Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Set up network filtering

Secure Web Gateway allows you to apply policies at the network level (Layers 3 and 4) to control which websites and non-HTTP applications users can access.

​​ 1. Connect to Gateway

​​ Connect devices

To filter network traffic from a device such as a laptop or phone:

  1. Install the WARP client on your device.
  2. In the WARP client Settings, log in to your organization’s Zero Trust instance.
  3. (Optional) If you want to display a custom block page, install the Cloudflare root certificate on your device .
  4. Enable the Gateway proxy:
    1. In the Zero Trust dashboard, navigate to Settings > Network.
    2. Enable Proxy for TCP.
    3. (Optional) Enable Proxy for UDP. All port 443 UDP traffic will be inspected by Gateway.

​​ Connect private networks

To filter traffic from private networks, refer to the Cloudflare Tunnel guide.

​​ 2. Verify device connectivity

  1. In the Zero Trust dashboard, navigate to Settings > Network.
  2. Under Gateway logging, enable activity logging for all Network logs.
  3. On your WARP-enabled device, open a browser and visit any website.
  4. Determine the Source IP for your device:
    1. Open the WARP client settings.
    2. Navigate to Preferences > General.
    3. Note the Public IP.
  5. In the Zero Trust dashboard, navigate to Logs > Gateway > Network. Before building Network policies, make sure you see Network logs from the Source IP assigned to your device.

​​ 3. Add policies

To create a new network policy, navigate to Gateway > Firewall Policies > Network in the Zero Trust dashboard. Refer to our list of common network policies for policies you may want to create.