Skip to content

Common policies

The following policies are commonly used to secure network traffic.

Refer to the network policies page for a comprehensive list of other selectors, operators, and actions.

Block unauthorized applications

To minimize the risk of shadow IT, some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks AI assistants:

SelectorOperatorValueAction
ApplicationinMicrosoft Copilot, ChatGPT, Google GeminiBlock

Check user identity

Configure access on a per user or group basis by adding identity-based conditions to your policies.

SelectorOperatorValueLogicAction
ApplicationinSalesforceAndBlock
User Group NamesinContractors

Enforce device posture

Require devices to have certain software installed or other configuration attributes. For instructions on enabling a device posture check, refer to the device posture section.

In the following example, you can use a list of device serial numbers to ensure users can only access an application if they connect with the WARP client from a company device:

SelectorOperatorValueLogicAction
Passed Device Posture Checksnot inDevice serial numbersAndBlock
SNI Domainisinternalapp.com

Enforce session duration

To require users to re-authenticate after a certain amount of time has elapsed, configure WARP sessions.

Allow only approved traffic

Restrict user access to only the specific sites or applications configured in your HTTP policies.

1. Allow HTTP and HTTPS traffic

SelectorOperatorValueLogicAction
Detected ProtocolisTLSAndAllow
Destination Portin80, 443

2. Block all other traffic

SelectorOperatorValueAction
ProtocolinUDP, TCPBlock

Restrict access to private networks

Restrict access to resources which you have connected through Cloudflare Tunnel.

The following example consists of two policies: the first allows specific users to reach your application, and the second blocks all other traffic. Make sure that the Allow policy has higher priority (by positioning it towards the top of the list in the UI).

1. Allow company employees

SelectorOperatorValueLogicAction
Destination IPin10.0.0.0/8AndAllow
User Emailmatches regex.*@example.com

2. Block everyone else

SelectorOperatorValueAction
Destination IPin10.0.0.0/8Block