Skip to content

Block page

Gateway responds to any domain blocked at the DNS level with 0.0.0.0 for IPv4 queries or :: for IPv6 queries, and does not return that blocked domain's IP address. As a result, the browser will show a browser default error page, and users will not be able to reach that website. This may cause confusion and lead some users to think that their Internet connection is not working.

Configuring a custom block page in Zero Trust helps avoid this confusion. Your block page will display information such as the rule ID of the policy blocking the website, a policy-specific block message, your organization's name, and a global message you may want to show — for example, a message explaining that the website has been blocked by Gateway and providing any points of contact for support within the organization.

Gateway supports custom block pages for DNS and HTTP policies.

Prerequisites

In order to display the block page as the URL of the blocked domain, your devices must have a Cloudflare certificate installed. Enterprise users can also deploy their own root CA certificate.

Turn on the block page

For all HTTP Block policies, Gateway automatically displays a generic Cloudflare block page. For DNS Block policies, you will need to enable the block page on a per-policy basis.

To turn on the block page and specify a custom block message:

  1. In Zero Trust, go to Gateway > Firewall Policies > DNS or Gateway > Firewall Policies > HTTP.
  2. Find the policy you want to customize and select Edit. You can only edit the block page for policies with a Block action.
  3. Under Configure policy settings, go to Display block page. Choose Show a custom message.
  4. In Custom message, enter a block message to show users.
  5. Select Save policy.

Gateway will display a custom message in your users' browsers when they are blocked by this policy.

Troubleshoot the block page

If your users receive a security risk warning in their browser when visiting a blocked page, check that you have correctly installed a Cloudflare certificate on their devices.

Customize the block page

You can customize the block page by making global changes that will show up every time a user visits a block page, independently of the type of rule (DNS or HTTP) that is blocking the website.

To apply customizations to your block page:

  1. In Zero Trust, go to Settings > Custom Pages.

  2. Under Block page, enable the custom block page feature.

  3. Select Customize. Available global customizations include:

    • Adding your organization's name
    • Adding a logo
    • Adding a header text
    • Adding a global block message, which will be displayed above the policy-specific block message
    • Adding a Mailto link
    • Choosing a background color
  4. Select Save.

Users will now get a custom block page when visiting a blocked website.

Add a logo image

You can include an external logo image to display on your custom block page. The block page resizes all images to 146x146 pixels. The URL must be valid and no longer than 2048 characters. Accepted file types include SVG, PNG, JPEG, and GIF.

Allow users to email an administrator

You can add a Mailto link to your custom block page, which allows users to directly email you about the blocked site. When users select Contact your Administrator on your block page, an email template opens with the email address and subject line you configure, as well as the following diagnostic information:

FieldDescription
Site URLThe URL of the blocked page.
Rule IDThe ID of the Gateway policy that blocked the page.
Source IPThe public source IP of the user device.
Account IDThe Cloudflare account associated with the block policy.
User IDThe ID of the user who visited the page. Currently, User IDs are not surfaced in the dashboard and can only be viewed by calling the API.
Device IDThe ID of the device that visited the page. This is generated by the WARP client.
Block ReasonYour policy-specific block message.