Cloudflare Docs
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Applications and app types

Gateway allows you to build DNS, Network, and HTTP policies based on applications and app types. This feature gives you more granular control over how web applications are used on your network.

​​ Creating policies with applications and app types

  1. On the Zero Trust dashboard, navigate to Gateway > Policies.

  2. Navigate to the DNS, Network, or HTTP tab, depending on what kind of policy you want to create.

  3. Create a new policy, or edit an existing one.

  4. In the Selector drop-down menu, select the Application option.

  5. In the Operator drop-down menu, select in or not in, depending on whether you want to include or exclude applications or app types from your policy.

  6. In the Value drop-down menu, check the applications or app types you would like to control with your policy.

    Creating a policy for applications

  7. Next, select an Action for your policy.

  8. Click Create policy to finalize your changes.

​​ Supported applications and app types

​​ Applications

When you create a policy for applications from the Zero Trust dashboard, the Value drop-down menu lists all supported applications and their respective app types. To view an up-to-date list outside of the UI, please refer to the Gateway API guide.

​​ App types

Application typeDefinition
Collaboration & Online MeetingsApplications used to communicate or collaborate in a business setting.
DevelopmentApplications used for software development and development operations.
EmailApplications used for email.
Encrypted DNSApplications used for encrypting DNS.
File SharingApplications used to share files.
Finance & AccountingApplications used as finance and accounting tools.
Human ResourcesApplications used to manage employees and workforce tools.
Instant MessagingApplications used for instant messaging.
IT ManagementApplications used to manage IT deployments.
LegalApplications used as legal tools.
ProductivityApplications used as business tools.
Public CloudApplications used to manage public cloud infrastructure.
Sales & MarketingApplications used as sales and marketing tools.
SecurityApplications used for information security.
Social NetworkingApplications used for social networking.
StreamingApplications used for streaming video or audio.
Do Not InspectApplications that are incompatible with the TLS man-in the middle certificate that is required for Cloudflare Gateway’s proxy to function. These applications either use certificate pinning or send non-web traffic such as Session Initiation Protocol (SIP) or Extensible Messaging and Presence Protocol (XMPP) over TLS.

​​ Do Not Inspect applications

Some applications are incompatible with TLS decryption for a variety of reasons, one of which is certificate pinning. This is a process used by applications to verify that the TLS certificate presented from the origin server matches a known, specified list of certificates hardcoded in the application.

This is a countermeasure to man-in-the-middle attacks where an attacker presents a trusted, but false, certificate on behalf of the origin in order to decrypt the traffic. This is exactly what TLS interception in a Secure Web Gateway does, although for the purposes of securing a user’s web traffic.

Gateway automatically groups applications incompatible with TLS decryption into the Do Not Inspect app type. To ensure that traffic gets through to these applications, you can create an HTTP policy, select Application as a Selector, in as an Operator, and check the Do Not Inspect app type in the Value field. Then, set the HTTP policy Action to Do Not Inspect.

Gateway periodically updates the Do Not Inspect app type to include new applications. By creating this Do Not Inspect HTTP policy and selecting all applications within the Do Not Inspect app type, you will ensure that your Do Not Inspect policy will apply to any new applications added to the app type.

Creating an HTTP policy for the Do Not Inspect app type