Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

WARP settings

This page describes the WARP configuration options available on the Zero Trust dashboard. To configure these settings, open the Zero Trust dashboard and go to Settings > WARP Client.

​​ Admin override

Feature availability

When this toggle is enabled, you can provide end users with an one-time password that will allow them to toggle off the WARP client in case they need to work around a temporary network issue (for example, an incompatible public Wi-Fi, or a firewall at a customer site blocking the connection).

When the toggle is disabled, one-time passwords will not be generated, and end users will not be able to toggle the client off when *Switch Locked is true.

You can also set a timeout to define how long the WARP client is allowed to be paused once the end user disables it. Once the time is up, the WARP client will automatically reconnect.

When you want to allow a user to disable the WARP client:

  1. Log in to the Zero Trust Dashboard and ensure the Admin override toggle is enabled.
  2. Retrieve the 7-digit override code for their device by navigating to My Team > Devices > Connected devices, clicking on View for the desired device, and scrolling down to User details.
  3. Copy the code and share it with the end user for them to enter on their device.

Users will then need to open the WARP client on their devices, navigate to Preferences > Advanced > Enter code, and enter the override code in the pop-up window. The WARP client will now show as Disconnected and will mention the time when it will automatically reconnect.

​​ Device enrollment permissions

Feature availability

Cloudflare Zero Trust allows you to establish which users in your organization can enroll new devices or revoke access to connected devices. To do that, you can create a device enrollment rule on the Zero Trust dashboard:

  1. Navigate to Settings > WARP Client.
  2. In the Device enrollment permissions card, click Manage.
  3. In the rule builder, configure one or more rules to define who can enroll or revoke devices.
  4. Click Save.

​​ Captive portal detection

Feature availability
Operating SystemsWARP mode requiredZero Trust plans
All systemsWARP with GatewayAll plans

Captive Portal detection is the ability for the WARP client to detect a third-party onboarding flow before Internet access is obtained. This is most frequent in places such as airports, cafes, and hotels.

When the toggle is enabled, the WARP client will automatically turn off when it detects a captive portal, and it will automatically turn on after the amount of time you specify in the card.

​​ Mode switch

Feature availability
Operating SystemsWARP mode requiredZero Trust plans
All systemsWARP with GatewayAll plans

When the toggle is enabled, users have the option to switch between Gateway with WARP mode and Gateway with DoH mode. When the toggle is disabled, end users will not be able to switch between modes.

​​ Lock WARP switch

Feature availability

Allows the user to turn off the WARP switch and disconnect the client.


  • Disabled — (default) The user is able to turn the switch on/off at their discretion. When the switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks.
  • Enabled — The user is prevented from turning off the switch. The WARP Agent will start in the connected state when this is enabled.

On new deployments, you must also include the auto_connect parameter with at least a value of 0. This will prevent clients from being deployed in the off state without a way for users to manually enable them.

​​ Allow device to leave organization

Feature availability

When the toggle is enabled, users who manually logged in to their organization on WARP are prevented from leaving that organization. This disables the Logout from Zero Trust and Reset All Settings button in the WARP client interface. If the WARP client has been deployed with a management tool and a local policy exists, then this switch is bypassed and clients are always prevented from leaving.

​​ Allow updates

Feature availability
Operating SystemsWARP mode requiredZero Trust plans
macOS, Windows, LinuxAny modeAll plans

When the toggle is enabled, users will receive update notifications when a new version of the client is available. Only turn this on if your users are local administrators with the ability to add/remove software from their device.

​​ Auto Connect

Feature availability

When the toggle is enabled, the client will automatically reconnect if it has been disabled for the specified Timeout value. This setting is best used in conjunction with Lock WARP Switch above.

We recommend keeping this set to a very low value — usually just enough time for a user to log in to hotel or airport WiFi. If any value is specified, the default state the app will always be Connected (ex. after reboot, after initial install, etc.)


  • 0 — Allow the switch to stay in the off position indefinitely until the user turns it back on.
  • 1 to 1440 — Turn switch back on automatically after the specified number of minutes.

​​ Support URL

Feature availability

When the toggle is enabled, the Send Feedback button in the WARP client appears and will launch the URL specified. Example Support URL values are:

  • Use an https:// link to open your companies internal help site.
  • mailto:[email protected] Use a mailto: link to open your default mail client.

​​ Service Mode

Feature availability

Allows you to choose the operational mode of the client. See WARP Modes for a detailed description of each mode.

  • Gateway with WARP DNS and Device traffic is encrypted and processed by Gateway. This mode is required if you want to enable HTTP rules, Browser Isolation, Anti-Virus scanning and DLP.
  • Gateway with DoH Enforcement of DNS policies only through DoH. All other traffic is handled by default mechanisms on your devices.
  • Proxy Only Only traffic sent to the localhost proxy is encrypted by Gateway. This mode does not process DNS traffic.

​​ Integrated experiences

Cloudflare Zero Trust allows you to perform one-click actions to accelerate Office 365 traffic. Navigate to Settings > Network on the Zero Trust dash and either: