WARP with firewall
If your organization uses a firewall or other policies to restrict Internet traffic, you may need to make a few changes to allow WARP to connect.
Client Orchestration API
The WARP client talks with our edge via a standard HTTPS connection outside the tunnel for operations like registration or settings changes. To perform these operations, you must allow zero-trust-client.cloudflareclient.com, which resolves to the following IP addresses:
- IPv4 API Endpoint:
- IPv6 API Endpoint:
All DNS requests through WARP are sent outside the tunnel via DoH (DNS over HTTPS). The following IP addresses must be reachable for DNS to work correctly.
- IPv4 DoH Address:
- IPv6 DoH Address:
WARP Ingress IP
These are the IP addresses that the WARP client will connect to. All traffic from your device to the Cloudflare edge will go through these IP addresses.
- IPv4 Range:
- IPv6 Range:
WARP UDP Ports
WARP uses UDP for all of its communications. By default, WARP requires UDP port 2408. WARP can fall back to UDP 500, UDP 1701, or UDP 4500.
Creating firewall rules
If your organization does not currently allow inbound/outbound communication over the IP addresses and ports described above, you must manually add an exception. At a minimum, the rule needs to be scoped to the following process, based on your platform:
C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe
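One way to express these exceptions in Windows Defender Firewall, scoped to the process above. This is an added example, not Cloudflare's own script. It covers the outbound direction only, the rule names and group name are made up for illustration, and every address in it is a documentation-range placeholder to be replaced with the values from the lists above.

```powershell
# Added example, not Cloudflare's own script. Run in an elevated PowerShell session.
# PLACEHOLDERS: the addresses below are documentation ranges (RFC 5737 / RFC 3849),
# not Cloudflare addresses. Replace them with the values from the sections above.
$WarpSvc       = 'C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe'
$ApiEndpoints  = @('192.0.2.10', '2001:db8::10')          # placeholder: Client Orchestration API
$DohAddresses  = @('192.0.2.20', '2001:db8::20')          # placeholder: DoH addresses
$IngressRanges = @('198.51.100.0/24', '2001:db8:1::/48')  # placeholder: WARP ingress ranges
$WarpUdpPorts  = @('2408', '500', '1701', '4500')         # default port plus the fallbacks
$Group         = 'Cloudflare WARP'                        # hypothetical group name

$rules = @(
    @{ Name = 'WARP tunnel (UDP)'; Protocol = 'UDP'; Ports = $WarpUdpPorts; Remote = $IngressRanges },
    # Assumption: the API and DoH endpoints listen on the standard HTTPS port, TCP 443.
    @{ Name = 'WARP orchestration API (HTTPS)'; Protocol = 'TCP'; Ports = @('443'); Remote = $ApiEndpoints },
    @{ Name = 'WARP DoH (HTTPS)'; Protocol = 'TCP'; Ports = @('443'); Remote = $DohAddresses }
)

foreach ($r in $rules) {
    # Re-running the script replaces a rule instead of stacking duplicates.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $r.Name -Group $Group `
        -Direction Outbound -Action Allow -Profile Any `
        -Program $WarpSvc -Protocol $r.Protocol `
        -RemotePort $r.Ports -RemoteAddress $r.Remote | Out-Null
}

# Check: each rule must be bound to warp-svc.exe rather than to any program,
# and must list only the expected ports and remote addresses.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Program = ($_ | Get-NetFirewallApplicationFilter).Program
        Ports   = ($_ | Get-NetFirewallPortFilter).RemotePort -join ','
        Remote  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    }
} | Format-Table -AutoSize
```

Binding each rule to the program path, the remote addresses and the ports together keeps the exception from opening UDP 500, 1701 or 4500 to other software on the device.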