Cloudflare Docs
Cloudflare Zero Trust
Edit this page on GitHub
Set theme to dark (⇧+D)

Global policies

Cloudflare Zero Trust applies a set of global policies to all accounts.

Zero Trust logs prepend an identifier to global policy names. For example, matches for the global policy Allow Zero Trust Services will appear in your logs with the name Global Policy - Allow Zero Trust Services.

​​ DNS policies

NameIDCriteriaValueActionDescription
Allow CF Network Error Logging L400000001-e4af-4b82-8f8c-c79c1d5d212eHostname*.nel.cloudflare.comallowAllows SNI domains for WARP registration.
Allow CF Client00000001-8c3d-4e27-a01b-af8418000077Hostname*.cloudflareclient.comallowAllows Zero Trust client.
Allow Gateway Proxy PAC00000001-776e-438d-9856-987d7053762bHostname*.cloudflare-gateway.comallowAllows Gateway proxy with PAC files.
Allow Zero Trust Services00000001-e1e8-421b-a0fe-895397489f28Hostnamedash.teams.cloudflare.com, help.teams.cloudflare.com, blocked.teams.cloudflare.com, api.cloudflare.com, cloudflarestatus.com, www.cloudflarestatus.com, and one.dash.cloudflare.comallowAllows Cloudflare Zero Trust services.
Allow Access Apps L400000001-daa2-41e2-8a88-698af4066951Hostname*.cloudflareaccess.comallowAllows Cloudflare Access applications.

​​ Network proxy policies

NameIDCriteriaValueActionDescription
Allow Access Apps L700000001-8d6b-4951-8a18-3bbc9010976cHostname*.cloudflareaccess.comallowAllows Cloudflare Access applications.
Allow Gateway Help Page00000001-8e9a-4429-b3c2-d267d0ce6114Hostnamehelp.teams.cloudflare.comallowUsed by the WARP client to check if Gateway is on by inspecting the certificate and checking if it is properly installed on the client device.
Always Blocked Categories00000001-bed5-462e-b0f1-2e2c3555e9f7Content CategoryChild AbuseblockBlocks child abuse materials.

​​ HTTP inspection policies

NameIDCriteriaValueActionDescription
Prevent Account Change Block00000001-d1f2-461a-8253-501c8d882a15Hostname*.cloudflareclient.combypassEnsures users cannot accidentally block themselves from making account changes.
Bypass CF Status00000001-5399-4b71-a9fc-d4d90ccf0758Hostname*.cloudflarestatus.combypassBypasses cloudflarestatus.com so users can reach the status page in case of a Gateway outage.
Bypass Gateway DNS00000001-d9c0-46b0-8704-2ea5b9d7bdfcHostname*.cloudflare-gateway.combypassEnsures requests to the cloudflare-gateway.com DNS endpoint will not be inspected.
Bypass CF Network Error Logging00000001-dfe0-4737-8d1e-8191e8f637dfHostname*.nel.cloudflare.combypassBypasses *.nel.cloudflarestatus.com for Cloudflare’s network error logging feature.
Bypass CF API00000001-a424-43fb-b1f1-d3eb35ed7dddHostnameapi.cloudflare.combypassBypasses Cloudflare’s API endpoint.
Prevent ZT Dashboard Lockout00000001-d38e-42db-96fe-60613b6b308fHostnamedash.teams.cloudflare.combypassPrevents users from being locked out of the Zero Trust dashboard.
Bypass CF Dashboard00000001-d343-4ded-908e-b3fe43c5e61eHostname*.dash.cloudflare.combypassBypasses the Cloudflare dashboard and subdomains.
Bypass Zero Trust Captive Portal Sites00000001-8b62-4367-919e-5c160a06ddf7Hostnamecloudflareportal.com, cloudflareok.com, and cloudflarecp.combypassBypasses the Zero Trust captive portal detection sites.
Prevent Block Page Loop00000001-48b1-4ade-93c1-f0f3759dc19cHostnameblocked.teams.cloudflare.combypassPrevents an infinite loop on the Gateway block page.
Don’t Isolate RBI Help Pages00000001-1a18-431f-9c9d-bce431f1002aHostnamedevelopers.cloudflare.com and help.cloudflarebrowser.comnoisolatePrevents isolation of Cloudflare developer docs and help pages to help users troubleshoot configuration issues.
Bypass RBI Assets00000001-df61-4068-aa6c-0f684c3cd4e6Hostname*.assets.browser.runbypassRequired for Remote Browser Isolation (RBI).
Inspect RBI Urls00000001-3faa-4f59-98d4-0f6d6af4b6d0Hostname*.edge.browser.run and *.cloudflarebrowser.combypassRequired for RBI.
Don’t AV Scan CF Speed00000001-c194-408f-87dd-9a366ce76e12Hostnamespeed.cloudflare.comnoscanAllows files transferred by the Cloudflare speed test.
Bypass OCSP00000001-34ce-47c7-ad0f-199f46eba194ApplicationOnline Certificate Status ProtocolbypassEnables OCSP stapling.