Skip to content
Cloudflare for Teams
Visit Cloudflare for Teams on GitHub
Set theme to dark (⇧+D)

Applications and app types

Cloudflare Gateway’s HTTP policies allow you to filter HTTP traffic on the L7 firewall. To make it easier to manage firewall policies for cloud applications, Gateway allows you to build policies based on applications and app types.

Using these two selectors in the HTTP rule builder, you can have more granular control over how web applications are used on your network.

Creating rules with applications and app types

  1. On the Teams dashboard, navigate to Gateway > Policies.

  2. Navigate to the HTTP tab.

  3. Create a new rule, or edit an existing one.

  4. In the Selector drop-down menu, select the Application option.

  5. In the Operator drop-down menu, select in or not in, depending on whether you want to include or exclude applications or app types from your rule.

  6. In the Value drop-down menu, check the applications or app types you would like to control with your rule.


  7. Next, select an Action for your rule.

  8. Click Create rule to finalize your changes.

Supported applications and app types


A full list of supported applications and their respective app types are available to download here.

App types

Application typeDefinition
Collaboration & Online MeetingsApplications used to communicate or collaborate in a business setting.
DevelopmentApplications used for software development and development operations.
EmailApplications used for email.
Encrypted DNSApplications used for encrypting DNS.
File SharingApplications used to share files.
Finance & AccountingApplications used as finance and accounting tools.
Human ResourcesApplications used to manage employees and workforce tools.
Instant MessagingApplications used for instant messaging.
IT ManagementApplications used to manage IT deployments.
LegalApplications used as legal tools.
ProductivityApplications used as business tools.
Public CloudApplications used to manage public cloud infrastructure.
Sales & MarketingApplications used as sales and marketing tools.
SecurityApplications used for information security.
Social NetworkingApplications used for social networking.
StreamingApplications used for streaming video or audio.
Do Not DecryptApplications that are incompatible with the TLS man-in the middle certificate that is required for Cloudflare Gateway's proxy to function. These applications either use certificate pinning or send non-web traffic such as Session Initiation Protocol (SIP) or Extensible Messaging and Presence Protocol (XMPP) over TLS.

Do Not Decrypt applications

Some applications are incompatible with TLS decryption for a variety of reasons, one of which is certificate pinning. This is a process used by applications to verify that the TLS certificate presented from the origin server matches a known, specified list of certificates hardcoded in the application.

This is a countermeasure to man-in-the-middle attacks where an attacker presents a trusted, but false, certificate on behalf of the origin in oder to decrypt the traffic. This is exactly what TLS interception in a Secure Web Gateway does, although for the purposes of securing a user's web traffic.

Gateway automatically groups applications incompatible with TLS decryption into the Do Not Decrypt app type. To ensure that traffic gets through to these applications, you can create an HTTP rule, select Application as a Selector, in as an Operator, and check the Do Not Decrypt app type in the Value field. Then, set the rule action to Do Not Inspect.

Gateway periodically updates the Do Not Decrypt app type to include new applications. By creating this Do Not Inspect rule and selecting all applications within the Do Not Decrypt app type, you'll ensure that your rule will apply to any new applications that will be added to the app type.

Do not decrypt HTTP rule

Supported actions for applications

The Applications selector allows you to create rules with the following actions:

  • Allow allows HTTP traffic to reach selected applications.
  • Block blocks any HTTP traffic from reaching selected applications.
  • Do Not Inspect bypasses SSL inspection for selected applications.