Rules
List Zero Trust Gateway rules
Get Zero Trust Gateway rule details.
Create a Zero Trust Gateway rule
Update a Zero Trust Gateway rule
Delete a Zero Trust Gateway rule
List Zero Trust Gateway rules inherited from the parent account
Reset the expiration of a Zero Trust Gateway Rule
ModelsExpand Collapse
DNSResolverSettingsV4 { ip, port, route_through_private_network, vnet_id }
DNSResolverSettingsV6 { ip, port, route_through_private_network, vnet_id }
GatewayRule { action, enabled, filters, 18 more }
action: "on" or "off" or "allow" or 13 moreSpecify the action to perform when the associated traffic, identity, and device posture expressions either absent or evaluate to true.
Specify the action to perform when the associated traffic, identity, and device posture expressions either absent or evaluate to true.
Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to Order of enforcement to manage precedence via Terraform.
Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
expiration: optional { expires_at, duration, expired } Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy’s schedule configuration, if any. This does not apply to HTTP or network policies. Settable only for dns rules.
Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy’s schedule configuration, if any. This does not apply to HTTP or network policies. Settable only for dns rules.
Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.
Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
RuleSetting { add_headers, allow_child_bypass, audit_ssh, 23 more } Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for http rules with the action set to allow.
Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. this rule. Settable for all types of rules.
audit_ssh: optional { command_logging } Define the settings for the Audit SSH action. Settable only for l4 rules with audit_ssh action.
Define the settings for the Audit SSH action. Settable only for l4 rules with audit_ssh action.
biso_admin_controls: optional { copy, dcp, dd, 9 more } Configure browser isolation behavior. Settable only for http rules with the action set to isolate.
Configure browser isolation behavior. Settable only for http rules with the action set to isolate.
copy: optional "enabled" or "disabled" or "remote_only"Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == “v2”.
Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == “v2”.
download: optional "enabled" or "disabled" or "remote_only"Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == “v2”.
Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == “v2”.
keyboard: optional "enabled" or "disabled"Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == “v2”.
Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == “v2”.
paste: optional "enabled" or "disabled" or "remote_only"Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == “v2”.
Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == “v2”.
printing: optional "enabled" or "disabled"Configure print behavior. Default, Printing is enabled. Applies only when version == “v2”.
Configure print behavior. Default, Printing is enabled. Applies only when version == “v2”.
block_page: optional { target_uri, include_context } Configure custom block page settings. If missing or null, use the account settings. Settable only for http rules with the action set to block.
Configure custom block page settings. If missing or null, use the account settings. Settable only for http rules with the action set to block.
Enable the custom block page. Settable only for dns rules with action block.
Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for dns, l4, and http rules when the action set to block.
Set to enable MSP accounts to bypass their parent’s rules. Only MSP child accounts can set this. Settable for all types of rules.
check_session: optional { duration, enforce } Configure session check behavior. Settable only for l4 and http rules with the action set to allow.
Configure session check behavior. Settable only for l4 and http rules with the action set to allow.
dns_resolvers: optional { ipv4, ipv6 } Configure custom resolvers to route queries that match the resolver policy. Unused with ‘resolve_dns_through_cloudflare’ or ‘resolve_dns_internally’ settings. DNS queries get routed to the address closest to their origin. Only valid when a rule’s action set to ‘resolve’. Settable only for dns_resolver rules.
Configure custom resolvers to route queries that match the resolver policy. Unused with ‘resolve_dns_through_cloudflare’ or ‘resolve_dns_internally’ settings. DNS queries get routed to the address closest to their origin. Only valid when a rule’s action set to ‘resolve’. Settable only for dns_resolver rules.
egress: optional { ipv4, ipv4_fallback, ipv6 } Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for egress rules.
Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for egress rules.
forensic_copy: optional { enabled } Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for dns and dns_resolver rules.
Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for dns rules.
Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for dns and dns_resolver rules.
Indicates whether to include IPs in DNS resolver indicator feed blocks. Default, indicator feeds block only domain names. Settable only for dns and dns_resolver rules.
l4override: optional { ip, port } Send matching traffic to the supplied destination IP address and port. Settable only for l4 rules with the action set to l4_override.
Send matching traffic to the supplied destination IP address and port. Settable only for l4 rules with the action set to l4_override.
notification_settings: optional { enabled, include_context, msg, support_url } Configure a notification to display on the user’s device when this rule matched. Settable for all types of rules with the action set to block.
Configure a notification to display on the user’s device when this rule matched. Settable for all types of rules with the action set to block.
Defines a hostname for override, for the matching DNS queries. Settable only for dns rules with the action set to override.
Defines a an IP or set of IPs for overriding matched DNS queries. Settable only for dns rules with the action set to override.
quarantine: optional { file_types } Configure settings that apply to quarantine rules. Settable only for http rules.
Configure settings that apply to quarantine rules. Settable only for http rules.
redirect: optional { target_uri, include_context, preserve_path_and_query } Apply settings to redirect rules. Settable only for http rules with the action set to redirect.
Apply settings to redirect rules. Settable only for http rules with the action set to redirect.
resolve_dns_internally: optional { fallback, view_id } Configure to forward the query to the internal DNS service, passing the specified ‘view_id’ as input. Not used when ‘dns_resolvers’ is specified or ‘resolve_dns_through_cloudflare’ is set. Only valid when a rule’s action set to ‘resolve’. Settable only for dns_resolver rules.
Configure to forward the query to the internal DNS service, passing the specified ‘view_id’ as input. Not used when ‘dns_resolvers’ is specified or ‘resolve_dns_through_cloudflare’ is set. Only valid when a rule’s action set to ‘resolve’. Settable only for dns_resolver rules.
Enable to send queries that match the policy to Cloudflare’s default 1.1.1.1 DNS resolver. Cannot set when ‘dns_resolvers’ specified or ‘resolve_dns_internally’ is set. Only valid when a rule’s action set to ‘resolve’. Settable only for dns_resolver rules.
Schedule { fri, mon, sat, 5 more } Defines the schedule for activating DNS policies. Settable only for dns and dns_resolver rules.
Defines the schedule for activating DNS policies. Settable only for dns and dns_resolver rules.
Specify the time intervals when the rule is active on Fridays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.
Specify the time intervals when the rule is active on Mondays, in the increasing order from 00:00-24:00(capped at maximum of 6 time splits). If this parameter omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.
Specify the time intervals when the rule is active on Saturdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Saturdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.
Specify the time intervals when the rule is active on Sundays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Sundays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.
Specify the time intervals when the rule is active on Thursdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.
Specify the time zone for rule evaluation. When a valid time zone city name is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user’s IP address. Colo time zone is used when the user’s IP address does not resolve to a location.
Specify the time intervals when the rule is active on Tuesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.
Specify the time intervals when the rule is active on Wednesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Wednesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.