Create a Zero Trust Gateway rule

client.zeroTrust.gateway.rules.create(, ?): GatewayRule { action, enabled, filters, 18 more }

POST/accounts/{account_id}/gateway/rules

Create a new Zero Trust Gateway rule.

Security

API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY

API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194

ParametersExpand Collapse

params: RuleCreateParams { account_id, action, name, 10 more }

account_id: string

Path param

action: "on" | "off" | "allow" | 13 more

Body param: Specify the action to perform when the associated traffic, identity, and device posture expressions either absent or evaluate to true.

One of the following:

"on"

"off"

"allow"

"block"

"scan"

"noscan"

"safesearch"

"ytrestricted"

"isolate"

"noisolate"

"override"

"l4_override"

"egress"

"resolve"

"quarantine"

"redirect"

name: string

Body param: Specify the rule name.

description?: string

Body param: Specify the rule description.

device_posture?: string

Body param: Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

enabled?: boolean

Body param: Specify whether the rule is enabled.

expiration?: Expiration | null

Body param: Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy’s schedule configuration, if any. This does not apply to HTTP or network policies. Settable only for dns rules.

expires_at: string

Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.

formatdate-time

duration?: number

Defines the default duration a policy active in minutes. Must set in order to use the reset_expiration endpoint on this rule.

minimum5

expired?: boolean

Indicates whether the policy is expired.

filters?: Array<GatewayFilter>

Body param: Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.

One of the following:

"http"

"dns"

"l4"

"egress"

"dns_resolver"

identity?: string

Body param: Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

precedence?: number

Body param: Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to Order of enforcement to manage precedence via Terraform.

rule_settings?: RuleSetting { add_headers, allow_child_bypass, audit_ssh, 23 more }

Body param: Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.

add_headers?: Record<string, Array<string>> | null

Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for http rules with the action set to allow.

allow_child_bypass?: boolean | null

Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. this rule. Settable for all types of rules.

audit_ssh?: AuditSSH | null

Define the settings for the Audit SSH action. Settable only for l4 rules with audit_ssh action.

command_logging?: boolean

Enable SSH command logging.

biso_admin_controls?: BISOAdminControls { copy, dcp, dd, 10 more }

Configure browser isolation behavior. Settable only for http rules with the action set to isolate.

copy?: "enabled" | "disabled" | "remote_only"

Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == “v2”.

One of the following:

"enabled"

"disabled"

"remote_only"

dcp?: boolean

Set to false to enable copy-pasting. Only applies when version == "v1".

dd?: boolean

Set to false to enable downloading. Only applies when version == "v1".

dk?: boolean

Set to false to enable keyboard usage. Only applies when version == "v1".

download?: "enabled" | "disabled" | "remote_only"

Configure download behavior. When set to remote_only, users can view downloads but cannot save them. If this field is absent, downloading remains enabled. Applies only when version == “v2”.

One of the following:

"enabled"

"disabled"

"remote_only"

dp?: boolean

Set to false to enable printing. Only applies when version == "v1".

du?: boolean

Set to false to enable uploading. Only applies when version == "v1".

keyboard?: "enabled" | "disabled"

Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == “v2”.

One of the following:

"enabled"

"disabled"

paste?: "enabled" | "disabled" | "remote_only"

Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == “v2”.

One of the following:

"enabled"

"disabled"

"remote_only"

printing?: "enabled" | "disabled"

Configure print behavior. Default, Printing is enabled. Applies only when version == “v2”.

One of the following:

"enabled"

"disabled"

upload?: "enabled" | "disabled"

Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == “v2”.

One of the following:

"enabled"

"disabled"

version?: "v1" | "v2"

Indicate which version of the browser isolation controls should apply.

One of the following:

"v1"

"v2"

wm_id?: string

Specify the watermark ID (UUID) to apply to the isolated browser session. When present, enables watermark rendering in the isolated browser.

formatuuid

maxLength36

minLength1

block_page?: BlockPage | null

Configure custom block page settings. If missing or null, use the account settings. Settable only for http rules with the action set to block.

target_uri: string

Specify the URI to which the user is redirected.

formaturi

include_context?: boolean

Specify whether to pass the context information as query parameters.

block_page_enabled?: boolean

Enable the custom block page. Settable only for dns rules with action block.

block_reason?: string | null

Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for dns, l4, and http rules when the action set to block.

bypass_parent_rule?: boolean | null

Set to enable MSP accounts to bypass their parent’s rules. Only MSP child accounts can set this. Settable for all types of rules.

