By default, Gateway logs all events, including DNS queries and HTTP requests that are allowed and not a risk. You can choose to disable logs or only log blocked requests. To customize what type of events are recorded, log in to Zero Trust and go to Settings > Network. Under Activity Logging, indicate your DNS, Network, and HTTP log preferences.
These settings will only apply to logs displayed in Zero Trust. Logpush data is unaffected.
Email address of the user who registered the WARP client from which the traffic originated. If a non-identity on-ramp (such as a proxy endpoint) or machine-level authentication (such as a service token) was used, this value will be non_identity@<team-domain>.cloudflareaccess.com.
The Action Gateway applied to the query (for example, Allow or Block).
Date and time of the DNS query.
Public source IP address of the DNS query.
Port that was used to make the DNS query.
Source IP Country
Country code of the DNS query.
Public IP address of the DNS resolver.
Source Internal IP
Private IP address assigned by the user’s local network.
Protocol that was used to make the DNS query (for example, https).
User-configured location from where the DNS query was made.
Name of the matched policy (if there is one).
ID of the matched policy (if there is one).
Content categories that the domain belongs to.
UUID of the user. Each unique email address in your organization will have a UUID associated with it.
UUID of the device connected with the WARP client. Each unique device in your organization will have a UUID associated with it each time the device is registered for a particular email. The same physical device may have multiple UUIDs associated with it.
Display name of the device returned by the operating system to the WARP client. Typically this is the hostname of a device. Not all devices will have a device name. Device names are not guaranteed to be unique.
Resolved IP addresses in the response (if any).
Matched Indicator Feed Name
Name of the indicator feeds that matched a Gateway policy (if any).
Query Indicator Feed Name
Name of the indicator feeds that a matched domain or IP belongs to (if any).
Enhanced file detection is an optional feature to extract more file information from HTTP traffic. When enabled, Gateway will read file information from the HTTP body rather than the HTTP headers, offering greater accuracy and reliability. This feature may have a minor impact on performance for file-heavy organizations.
When a user creates a policy to isolate traffic, the initial request that triggers isolation will be logged as an Isolate decision and the is_isolated field will return false. This is because that initial request is not isolated yet — but it initiates an isolated session.
Since the request is generated in an isolated browser, the result is rendered in the isolated browser and securely returned to the user. This request and all subsequent requests in the isolated browser are logged with the terminal Gateway action that is applied (for example, Allow or Block) and with the is_isolated field set to true.
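The following added example (not Cloudflare's code) labels HTTP log records according to the isolation behavior described above, so that the initial Isolate record with is_isolated false is not counted as ordinary non-isolated traffic. The record key names "action", "is_isolated" and "url" and the sample records are assumptions constructed for the example; map them to the columns in your own export.

```python
from collections import Counter

# Constructed sample records. The key names "action", "is_isolated" and "url"
# are assumptions for this example; map them to the columns in your export.
SAMPLE_HTTP_LOGS = [
    {"url": "https://news.example/", "action": "Isolate", "is_isolated": False},
    {"url": "https://news.example/", "action": "Allow", "is_isolated": True},
    {"url": "https://news.example/ads.js", "action": "Block", "is_isolated": True},
    {"url": "https://intranet.example/", "action": "Allow", "is_isolated": False},
    {"url": "https://bad.example/", "action": "Block", "is_isolated": "false"},
]


def as_bool(value):
    """Accept real booleans and the strings some exports use for them."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def classify(record):
    """Label one HTTP log record by its role in browser isolation."""
    action = str(record.get("action", "")).strip().lower()
    isolated = as_bool(record.get("is_isolated", False))
    if action == "isolate" and not isolated:
        # The request that matched the isolation policy and started the session.
        return "isolation_trigger"
    if isolated:
        # Request made inside the isolated browser; the action is the terminal one.
        return "isolated_" + action
    # Traffic that never went through an isolated session.
    return "direct_" + action


def summarize(records):
    """Count records per label so triggers are not mistaken for direct traffic."""
    return Counter(classify(r) for r in records)


if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_HTTP_LOGS).items()):
        print(f"{label}: {count}")
```
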