
Configurations

Get Zero Trust account configuration
client.ZeroTrust.Gateway.Configurations.Get(ctx, query) (*GatewayConfigurationGetResponse, error)
GET /accounts/{account_id}/gateway/configuration
Update Zero Trust account configuration
client.ZeroTrust.Gateway.Configurations.Update(ctx, params) (*GatewayConfigurationUpdateResponse, error)
PUT /accounts/{account_id}/gateway/configuration
Patch Zero Trust account configuration
client.ZeroTrust.Gateway.Configurations.Edit(ctx, params) (*GatewayConfigurationEditResponse, error)
PATCH /accounts/{account_id}/gateway/configuration
Models
type ActivityLogSettings struct{…}

Specify activity log settings.

Enabled bool (optional)

Specify whether to log activity.

type AntiVirusSettings struct{…}

Specify anti-virus settings.

EnabledDownloadPhase bool (optional)

Specify whether to enable anti-virus scanning on downloads.

EnabledUploadPhase bool (optional)

Specify whether to enable anti-virus scanning on uploads.

FailClosed bool (optional)

Specify whether to block requests for unscannable files.

NotificationSettings NotificationSettings (optional)

Configure the message the user’s device shows during an antivirus scan.

type BlockPageSettings struct{…}

Specify block page layout settings.

BackgroundColor string (optional)

Specify the block page background color in #rrggbb format when the mode is customized_block_page.

Enabled bool (optional)

Specify whether to enable the custom block page.

HeaderText string (optional)

Specify the block page header text when the mode is customized_block_page.

IncludeContext bool (optional)

Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.

LogoPath string (optional)

Specify the full URL to the logo file when the mode is customized_block_page.

MailtoAddress string (optional)

Specify the admin email for users to contact when the mode is customized_block_page.

MailtoSubject string (optional)

Specify the subject line for emails created from the block page when the mode is customized_block_page.

Mode BlockPageSettingsMode (optional)

Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.

One of the following:
const BlockPageSettingsModeEmpty BlockPageSettingsMode = ""
const BlockPageSettingsModeCustomizedBlockPage BlockPageSettingsMode = "customized_block_page"
const BlockPageSettingsModeRedirectURI BlockPageSettingsMode = "redirect_uri"
Name string (optional)

Specify the block page title when the mode is customized_block_page.

ReadOnly bool (optional)

Indicate that this setting was shared via the Orgs API and is read-only for the current account.

SourceAccount string (optional)

Indicate the account tag of the account that shared this setting.

TargetURI string (optional)

Specify the URI to redirect users to when the mode is redirect_uri.

format: uri
Version int64 (optional)

Indicate the version number of the setting.

type BodyScanningSettings struct{…}

Specify the DLP inspection mode.

InspectionMode BodyScanningSettingsInspectionMode (optional)

Specify the inspection mode as either deep or shallow.

One of the following:
const BodyScanningSettingsInspectionModeDeep BodyScanningSettingsInspectionMode = "deep"
const BodyScanningSettingsInspectionModeShallow BodyScanningSettingsInspectionMode = "shallow"
type BrowserIsolationSettings struct{…}

Specify Clientless Browser Isolation settings.

NonIdentityEnabled bool (optional)

Specify whether to enable non-identity onramp support for Browser Isolation.

URLBrowserIsolationEnabled bool (optional)

Specify whether to enable Clientless Browser Isolation.

type CustomCertificateSettings struct{…}

Specify custom certificate settings for BYO-PKI. This field is deprecated; use certificate instead.

Enabled bool

Specify whether to enable a custom certificate authority for signing Gateway traffic.

ID string (optional)

Specify the UUID of the certificate (ID from MTLS certificate store).

BindingStatus string (optional)

Indicate the internal certificate status.

UpdatedAt Time (optional)
format: date-time
type ExtendedEmailMatching struct{…}

Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses . or + modifiers.

Enabled bool (optional)

Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.

ReadOnly bool (optional)

Indicate that this setting was shared via the Orgs API and is read-only for the current account.

SourceAccount string (optional)

Indicate the account tag of the account that shared this setting.

Version int64 (optional)

Indicate the version number of the setting.

type FipsSettings struct{…}

Specify FIPS settings.

TLS bool (optional)

Enforce cipher suites and TLS versions compliant with FIPS 140-2.

type GatewayConfigurationSettings struct{…}

Specify account settings.

ActivityLog ActivityLogSettings (optional)

Specify activity log settings.

Antivirus AntiVirusSettings (optional)

Specify anti-virus settings.

BlockPage BlockPageSettings (optional)

Specify block page layout settings.

BodyScanning BodyScanningSettings (optional)

Specify the DLP inspection mode.

BrowserIsolation BrowserIsolationSettings (optional)

Specify Clientless Browser Isolation settings.

Certificate GatewayConfigurationSettingsCertificate (optional)

Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.

ID string

Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called ‘active’). A nil UUID directs Cloudflare to use the Root CA.

DeprecatedCustomCertificate CustomCertificateSettings (optional)

Specify custom certificate settings for BYO-PKI. This field is deprecated; use certificate instead.

ExtendedEmailMatching ExtendedEmailMatching (optional)

Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses . or + modifiers.

Fips FipsSettings (optional)

Specify FIPS settings.

HostSelector GatewayConfigurationSettingsHostSelector (optional)

Enable host selection in egress policies.

Enabled bool (optional)

Specify whether to enable filtering via hosts for egress policies.

Inspection GatewayConfigurationSettingsInspection (optional)

Define the proxy inspection mode.

Mode GatewayConfigurationSettingsInspectionMode (optional)

Define the proxy inspection mode.
1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.

One of the following:
const GatewayConfigurationSettingsInspectionModeStatic GatewayConfigurationSettingsInspectionMode = "static"
const GatewayConfigurationSettingsInspectionModeDynamic GatewayConfigurationSettingsInspectionMode = "dynamic"
ProtocolDetection ProtocolDetection (optional)

Specify whether to detect protocols from the initial bytes of client traffic.

Sandbox GatewayConfigurationSettingsSandbox (optional)

Specify whether to enable the sandbox.

Enabled bool (optional)

Specify whether to enable the sandbox.

FallbackAction GatewayConfigurationSettingsSandboxFallbackAction (optional)

Specify the action to take when the system cannot scan the file.

One of the following:
const GatewayConfigurationSettingsSandboxFallbackActionAllow GatewayConfigurationSettingsSandboxFallbackAction = "allow"
const GatewayConfigurationSettingsSandboxFallbackActionBlock GatewayConfigurationSettingsSandboxFallbackAction = "block"
TLSDecrypt TLSSettings (optional)

Specify whether to inspect encrypted HTTP traffic.

type NotificationSettings struct{…}

Configure the message the user’s device shows during an antivirus scan.

Enabled bool (optional)

Specify whether to enable notifications.

IncludeContext bool (optional)

Specify whether to include context information as query parameters.

Msg string (optional)

Specify the message to show in the notification.

SupportURL string (optional)

Specify a URL that directs users to more information. If unset, the notification opens a block page.

type ProtocolDetection struct{…}

Specify whether to detect protocols from the initial bytes of client traffic.

Enabled bool (optional)

Specify whether to detect protocols from the initial bytes of client traffic.

type TLSSettings struct{…}

Specify whether to inspect encrypted HTTP traffic.

Enabled bool (optional)

Specify whether to inspect encrypted HTTP traffic.
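
A configuration audit over the settings documented above, as an added example rather than SDK or Cloudflare code. `Settings` is a local, flattened mirror of the documented fields (a hypothetical type for illustration, not the SDK's), `Audit` is a hypothetical helper, and the sample values are constructed.

```go
package main

import "fmt"

// Settings is a hypothetical local mirror of fields documented on this page.
type Settings struct {
	ActivityLogEnabled     bool   // ActivityLog.Enabled
	AVDownload, AVUpload   bool   // Antivirus.EnabledDownloadPhase / EnabledUploadPhase
	AVFailClosed           bool   // Antivirus.FailClosed
	InspectionMode         string // Inspection.Mode: "static" or "dynamic"
	TLSDecryptEnabled      bool   // TLSDecrypt.Enabled
	SandboxEnabled         bool   // Sandbox.Enabled
	SandboxFallbackAction  string // Sandbox.FallbackAction: "allow" or "block"
	DeprecatedCustomCertOn bool   // DeprecatedCustomCertificate.Enabled
	CertificateID          string // Certificate.ID
}

// Audit returns one finding per setting that leaves traffic unlogged,
// unscanned or uninspected, following the field descriptions above.
func Audit(s Settings) []string {
	var f []string
	if !s.ActivityLogEnabled {
		f = append(f, "ActivityLog.Enabled=false: activity is not logged")
	}
	if (s.AVDownload || s.AVUpload) && !s.AVFailClosed {
		f = append(f, "Antivirus.FailClosed=false: unscannable files are not blocked")
	}
	if s.SandboxEnabled && s.SandboxFallbackAction != "block" {
		f = append(f, "Sandbox.FallbackAction is not block: files that cannot be scanned pass")
	}
	if !s.TLSDecryptEnabled {
		f = append(f, fmt.Sprintf("TLSDecrypt.Enabled=false: HTTPS is not inspected in %q mode", s.InspectionMode))
	}
	if s.DeprecatedCustomCertOn && s.CertificateID == "" {
		f = append(f, "DeprecatedCustomCertificate in use: move to Certificate.ID")
	}
	return f
}

func main() {
	// Constructed sample: scanning is enabled but every failure path is open.
	weak := Settings{AVDownload: true, SandboxEnabled: true,
		SandboxFallbackAction: "allow", InspectionMode: "dynamic",
		DeprecatedCustomCertOn: true}
	for _, finding := range Audit(weak) {
		fmt.Println(finding)
	}
}
```

Populate `Settings` from the result of `Configurations.Get` before each `Update` or `Edit` call to catch a change that silently opens one of these paths.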

Configurations: Custom Certificate

Get Zero Trust certificate configuration
Deprecated
client.ZeroTrust.Gateway.Configurations.CustomCertificate.Get(ctx, query) (*CustomCertificateSettings, error)
GET /accounts/{account_id}/gateway/configuration/custom_certificate