check_session?: CheckSession | null

Configure session check behavior. Settable only for l4 and http rules with the action set to allow.

duration?: string

Sets the required session freshness threshold. The API returns a normalized version of this value.

enforce?: boolean

Enable session enforcement.

dns_resolvers?: DNSResolvers | null

Configure custom resolvers to route queries that match the resolver policy. Unused with ‘resolve_dns_through_cloudflare’ or ‘resolve_dns_internally’ settings. DNS queries get routed to the address closest to their origin. Only valid when a rule’s action set to ‘resolve’. Settable only for dns_resolver rules.

ipv4?: Array<DNSResolverSettingsV4 { ip, port, route_through_private_network, vnet_id } >

ip: string

Specify the IPv4 address of the upstream resolver.

port?: number

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

route_through_private_network?: boolean

Indicate whether to connect to this resolver over a private network. Must set when vnet_id set.

vnet_id?: string

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

ipv6?: Array<DNSResolverSettingsV6 { ip, port, route_through_private_network, vnet_id } >

ip: string

Specify the IPv6 address of the upstream resolver.

port?: number

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

route_through_private_network?: boolean

Indicate whether to connect to this resolver over a private network. Must set when vnet_id set.

vnet_id?: string

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

egress?: Egress | null

Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for egress rules.

ipv4?: string

Specify the IPv4 address to use for egress.

ipv4_fallback?: string

Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set ‘0.0.0.0’ to indicate local egress via WARP IPs.

ipv6?: string

Specify the IPv6 range to use for egress.

forensic_copy?: ForensicCopy | null

Configure whether a copy of the HTTP request will be sent to storage when the rule matches.

enabled?: boolean

Enable sending the copy to storage.

ignore_cname_category_matches?: boolean

Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for dns and dns_resolver rules.

insecure_disable_dnssec_validation?: boolean

Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for dns rules.

ip_categories?: boolean

Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for dns and dns_resolver rules.

ip_indicator_feeds?: boolean

Indicates whether to include IPs in DNS resolver indicator feed blocks. Default, indicator feeds block only domain names. Settable only for dns and dns_resolver rules.

l4override?: L4override | null

Send matching traffic to the supplied destination IP address and port. Settable only for l4 rules with the action set to l4_override.

ip?: string

Defines the IPv4 or IPv6 address.

port?: number

Defines a port number to use for TCP/UDP overrides.

notification_settings?: NotificationSettings | null

Configure a notification to display on the user’s device when this rule matched. Settable for all types of rules with the action set to block.

enabled?: boolean

Enable notification.

include_context?: boolean

Indicates whether to pass the context information as query parameters.

msg?: string

Customize the message shown in the notification.

support_url?: string

Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.

override_host?: string

Defines a hostname for override, for the matching DNS queries. Settable only for dns rules with the action set to override.

override_ips?: Array<string> | null

Defines a an IP or set of IPs for overriding matched DNS queries. Settable only for dns rules with the action set to override.

payload_log?: PayloadLog | null

Configure DLP payload logging. Settable only for http rules.

enabled?: boolean

Enable DLP payload logging for this rule.

quarantine?: Quarantine | null

Configure settings that apply to quarantine rules. Settable only for http rules.

file_types?: Array<"exe" | "pdf" | "doc" | 10 more>

Specify the types of files to sandbox.

One of the following:

"exe"

"pdf"

"doc"

"docm"

"docx"

"rtf"

"ppt"

"pptx"

"xls"

"xlsm"

"xlsx"

"zip"

"rar"

redirect?: Redirect | null

Apply settings to redirect rules. Settable only for http rules with the action set to redirect.

target_uri: string

Specify the URI to which the user is redirected.

formaturi

include_context?: boolean

Specify whether to pass the context information as query parameters.

preserve_path_and_query?: boolean

Specify whether to append the path and query parameters from the original request to target_uri.

resolve_dns_internally?: ResolveDNSInternally | null

Configure to forward the query to the internal DNS service, passing the specified ‘view_id’ as input. Not used when ‘dns_resolvers’ is specified or ‘resolve_dns_through_cloudflare’ is set. Only valid when a rule’s action set to ‘resolve’. Settable only for dns_resolver rules.

fallback?: "none" | "public_dns"

Specify the fallback behavior to apply when the internal DNS response code differs from ‘NOERROR’ or when the response data contains only CNAME records for ‘A’ or ‘AAAA’ queries.

