBISOAdminControlsCopy` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2". 
- `const RuleSettingBISOAdminControlsCopyEnabled RuleSettingBISOAdminControlsCopy = "enabled"` - `const RuleSettingBISOAdminControlsCopyDisabled RuleSettingBISOAdminControlsCopy = "disabled"` - `const RuleSettingBISOAdminControlsCopyRemoteOnly RuleSettingBISOAdminControlsCopy = "remote_only"` - `DCP bool` Set to false to enable copy-pasting. Only applies when `version == "v1"`. - `DD bool` Set to false to enable downloading. Only applies when `version == "v1"`. - `DK bool` Set to false to enable keyboard usage. Only applies when `version == "v1"`. - `Download RuleSettingBISOAdminControlsDownload` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2". - `const RuleSettingBISOAdminControlsDownloadEnabled RuleSettingBISOAdminControlsDownload = "enabled"` - `const RuleSettingBISOAdminControlsDownloadDisabled RuleSettingBISOAdminControlsDownload = "disabled"` - `const RuleSettingBISOAdminControlsDownloadRemoteOnly RuleSettingBISOAdminControlsDownload = "remote_only"` - `DP bool` Set to false to enable printing. Only applies when `version == "v1"`. - `DU bool` Set to false to enable uploading. Only applies when `version == "v1"`. - `Keyboard RuleSettingBISOAdminControlsKeyboard` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2". - `const RuleSettingBISOAdminControlsKeyboardEnabled RuleSettingBISOAdminControlsKeyboard = "enabled"` - `const RuleSettingBISOAdminControlsKeyboardDisabled RuleSettingBISOAdminControlsKeyboard = "disabled"` - `Paste RuleSettingBISOAdminControlsPaste` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2". 
- `const RuleSettingBISOAdminControlsPasteEnabled RuleSettingBISOAdminControlsPaste = "enabled"` - `const RuleSettingBISOAdminControlsPasteDisabled RuleSettingBISOAdminControlsPaste = "disabled"` - `const RuleSettingBISOAdminControlsPasteRemoteOnly RuleSettingBISOAdminControlsPaste = "remote_only"` - `Printing RuleSettingBISOAdminControlsPrinting` Configure print behavior. Default, Printing is enabled. Applies only when version == "v2". - `const RuleSettingBISOAdminControlsPrintingEnabled RuleSettingBISOAdminControlsPrinting = "enabled"` - `const RuleSettingBISOAdminControlsPrintingDisabled RuleSettingBISOAdminControlsPrinting = "disabled"` - `Upload RuleSettingBISOAdminControlsUpload` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2". - `const RuleSettingBISOAdminControlsUploadEnabled RuleSettingBISOAdminControlsUpload = "enabled"` - `const RuleSettingBISOAdminControlsUploadDisabled RuleSettingBISOAdminControlsUpload = "disabled"` - `Version RuleSettingBISOAdminControlsVersion` Indicate which version of the browser isolation controls should apply. - `const RuleSettingBISOAdminControlsVersionV1 RuleSettingBISOAdminControlsVersion = "v1"` - `const RuleSettingBISOAdminControlsVersionV2 RuleSettingBISOAdminControlsVersion = "v2"` - `BlockPage RuleSettingBlockPage` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`. - `TargetURI string` Specify the URI to which the user is redirected. - `IncludeContext bool` Specify whether to pass the context information as query parameters. - `BlockPageEnabled bool` Enable the custom block page. Settable only for `dns` rules with action `block`. - `BlockReason string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action set to `block`. 
- `BypassParentRule bool` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules. - `CheckSession RuleSettingCheckSession` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`. - `Duration string` Sets the required session freshness threshold. The API returns a normalized version of this value. - `Enforce bool` Enable session enforcement. - `DNSResolvers RuleSettingDNSResolvers` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `IPV4 []DNSResolverSettingsV4` - `IP string` Specify the IPv4 address of the upstream resolver. - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. - `IPV6 []DNSResolverSettingsV6` - `IP string` Specify the IPv6 address of the upstream resolver. - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. - `Egress RuleSettingEgress` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules. 
- `IPV4 string` Specify the IPv4 address to use for egress. - `IPV4Fallback string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs. - `IPV6 string` Specify the IPv6 range to use for egress. - `ForensicCopy RuleSettingForensicCopy` Configure whether a copy of the HTTP request will be sent to storage when the rule matches. - `Enabled bool` Enable sending the copy to storage. - `IgnoreCNAMECategoryMatches bool` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules. - `InsecureDisableDNSSECValidation bool` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules. - `IPCategories bool` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules. - `IPIndicatorFeeds bool` Indicates whether to include IPs in DNS resolver indicator feed blocks. Default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules. - `L4override RuleSettingL4override` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`. - `IP string` Defines the IPv4 or IPv6 address. - `Port int64` Defines a port number to use for TCP/UDP overrides. - `NotificationSettings RuleSettingNotificationSettings` Configure a notification to display on the user's device when this rule matched. Settable for all types of rules with the action set to `block`. - `Enabled bool` Enable notification. - `IncludeContext bool` Indicates whether to pass the context information as query parameters. - `Msg string` Customize the message shown in the notification. 
- `SupportURL string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page. - `OverrideHost string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`. - `OverrideIPs []string` Defines a an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`. - `PayloadLog RuleSettingPayloadLog` Configure DLP payload logging. Settable only for `http` rules. - `Enabled bool` Enable DLP payload logging for this rule. - `Quarantine RuleSettingQuarantine` Configure settings that apply to quarantine rules. Settable only for `http` rules. - `FileTypes []RuleSettingQuarantineFileType` Specify the types of files to sandbox. - `const RuleSettingQuarantineFileTypeExe RuleSettingQuarantineFileType = "exe"` - `const RuleSettingQuarantineFileTypePDF RuleSettingQuarantineFileType = "pdf"` - `const RuleSettingQuarantineFileTypeDoc RuleSettingQuarantineFileType = "doc"` - `const RuleSettingQuarantineFileTypeDocm RuleSettingQuarantineFileType = "docm"` - `const RuleSettingQuarantineFileTypeDocx RuleSettingQuarantineFileType = "docx"` - `const RuleSettingQuarantineFileTypeRtf RuleSettingQuarantineFileType = "rtf"` - `const RuleSettingQuarantineFileTypePpt RuleSettingQuarantineFileType = "ppt"` - `const RuleSettingQuarantineFileTypePptx RuleSettingQuarantineFileType = "pptx"` - `const RuleSettingQuarantineFileTypeXls RuleSettingQuarantineFileType = "xls"` - `const RuleSettingQuarantineFileTypeXlsm RuleSettingQuarantineFileType = "xlsm"` - `const RuleSettingQuarantineFileTypeXlsx RuleSettingQuarantineFileType = "xlsx"` - `const RuleSettingQuarantineFileTypeZip RuleSettingQuarantineFileType = "zip"` - `const RuleSettingQuarantineFileTypeRar RuleSettingQuarantineFileType = "rar"` - `Redirect RuleSettingRedirect` Apply settings to redirect rules. 
Settable only for `http` rules with the action set to `redirect`. - `TargetURI string` Specify the URI to which the user is redirected. - `IncludeContext bool` Specify whether to pass the context information as query parameters. - `PreservePathAndQuery bool` Specify whether to append the path and query parameters from the original request to target_uri. - `ResolveDNSInternally RuleSettingResolveDNSInternally` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `Fallback RuleSettingResolveDNSInternallyFallback` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries. - `const RuleSettingResolveDNSInternallyFallbackNone RuleSettingResolveDNSInternallyFallback = "none"` - `const RuleSettingResolveDNSInternallyFallbackPublicDNS RuleSettingResolveDNSInternallyFallback = "public_dns"` - `ViewID string` Specify the internal DNS view identifier to pass to the internal DNS service. - `ResolveDNSThroughCloudflare bool` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot set when 'dns_resolvers' specified or 'resolve_dns_internally' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `UntrustedCERT RuleSettingUntrustedCERT` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`. - `Action RuleSettingUntrustedCERTAction` Defines the action performed when an untrusted certificate seen. The default action an error with HTTP code 526. 
- `const RuleSettingUntrustedCERTActionPassThrough RuleSettingUntrustedCERTAction = "pass_through"` - `const RuleSettingUntrustedCERTActionBlock RuleSettingUntrustedCERTAction = "block"` - `const RuleSettingUntrustedCERTActionError RuleSettingUntrustedCERTAction = "error"` - `Schedule Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules. - `Fri string` Specify the time intervals when the rule is active on Fridays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `Mon string` Specify the time intervals when the rule is active on Mondays, in the increasing order from 00:00-24:00(capped at maximum of 6 time splits). If this parameter omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `Sat string` Specify the time intervals when the rule is active on Saturdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Saturdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `Sun string` Specify the time intervals when the rule is active on Sundays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Sundays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `Thu string` Specify the time intervals when the rule is active on Thursdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `TimeZone string` Specify the time zone for rule evaluation. 
When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location. - `Tue string` Specify the time intervals when the rule is active on Tuesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `Wed string` Specify the time intervals when the rule is active on Wednesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Wednesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `Sharable bool` Indicate that this rule is sharable via the Orgs API. - `SourceAccount string` Provide the account tag of the account that created the rule. - `UpdatedAt Time` - `Version int64` Indicate the version number of the rule(read-only). - `WarningStatus string` Indicate a warning for a misconfigured rule, if any. 
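The following is an added example, not part of this SDK reference or of cloudflare-go: a standard-library Go audit that reads a rules-list response in the JSON shape shown on this page and flags settings worth a security review (`insecure_disable_dnssec_validation`, an `untrusted_cert` action of `pass_through`, a `resolve_dns_internally` fallback of `public_dns`, the two MSP bypass flags, and a non-empty `warning_status`). `AuditRules`, `Finding`, `hasFilter` and the sample rules are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// rule mirrors only the response fields this audit reads; the JSON keys are
// the ones shown in the sample responses on this page.
type rule struct {
	ID            string   `json:"id"`
	Filters       []string `json:"filters"`
	WarningStatus string   `json:"warning_status"`
	Settings      struct {
		AllowChildBypass bool `json:"allow_child_bypass"`
		BypassParentRule bool `json:"bypass_parent_rule"`
		DisableDNSSEC    bool `json:"insecure_disable_dnssec_validation"`
		ResolveInternal  *struct {
			Fallback string `json:"fallback"`
		} `json:"resolve_dns_internally"`
		UntrustedCert *struct {
			Action string `json:"action"`
		} `json:"untrusted_cert"`
	} `json:"rule_settings"`
}

// Finding is one review item for one rule (hypothetical type for this example).
type Finding struct {
	RuleID, Setting, Note string
}

func hasFilter(r rule, want string) bool {
	for _, f := range r.Filters {
		if f == want {
			return true
		}
	}
	return false
}

// AuditRules decodes a rules-list response body and returns review findings
// in rule order. It rejects bodies that are malformed or not marked success.
func AuditRules(body []byte) ([]Finding, error) {
	var env struct {
		Success bool   `json:"success"`
		Result  []rule `json:"result"`
	}
	if err := json.Unmarshal(body, &env); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	if !env.Success {
		return nil, errors.New("response has success=false; not auditing")
	}
	var out []Finding
	for _, r := range env.Result {
		add := func(setting, note string) {
			out = append(out, Finding{RuleID: r.ID, Setting: setting, Note: note})
		}
		s := r.Settings
		if s.DisableDNSSEC {
			add("insecure_disable_dnssec_validation", "DNSSEC validation is disabled")
			if !hasFilter(r, "dns") {
				// The reference lists this setting as settable only for dns rules.
				add("insecure_disable_dnssec_validation", "set on a non-dns rule")
			}
		}
		if s.UntrustedCert != nil && s.UntrustedCert.Action == "pass_through" {
			add("untrusted_cert.action", "untrusted upstream certificates are passed through")
		}
		if s.ResolveInternal != nil && s.ResolveInternal.Fallback == "public_dns" {
			add("resolve_dns_internally.fallback", "internal lookups fall back to public DNS")
		}
		if s.AllowChildBypass {
			add("allow_child_bypass", "MSP child accounts may bypass this rule")
		}
		if s.BypassParentRule {
			add("bypass_parent_rule", "rule bypasses the parent account's rules")
		}
		if r.WarningStatus != "" {
			add("warning_status", "API reports: "+r.WarningStatus)
		}
	}
	return out, nil
}

// Constructed sample in the shape of the list response; not real account data.
const sampleResponse = `{
  "success": true,
  "result": [
    {"id": "rule-a", "action": "allow", "filters": ["dns"],
     "rule_settings": {"insecure_disable_dnssec_validation": true}},
    {"id": "rule-b", "action": "allow", "filters": ["http"],
     "rule_settings": {"untrusted_cert": {"action": "pass_through"}},
     "warning_status": "constructed warning"},
    {"id": "rule-c", "action": "resolve", "filters": ["dns_resolver"],
     "rule_settings": {"resolve_dns_internally": {"fallback": "public_dns", "view_id": "view_id"}}},
    {"id": "rule-d", "action": "block", "filters": ["http"],
     "rule_settings": {"untrusted_cert": {"action": "error"}, "allow_child_bypass": false}}
  ]
}`

func main() {
	findings, err := AuditRules([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s\t%s\t%s\n", f.RuleID, f.Setting, f.Note)
	}
}
```

To run it against a live account, marshal the rules returned by the list call to JSON and pass the bytes to `AuditRules` in place of the constructed sample.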
### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  page, err := client.ZeroTrust.Gateway.Rules.ListTenant(context.TODO(), zero_trust.GatewayRuleListTenantParams{
    AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "action": "allow",
      "enabled": true,
      "filters": [
        "http"
      ],
      "name": "block bad websites",
      "precedence": 0,
      "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "deleted_at": "2019-12-27T18:11:19.117Z",
      "description": "Block bad websites based on their host name.",
      "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
      "expiration": {
        "expires_at": "2014-01-01T05:20:20Z",
        "duration": 10,
        "expired": false
      },
      "identity": "any(identity.groups.name[*] in {\"finance\"})",
      "read_only": true,
      "rule_settings": {
        "add_headers": {
          "My-Next-Header": [
            "foo",
            "bar"
          ],
          "X-Custom-Header-Name": [
            "somecustomvalue"
          ]
        },
        "allow_child_bypass": false,
        "audit_ssh": {
          "command_logging": false
        },
        "biso_admin_controls": {
          "copy": "remote_only",
          "dcp": true,
          "dd": true,
          "dk": true,
          "download": "enabled",
          "dp": false,
          "du": true,
          "keyboard": "enabled",
          "paste": "enabled",
          "printing": "enabled",
          "upload": "enabled",
          "version": "v1"
        },
        "block_page": {
          "target_uri": "https://example.com",
          "include_context": true
        },
        "block_page_enabled": true,
        "block_reason": "This website is a security risk",
        "bypass_parent_rule": false,
        "check_session": {
          "duration": "300s",
          "enforce": true
        },
        "dns_resolvers": {
          "ipv4": [
            {
              "ip": "2.2.2.2",
              "port": 5053,
              "route_through_private_network": true,
              "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
            }
          ],
          "ipv6": [
            {
              "ip": "2001:DB8::",
              "port": 5053,
              "route_through_private_network": true,
              "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
            }
          ]
        },
        "egress": {
          "ipv4": "192.0.2.2",
          "ipv4_fallback": "192.0.2.3",
          "ipv6": "2001:DB8::/64"
        },
        "forensic_copy": {
          "enabled": true
        },
        "ignore_cname_category_matches": true,
        "insecure_disable_dnssec_validation": false,
        "ip_categories": true,
        "ip_indicator_feeds": true,
        "l4override": {
          "ip": "1.1.1.1",
          "port": 0
        },
        "notification_settings": {
          "enabled": true,
          "include_context": true,
          "msg": "msg",
          "support_url": "support_url"
        },
        "override_host": "example.com",
        "override_ips": [
          "1.1.1.1",
          "2.2.2.2"
        ],
        "payload_log": {
          "enabled": true
        },
        "quarantine": {
          "file_types": [
            "exe"
          ]
        },
        "redirect": {
          "target_uri": "https://example.com",
          "include_context": true,
          "preserve_path_and_query": true
        },
        "resolve_dns_internally": {
          "fallback": "none",
          "view_id": "view_id"
        },
        "resolve_dns_through_cloudflare": true,
        "untrusted_cert": {
          "action": "error"
        }
      },
      "schedule": {
        "fri": "08:00-12:30,13:30-17:00",
        "mon": "08:00-12:30,13:30-17:00",
        "sat": "08:00-12:30,13:30-17:00",
        "sun": "08:00-12:30,13:30-17:00",
        "thu": "08:00-12:30,13:30-17:00",
        "time_zone": "America/New York",
        "tue": "08:00-12:30,13:30-17:00",
        "wed": "08:00-12:30,13:30-17:00"
      },
      "sharable": true,
      "source_account": "source_account",
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "version": 1,
      "warning_status": "warning_status"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Reset the expiration of a Zero Trust Gateway Rule
`client.ZeroTrust.Gateway.Rules.ResetExpiration(ctx, ruleID, body) (*GatewayRule, error)`

**post** `/accounts/{account_id}/gateway/rules/{rule_id}/reset_expiration`

Resets the expiration of a Zero Trust Gateway Rule if its duration has elapsed and it has a default duration. The Zero Trust Gateway Rule must have values for both `expiration.expires_at` and `expiration.duration`.

### Parameters

- `ruleID string` Identify the API resource with a UUID.
- `body GatewayRuleResetExpirationParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayRule struct{…}`
  - `Action GatewayRuleAction` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `const GatewayRuleActionOn GatewayRuleAction = "on"`
    - `const GatewayRuleActionOff GatewayRuleAction = "off"`
    - `const GatewayRuleActionAllow GatewayRuleAction = "allow"`
    - `const GatewayRuleActionBlock GatewayRuleAction = "block"`
    - `const GatewayRuleActionScan GatewayRuleAction = "scan"`
    - `const GatewayRuleActionNoscan GatewayRuleAction = "noscan"`
    - `const GatewayRuleActionSafesearch GatewayRuleAction = "safesearch"`
    - `const GatewayRuleActionYtrestricted GatewayRuleAction = "ytrestricted"`
    - `const GatewayRuleActionIsolate GatewayRuleAction = "isolate"`
    - `const GatewayRuleActionNoisolate GatewayRuleAction = "noisolate"`
    - `const GatewayRuleActionOverride GatewayRuleAction = "override"`
    - `const GatewayRuleActionL4Override GatewayRuleAction = "l4_override"`
    - `const GatewayRuleActionEgress GatewayRuleAction = "egress"`
    - `const GatewayRuleActionResolve GatewayRuleAction = "resolve"`
    - `const GatewayRuleActionQuarantine GatewayRuleAction = "quarantine"`
    - `const GatewayRuleActionRedirect GatewayRuleAction = "redirect"`
  - `Enabled bool` Specify whether the rule is enabled.
  - `Filters []GatewayFilter` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `const GatewayFilterHTTP GatewayFilter = "http"`
    - `const GatewayFilterDNS GatewayFilter = "dns"`
    - `const GatewayFilterL4 GatewayFilter = "l4"`
    - `const GatewayFilterEgress GatewayFilter = "egress"`
    - `const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"`
  - `Name string` Specify the rule name.
  - `Precedence int64` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, applicable rules are evaluated in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `Traffic string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `ID string` Identify the API resource with a UUID.
  - `CreatedAt Time`
  - `DeletedAt Time` Indicate the date of deletion, if any.
  - `Description string` Specify the rule description.
  - `DevicePosture string` Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `Expiration GatewayRuleExpiration` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `ExpiresAt Time` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified `expires_at` time.
    - `Duration int64` Defines the default duration, in minutes, for which the policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `Expired bool` Indicates whether the policy is expired.
  - `Identity string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `ReadOnly bool` Indicate that this rule is shared via the Orgs API and read only.
  - `RuleSettings RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `AddHeaders map[string, []string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `AllowChildBypass bool` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `AuditSSH RuleSettingAuditSSH` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action.
      - `CommandLogging bool` Enable SSH command logging.
    - `BISOAdminControls RuleSettingBISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `Copy RuleSettingBISOAdminControlsCopy` Configure copy behavior. If set to `remote_only`, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`.
        - `const RuleSettingBISOAdminControlsCopyEnabled RuleSettingBISOAdminControlsCopy = "enabled"`
        - `const RuleSettingBISOAdminControlsCopyDisabled RuleSettingBISOAdminControlsCopy = "disabled"`
        - `const RuleSettingBISOAdminControlsCopyRemoteOnly RuleSettingBISOAdminControlsCopy = "remote_only"`
      - `DCP bool` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `DD bool` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `DK bool` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `Download RuleSettingBISOAdminControlsDownload` Configure download behavior. When set to `remote_only`, users can view downloads but cannot save them. Applies only when `version == "v2"`.
        - `const RuleSettingBISOAdminControlsDownloadEnabled RuleSettingBISOAdminControlsDownload = "enabled"`
        - `const RuleSettingBISOAdminControlsDownloadDisabled RuleSettingBISOAdminControlsDownload = "disabled"`
        - `const RuleSettingBISOAdminControlsDownloadRemoteOnly RuleSettingBISOAdminControlsDownload = "remote_only"`
      - `DP bool` Set to false to enable printing. Only applies when `version == "v1"`.
      - `DU bool` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `Keyboard RuleSettingBISOAdminControlsKeyboard` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when `version == "v2"`.
        - `const RuleSettingBISOAdminControlsKeyboardEnabled RuleSettingBISOAdminControlsKeyboard = "enabled"`
        - `const RuleSettingBISOAdminControlsKeyboardDisabled RuleSettingBISOAdminControlsKeyboard = "disabled"`
      - `Paste RuleSettingBISOAdminControlsPaste` Configure paste behavior. If set to `remote_only`, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`.
        - `const RuleSettingBISOAdminControlsPasteEnabled RuleSettingBISOAdminControlsPaste = "enabled"`
        - `const RuleSettingBISOAdminControlsPasteDisabled RuleSettingBISOAdminControlsPaste = "disabled"`
        - `const RuleSettingBISOAdminControlsPasteRemoteOnly RuleSettingBISOAdminControlsPaste = "remote_only"`
      - `Printing RuleSettingBISOAdminControlsPrinting` Configure print behavior. By default, printing is enabled. Applies only when `version == "v2"`.
        - `const RuleSettingBISOAdminControlsPrintingEnabled RuleSettingBISOAdminControlsPrinting = "enabled"`
        - `const RuleSettingBISOAdminControlsPrintingDisabled RuleSettingBISOAdminControlsPrinting = "disabled"`
      - `Upload RuleSettingBISOAdminControlsUpload` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`.
        - `const RuleSettingBISOAdminControlsUploadEnabled RuleSettingBISOAdminControlsUpload = "enabled"`
        - `const RuleSettingBISOAdminControlsUploadDisabled RuleSettingBISOAdminControlsUpload = "disabled"`
      - `Version RuleSettingBISOAdminControlsVersion` Indicate which version of the browser isolation controls should apply.
        - `const RuleSettingBISOAdminControlsVersionV1 RuleSettingBISOAdminControlsVersion = "v1"`
        - `const RuleSettingBISOAdminControlsVersionV2 RuleSettingBISOAdminControlsVersion = "v2"`
    - `BlockPage RuleSettingBlockPage` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
    - `BlockPageEnabled bool` Enable the custom block page. Settable only for `dns` rules with action `block`.
    - `BlockReason string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `BypassParentRule bool` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `CheckSession RuleSettingCheckSession` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `Duration string` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `Enforce bool` Enable session enforcement.
    - `DNSResolvers RuleSettingDNSResolvers` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `IPV4 []DNSResolverSettingsV4`
        - `IP string` Specify the IPv4 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.
      - `IPV6 []DNSResolverSettingsV6`
        - `IP string` Specify the IPv6 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.
    - `Egress RuleSettingEgress` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `IPV4 string` Specify the IPv4 address to use for egress.
      - `IPV4Fallback string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      - `IPV6 string` Specify the IPv6 range to use for egress.
    - `ForensicCopy RuleSettingForensicCopy` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `Enabled bool` Enable sending the copy to storage.
    - `IgnoreCNAMECategoryMatches bool` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `InsecureDisableDNSSECValidation bool` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `IPCategories bool` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `IPIndicatorFeeds bool` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `L4override RuleSettingL4override` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `IP string` Defines the IPv4 or IPv6 address.
      - `Port int64` Defines a port number to use for TCP/UDP overrides.
    - `NotificationSettings RuleSettingNotificationSettings` Configure a notification to display on the user's device when this rule is matched. Settable for all types of rules with the action set to `block`.
      - `Enabled bool` Enable notification.
      - `IncludeContext bool` Indicates whether to pass the context information as query parameters.
      - `Msg string` Customize the message shown in the notification.
      - `SupportURL string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `OverrideHost string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `OverrideIPs []string` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `PayloadLog RuleSettingPayloadLog` Configure DLP payload logging. Settable only for `http` rules.
      - `Enabled bool` Enable DLP payload logging for this rule.
    - `Quarantine RuleSettingQuarantine` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `FileTypes []RuleSettingQuarantineFileType` Specify the types of files to sandbox.
        - `const RuleSettingQuarantineFileTypeExe RuleSettingQuarantineFileType = "exe"`
        - `const RuleSettingQuarantineFileTypePDF RuleSettingQuarantineFileType = "pdf"`
        - `const RuleSettingQuarantineFileTypeDoc RuleSettingQuarantineFileType = "doc"`
        - `const RuleSettingQuarantineFileTypeDocm RuleSettingQuarantineFileType = "docm"`
        - `const RuleSettingQuarantineFileTypeDocx RuleSettingQuarantineFileType = "docx"`
        - `const RuleSettingQuarantineFileTypeRtf RuleSettingQuarantineFileType = "rtf"`
        - `const RuleSettingQuarantineFileTypePpt RuleSettingQuarantineFileType = "ppt"`
        - `const RuleSettingQuarantineFileTypePptx RuleSettingQuarantineFileType = "pptx"`
        - `const RuleSettingQuarantineFileTypeXls RuleSettingQuarantineFileType = "xls"`
        - `const RuleSettingQuarantineFileTypeXlsm RuleSettingQuarantineFileType = "xlsm"`
        - `const RuleSettingQuarantineFileTypeXlsx RuleSettingQuarantineFileType = "xlsx"`
        - `const RuleSettingQuarantineFileTypeZip RuleSettingQuarantineFileType = "zip"`
        - `const RuleSettingQuarantineFileTypeRar RuleSettingQuarantineFileType = "rar"`
    - `Redirect RuleSettingRedirect` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
      - `PreservePathAndQuery bool` Specify whether to append the path and query parameters from the original request to target_uri.
    - `ResolveDNSInternally RuleSettingResolveDNSInternally` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `Fallback RuleSettingResolveDNSInternallyFallback` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
        - `const RuleSettingResolveDNSInternallyFallbackNone RuleSettingResolveDNSInternallyFallback = "none"`
        - `const RuleSettingResolveDNSInternallyFallbackPublicDNS RuleSettingResolveDNSInternallyFallback = "public_dns"`
      - `ViewID string` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `ResolveDNSThroughCloudflare bool` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `UntrustedCERT RuleSettingUntrustedCERT` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `Action RuleSettingUntrustedCERTAction` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
        - `const RuleSettingUntrustedCERTActionPassThrough RuleSettingUntrustedCERTAction = "pass_through"`
        - `const RuleSettingUntrustedCERTActionBlock RuleSettingUntrustedCERTAction = "block"`
        - `const RuleSettingUntrustedCERTActionError RuleSettingUntrustedCERTAction = "error"`
  - `Schedule Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
    - `Fri string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Mon string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Sat string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Sun string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Thu string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `TimeZone string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. The colo time zone is used when the user's IP address does not resolve to a location.
    - `Tue string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Wed string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `Sharable bool` Indicate that this rule is sharable via the Orgs API.
  - `SourceAccount string` Provide the account tag of the account that created the rule.
  - `UpdatedAt Time`
  - `Version int64` Indicate the version number of the rule (read-only).
  - `WarningStatus string` Indicate a warning for a misconfigured rule, if any.
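The preconditions for `reset_expiration` described above can be checked locally before calling the endpoint, and the same pass can list rule settings a reviewer will want to look at. This Go code is an added example, not part of the SDK or the original page: the struct is a local subset of the JSON rule object, the sample rules are constructed, and the finding codes and the choice of which settings to flag are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Rule holds only the fields this check reads, tagged with the JSON names used
// in the responses on this page. Local example type, not the SDK's GatewayRule.
type Rule struct {
	Name       string `json:"name"`
	Expiration *struct {
		ExpiresAt *time.Time `json:"expires_at"`
		Duration  int64      `json:"duration"` // minutes
		Expired   bool       `json:"expired"`
	} `json:"expiration"`
	Settings struct {
		AllowChildBypass bool `json:"allow_child_bypass"`
		BypassParentRule bool `json:"bypass_parent_rule"`
		DisableDNSSEC    bool `json:"insecure_disable_dnssec_validation"`
		UntrustedCert    *struct {
			Action string `json:"action"`
		} `json:"untrusted_cert"`
	} `json:"rule_settings"`
	WarningStatus string `json:"warning_status"`
}

// Finding is one item for a reviewer; the codes are made up for this example.
type Finding struct{ Code, Detail string }

// sample is constructed data (not from a real account), trimmed to a few fields.
const sample = `[
 {"name": "block new domains", "filters": ["dns"], "action": "block",
  "expiration": {"expires_at": "2024-01-01T05:20:20Z", "duration": 10, "expired": true}},
 {"name": "allow partner zone", "filters": ["dns"], "action": "allow",
  "expiration": {"expires_at": "2030-01-01T00:00:00Z"},
  "rule_settings": {"insecure_disable_dnssec_validation": true, "bypass_parent_rule": true}},
 {"name": "allow legacy app", "filters": ["http"], "action": "allow",
  "rule_settings": {"untrusted_cert": {"action": "pass_through"}}}
]`

// sampleNow is a fixed clock so the result is deterministic.
var sampleNow = time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)

// LoadRules decodes a JSON array of rule objects.
func LoadRules(data string) ([]Rule, error) {
	var rules []Rule
	err := json.Unmarshal([]byte(data), &rules)
	return rules, err
}

// elapsed reports whether the rule has expired, by flag or by timestamp.
func elapsed(r Rule, now time.Time) bool {
	e := r.Expiration
	return e != nil && (e.Expired || (e.ExpiresAt != nil && !now.Before(*e.ExpiresAt)))
}

// CanResetExpiration returns nil when the documented preconditions hold:
// expires_at and duration are both set and the duration has elapsed.
func CanResetExpiration(r Rule, now time.Time) error {
	switch e := r.Expiration; {
	case e == nil || e.ExpiresAt == nil:
		return errors.New("expiration.expires_at is not set")
	case e.Duration <= 0:
		return errors.New("expiration.duration is not set")
	case !elapsed(r, now):
		return errors.New("expiration has not elapsed yet")
	}
	return nil
}

// Audit lists settings on a rule that relax or end its enforcement.
func Audit(r Rule, now time.Time) []Finding {
	var out []Finding
	s := r.Settings
	if s.DisableDNSSEC {
		out = append(out, Finding{"DNSSEC_DISABLED", "insecure_disable_dnssec_validation is true"})
	}
	if s.UntrustedCert != nil && s.UntrustedCert.Action == "pass_through" {
		out = append(out, Finding{"UNTRUSTED_CERT_PASS_THROUGH", "untrusted_cert.action is pass_through"})
	}
	if s.AllowChildBypass || s.BypassParentRule {
		out = append(out, Finding{"MSP_BYPASS", "an MSP bypass flag is set on this rule"})
	}
	if elapsed(r, now) {
		out = append(out, Finding{"EXPIRED", "policy has expired and no longer applies"})
	}
	if r.WarningStatus != "" {
		out = append(out, Finding{"WARNING_STATUS", r.WarningStatus})
	}
	return out
}

// HasFinding reports whether a finding with the given code is present.
func HasFinding(fs []Finding, code string) bool {
	for _, f := range fs {
		if f.Code == code {
			return true
		}
	}
	return false
}

func main() {
	rules, err := LoadRules(sample)
	if err != nil {
		panic(err)
	}
	for _, r := range rules {
		fmt.Printf("%s: reset=%v findings=%v\n", r.Name, CanResetExpiration(r, sampleNow) == nil, Audit(r, sampleNow))
	}
}
```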
### Example

```go
package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  gatewayRule, err := client.ZeroTrust.Gateway.Rules.ResetExpiration(
    context.TODO(),
    "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    zero_trust.GatewayRuleResetExpirationParams{
      AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", gatewayRule.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "action": "allow",
    "enabled": true,
    "filters": [
      "http"
    ],
    "name": "block bad websites",
    "precedence": 0,
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "deleted_at": "2019-12-27T18:11:19.117Z",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "expiration": {
      "expires_at": "2014-01-01T05:20:20Z",
      "duration": 10,
      "expired": false
    },
    "identity": "any(identity.groups.name[*] in {\"finance\"})",
    "read_only": true,
    "rule_settings": {
      "add_headers": {
        "My-Next-Header": [
          "foo",
          "bar"
        ],
        "X-Custom-Header-Name": [
          "somecustomvalue"
        ]
      },
      "allow_child_bypass": false,
      "audit_ssh": {
        "command_logging": false
      },
      "biso_admin_controls": {
        "copy": "remote_only",
        "dcp": true,
        "dd": true,
        "dk": true,
        "download": "enabled",
        "dp": false,
        "du": true,
        "keyboard": "enabled",
        "paste": "enabled",
        "printing": "enabled",
        "upload": "enabled",
        "version": "v1"
      },
      "block_page": {
        "target_uri": "https://example.com",
        "include_context": true
      },
      "block_page_enabled": true,
      "block_reason": "This website is a security risk",
      "bypass_parent_rule": false,
      "check_session": {
        "duration": "300s",
        "enforce": true
      },
      "dns_resolvers": {
        "ipv4": [
          {
            "ip": "2.2.2.2",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ],
        "ipv6": [
          {
            "ip": "2001:DB8::",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ]
      },
      "egress": {
        "ipv4": "192.0.2.2",
        "ipv4_fallback": "192.0.2.3",
        "ipv6": "2001:DB8::/64"
      },
      "forensic_copy": {
        "enabled": true
      },
      "ignore_cname_category_matches": true,
      "insecure_disable_dnssec_validation": false,
      "ip_categories": true,
      "ip_indicator_feeds": true,
      "l4override": {
        "ip": "1.1.1.1",
        "port": 0
      },
      "notification_settings": {
        "enabled": true,
        "include_context": true,
        "msg": "msg",
        "support_url": "support_url"
      },
      "override_host": "example.com",
      "override_ips": [
        "1.1.1.1",
        "2.2.2.2"
      ],
      "payload_log": {
        "enabled": true
      },
      "quarantine": {
        "file_types": [
          "exe"
        ]
      },
      "redirect": {
        "target_uri": "https://example.com",
        "include_context": true,
        "preserve_path_and_query": true
      },
      "resolve_dns_internally": {
        "fallback": "none",
        "view_id": "view_id"
      },
      "resolve_dns_through_cloudflare": true,
      "untrusted_cert": {
        "action": "error"
      }
    },
    "schedule": {
      "fri": "08:00-12:30,13:30-17:00",
      "mon": "08:00-12:30,13:30-17:00",
      "sat": "08:00-12:30,13:30-17:00",
      "sun": "08:00-12:30,13:30-17:00",
      "thu": "08:00-12:30,13:30-17:00",
      "time_zone": "America/New York",
      "tue": "08:00-12:30,13:30-17:00",
      "wed": "08:00-12:30,13:30-17:00"
    },
    "sharable": true,
    "source_account": "source_account",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "version": 1,
    "warning_status": "warning_status"
  }
}
```

## Domain Types

### DNS Resolver Settings V4

- `type DNSResolverSettingsV4 struct{…}`
  - `IP string` Specify the IPv4 address of the upstream resolver.
  - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
  - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
  - `VnetID string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.

### DNS Resolver Settings V6

- `type DNSResolverSettingsV6 struct{…}`
  - `IP string` Specify the IPv6 address of the upstream resolver.
  - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
  - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
  - `VnetID string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.

### Gateway Filter

- `type GatewayFilter string` Specify the protocol or layer to use.
  - `const GatewayFilterHTTP GatewayFilter = "http"`
  - `const GatewayFilterDNS GatewayFilter = "dns"`
  - `const GatewayFilterL4 GatewayFilter = "l4"`
  - `const GatewayFilterEgress GatewayFilter = "egress"`
  - `const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"`

### Gateway Rule

- `type GatewayRule struct{…}`
  - `Action GatewayRuleAction` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `const GatewayRuleActionOn GatewayRuleAction = "on"`
    - `const GatewayRuleActionOff GatewayRuleAction = "off"`
    - `const GatewayRuleActionAllow GatewayRuleAction = "allow"`
    - `const GatewayRuleActionBlock GatewayRuleAction = "block"`
    - `const GatewayRuleActionScan GatewayRuleAction = "scan"`
    - `const GatewayRuleActionNoscan GatewayRuleAction = "noscan"`
    - `const GatewayRuleActionSafesearch GatewayRuleAction = "safesearch"`
    - `const GatewayRuleActionYtrestricted GatewayRuleAction = "ytrestricted"`
    - `const GatewayRuleActionIsolate GatewayRuleAction = "isolate"`
    - `const GatewayRuleActionNoisolate GatewayRuleAction = "noisolate"`
    - `const GatewayRuleActionOverride GatewayRuleAction = "override"`
    - `const GatewayRuleActionL4Override GatewayRuleAction = "l4_override"`
    - `const GatewayRuleActionEgress GatewayRuleAction = "egress"`
    - `const GatewayRuleActionResolve GatewayRuleAction = "resolve"`
    - `const GatewayRuleActionQuarantine GatewayRuleAction = "quarantine"`
    - `const GatewayRuleActionRedirect GatewayRuleAction = "redirect"`
  - `Enabled bool` Specify whether the rule is enabled.
  - `Filters []GatewayFilter` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `const GatewayFilterHTTP GatewayFilter = "http"`
    - `const GatewayFilterDNS GatewayFilter = "dns"`
    - `const GatewayFilterL4 GatewayFilter = "l4"`
    - `const GatewayFilterEgress GatewayFilter = "egress"`
    - `const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"`
  - `Name string` Specify the rule name.
  - `Precedence int64` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, applicable rules are evaluated in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
- `Traffic string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `ID string` Identify the API resource with a UUID. - `CreatedAt Time` - `DeletedAt Time` Indicate the date of deletion, if any. - `Description string` Specify the rule description. - `DevicePosture string` Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `Expiration GatewayRuleExpiration` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules. - `ExpiresAt Time` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time. - `Duration int64` Defines the default duration a policy active in minutes. Must set in order to use the `reset_expiration` endpoint on this rule. - `Expired bool` Indicates whether the policy is expired. - `Identity string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `ReadOnly bool` Indicate that this rule is shared via the Orgs API and read only. - `RuleSettings RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. 
    If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `AddHeaders map[string, []string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `AllowChildBypass bool` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `AuditSSH RuleSettingAuditSSH` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action.
      - `CommandLogging bool` Enable SSH command logging.
    - `BISOAdminControls RuleSettingBISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `Copy RuleSettingBISOAdminControlsCopy` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsCopyEnabled RuleSettingBISOAdminControlsCopy = "enabled"`
        - `const RuleSettingBISOAdminControlsCopyDisabled RuleSettingBISOAdminControlsCopy = "disabled"`
        - `const RuleSettingBISOAdminControlsCopyRemoteOnly RuleSettingBISOAdminControlsCopy = "remote_only"`
      - `DCP bool` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `DD bool` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `DK bool` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `Download RuleSettingBISOAdminControlsDownload` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsDownloadEnabled RuleSettingBISOAdminControlsDownload = "enabled"`
        - `const RuleSettingBISOAdminControlsDownloadDisabled RuleSettingBISOAdminControlsDownload = "disabled"`
        - `const RuleSettingBISOAdminControlsDownloadRemoteOnly RuleSettingBISOAdminControlsDownload = "remote_only"`
      - `DP bool` Set to false to enable printing. Only applies when `version == "v1"`.
      - `DU bool` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `Keyboard RuleSettingBISOAdminControlsKeyboard` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsKeyboardEnabled RuleSettingBISOAdminControlsKeyboard = "enabled"`
        - `const RuleSettingBISOAdminControlsKeyboardDisabled RuleSettingBISOAdminControlsKeyboard = "disabled"`
      - `Paste RuleSettingBISOAdminControlsPaste` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsPasteEnabled RuleSettingBISOAdminControlsPaste = "enabled"`
        - `const RuleSettingBISOAdminControlsPasteDisabled RuleSettingBISOAdminControlsPaste = "disabled"`
        - `const RuleSettingBISOAdminControlsPasteRemoteOnly RuleSettingBISOAdminControlsPaste = "remote_only"`
      - `Printing RuleSettingBISOAdminControlsPrinting` Configure print behavior. By default, printing is enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsPrintingEnabled RuleSettingBISOAdminControlsPrinting = "enabled"`
        - `const RuleSettingBISOAdminControlsPrintingDisabled RuleSettingBISOAdminControlsPrinting = "disabled"`
      - `Upload RuleSettingBISOAdminControlsUpload` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".
        - `const RuleSettingBISOAdminControlsUploadEnabled RuleSettingBISOAdminControlsUpload = "enabled"`
        - `const RuleSettingBISOAdminControlsUploadDisabled RuleSettingBISOAdminControlsUpload = "disabled"`
      - `Version RuleSettingBISOAdminControlsVersion` Indicate which version of the browser isolation controls should apply.
        - `const RuleSettingBISOAdminControlsVersionV1 RuleSettingBISOAdminControlsVersion = "v1"`
        - `const RuleSettingBISOAdminControlsVersionV2 RuleSettingBISOAdminControlsVersion = "v2"`
    - `BlockPage RuleSettingBlockPage` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
    - `BlockPageEnabled bool` Enable the custom block page. Settable only for `dns` rules with action `block`.
    - `BlockReason string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `BypassParentRule bool` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `CheckSession RuleSettingCheckSession` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `Duration string` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `Enforce bool` Enable session enforcement.
    - `DNSResolvers RuleSettingDNSResolvers` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `IPV4 []DNSResolverSettingsV4`
        - `IP string` Specify the IPv4 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
      - `IPV6 []DNSResolverSettingsV6`
        - `IP string` Specify the IPv6 address of the upstream resolver.
        - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
    - `Egress RuleSettingEgress` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `IPV4 string` Specify the IPv4 address to use for egress.
      - `IPV4Fallback string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      - `IPV6 string` Specify the IPv6 range to use for egress.
    - `ForensicCopy RuleSettingForensicCopy` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `Enabled bool` Enable sending the copy to storage.
    - `IgnoreCNAMECategoryMatches bool` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `InsecureDisableDNSSECValidation bool` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `IPCategories bool` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `IPIndicatorFeeds bool` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `L4override RuleSettingL4override` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `IP string` Defines the IPv4 or IPv6 address.
      - `Port int64` Defines a port number to use for TCP/UDP overrides.
    - `NotificationSettings RuleSettingNotificationSettings` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
      - `Enabled bool` Enable notification.
      - `IncludeContext bool` Indicates whether to pass the context information as query parameters.
      - `Msg string` Customize the message shown in the notification.
      - `SupportURL string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `OverrideHost string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `OverrideIPs []string` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `PayloadLog RuleSettingPayloadLog` Configure DLP payload logging. Settable only for `http` rules.
      - `Enabled bool` Enable DLP payload logging for this rule.
    - `Quarantine RuleSettingQuarantine` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `FileTypes []RuleSettingQuarantineFileType` Specify the types of files to sandbox.
        - `const RuleSettingQuarantineFileTypeExe RuleSettingQuarantineFileType = "exe"`
        - `const RuleSettingQuarantineFileTypePDF RuleSettingQuarantineFileType = "pdf"`
        - `const RuleSettingQuarantineFileTypeDoc RuleSettingQuarantineFileType = "doc"`
        - `const RuleSettingQuarantineFileTypeDocm RuleSettingQuarantineFileType = "docm"`
        - `const RuleSettingQuarantineFileTypeDocx RuleSettingQuarantineFileType = "docx"`
        - `const RuleSettingQuarantineFileTypeRtf RuleSettingQuarantineFileType = "rtf"`
        - `const RuleSettingQuarantineFileTypePpt RuleSettingQuarantineFileType = "ppt"`
        - `const RuleSettingQuarantineFileTypePptx RuleSettingQuarantineFileType = "pptx"`
        - `const RuleSettingQuarantineFileTypeXls RuleSettingQuarantineFileType = "xls"`
        - `const RuleSettingQuarantineFileTypeXlsm RuleSettingQuarantineFileType = "xlsm"`
        - `const RuleSettingQuarantineFileTypeXlsx RuleSettingQuarantineFileType = "xlsx"`
        - `const RuleSettingQuarantineFileTypeZip RuleSettingQuarantineFileType = "zip"`
        - `const RuleSettingQuarantineFileTypeRar RuleSettingQuarantineFileType = "rar"`
    - `Redirect RuleSettingRedirect` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `TargetURI string` Specify the URI to which the user is redirected.
      - `IncludeContext bool` Specify whether to pass the context information as query parameters.
      - `PreservePathAndQuery bool` Specify whether to append the path and query parameters from the original request to target_uri.
    - `ResolveDNSInternally RuleSettingResolveDNSInternally` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `Fallback RuleSettingResolveDNSInternallyFallback` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
        - `const RuleSettingResolveDNSInternallyFallbackNone RuleSettingResolveDNSInternallyFallback = "none"`
        - `const RuleSettingResolveDNSInternallyFallbackPublicDNS RuleSettingResolveDNSInternallyFallback = "public_dns"`
      - `ViewID string` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `ResolveDNSThroughCloudflare bool` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `UntrustedCERT RuleSettingUntrustedCERT` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `Action RuleSettingUntrustedCERTAction` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
        - `const RuleSettingUntrustedCERTActionPassThrough RuleSettingUntrustedCERTAction = "pass_through"`
        - `const RuleSettingUntrustedCERTActionBlock RuleSettingUntrustedCERTAction = "block"`
        - `const RuleSettingUntrustedCERTActionError RuleSettingUntrustedCERTAction = "error"`
  - `Schedule Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
    - `Fri string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Mon string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Sat string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Sun string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Thu string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `TimeZone string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.
    - `Tue string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `Wed string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `Sharable bool` Indicate that this rule is sharable via the Orgs API.
  - `SourceAccount string` Provide the account tag of the account that created the rule.
  - `UpdatedAt Time`
  - `Version int64` Indicate the version number of the rule (read-only).
  - `WarningStatus string` Indicate a warning for a misconfigured rule, if any.

### Rule Setting

- `type RuleSetting struct{…}` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
  - `AddHeaders map[string, []string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
  - `AllowChildBypass bool` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
  - `AuditSSH RuleSettingAuditSSH` Define the settings for the Audit SSH action. Settable only for `l4` rules with `audit_ssh` action.
    - `CommandLogging bool` Enable SSH command logging.
  - `BISOAdminControls RuleSettingBISOAdminControls` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
    - `Copy RuleSettingBISOAdminControlsCopy` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".
      - `const RuleSettingBISOAdminControlsCopyEnabled RuleSettingBISOAdminControlsCopy = "enabled"`
      - `const RuleSettingBISOAdminControlsCopyDisabled RuleSettingBISOAdminControlsCopy = "disabled"`
      - `const RuleSettingBISOAdminControlsCopyRemoteOnly RuleSettingBISOAdminControlsCopy = "remote_only"`
    - `DCP bool` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
    - `DD bool` Set to false to enable downloading. Only applies when `version == "v1"`.
    - `DK bool` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
    - `Download RuleSettingBISOAdminControlsDownload` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".
      - `const RuleSettingBISOAdminControlsDownloadEnabled RuleSettingBISOAdminControlsDownload = "enabled"`
      - `const RuleSettingBISOAdminControlsDownloadDisabled RuleSettingBISOAdminControlsDownload = "disabled"`
      - `const RuleSettingBISOAdminControlsDownloadRemoteOnly RuleSettingBISOAdminControlsDownload = "remote_only"`
    - `DP bool` Set to false to enable printing. Only applies when `version == "v1"`.
    - `DU bool` Set to false to enable uploading. Only applies when `version == "v1"`.
    - `Keyboard RuleSettingBISOAdminControlsKeyboard` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".
      - `const RuleSettingBISOAdminControlsKeyboardEnabled RuleSettingBISOAdminControlsKeyboard = "enabled"`
      - `const RuleSettingBISOAdminControlsKeyboardDisabled RuleSettingBISOAdminControlsKeyboard = "disabled"`
    - `Paste RuleSettingBISOAdminControlsPaste` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".
      - `const RuleSettingBISOAdminControlsPasteEnabled RuleSettingBISOAdminControlsPaste = "enabled"`
      - `const RuleSettingBISOAdminControlsPasteDisabled RuleSettingBISOAdminControlsPaste = "disabled"`
      - `const RuleSettingBISOAdminControlsPasteRemoteOnly RuleSettingBISOAdminControlsPaste = "remote_only"`
    - `Printing RuleSettingBISOAdminControlsPrinting` Configure print behavior. By default, printing is enabled. Applies only when version == "v2".
      - `const RuleSettingBISOAdminControlsPrintingEnabled RuleSettingBISOAdminControlsPrinting = "enabled"`
      - `const RuleSettingBISOAdminControlsPrintingDisabled RuleSettingBISOAdminControlsPrinting = "disabled"`
    - `Upload RuleSettingBISOAdminControlsUpload` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".
      - `const RuleSettingBISOAdminControlsUploadEnabled RuleSettingBISOAdminControlsUpload = "enabled"`
      - `const RuleSettingBISOAdminControlsUploadDisabled RuleSettingBISOAdminControlsUpload = "disabled"`
    - `Version RuleSettingBISOAdminControlsVersion` Indicate which version of the browser isolation controls should apply.
      - `const RuleSettingBISOAdminControlsVersionV1 RuleSettingBISOAdminControlsVersion = "v1"`
      - `const RuleSettingBISOAdminControlsVersionV2 RuleSettingBISOAdminControlsVersion = "v2"`
  - `BlockPage RuleSettingBlockPage` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
    - `TargetURI string` Specify the URI to which the user is redirected.
    - `IncludeContext bool` Specify whether to pass the context information as query parameters.
  - `BlockPageEnabled bool` Enable the custom block page. Settable only for `dns` rules with action `block`.
  - `BlockReason string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
  - `BypassParentRule bool` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
  - `CheckSession RuleSettingCheckSession` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
    - `Duration string` Sets the required session freshness threshold. The API returns a normalized version of this value.
    - `Enforce bool` Enable session enforcement.
  - `DNSResolvers RuleSettingDNSResolvers` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `IPV4 []DNSResolverSettingsV4`
      - `IP string` Specify the IPv4 address of the upstream resolver.
      - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
      - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
    - `IPV6 []DNSResolverSettingsV6`
      - `IP string` Specify the IPv6 address of the upstream resolver.
      - `Port int64` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      - `RouteThroughPrivateNetwork bool` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
      - `VnetID string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
  - `Egress RuleSettingEgress` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
    - `IPV4 string` Specify the IPv4 address to use for egress.
    - `IPV4Fallback string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
    - `IPV6 string` Specify the IPv6 range to use for egress.
  - `ForensicCopy RuleSettingForensicCopy` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
    - `Enabled bool` Enable sending the copy to storage.
  - `IgnoreCNAMECategoryMatches bool` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
  - `InsecureDisableDNSSECValidation bool` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
  - `IPCategories bool` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
  - `IPIndicatorFeeds bool` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
  - `L4override RuleSettingL4override` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
    - `IP string` Defines the IPv4 or IPv6 address.
    - `Port int64` Defines a port number to use for TCP/UDP overrides.
  - `NotificationSettings RuleSettingNotificationSettings` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
    - `Enabled bool` Enable notification.
    - `IncludeContext bool` Indicates whether to pass the context information as query parameters.
    - `Msg string` Customize the message shown in the notification.
    - `SupportURL string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
  - `OverrideHost string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
  - `OverrideIPs []string` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
  - `PayloadLog RuleSettingPayloadLog` Configure DLP payload logging. Settable only for `http` rules.
    - `Enabled bool` Enable DLP payload logging for this rule.
  - `Quarantine RuleSettingQuarantine` Configure settings that apply to quarantine rules. Settable only for `http` rules.
    - `FileTypes []RuleSettingQuarantineFileType` Specify the types of files to sandbox.
      - `const RuleSettingQuarantineFileTypeExe RuleSettingQuarantineFileType = "exe"`
      - `const RuleSettingQuarantineFileTypePDF RuleSettingQuarantineFileType = "pdf"`
      - `const RuleSettingQuarantineFileTypeDoc RuleSettingQuarantineFileType = "doc"`
      - `const RuleSettingQuarantineFileTypeDocm RuleSettingQuarantineFileType = "docm"`
      - `const RuleSettingQuarantineFileTypeDocx RuleSettingQuarantineFileType = "docx"`
      - `const RuleSettingQuarantineFileTypeRtf RuleSettingQuarantineFileType = "rtf"`
      - `const RuleSettingQuarantineFileTypePpt RuleSettingQuarantineFileType = "ppt"`
      - `const RuleSettingQuarantineFileTypePptx RuleSettingQuarantineFileType = "pptx"`
      - `const RuleSettingQuarantineFileTypeXls RuleSettingQuarantineFileType = "xls"`
      - `const RuleSettingQuarantineFileTypeXlsm RuleSettingQuarantineFileType = "xlsm"`
      - `const RuleSettingQuarantineFileTypeXlsx RuleSettingQuarantineFileType = "xlsx"`
      - `const RuleSettingQuarantineFileTypeZip RuleSettingQuarantineFileType = "zip"`
      - `const RuleSettingQuarantineFileTypeRar RuleSettingQuarantineFileType = "rar"`
  - `Redirect RuleSettingRedirect` Apply settings to redirect rules.
    Settable only for `http` rules with the action set to `redirect`.
    - `TargetURI string` Specify the URI to which the user is redirected.
    - `IncludeContext bool` Specify whether to pass the context information as query parameters.
    - `PreservePathAndQuery bool` Specify whether to append the path and query parameters from the original request to target_uri.
  - `ResolveDNSInternally RuleSettingResolveDNSInternally` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `Fallback RuleSettingResolveDNSInternallyFallback` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
      - `const RuleSettingResolveDNSInternallyFallbackNone RuleSettingResolveDNSInternallyFallback = "none"`
      - `const RuleSettingResolveDNSInternallyFallbackPublicDNS RuleSettingResolveDNSInternallyFallback = "public_dns"`
    - `ViewID string` Specify the internal DNS view identifier to pass to the internal DNS service.
  - `ResolveDNSThroughCloudflare bool` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
  - `UntrustedCERT RuleSettingUntrustedCERT` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
    - `Action RuleSettingUntrustedCERTAction` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
      - `const RuleSettingUntrustedCERTActionPassThrough RuleSettingUntrustedCERTAction = "pass_through"`
      - `const RuleSettingUntrustedCERTActionBlock RuleSettingUntrustedCERTAction = "block"`
      - `const RuleSettingUntrustedCERTActionError RuleSettingUntrustedCERTAction = "error"`

### Schedule

- `type Schedule struct{…}` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
  - `Fri string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `Mon string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `Sat string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `Sun string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `Thu string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `TimeZone string` Specify the time zone for rule evaluation.
    When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.
  - `Tue string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `Wed string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

# Certificates

## List Zero Trust certificates

`client.ZeroTrust.Gateway.Certificates.List(ctx, query) (*SinglePage[GatewayCertificateListResponse], error)`

**get** `/accounts/{account_id}/gateway/certificates`

List all Zero Trust certificates for an account.

### Parameters

- `query GatewayCertificateListParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayCertificateListResponse struct{…}`
  - `ID string` Identify the certificate with a UUID.
  - `BindingStatus GatewayCertificateListResponseBindingStatus` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
- `const GatewayCertificateListResponseBindingStatusPendingDeployment GatewayCertificateListResponseBindingStatus = "pending_deployment"` - `const GatewayCertificateListResponseBindingStatusAvailable GatewayCertificateListResponseBindingStatus = "available"` - `const GatewayCertificateListResponseBindingStatusPendingDeletion GatewayCertificateListResponseBindingStatus = "pending_deletion"` - `const GatewayCertificateListResponseBindingStatusInactive GatewayCertificateListResponseBindingStatus = "inactive"` - `Certificate string` Provide the CA certificate (read-only). - `CreatedAt Time` - `ExpiresOn Time` - `Fingerprint string` Provide the SHA256 fingerprint of the certificate (read-only). - `InUse bool` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only). - `IssuerOrg string` Indicate the organization that issued the certificate (read-only). - `IssuerRaw string` Provide the entire issuer field of the certificate (read-only). - `Type GatewayCertificateListResponseType` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed. 
    - `const GatewayCertificateListResponseTypeCustom GatewayCertificateListResponseType = "custom"`
    - `const GatewayCertificateListResponseTypeGatewayManaged GatewayCertificateListResponseType = "gateway_managed"`
  - `UpdatedAt Time`
  - `UploadedOn Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Gateway.Certificates.List(context.TODO(), zero_trust.GatewayCertificateListParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "binding_status": "pending_deployment",
      "certificate": "-----BEGIN CERTIFICATE-----\\n…\\n-----END CERTIFICATE-----\\n",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "expires_on": "2014-01-01T05:20:00.12345Z",
      "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
      "in_use": true,
      "issuer_org": "Example Inc.",
      "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
      "type": "gateway_managed",
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "uploaded_on": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get Zero Trust certificate details

`client.ZeroTrust.Gateway.Certificates.Get(ctx, certificateID, query) (*GatewayCertificateGetResponse, error)`

**get** `/accounts/{account_id}/gateway/certificates/{certificate_id}`

Get a single Zero Trust certificate.

### Parameters

- `certificateID string`
  Identify the certificate with a UUID.
- `query GatewayCertificateGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayCertificateGetResponse struct{…}`
  - `ID string`
    Identify the certificate with a UUID.
  - `BindingStatus GatewayCertificateGetResponseBindingStatus`
    Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `const GatewayCertificateGetResponseBindingStatusPendingDeployment GatewayCertificateGetResponseBindingStatus = "pending_deployment"`
    - `const GatewayCertificateGetResponseBindingStatusAvailable GatewayCertificateGetResponseBindingStatus = "available"`
    - `const GatewayCertificateGetResponseBindingStatusPendingDeletion GatewayCertificateGetResponseBindingStatus = "pending_deletion"`
    - `const GatewayCertificateGetResponseBindingStatusInactive GatewayCertificateGetResponseBindingStatus = "inactive"`
  - `Certificate string`
    Provide the CA certificate (read-only).
  - `CreatedAt Time`
  - `ExpiresOn Time`
  - `Fingerprint string`
    Provide the SHA256 fingerprint of the certificate (read-only).
  - `InUse bool`
    Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `IssuerOrg string`
    Indicate the organization that issued the certificate (read-only).
  - `IssuerRaw string`
    Provide the entire issuer field of the certificate (read-only).
  - `Type GatewayCertificateGetResponseType`
    Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `const GatewayCertificateGetResponseTypeCustom GatewayCertificateGetResponseType = "custom"`
    - `const GatewayCertificateGetResponseTypeGatewayManaged GatewayCertificateGetResponseType = "gateway_managed"`
  - `UpdatedAt Time`
  - `UploadedOn Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	certificate, err := client.ZeroTrust.Gateway.Certificates.Get(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.GatewayCertificateGetParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", certificate.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN CERTIFICATE-----\\n…\\n-----END CERTIFICATE-----\\n",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "in_use": true,
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "type": "gateway_managed",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create Zero Trust certificate

`client.ZeroTrust.Gateway.Certificates.New(ctx, params) (*GatewayCertificateNewResponse, error)`

**post** `/accounts/{account_id}/gateway/certificates`

Create a new Zero Trust certificate.

### Parameters

- `params GatewayCertificateNewParams`
  - `AccountID param.Field[string]`
    Path param
  - `ValidityPeriodDays param.Field[int64]`
    Body param: Sets the certificate validity period in days (range: 1-10,950 days / ~30 years). Defaults to 1,825 days (5 years). **Important**: This field is settable only during certificate creation. Certificates become immutable after creation; use the `/activate` and `/deactivate` endpoints to manage the certificate lifecycle.

### Returns

- `type GatewayCertificateNewResponse struct{…}`
  - `ID string`
    Identify the certificate with a UUID.
  - `BindingStatus GatewayCertificateNewResponseBindingStatus`
    Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `const GatewayCertificateNewResponseBindingStatusPendingDeployment GatewayCertificateNewResponseBindingStatus = "pending_deployment"`
    - `const GatewayCertificateNewResponseBindingStatusAvailable GatewayCertificateNewResponseBindingStatus = "available"`
    - `const GatewayCertificateNewResponseBindingStatusPendingDeletion GatewayCertificateNewResponseBindingStatus = "pending_deletion"`
    - `const GatewayCertificateNewResponseBindingStatusInactive GatewayCertificateNewResponseBindingStatus = "inactive"`
  - `Certificate string`
    Provide the CA certificate (read-only).
  - `CreatedAt Time`
  - `ExpiresOn Time`
  - `Fingerprint string`
    Provide the SHA256 fingerprint of the certificate (read-only).
  - `InUse bool`
    Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `IssuerOrg string`
    Indicate the organization that issued the certificate (read-only).
  - `IssuerRaw string`
    Provide the entire issuer field of the certificate (read-only).
  - `Type GatewayCertificateNewResponseType`
    Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `const GatewayCertificateNewResponseTypeCustom GatewayCertificateNewResponseType = "custom"`
    - `const GatewayCertificateNewResponseTypeGatewayManaged GatewayCertificateNewResponseType = "gateway_managed"`
  - `UpdatedAt Time`
  - `UploadedOn Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	certificate, err := client.ZeroTrust.Gateway.Certificates.New(context.TODO(), zero_trust.GatewayCertificateNewParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", certificate.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN CERTIFICATE-----\\n…\\n-----END CERTIFICATE-----\\n",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "in_use": true,
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "type": "gateway_managed",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete Zero Trust certificate

`client.ZeroTrust.Gateway.Certificates.Delete(ctx, certificateID, body) (*GatewayCertificateDeleteResponse, error)`

**delete** `/accounts/{account_id}/gateway/certificates/{certificate_id}`

Delete a gateway-managed Zero Trust certificate. You must deactivate the certificate from the edge (inactive) before deleting it.

### Parameters

- `certificateID string`
  Identify the certificate with a UUID.
- `body GatewayCertificateDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayCertificateDeleteResponse struct{…}`
  - `ID string`
    Identify the certificate with a UUID.
  - `BindingStatus GatewayCertificateDeleteResponseBindingStatus`
    Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `const GatewayCertificateDeleteResponseBindingStatusPendingDeployment GatewayCertificateDeleteResponseBindingStatus = "pending_deployment"`
    - `const GatewayCertificateDeleteResponseBindingStatusAvailable GatewayCertificateDeleteResponseBindingStatus = "available"`
    - `const GatewayCertificateDeleteResponseBindingStatusPendingDeletion GatewayCertificateDeleteResponseBindingStatus = "pending_deletion"`
    - `const GatewayCertificateDeleteResponseBindingStatusInactive GatewayCertificateDeleteResponseBindingStatus = "inactive"`
  - `Certificate string`
    Provide the CA certificate (read-only).
  - `CreatedAt Time`
  - `ExpiresOn Time`
  - `Fingerprint string`
    Provide the SHA256 fingerprint of the certificate (read-only).
  - `InUse bool`
    Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `IssuerOrg string`
    Indicate the organization that issued the certificate (read-only).
  - `IssuerRaw string`
    Provide the entire issuer field of the certificate (read-only).
  - `Type GatewayCertificateDeleteResponseType`
    Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `const GatewayCertificateDeleteResponseTypeCustom GatewayCertificateDeleteResponseType = "custom"`
    - `const GatewayCertificateDeleteResponseTypeGatewayManaged GatewayCertificateDeleteResponseType = "gateway_managed"`
  - `UpdatedAt Time`
  - `UploadedOn Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	certificate, err := client.ZeroTrust.Gateway.Certificates.Delete(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.GatewayCertificateDeleteParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", certificate.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN CERTIFICATE-----\\n…\\n-----END CERTIFICATE-----\\n",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "in_use": true,
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "type": "gateway_managed",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Activate a Zero Trust certificate

`client.ZeroTrust.Gateway.Certificates.Activate(ctx, certificateID, params) (*GatewayCertificateActivateResponse, error)`

**post** `/accounts/{account_id}/gateway/certificates/{certificate_id}/activate`

Bind a single Zero Trust certificate to the edge.

### Parameters

- `certificateID string`
  Identify the certificate with a UUID.
- `params GatewayCertificateActivateParams`
  - `AccountID param.Field[string]`
    Path param
  - `Body param.Field[unknown]`
    Body param

### Returns

- `type GatewayCertificateActivateResponse struct{…}`
  - `ID string`
    Identify the certificate with a UUID.
  - `BindingStatus GatewayCertificateActivateResponseBindingStatus`
    Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `const GatewayCertificateActivateResponseBindingStatusPendingDeployment GatewayCertificateActivateResponseBindingStatus = "pending_deployment"`
    - `const GatewayCertificateActivateResponseBindingStatusAvailable GatewayCertificateActivateResponseBindingStatus = "available"`
    - `const GatewayCertificateActivateResponseBindingStatusPendingDeletion GatewayCertificateActivateResponseBindingStatus = "pending_deletion"`
    - `const GatewayCertificateActivateResponseBindingStatusInactive GatewayCertificateActivateResponseBindingStatus = "inactive"`
  - `Certificate string`
    Provide the CA certificate (read-only).
  - `CreatedAt Time`
  - `ExpiresOn Time`
  - `Fingerprint string`
    Provide the SHA256 fingerprint of the certificate (read-only).
  - `InUse bool`
    Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `IssuerOrg string`
    Indicate the organization that issued the certificate (read-only).
  - `IssuerRaw string`
    Provide the entire issuer field of the certificate (read-only).
  - `Type GatewayCertificateActivateResponseType`
    Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `const GatewayCertificateActivateResponseTypeCustom GatewayCertificateActivateResponseType = "custom"`
    - `const GatewayCertificateActivateResponseTypeGatewayManaged GatewayCertificateActivateResponseType = "gateway_managed"`
  - `UpdatedAt Time`
  - `UploadedOn Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.ZeroTrust.Gateway.Certificates.Activate(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.GatewayCertificateActivateParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
			Body:      map[string]interface{}{},
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", response.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN
CERTIFICATE-----\\nMIIDmDCCAoCgAwIBAgIUKTOAZNjcXVZRj4oQt0SHsl1c1vMwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjAgFw0yMjExMjIxNjU5NDdaGA8yMTIyMTAyOTE2NTk0N1owUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMRcORwgJFTdcG/2GKI+cFYiOBNDKjCZUXEOvXWY42BkH9wxiMT869CO+enA1w5pIrXow6kCM1sQspHHaVmJUlotEMJxyoLFfA/8Kt1EKFyobOjuZs2SwyVyJ2sStvQuUQEosULZCNGZEqoH5g6zhMPxaxm7ZLrrsDZ9maNGVqo7EWLWHrZ57Q/5MtTrbxQL+eXjUmJ9K3kS+3uEwMdqR6Z3BluU1ivanpPc1CN2GNhdO0/hSY4YkGEnuLsqJyDd3cIiB1MxuCBJ4ZaqOd2viV1WcP3oU3dxVPm4MWyfYIldMWB14FahScxLhWdRnM9YZ/i9IFcLypXsuz7DjrJPtPUCAwEAAaNmMGQwHQYDVR0OBBYEFP5JzLUawNF+c3AXsYTEWHh7z2czMB8GA1UdIwQYMBaAFP5JzLUawNF+c3AXsYTEWHh7z2czMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMA0GCSqGSIb3DQEBCwUAA4IBAQBc+Be7NDhpE09y7hLPZGRPl1cSKBw4RI0XIv6rlbSTFs5EebpTGjhx/whNxwEZhB9HZ7111Oa1YlT8xkI9DshB78mjAHCKBAJ76moK8tkG0aqdYpJ4ZcJTVBB7l98Rvgc7zfTii7WemTy72deBbSeiEtXavm4EF0mWjHhQ5Nxpnp00Bqn5g1x8CyTDypgmugnep+xG+iFzNmTdsz7WI9T/7kDMXqB7M/FPWBORyS98OJqNDswCLF8bIZYwUBEe+bRHFomoShMzaC3tvim7WCb16noDkSTMlfKO4pnvKhpcVdSgwcruATV7y+W+Lvmz2OT/Gui4JhqeoTewsxndhDDE\\n-----END CERTIFICATE-----\\n", "created_at": "2014-01-01T05:20:00.12345Z", "expires_on": "2014-01-01T05:20:00.12345Z", "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C", "in_use": true, "issuer_org": "Example Inc.", "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US", "type": "gateway_managed", "updated_at": "2014-01-01T05:20:00.12345Z", "uploaded_on": "2014-01-01T05:20:00.12345Z" } } ``` ## Deactivate a Zero Trust certificate `client.ZeroTrust.Gateway.Certificates.Deactivate(ctx, certificateID, params) (*GatewayCertificateDeactivateResponse, error)` **post** `/accounts/{account_id}/gateway/certificates/{certificate_id}/deactivate` Unbind a single Zero Trust 
certificate from the edge.

### Parameters

- `certificateID string`
  Identify the certificate with a UUID.
- `params GatewayCertificateDeactivateParams`
  - `AccountID param.Field[string]`
    Path param
  - `Body param.Field[unknown]`
    Body param

### Returns

- `type GatewayCertificateDeactivateResponse struct{…}`
  - `ID string`
    Identify the certificate with a UUID.
  - `BindingStatus GatewayCertificateDeactivateResponseBindingStatus`
    Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `const GatewayCertificateDeactivateResponseBindingStatusPendingDeployment GatewayCertificateDeactivateResponseBindingStatus = "pending_deployment"`
    - `const GatewayCertificateDeactivateResponseBindingStatusAvailable GatewayCertificateDeactivateResponseBindingStatus = "available"`
    - `const GatewayCertificateDeactivateResponseBindingStatusPendingDeletion GatewayCertificateDeactivateResponseBindingStatus = "pending_deletion"`
    - `const GatewayCertificateDeactivateResponseBindingStatusInactive GatewayCertificateDeactivateResponseBindingStatus = "inactive"`
  - `Certificate string`
    Provide the CA certificate (read-only).
  - `CreatedAt Time`
  - `ExpiresOn Time`
  - `Fingerprint string`
    Provide the SHA256 fingerprint of the certificate (read-only).
  - `InUse bool`
    Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `IssuerOrg string`
    Indicate the organization that issued the certificate (read-only).
  - `IssuerRaw string`
    Provide the entire issuer field of the certificate (read-only).
  - `Type GatewayCertificateDeactivateResponseType`
    Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `const GatewayCertificateDeactivateResponseTypeCustom GatewayCertificateDeactivateResponseType = "custom"`
    - `const GatewayCertificateDeactivateResponseTypeGatewayManaged GatewayCertificateDeactivateResponseType = "gateway_managed"`
  - `UpdatedAt Time`
  - `UploadedOn Time`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.ZeroTrust.Gateway.Certificates.Deactivate(
		context.TODO(),
		"f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
		zero_trust.GatewayCertificateDeactivateParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
			Body:      map[string]interface{}{},
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", response.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN CERTIFICATE-----\\n…\\n-----END CERTIFICATE-----\\n",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "in_use": true,
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "type": "gateway_managed",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

# Pacfiles

## List PAC files

`client.ZeroTrust.Gateway.Pacfiles.List(ctx, query) (*SinglePage[GatewayPacfileListResponse], error)`

**get** `/accounts/{account_id}/gateway/pacfiles`

List all Zero Trust Gateway PAC files for an account.

### Parameters

- `query GatewayPacfileListParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayPacfileListResponse struct{…}`
  - `ID string`
  - `CreatedAt Time`
  - `Description string`
    Detailed description of the PAC file.
  - `Name string`
    Name of the PAC file.
  - `Slug string`
    URL-friendly version of the PAC file name.
  - `UpdatedAt Time`
  - `URL string`
    Unique URL to download the PAC file.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	page, err := client.ZeroTrust.Gateway.Pacfiles.List(context.TODO(), zero_trust.GatewayPacfileListParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", page)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "ed35569b41ce4d1facfe683550f54086",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "description": "PAC file for Devops team",
      "name": "Devops team",
      "slug": "pac_devops",
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "url": "https://pac.cloudflare-gateway.com/699d98642c564d2e855e9661899b7252/pac_devops"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get a PAC file

`client.ZeroTrust.Gateway.Pacfiles.Get(ctx, pacfileID, query) (*GatewayPacfileGetResponse, error)`

**get** `/accounts/{account_id}/gateway/pacfiles/{pacfile_id}`

Get
a single Zero Trust Gateway PAC file.

### Parameters

- `pacfileID string`
- `query GatewayPacfileGetParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayPacfileGetResponse struct{…}`
  - `ID string`
  - `Contents string`
    Actual contents of the PAC file
  - `CreatedAt Time`
  - `Description string`
    Detailed description of the PAC file.
  - `Name string`
    Name of the PAC file.
  - `Slug string`
    URL-friendly version of the PAC file name.
  - `UpdatedAt Time`
  - `URL string`
    Unique URL to download the PAC file.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	pacfile, err := client.ZeroTrust.Gateway.Pacfiles.Get(
		context.TODO(),
		"ed35569b41ce4d1facfe683550f54086",
		zero_trust.GatewayPacfileGetParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", pacfile.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "contents": "function FindProxyForURL(url, host) { return \"DIRECT\"; }",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "PAC file for Devops team",
    "name": "Devops team",
    "slug": "pac_devops",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "url": "https://pac.cloudflare-gateway.com/699d98642c564d2e855e9661899b7252/pac_devops"
  }
}
```

## Create a PAC file

`client.ZeroTrust.Gateway.Pacfiles.New(ctx, params) (*GatewayPacfileNewResponse, error)`

**post** `/accounts/{account_id}/gateway/pacfiles`

Create a new Zero Trust Gateway
PAC file.

### Parameters

- `params GatewayPacfileNewParams`
  - `AccountID param.Field[string]`
    Path param
  - `Contents param.Field[string]`
    Body param: Actual contents of the PAC file
  - `Name param.Field[string]`
    Body param: Name of the PAC file.
  - `Description param.Field[string]`
    Body param: Detailed description of the PAC file.
  - `Slug param.Field[string]`
    Body param: URL-friendly version of the PAC file name. If not provided, it will be auto-generated

### Returns

- `type GatewayPacfileNewResponse struct{…}`
  - `ID string`
  - `Contents string`
    Actual contents of the PAC file
  - `CreatedAt Time`
  - `Description string`
    Detailed description of the PAC file.
  - `Name string`
    Name of the PAC file.
  - `Slug string`
    URL-friendly version of the PAC file name.
  - `UpdatedAt Time`
  - `URL string`
    Unique URL to download the PAC file.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	pacfile, err := client.ZeroTrust.Gateway.Pacfiles.New(context.TODO(), zero_trust.GatewayPacfileNewParams{
		AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		Contents:  cloudflare.F(`function FindProxyForURL(url, host) { return "DIRECT"; }`),
		Name:      cloudflare.F("Devops team"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", pacfile.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "contents": "function FindProxyForURL(url, host) { return \"DIRECT\"; }",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "PAC file for Devops team",
    "name": "Devops team",
    "slug": "pac_devops",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "url": "https://pac.cloudflare-gateway.com/699d98642c564d2e855e9661899b7252/pac_devops"
  }
}
```

## Update a Zero Trust Gateway PAC file

`client.ZeroTrust.Gateway.Pacfiles.Update(ctx, pacfileID, params) (*GatewayPacfileUpdateResponse, error)`

**put** `/accounts/{account_id}/gateway/pacfiles/{pacfile_id}`

Update a configured Zero Trust Gateway PAC file.

### Parameters

- `pacfileID string`
- `params GatewayPacfileUpdateParams`
  - `AccountID param.Field[string]`
    Path param
  - `Contents param.Field[string]`
    Body param: Actual contents of the PAC file
  - `Description param.Field[string]`
    Body param: Detailed description of the PAC file.
  - `Name param.Field[string]`
    Body param: Name of the PAC file.

### Returns

- `type GatewayPacfileUpdateResponse struct{…}`
  - `ID string`
  - `Contents string`
    Actual contents of the PAC file
  - `CreatedAt Time`
  - `Description string`
    Detailed description of the PAC file.
  - `Name string`
    Name of the PAC file.
  - `Slug string`
    URL-friendly version of the PAC file name.
  - `UpdatedAt Time`
  - `URL string`
    Unique URL to download the PAC file.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	pacfile, err := client.ZeroTrust.Gateway.Pacfiles.Update(
		context.TODO(),
		"ed35569b41ce4d1facfe683550f54086",
		zero_trust.GatewayPacfileUpdateParams{
			AccountID:   cloudflare.F("699d98642c564d2e855e9661899b7252"),
			Contents:    cloudflare.F(`function FindProxyForURL(url, host) { return "DIRECT"; }`),
			Description: cloudflare.F("PAC file for Devops team"),
			Name:        cloudflare.F("Devops team"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", pacfile.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "contents": "function FindProxyForURL(url, host) { return \"DIRECT\"; }",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "PAC file for Devops team",
    "name": "Devops team",
    "slug": "pac_devops",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "url": "https://pac.cloudflare-gateway.com/699d98642c564d2e855e9661899b7252/pac_devops"
  }
}
```

## Delete a PAC file

`client.ZeroTrust.Gateway.Pacfiles.Delete(ctx, pacfileID, body) (*GatewayPacfileDeleteResponse, error)`

**delete** `/accounts/{account_id}/gateway/pacfiles/{pacfile_id}`

Delete a configured Zero Trust Gateway PAC file.

### Parameters

- `pacfileID string`
- `body GatewayPacfileDeleteParams`
  - `AccountID param.Field[string]`

### Returns

- `type GatewayPacfileDeleteResponse interface{…}`

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	pacfile, err := client.ZeroTrust.Gateway.Pacfiles.Delete(
		context.TODO(),
		"ed35569b41ce4d1facfe683550f54086",
		zero_trust.GatewayPacfileDeleteParams{
			AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", pacfile)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {}
}
```
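
The following is an added example, not part of the Cloudflare SDK or this reference: a review of the `Contents` string before it is passed to `Pacfiles.New` or `Pacfiles.Update`, flagging `DIRECT` results (which send traffic around the proxy) and proxy endpoints outside an allowlist. `LintPAC`, `Finding`, the allowlist and the host `proxy.example.net:443` are assumptions made for this illustration, and the check is textual rather than a JavaScript evaluation.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one issue in a PAC body; Directive is empty for file-level issues.
type Finding struct {
	Directive string
	Reason    string
}

var (
	entryPoint    = regexp.MustCompile(`function\s+FindProxyForURL\s*\(`)
	literalReturn = regexp.MustCompile(`return\s*(?:"([^"]*)"|'([^']*)')`)
)

// samplePAC is constructed input for the demo, not a file from the page.
const samplePAC = `function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, ".corp.example")) { return "DIRECT"; }
  return "HTTPS proxy.example.net:443; DIRECT";
}`

// isProxyKind reports whether k is a PAC keyword that takes a host:port.
func isProxyKind(k string) bool {
	switch k {
	case "PROXY", "HTTP", "HTTPS", "SOCKS", "SOCKS4", "SOCKS5":
		return true
	}
	return false
}

// LintPAC reviews the string literals a PAC file returns. It is a textual
// check: return values assembled from variables are not seen.
func LintPAC(contents string, allowedProxies map[string]bool, allowDirect bool) []Finding {
	var out []Finding
	if !entryPoint.MatchString(contents) {
		out = append(out, Finding{"", "FindProxyForURL is not defined"})
	}
	returns := literalReturn.FindAllStringSubmatch(contents, -1)
	if len(returns) == 0 {
		out = append(out, Finding{"", "no literal return value to review"})
	}
	for _, m := range returns {
		// Exactly one of the two capture groups is non-empty per match.
		for _, d := range strings.Split(m[1]+m[2], ";") {
			fields := strings.Fields(d)
			if len(fields) == 0 {
				continue
			}
			switch kind := strings.ToUpper(fields[0]); {
			case kind == "DIRECT" && len(fields) == 1:
				if !allowDirect {
					out = append(out, Finding{"DIRECT", "traffic bypasses the proxy"})
				}
			case len(fields) == 2 && isProxyKind(kind):
				if !allowedProxies[strings.ToLower(fields[1])] {
					out = append(out, Finding{strings.Join(fields, " "), "proxy endpoint is not on the allowlist"})
				}
			default:
				out = append(out, Finding{strings.Join(fields, " "), "unrecognised directive"})
			}
		}
	}
	return out
}

func main() {
	allow := map[string]bool{"proxy.example.net:443": true}
	for _, f := range LintPAC(samplePAC, allow, false) {
		fmt.Printf("%-8s %s\n", f.Directive, f.Reason)
	}
}
```
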
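
A second added example, again not Cloudflare's code, for the `Certificate` and `Fingerprint` fields documented under Certificates above: before a Gateway CA is added to endpoint trust stores, confirm that the PEM hashes to the reported fingerprint and is a currently valid CA. It assumes the fingerprint is SHA-256 over the DER encoding; `ParseFingerprint`, `VerifyGatewayCA` and `NewDemoCA` are names introduced here, the demo CA is generated locally as constructed input, and octets are parsed numerically because the sample responses contain an un-padded `0`.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

// ParseFingerprint turns "E9:19:...:0:31:..." into 32 raw bytes; "0" equals "00".
func ParseFingerprint(fp string) ([]byte, error) {
	parts := strings.Split(strings.TrimSpace(fp), ":")
	if len(parts) != sha256.Size {
		return nil, fmt.Errorf("fingerprint has %d octets, want %d", len(parts), sha256.Size)
	}
	out := make([]byte, 0, sha256.Size)
	for _, p := range parts {
		v, err := strconv.ParseUint(p, 16, 8)
		if err != nil || len(p) > 2 {
			return nil, fmt.Errorf("bad fingerprint octet %q", p)
		}
		out = append(out, byte(v))
	}
	return out, nil
}

// VerifyGatewayCA checks that certPEM hashes to the reported fingerprint and
// is a CA certificate that is valid at the time given in now.
func VerifyGatewayCA(certPEM, fingerprint string, now time.Time) (*x509.Certificate, error) {
	want, err := ParseFingerprint(fingerprint)
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("certificate field holds no PEM CERTIFICATE block")
	}
	got := sha256.Sum256(block.Bytes) // assumption: fingerprint covers the DER bytes
	if !bytes.Equal(got[:], want) {
		return nil, fmt.Errorf("fingerprint mismatch")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return nil, fmt.Errorf("not a CA certificate")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, fmt.Errorf("certificate is outside its validity window")
	}
	return cert, nil
}

// NewDemoCA builds a throwaway self-signed CA (constructed sample input).
func NewDemoCA(notAfter time.Time) (string, string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"Example Inc."}},
		NotBefore:    notAfter.AddDate(-1, 0, 0), NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	sum := sha256.Sum256(der)
	octets := make([]string, len(sum))
	for i, b := range sum {
		// Deliberately un-padded, matching the "0" octet in the sample responses.
		octets[i] = strings.ToUpper(strconv.FormatUint(uint64(b), 16))
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), strings.Join(octets, ":"), nil
}

func main() {
	now := time.Now()
	pemText, fp, err := NewDemoCA(now.AddDate(0, 6, 0))
	if err != nil {
		panic(err)
	}
	_, nowErr := VerifyGatewayCA(pemText, fp, now)
	_, lateErr := VerifyGatewayCA(pemText, fp, now.AddDate(1, 0, 0))
	fmt.Println("now:", nowErr, "| one year on:", lateErr)
}
```
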