--- title: Client modes description: Reference information for Client modes in Zero Trust. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ DNS ](https://developers.cloudflare.com/search/?tags=DNS)[ Posture ](https://developers.cloudflare.com/search/?tags=Posture) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/index.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Client modes You can deploy the Cloudflare One Client (formerly WARP) in different modes to control the types of traffic sent to Cloudflare Gateway. The client mode determines which Zero Trust features are available on the device. ## Traffic and DNS mode (default) The Cloudflare One Client routes device traffic for all ports and protocols, and forwards DNS resolution to the [client DNS resolver](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/). Use when you want full security coverage, including DNS filtering, HTTP inspection, network firewall policies, and device posture checks. | DNS filtering | Network filtering | HTTP filtering | Features enabled | | ------------- | ----------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | | Yes | Yes | Yes | DNS policies, network policies, HTTP policies, Browser Isolation, identity-based policies, device posture checks, AV scanning, and Data Loss Prevention | ## DNS only mode The Cloudflare One Client forwards DNS resolution to the Cloudflare account resolver, but does not route device traffic. Network and HTTP traffic is handled by the default mechanisms on your devices. Use when you only want to apply DNS filtering to outbound traffic from your company devices. | DNS filtering | Network filtering | HTTP filtering | Features enabled | | ------------- | ----------------- | -------------- | ---------------- | | Yes | No | No | DNS policies | ## Traffic only mode The Cloudflare One Client routes device traffic for all ports and protocols. DNS resolution remains managed by the device operating system. Use when you want to proxy network and HTTP traffic but keep your existing DNS filtering software. | DNS filtering | Network filtering | HTTP filtering | Features enabled | | ------------- | ----------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | | No | Yes | Yes | Network policies, HTTP policies, Browser Isolation, identity-based policies, device posture checks, AV scanning, and Data Loss Prevention | Note * Traffic only mode disables all features that rely on the Cloudflare One Client for DNS resolution, including [domain-based split tunneling](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#domain-based-split-tunnels) and [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/). * Only available on Windows, Linux, and macOS. * Traffic only mode has a known limitation concerning [DNS servers with IPv6 addresses](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/known-limitations/#ipv6-dns-resolution-in-traffic-only-mode). ## Local proxy mode The Cloudflare One Client only forwards explicitly-directed local HTTP traffic. Use when you want to filter traffic directed to specific applications. | DNS filtering | Network filtering | HTTP filtering | Features enabled | | ------------- | ----------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | | No | No | Yes | HTTP policies, Browser Isolation, identity-based policies, AV scanning, and Data Loss Prevention for traffic sent through localhost proxy | ### Set up Local proxy mode When you create a Cloudflare One account, a default [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) is created in Traffic and DNS mode. To set up Local proxy mode, you will need to edit the default device profile or create a new device profile and set the client mode to Local proxy mode. The default profile is used for all devices that are not assigned to a specific profile. If you want to apply Local proxy mode to a specific group of devices, you will need to create a new device profile and assign it to those devices. To set up Local proxy mode: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Teams & Resources** \> **Device profiles**. 2. Decide whether you would like to edit the default profile or create a new device profile. 3. Select the device profile you want to configure > **Edit** (If you only see **View**, you lack the permissions required to modify profiles). 4. Ensure the **Device tunnel protocol** is set to `MASQUE`. 5. Under **Service mode**, select **Local proxy mode**. 6. Select **Save profile**. MDM deployment If you are deploying the Cloudflare One Client through MDM, the configuration file will override any device profile settings, including the client mode. Refer to the [service\_mode parameter](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#service%5Fmode) for more information. For devices using Local proxy mode, the Cloudflare One Client listens on the configured port at the address `127.0.0.1` (`localhost`). Cloudflare uses `40000` as the default port for the Cloudflare One Client in Local proxy mode, but you can modify this to any available port. You must explicitly configure individual applications or your system proxy settings to use this proxy. Once configured, traffic to and from these applications will securely tunnel through the Cloudflare One Client. To make more complex routing decisions (such as, routing traffic directly to the Internet or other proxies), you can use a [PAC file](https://developers.cloudflare.com/learning-paths/secure-internet-traffic/configure-device-agent/pac-files/). ### Limitations * Local proxy mode can only be used by applications/operating systems that support SOCKS5/HTTP proxy communication. * Requires the MASQUE [device tunnel protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol). Wireguard is not supported. * Only available on Windows, Linux, and macOS. * Local proxy mode has a timeout limit of 10 seconds for requests. If a request goes above the 10 second limit, Cloudflare will drop the connection. ## Posture only mode The Cloudflare One Client collects device health and posture data, which you can reference in your security policies. The client does not route traffic or forward DNS queries in this mode. Use when you only want to enforce [Cloudflare One Client device posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/) for zones in your account. To set up Posture only mode, refer to the [dedicated page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/device-information-only/). | DNS filtering | Network filtering | HTTP filtering | Features enabled | | ------------- | ----------------- | -------------- | --------------------------------------------------------------------------------------------------------------------- | | No | No | No | Device posture rules in [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) | ## Modes comparison Each client mode offers a different set of Zero Trust features. | Client mode | Best for | DNS Filtering | Network Filtering | HTTP Filtering | Service mode (displayed in warp-cli settings) | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ | ------------- | ----------------- | -------------- | --------------------------------------------- | | [**Traffic and DNS mode (default)**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#traffic-and-dns-mode-default) | Full security with all filtering capabilities | ✅ | ✅ | ✅ | WarpWithDnsOverHttps | | [**DNS only mode**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode) | DNS filtering without routing device traffic | ✅ | ❌ | ❌ | DnsOverHttps | | [**Traffic only mode**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#traffic-only-mode) | Traffic routing with existing DNS infrastructure | ❌ | ✅ | ✅ | TunnelOnly | | [**Local proxy mode**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) | Filtering traffic to specific applications | ❌ | ❌ | ✅ | WarpProxy on port 40000 | | [**Posture only mode**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#posture-only-mode) | Device posture checks without traffic routing | ❌ | ❌ | ❌ | PostureOnly | ## Related resources * [Connectivity status](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/connectivity-status/) \- Learn about the status messages displayed by the Cloudflare One Client during its connection process, and understand each stage as the client establishes a secure tunnel to Cloudflare. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/team-and-resources/","name":"Team and resources"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/team-and-resources/devices/","name":"Devices"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/team-and-resources/devices/cloudflare-one-client/","name":"Cloudflare One Client"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/","name":"Configure the Cloudflare One Client"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/","name":"Client modes"}}]} ```