One of the following:

"none"

"public_dns"

view_id?: string

Specify the internal DNS view identifier to pass to the internal DNS service.

resolve_dns_through_cloudflare?: boolean | null

Enable to send queries that match the policy to Cloudflare’s default 1.1.1.1 DNS resolver. Cannot set when ‘dns_resolvers’ specified or ‘resolve_dns_internally’ is set. Only valid when a rule’s action set to ‘resolve’. Settable only for dns_resolver rules.

untrusted_cert?: UntrustedCERT | null

Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for http rules with the action set to allow.

action?: "pass_through" | "block" | "error"

Defines the action performed when an untrusted certificate seen. The default action an error with HTTP code 526.

One of the following:

"pass_through"

"block"

"error"

schedule?: Schedule { fri, mon, sat, 5 more } | null

Body param: Defines the schedule for activating DNS policies. Settable only for dns and dns_resolver rules.

fri?: string

Specify the time intervals when the rule is active on Fridays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

mon?: string

Specify the time intervals when the rule is active on Mondays, in the increasing order from 00:00-24:00(capped at maximum of 6 time splits). If this parameter omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

sat?: string

Specify the time intervals when the rule is active on Saturdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Saturdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

sun?: string

Specify the time intervals when the rule is active on Sundays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Sundays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

thu?: string

Specify the time intervals when the rule is active on Thursdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

time_zone?: string

Specify the time zone for rule evaluation. When a valid time zone city name is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user’s IP address. Colo time zone is used when the user’s IP address does not resolve to a location.

tue?: string

Specify the time intervals when the rule is active on Tuesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

wed?: string

Specify the time intervals when the rule is active on Wednesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Wednesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

traffic?: string

Body param: Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

ReturnsExpand Collapse

GatewayRule { action, enabled, filters, 18 more }

action: "on" | "off" | "allow" | 13 more

Specify the action to perform when the associated traffic, identity, and device posture expressions either absent or evaluate to true.

One of the following:

"on"

"off"

"allow"

"block"

"scan"

"noscan"

"safesearch"

"ytrestricted"

"isolate"

"noisolate"

"override"

"l4_override"

"egress"

"resolve"

"quarantine"

"redirect"

enabled: boolean

Specify whether the rule is enabled.

filters: Array<GatewayFilter>

Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.

One of the following:

"http"

"dns"

"l4"

"egress"

"dns_resolver"

name: string

Specify the rule name.

precedence: number

Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to Order of enforcement to manage precedence via Terraform.

traffic: string

Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

id?: string

Identify the API resource with a UUID.

maxLength36

created_at?: string

formatdate-time

deleted_at?: string | null

Indicate the date of deletion, if any.

formatdate-time

description?: string

Specify the rule description.

device_posture?: string

Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

expiration?: Expiration | null

Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy’s schedule configuration, if any. This does not apply to HTTP or network policies. Settable only for dns rules.

expires_at: string

formatdate-time

duration?: number

Defines the default duration a policy active in minutes. Must set in order to use the reset_expiration endpoint on this rule.

minimum5

expired?: boolean

Indicates whether the policy is expired.

identity?: string

Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

read_only?: boolean

Indicate that this rule is shared via the Orgs API and read only.

rule_settings?: RuleSetting { add_headers, allow_child_bypass, audit_ssh, 23 more }

Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.

add_headers?: Record<string, Array<string>> | null

Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for http rules with the action set to allow.

allow_child_bypass?: boolean | null

Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. this rule. Settable for all types of rules.

audit_ssh?: AuditSSH | null

Define the settings for the Audit SSH action. Settable only for l4 rules with audit_ssh action.

command_logging?: boolean

Enable SSH command logging.

biso_admin_controls?: BISOAdminControls { copy, dcp, dd, 10 more }

Configure browser isolation behavior. Settable only for http rules with the action set to isolate.

copy?: "enabled" | "disabled" | "remote_only"

One of the following:

"enabled"

"disabled"

"remote_only"

dcp?: boolean

Set to false to enable copy-pasting. Only applies when version == "v1".

dd?: boolean

Set to false to enable downloading. Only applies when version == "v1".

dk?: boolean

Set to false to enable keyboard usage. Only applies when version == "v1".

download?: "enabled" | "disabled" | "remote_only"

Configure download behavior. When set to remote_only, users can view downloads but cannot save them. If this field is absent, downloading remains enabled. Applies only when version == “v2”.

