Network policies
With Cloudflare Zero Trust, you can configure policies to control network-level traffic leaving your endpoints. Using network selectors like IP addresses and ports, your policies will control access to any network origin. Because Cloudflare Zero Trust integrates with your identity provider, it also gives you the ability to create identity-based network policies. This means you can now control access to non-HTTP resources on a per-user basis regardless of where they are or what device they access that resource from.
A network policy consists of an Action as well as a logical expression that determines the scope of the action. To build an expression, you need to choose a Selector and an Operator, and enter a value or range of values in the Value field. You can use And and Or logical operators to evaluate multiple conditions.
If a condition in an expression joins a query attribute (such as Source IP) and a response attribute (such as Resolved IP), then the condition will be evaluated when the response is received.
Like actions in DNS and HTTP policies, actions in network policies define which decision you want to apply to a given set of elements. You can assign one action per policy.
API value: allow
Available selectors
Traffic
- Application
- Content Categories
- Destination Continent IP Geolocation
- Destination Country IP Geolocation
- Destination IP
- Destination Port
- Detected Protocol
- Protocol
- Proxy Endpoint
- Security Risks
- SNI
- SNI Domain
- Source Continent IP Geolocation
- Source Country IP Geolocation
- Source Internal IP
- Source IP
- Source Port
- Virtual Network
Identity
Device Posture
Policies with Allow actions allow network traffic to reach certain IPs or ports. For example, the following configuration allows specific users to reach a given IP address:
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Destination IP | in | 92.100.02.102 | And | Allow |
in | *@example.com |
API value: audit_ssh
Available selectors
Traffic
- Application
- Destination Continent IP Geolocation
- Destination Country IP Geolocation
- Destination IP
- Source Continent IP Geolocation
- Source Country IP Geolocation
- Source Internal IP
- Source IP
- Source Port
- Virtual Network
Identity
Device Posture
Policies with Audit SSH actions allow administrators to log SSH traffic. Gateway will detect SSH traffic over port 22
. For example, the following configuration logs SSH commands sent to a given IP address:
Selector | Operator | Value | Action |
---|---|---|---|
Destination IP | in | 203.0.113.83 | Audit SSH |
For more information on SSH logging, refer to Configure SSH proxy and command logs.
API value: block
Available selectors
Traffic
- Application
- Content Categories
- Destination Continent IP Geolocation
- Destination Country IP Geolocation
- Destination IP
- Destination Port
- Detected Protocol
- Protocol
- Proxy Endpoint
- Security Risks
- SNI
- SNI Domain
- Source Continent IP Geolocation
- Source Country IP Geolocation
- Source Internal IP
- Source IP
- Source Port
- Virtual Network
Identity
Device Posture
Policies with Block actions block network traffic from reaching certain IPs or ports. For example, the following configuration blocks all traffic directed to port 443:
Selector | Operator | Value | Action |
---|---|---|---|
Destination Port | in | 443 | Block |
Feature availability
WARP modes | Zero Trust plans ↗ |
---|---|
| Enterprise |
System | Availability | Minimum WARP version |
---|---|---|
Windows | ✅ | 2024.1.159.0 |
macOS | ✅ | 2024.1.160.0 |
Linux | ❌ | |
iOS | ✅ | 1.7 |
Android | ✅ | 1.4 |
ChromeOS | ✅ | 1.4 |
Turn on Display block notification for WARP client to display notifications for Gateway block events. Blocked users will receive an operating system notification from the WARP client with a custom message you set. If you do not set a custom message, the WARP client will display a default message. Custom messages must be 100 characters or less. WARP will only display one notification per minute.
Upon selecting the notification, WARP will direct your users to a block page. Optionally, you can direct users to a custom URL, such as an internal support form.
Your device may not display block notifications if focus, do not disturb, or screen sharing settings are turned on. To turn on client notifications on macOS devices running DisplayLink software, you may have to allow system notifications when mirroring your display. For more information, refer to the macOS documentation ↗.
API value: l4_override
Available selectors
Traffic
- Destination Continent IP Geolocation
- Destination Country IP Geolocation
- Destination IP
- Destination Port
- Protocol
- SNI
- SNI Domain
- Source Continent IP Geolocation
- Source Country IP Geolocation
- Source Internal IP
- Source IP
- Source Port
- Virtual Network
Identity
Device Posture
Policies with Network Override actions override traffic directed to or coming from certain IPv4/IPv6 addresses or ports. Destination IPs can be public IPs or private IPs connected to your Zero Trust network. For example, the following configuration overrides traffic sent to a public IP with a private IP based on a user's identity:
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Destination IP | in | 95.92.143.151 | And | Network Override |
User Email | in | *@example.com | And | |
Override IP | 10.0.0.1 |
Gateway will only log successful override connections in your network logs. If the override destination IP does not exist, Gateway will override the destination IP but will not log the override action.
Gateway matches network traffic against the following selectors, or criteria.
You can apply network policies to a growing list of popular web applications. Refer to Application and app types for more information.
UI name | API example | Evaluation phase |
---|---|---|
Application | any(app.ids[*] in {505}) | Before DNS resolution |
UI name | API example |
---|---|
Content Categories | not(any(net.fqdn.content_category[*] in {1})) |
For more information, refer to the list of content categories.
The continent where the request is destined. Geolocation is determined from the target IP address. To specify a continent, enter its two-letter code into the Value field:
Continent | Code |
---|---|
Africa | AF |
Antarctica | AN |
Asia | AS |
Europe | EU |
North America | NA |
Oceania | OC |
South America | SA |
Tor network | T1 |
UI name | API example |
---|---|
Destination Continent IP Geolocation | net.dst.geo.continent == "EU" |
The country that the request is destined for. Geolocation is determined from the target IP address. To specify a country, enter its ISO 3166-1 Alpha 2 code ↗ in the Value field.
