Applications and app types
Cloudflare Gateway’s HTTP policies allow you to filter HTTP traffic on the L7 firewall. To make it easier to manage firewall policies for cloud applications, Gateway allows you to build policies based on applications and app types.
Using these two selectors in the HTTP rule builder, you can have more granular control over how web applications are used on your network.
Creating rules with applications and app types
Navigate to the HTTP tab.
In the Selector drop-down menu, select the Application option.
In the Operator drop-down menu, select in or not in, depending on whether you want to include or exclude applications or app types from your rule.
In the Value drop-down menu, check the applications or app types you would like to control with your rule.
Click Create rule to finalize your changes.
Supported applications and app types
Do Not Decrypt applications
Some applications are incompatible with TLS decryption for a variety of reasons, one of which is certificate pinning. This is a process used by applications to verify that the TLS certificate presented from the origin server matches a known, specified list of certificates hardcoded in the application.
This is a countermeasure to man-in-the-middle attacks where an attacker presents a trusted, but false, certificate on behalf of the origin in oder to decrypt the traffic. This is exactly what TLS interception in a Secure Web Gateway does, although for the purposes of securing a user's web traffic.
Gateway automatically groups applications incompatible with TLS decryption into the Do Not Decrypt app type. To ensure that traffic gets through to these applications, you can create an , select Application as a Selector, in as an Operator, and check the Do Not Decrypt app type in the Value field. Then, set the rule action to Do Not Inspect.
Gateway periodically updates the Do Not Decrypt app type to include new applications. By creating this Do Not Inspect rule and selecting all applications within the Do Not Decrypt app type, you'll ensure that your rule will apply to any new applications that will be added to the app type.
Supported actions for applications
The Applications selector allows you to create rules with the following actions:
- Allow allows HTTP traffic to reach selected applications.
- Block blocks any HTTP traffic from reaching selected applications.
- Do Not Inspect bypasses SSL inspection for selected applications.