One of the following:

"enabled"

"disabled"

"remote_only"

dp?: boolean

Set to false to enable printing. Only applies when version == "v1".

du?: boolean

Set to false to enable uploading. Only applies when version == "v1".

keyboard?: "enabled" | "disabled"

Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == “v2”.

One of the following:

"enabled"

"disabled"

paste?: "enabled" | "disabled" | "remote_only"

One of the following:

"enabled"

"disabled"

"remote_only"

printing?: "enabled" | "disabled"

Configure print behavior. Default, Printing is enabled. Applies only when version == “v2”.

One of the following:

"enabled"

"disabled"

upload?: "enabled" | "disabled"

Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == “v2”.

One of the following:

"enabled"

"disabled"

version?: "v1" | "v2"

Indicate which version of the browser isolation controls should apply.

One of the following:

"v1"

"v2"

wm_id?: string

Specify the watermark ID (UUID) to apply to the isolated browser session. When present, enables watermark rendering in the isolated browser.

formatuuid

maxLength36

minLength1

block_page?: BlockPage | null

Configure custom block page settings. If missing or null, use the account settings. Settable only for http rules with the action set to block.

target_uri: string

Specify the URI to which the user is redirected.

formaturi

include_context?: boolean

Specify whether to pass the context information as query parameters.

block_page_enabled?: boolean

Enable the custom block page. Settable only for dns rules with action block.

block_reason?: string | null

Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for dns, l4, and http rules when the action set to block.

bypass_parent_rule?: boolean | null

Set to enable MSP accounts to bypass their parent’s rules. Only MSP child accounts can set this. Settable for all types of rules.

check_session?: CheckSession | null

Configure session check behavior. Settable only for l4 and http rules with the action set to allow.

duration?: string

Sets the required session freshness threshold. The API returns a normalized version of this value.

enforce?: boolean

Enable session enforcement.

dns_resolvers?: DNSResolvers | null

ipv4?: Array<DNSResolverSettingsV4 { ip, port, route_through_private_network, vnet_id } >

ip: string

Specify the IPv4 address of the upstream resolver.

port?: number

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

route_through_private_network?: boolean

Indicate whether to connect to this resolver over a private network. Must set when vnet_id set.

vnet_id?: string

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

ipv6?: Array<DNSResolverSettingsV6 { ip, port, route_through_private_network, vnet_id } >

ip: string

Specify the IPv6 address of the upstream resolver.

port?: number

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

route_through_private_network?: boolean

Indicate whether to connect to this resolver over a private network. Must set when vnet_id set.

vnet_id?: string

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

egress?: Egress | null

ipv4?: string

Specify the IPv4 address to use for egress.

ipv4_fallback?: string

Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set ‘0.0.0.0’ to indicate local egress via WARP IPs.

ipv6?: string

Specify the IPv6 range to use for egress.

forensic_copy?: ForensicCopy | null

Configure whether a copy of the HTTP request will be sent to storage when the rule matches.

enabled?: boolean

Enable sending the copy to storage.

ignore_cname_category_matches?: boolean

insecure_disable_dnssec_validation?: boolean

Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for dns rules.

ip_categories?: boolean

Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for dns and dns_resolver rules.

ip_indicator_feeds?: boolean

Indicates whether to include IPs in DNS resolver indicator feed blocks. Default, indicator feeds block only domain names. Settable only for dns and dns_resolver rules.

l4override?: L4override | null

Send matching traffic to the supplied destination IP address and port. Settable only for l4 rules with the action set to l4_override.

ip?: string

Defines the IPv4 or IPv6 address.

port?: number

Defines a port number to use for TCP/UDP overrides.

notification_settings?: NotificationSettings | null

Configure a notification to display on the user’s device when this rule matched. Settable for all types of rules with the action set to block.

enabled?: boolean

Enable notification.

include_context?: boolean

Indicates whether to pass the context information as query parameters.

msg?: string

Customize the message shown in the notification.

support_url?: string

Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.

override_host?: string

Defines a hostname for override, for the matching DNS queries. Settable only for dns rules with the action set to override.

override_ips?: Array<string> | null

Defines a an IP or set of IPs for overriding matched DNS queries. Settable only for dns rules with the action set to override.

payload_log?: PayloadLog | null

Configure DLP payload logging. Settable only for http rules.

enabled?: boolean

Enable DLP payload logging for this rule.

quarantine?: Quarantine | null

Configure settings that apply to quarantine rules. Settable only for http rules.

file_types?: Array<"exe" | "pdf" | "doc" | 10 more>

Specify the types of files to sandbox.