UI name | API example |
---|---|
Destination Country IP Geolocation | net.dst.geo.country == "RU" |
The IP address of the request's target.
UI name | API example |
---|---|
Destination IP | net.dst.ip == "10.0.0.0/8" |
The port number of the request's target.
UI name | API example |
---|---|
Destination Port | net.dst.port == "2222" |
The inferred network protocol based on our protocol detection.
UI name | API example |
---|---|
Detected Protocol | net.protocol.detection == "ssh" |
With the Device Posture selector, admins can use signals from end-user devices to secure access to their internal and external resources. For example, a security admin can choose to limit all access to internal applications based on whether specific software is installed on a device and/or if the device or software are configured in a particular way.
For more information on device posture checks, refer to Device posture.
UI name | API example |
---|---|
Passed Device Posture Checks | any(device_posture.checks.failed[*] in {"1308749e-fcfb-4ebc-b051-fe022b632644"}) , any(device_posture.checks.passed[*] in {"1308749e-fcfb-4ebc-b051-fe022b632644"})" |
The protocol used to send the packet.
UI name | API example |
---|---|
Protocol | net.protocol == "tcp" |
The proxy server where your browser forwards HTTP traffic.
UI name | API example |
---|---|
Proxy Endpoint | proxy.endpoint == "3ele0ss56t.proxy.cloudflare-gateway.com" |
UI name | API example |
---|---|
Security Risks | any(net.fqdn.security_category[*] in {1}) |
For more information, refer to the list of security categories.
The host whose Server Name Indication (SNI) header Gateway will filter traffic against. This will allow for an exact match.
This selector only applies to traffic on port 443
.
UI name | API example |
---|---|
SNI | net.sni.host == "www.example.com" |
The domain whose Server Name Indication (SNI) header Gateway will filter traffic against. For example, a rule for example.com
will match example.com
, www.example.com
, and my.test.example.com
.
This selector only applies to traffic on port 443
.
UI name | API example |
---|---|
SNI Domain | net.sni.domains == "example.com" |
The continent of the user making the request.
Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a continent, enter its two-letter code into the Value field:
Continent | Code |
---|---|
Africa | AF |
Antarctica | AN |
Asia | AS |
Europe | EU |
North America | NA |
Oceania | OC |
South America | SA |
Tor network | T1 |
UI name | API example | Evaluation phase |
---|---|---|
Source Continent IP Geolocation | net.src.geo.continent == "North America" | Before DNS resolution |
The country of the user making the request.
Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a country, enter its ISO 3166-1 Alpha-2 code ↗ in the Value field.
UI name | API example | Evaluation phase |
---|---|---|
Source Country IP Geolocation | net.src.geo.country == "RU" | Before DNS resolution |
Use this selector to apply network policies to a private IP address, assigned by a user's local network, that requests arrive to Gateway from. This selector will only apply to users connected through a Magic GRE or IPSec tunnel.
UI name | API example |
---|---|
Source Internal IP | net.src.internal_src_ip == "192.168.86.0/27" |
UI name | API example |
---|---|
Source IP | net.src.ip == "10.0.0.0/8" |
UI name | API example |
---|---|
Source Port | net.src.port == "2222" |
Identity-based selectors include:
- SAML Attributes
- User Email
- User Group Emails
- User Group IDs
- User Group Names
- User Name
To use identity-based selectors, enable Gateway with WARP in the Zero Trust WARP client and enroll your user in your organization. For more information, refer to Identity-based policies.
Use this selector to match all traffic routed through a specific Tunnel Virtual Network via the WARP client.
UI name | API example |
---|---|
Virtual Network | net.vnet_id == "957fc748-591a-e96s-a15d-1j90204a7923" |
Comparison operators are the way Gateway matches traffic to a selector. When you choose a Selector in the dashboard policy builder, the Operator dropdown menu will display the available options for that selector.
Operator | Meaning |
---|---|
is | equals the defined value |
is not | does not equal the defined value |
in | matches at least one of the defined values |
not in | does not match any of the defined values |
in list | in a pre-defined list of values |
not in list | not in a pre-defined list of values |
matches regex | regex evaluates to true |
does not match regex | regex evaluates to false |
greater than | exceeds the defined number |
greater than or equal to | exceeds or equals the defined number |
less than | below the defined number |
less than or equal to | below or equals the defined number |
In the Value field, you can input a single value when using an equality comparison operator (such as is) or multiple values when using a containment comparison operator (such as in). Additionally, you can use regular expressions (or regex) to specify a range of values for supported selectors.
Gateway uses Rust to evaluate regular expressions. The Rust implementation is slightly different than regex libraries used elsewhere. For more information, refer to our guide for Wildcards. To evaluate if your regex matches, you can use Rustexp ↗.
If you want to match multiple values, you can use the pipe symbol (|
) as an OR operator. In Gateway, you do not need to use an escape character (\
) before the pipe symbol. For example, the following policy blocks requests to two SNI hosts if either appears in a request header:
Selector | Operator | Value | Action |
---|---|---|---|
SNI | matches regex | .\*whispersystems.org|.\*signal.org | Block |
In addition to regular expressions, you can use logical operators to match multiple values.
To evaluate multiple conditions in an expression, select the And logical operator. These expressions can be compared further with the Or logical operator.
Operator | Meaning |
---|---|
And | match all of the conditions in the expression |
Or | match any of the conditions in the expression |
The Or operator will only work with conditions in the same expression group. For example, you cannot compare conditions in Traffic with conditions in Identity or Device Posture.