WARP

About Cloudflare WARP

The Cloudflare WARP client allows you to protect corporate devices by securely and privately sending traffic from those devices to Cloudflare's global network, where Cloudflare Gateway can apply advanced web filtering. The WARP client also makes it possible to apply advanced Zero Trust policies that check for a device's health before it connects to corporate applications.

How WARP works

WARP is a device client that builds proxy tunnels using either Wireguard or MASQUE, and builds a DNS proxy using DNS-over-HTTPS. WARP supports all major operating systems, all common forms of endpoint management tooling, and has a robust series of management parameters and profiles to accurately scope the needs of a diverse user base.

The WARP client consists of:

• Graphical User Interface (GUI): Control panel that allows end users to view WARP's status and perform actions such as turning WARP on or off.
• WARP daemon (or service): Core background component responsible for establishing secure tunnels (using WireGuard or MASQUE) and handling all WARP functionality on your device.

For more information on how the WARP client routes traffic, refer to the WARP architecture page and watch the video below.

Chapters

• 
  Introduction and WARP GUI Basics 0s
• 
  Consumer vs. Corporate WARP 57s
• 
  Device Profiles Explained 1m35s
• 
  WARP Operating Modes 2m12s
• 
  Split Tunneling 3m44s
• 
  Conclusion 4m56s

Key benefits of using WARP

Deploying the WARP client significantly enhances your organization's security and visibility within Cloudflare Zero Trust:

• Unified security policies everywhere: With the WARP client deployed in the Gateway with WARP mode, Gateway policies are not location-dependent — they can be enforced anywhere.

• Advanced web filtering and threat protection: Activate Gateway features for your device traffic, including:

  • Anti-Virus scanning
  • HTTP filtering
  • Browser Isolation
  • Identity-based policies

• Application and device-specific insights: With WARP installed on your corporate devices, you can view detailed application and user-level activity on the Zero Trust Shadow IT Discovery page, while also monitoring device and network performance with Digital Experience Monitoring (DEX) to proactively detect and resolve issues.

• Device posture checks: The WARP client provides advanced Zero Trust protection by making it possible to check for device posture. By setting up device posture checks, you can build Zero Trust policies that check for a device's location, disk encryption status, OS version, and more.

• Secure private and infrastructure access: WARP lets devices connect to private networks over Cloudflare Tunnel and is required for Access for Infrastructure, enabling secure SSH with short-lived certificates and detailed logging.

WARP modes

WARP offers flexible operating modes to suit your specific needs. WARP can control device traffic as a full proxy, manage only DNS traffic as a DNS proxy, or both. WARP is the most common method for sending user device traffic through Cloudflare Gateway for filtering and decryption.

Next steps

• Review the first-time setup guide to install and deploy the WARP client on your corporate devices.
• Review possible WARP modes and settings to best suit your organization's needs.
• Explore Cloudflare Gateway to enforce advanced DNS, network, HTTP, and egress policies with WARP.