One of the following:

"exe"

"pdf"

"doc"

"docm"

"docx"

"rtf"

"ppt"

"pptx"

"xls"

"xlsm"

"xlsx"

"zip"

"rar"

redirect?: Redirect | null

Apply settings to redirect rules. Settable only for http rules with the action set to redirect.

target_uri: string

Specify the URI to which the user is redirected.

formaturi

include_context?: boolean

Specify whether to pass the context information as query parameters.

preserve_path_and_query?: boolean

Specify whether to append the path and query parameters from the original request to target_uri.

resolve_dns_internally?: ResolveDNSInternally | null

fallback?: "none" | "public_dns"

Specify the fallback behavior to apply when the internal DNS response code differs from ‘NOERROR’ or when the response data contains only CNAME records for ‘A’ or ‘AAAA’ queries.

One of the following:

"none"

"public_dns"

view_id?: string

Specify the internal DNS view identifier to pass to the internal DNS service.

resolve_dns_through_cloudflare?: boolean | null

untrusted_cert?: UntrustedCERT | null

Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for http rules with the action set to allow.

action?: "pass_through" | "block" | "error"

Defines the action performed when an untrusted certificate seen. The default action an error with HTTP code 526.

One of the following:

"pass_through"

"block"

"error"

schedule?: Schedule { fri, mon, sat, 5 more } | null

Defines the schedule for activating DNS policies. Settable only for dns and dns_resolver rules.

fri?: string

mon?: string

sat?: string

sun?: string

thu?: string

time_zone?: string

tue?: string

wed?: string

sharable?: boolean

Indicate that this rule is sharable via the Orgs API.

source_account?: string

Provide the account tag of the account that created the rule.

updated_at?: string

formatdate-time

version?: number

Indicate the version number of the rule(read-only).

warning_status?: string | null

Indicate a warning for a misconfigured rule, if any.

Create a Zero Trust Gateway rule

import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const gatewayRule = await client.zeroTrust.gateway.rules.create({
  account_id: '699d98642c564d2e855e9661899b7252',
  action: 'allow',
  name: 'block bad websites',
});

console.log(gatewayRule.id);

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "action": "allow",
    "enabled": true,
    "filters": [
      "http"
    ],
    "name": "block bad websites",
    "precedence": 0,
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "deleted_at": "2019-12-27T18:11:19.117Z",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "expiration": {
      "expires_at": "2014-01-01T05:20:20Z",
      "duration": 10,
      "expired": false
    },
    "identity": "any(identity.groups.name[*] in {\"finance\"})",
    "read_only": true,
    "rule_settings": {
      "add_headers": {
        "My-Next-Header": [
          "foo",
          "bar"
        ],
        "X-Custom-Header-Name": [
          "somecustomvalue"
        ]
      },
      "allow_child_bypass": false,
      "audit_ssh": {
        "command_logging": false
      },
      "biso_admin_controls": {
        "copy": "remote_only",
        "dcp": true,
        "dd": true,
        "dk": true,
        "download": "enabled",
        "dp": false,
        "du": true,
        "keyboard": "enabled",
        "paste": "enabled",
        "printing": "enabled",
        "upload": "enabled",
        "version": "v1",
        "wm_id": "475345dc-5299-4b6e-8f6a-3d3e4c8e9f1a"
      },
      "block_page": {
        "target_uri": "https://example.com",
        "include_context": true
      },
      "block_page_enabled": true,
      "block_reason": "This website is a security risk",
      "bypass_parent_rule": false,
      "check_session": {
        "duration": "300s",
        "enforce": true
      },
      "dns_resolvers": {
        "ipv4": [
          {
            "ip": "2.2.2.2",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ],
        "ipv6": [
          {
            "ip": "2001:DB8::",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ]
      },
      "egress": {
        "ipv4": "192.0.2.2",
        "ipv4_fallback": "192.0.2.3",
        "ipv6": "2001:DB8::/64"
      },
      "forensic_copy": {
        "enabled": true
      },
      "ignore_cname_category_matches": true,
      "insecure_disable_dnssec_validation": false,
      "ip_categories": true,
      "ip_indicator_feeds": true,
      "l4override": {
        "ip": "1.1.1.1",
        "port": 0
      },
      "notification_settings": {
        "enabled": true,
        "include_context": true,
        "msg": "msg",
        "support_url": "support_url"
      },
      "override_host": "example.com",
      "override_ips": [
        "1.1.1.1",
        "2.2.2.2"
      ],
      "payload_log": {
        "enabled": true
      },
      "quarantine": {
        "file_types": [
          "exe"
        ]
      },
      "redirect": {
        "target_uri": "https://example.com",
        "include_context": true,
        "preserve_path_and_query": true
      },
      "resolve_dns_internally": {
        "fallback": "none",
        "view_id": "view_id"
      },
      "resolve_dns_through_cloudflare": true,
      "untrusted_cert": {
        "action": "error"
      }
    },
    "schedule": {
      "fri": "08:00-12:30,13:30-17:00",
      "mon": "08:00-12:30,13:30-17:00",
      "sat": "08:00-12:30,13:30-17:00",
      "sun": "08:00-12:30,13:30-17:00",
      "thu": "08:00-12:30,13:30-17:00",
      "time_zone": "America/New York",
      "tue": "08:00-12:30,13:30-17:00",
      "wed": "08:00-12:30,13:30-17:00"
    },
    "sharable": true,
    "source_account": "source_account",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "version": 1,
    "warning_status": "warning_status"
  }
}

