Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

WARP with firewall

If your organization uses a firewall or other policies to restrict Internet traffic, you may need to make a few changes to allow WARP to connect.

​​ Client Orchestration API

The WARP client talks with our edge via a standard HTTPS connection outside the tunnel for operations like registration or settings changes. To perform these operations, you must allow which will lookup the following IP addresses:

  • IPv4 API Endpoint: and
  • IPv6 API Endpoint: 2606:4700:7::a29f:8969 and 2606:4700:7::a29f:8a69

​​ DoH IP

All DNS requests through WARP are sent outside the tunnel via DoH (DNS over HTTPS). The following IP addresses must be reachable for DNS to work correctly.

  • IPv4 DoH Address:
  • IPv6 DoH Address: 2606:4700:4700::1111

​​ WARP Ingress IP

These are the IP addresses that the WARP client will connect to. All traffic from your device to the Cloudflare edge will go through these IP addresses.

  • IPv4 Range:
  • IPv6 Range: 2606:4700:100::/48

​​ WARP UDP Ports

WARP utilizes UDP for all of its communications. By default, the UDP Port required for WARP is: UDP 2408. WARP can fallback to: UDP 500, UDP 1701, or UDP 4500.

​​ Creating firewall rules

If your organization does not currently allow Inbound/Outbound communication over the IP addresses and ports described above you must manually add an exception. The rule at a minimum needs to be scoped to the following process based on your platform:

  • Windows: C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe
  • macOS: /Applications/Cloudflare