Cloudflare Docs
Cloudflare Zero Trust
Edit this page
Give us feedback
Set theme to dark (⇧+D)

Applications and app types

Gateway allows you to create DNS, Network, and HTTP policies based on applications and app types. You can select individual applications or groups of app types to filter specific traffic on your network.

​​ Applications

When you choose the Application selector in a Gateway policy builder, the Value field will include all supported applications and their respective app types. Alternatively, you can use the Gateway API to fetch a list of applications, app types, and ID numbers.

​​ App types

Artificial IntelligenceAI assistance applications
Audio StreamingMusic streaming, podcasts, and other audio applications
Collaboration & Online MeetingsBusiness communication and collaboration applications
DatingOnline dating applications
DevelopmentSoftware development and development operations applications
EmailEmail applications
Encrypted DNSDNS encryption applications
File SharingFile sharing applications
Finance & AccountingFinancial and accounting applications
GamingGames and gaming applications
Human ResourcesEmployee management applications and workforce tools
Instant MessagingInstant messaging applications
IT ManagementIT deployment management applications
LegalLegal tools and applications
NewsNews applications
ProductivityBusiness and productivity applications
Public CloudPublic cloud infrastructure management applications
Sales & MarketingSales and marketing applications
Search EnginesWeb search engines and applications
SecurityInformation security applications, including shadow IT
ShoppingOnline shopping applications
Social NetworkingSocial networking applications
SportsSports streaming and news applications
Video StreamingVideo streaming applications
Do Not InspectApplications incompatible with the TLS certificate required by the Gateway proxy

​​ Do Not Inspect applications

​​ TLS decryption limitations

Applications can be incompatible with TLS decryption for various reasons:

  • Certificate pinning: Certificate pinning is a security mechanism used to prevent on-path attacks on the Internet by hardcoding information about the certificate that the application expects to receive. If the wrong certificate is received, even if it is trusted by the system, the application will refuse to connect.
  • Non-web traffic: Some applications send non-web traffic, such as Session Initiation Protocol (SIP) and Extensible Messaging and Presence Protocol (XMPP), over TLS. Gateway cannot inspect these protocols.

​​ Application grouping

Gateway automatically groups applications incompatible with TLS decryption into the Do Not Inspect app type. As Cloudflare identifies incompatible applications, Gateway will periodically update this app type to add new applications. To ensure Gateway does not intercept any current or future incompatible traffic, you can create a Do Not Inspect HTTP policy with the entire Do Not Inspect app type selected.

​​ Microsoft 365 integration

To optimize performance for Microsoft 365 applications and services, you can bypass TLS decryption by turning on the Microsoft 365 traffic integration. This will create a Do Not Inspect policy for all Microsoft 365 domains and IP addresses specified by Microsoft. This policy also uses Cloudflare intelligence to identify other Microsoft 365 traffic not explicitly defined.

To turn on the Microsoft 365 integration:

  1. In Zero Trust, go to Settings > Network > Integrated experiences.
  2. In Bypass decryption of Microsoft 365 traffic, select Create policy.
  3. To verify the policy was created, select View policy. Alternatively, go to Gateway > Firewall Policies > HTTP. A policy named Microsoft 365 Auto Generated will be enabled in your list.

All future Microsoft 365 traffic will bypass Gateway logging and filtering. To disable this behavior, turn off or delete the policy.