Returns Examples

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "action": "allow",
    "enabled": true,
    "filters": [
      "http"
    ],
    "name": "block bad websites",
    "precedence": 0,
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "deleted_at": "2019-12-27T18:11:19.117Z",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "expiration": {
      "expires_at": "2014-01-01T05:20:20Z",
      "duration": 10,
      "expired": false
    },
    "identity": "any(identity.groups.name[*] in {\"finance\"})",
    "read_only": true,
    "rule_settings": {
      "add_headers": {
        "My-Next-Header": [
          "foo",
          "bar"
        ],
        "X-Custom-Header-Name": [
          "somecustomvalue"
        ]
      },
      "allow_child_bypass": false,
      "audit_ssh": {
        "command_logging": false
      },
      "biso_admin_controls": {
        "copy": "remote_only",
        "dcp": true,
        "dd": true,
        "dk": true,
        "download": "enabled",
        "dp": false,
        "du": true,
        "keyboard": "enabled",
        "paste": "enabled",
        "printing": "enabled",
        "upload": "enabled",
        "version": "v1",
        "wm_id": "475345dc-5299-4b6e-8f6a-3d3e4c8e9f1a"
      },
      "block_page": {
        "target_uri": "https://example.com",
        "include_context": true
      },
      "block_page_enabled": true,
      "block_reason": "This website is a security risk",
      "bypass_parent_rule": false,
      "check_session": {
        "duration": "300s",
        "enforce": true
      },
      "dns_resolvers": {
        "ipv4": [
          {
            "ip": "2.2.2.2",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ],
        "ipv6": [
          {
            "ip": "2001:DB8::",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ]
      },
      "egress": {
        "ipv4": "192.0.2.2",
        "ipv4_fallback": "192.0.2.3",
        "ipv6": "2001:DB8::/64"
      },
      "forensic_copy": {
        "enabled": true
      },
      "ignore_cname_category_matches": true,
      "insecure_disable_dnssec_validation": false,
      "ip_categories": true,
      "ip_indicator_feeds": true,
      "l4override": {
        "ip": "1.1.1.1",
        "port": 0
      },
      "notification_settings": {
        "enabled": true,
        "include_context": true,
        "msg": "msg",
        "support_url": "support_url"
      },
      "override_host": "example.com",
      "override_ips": [
        "1.1.1.1",
        "2.2.2.2"
      ],
      "payload_log": {
        "enabled": true
      },
      "quarantine": {
        "file_types": [
          "exe"
        ]
      },
      "redirect": {
        "target_uri": "https://example.com",
        "include_context": true,
        "preserve_path_and_query": true
      },
      "resolve_dns_internally": {
        "fallback": "none",
        "view_id": "view_id"
      },
      "resolve_dns_through_cloudflare": true,
      "untrusted_cert": {
        "action": "error"
      }
    },
    "schedule": {
      "fri": "08:00-12:30,13:30-17:00",
      "mon": "08:00-12:30,13:30-17:00",
      "sat": "08:00-12:30,13:30-17:00",
      "sun": "08:00-12:30,13:30-17:00",
      "thu": "08:00-12:30,13:30-17:00",
      "time_zone": "America/New York",
      "tue": "08:00-12:30,13:30-17:00",
      "wed": "08:00-12:30,13:30-17:00"
    },
    "sharable": true,
    "source_account": "source_account",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "version": 1,
    "warning_status": "warning_status"
  }
}