Managed networks
Feature availability

| WARP modes | Zero Trust plans ↗ |
|---|---|
| All modes | All plans |

| System | Availability | Minimum WARP version |
|---|---|---|
| Windows | ✅ | 2025.1.861.0 |
| macOS | ✅ | 2025.1.861.0 |
| Linux | ✅ | 2025.1.861.0 |
| iOS | ✅ | 1.0 |
| Android | ✅ | 1.0 |
| ChromeOS | ✅ | 1.0 |
Cloudflare WARP allows you to selectively apply specific device profiles and WARP client settings when a device connects to a secure network location, such as an office. WARP identifies these managed networks by detecting a TLS endpoint you set up on the network.
On this page, you will learn how to:
- Create a TLS endpoint on your trusted network.
- Configure the TLS endpoint in Zero Trust to set up a managed network.
- Apply the appropriate device profile to a device when the WARP client detects it is on your managed network.
- The WARP client scans for managed networks when the operating system's default route changes, the SSID of the active Wi-Fi connection changes, or the DNS servers of the default interface change. To minimize performance impact, reuse the same TLS endpoint across multiple locations unless you require distinct settings profiles for each location.
- Ensure that the device can only reach one managed network at any given time. If multiple managed networks are configured and reachable, there is no way to determine which settings profile the device will receive.
When you configure a managed network, the WARP client uses the TLS endpoint to determine whether the device is on that network.
The time it takes to apply the correct device profile depends on how quickly the TLS endpoint responds.
If the TLS endpoint times out after 5 seconds, the WARP client will determine that the device is not on a managed network and will apply the default device profile. The WARP client only retries detection if a non-timeout error occurs. A timeout triggers fallback to the default device profile without further retries.
A TLS endpoint is a host on your network that serves a TLS certificate. The TLS endpoint acts like a network location beacon — when a device connects to a network, the WARP client on the device detects the TLS endpoint and validates the TLS certificate against the SHA-256 fingerprint (if specified) or against the local certificate store to check that it is signed by a public certificate authority.
The TLS certificate can be hosted by any device on your network. However, the endpoint must be inaccessible to users outside of the network location. WARP will automatically exclude the managed network endpoint from all device profiles to ensure that users cannot connect to this endpoint over Cloudflare Tunnel. We recommend choosing a host that is physically in the office which remote users do not need to access, such as a printer.
If you do not already have a TLS endpoint on your network, you can set one up as follows:
- Generate a TLS certificate:
  The command will output a certificate in PEM format and its private key. Store these files in a secure place.
- Configure an HTTPS server on your network to use this certificate and key. The example below demonstrates how to serve the TLS certificate from an nginx container in Docker:
  a. Create an nginx configuration file called nginx.conf:
     If needed, replace /certs/example.pem and /certs/example.key with the locations of your certificate and key.
  b. Add the nginx image to your Docker compose file:
     If needed, replace ./nginx.conf and ./certs with the locations of your nginx configuration file and certificate.
  c. Start the server:
- To test that the TLS server is working, run a curl command from the end user's device:
  You need to pass the --insecure option because we are using a self-signed certificate. If the device is connected to the network, the request should return a 200 status code.
Windows IIS
To create a TLS endpoint using Windows Internet Information Services (IIS) Manager:
- Run PowerShell as administrator.
- Generate a self-signed certificate:
- Extract the certificate's SHA-256 fingerprint:
  You will need the SHA-256 fingerprint to configure the managed network in Zero Trust. Do not use the default SHA-1 thumbprint generated by the New-SelfSignedCertificate command.
- Open IIS Manager.
- In the Connections pane, right-click the Sites node and select Add Website.
- In Site name, enter any name for the TLS server (for example, Managed Network Server).
- In Physical path, enter any directory that contains a .htm or .html file, such as C:\inetpub\wwwroot. Cloudflare does not validate the content within the directory.
- Under Binding, configure the following fields:
  - Type: https
  - IP address: All Unassigned
  - Port: 443
  - Host name: Enter the certificate's Common Name (CN). The CN of our example certificate is office-name.example.internal.
  - Require Server Name Indication: Enabled
  - SSL certificate: Select the name of your TLS certificate. Our example certificate is called Cloudflare Managed Network Certificate.
- To test that the TLS server is working, run a curl command from the end user's device:
  You need to pass the --insecure option because we are using a self-signed certificate. The --resolve option allows you to connect to the server's private IP but also pass the hostname to the server for SNI and certificate validation. If the device is connected to the network, the request should return your directory's default homepage (C:\inetpub\wwwroot\iisstart.htm).
The WARP client establishes a TLS connection using Rustls ↗. Make sure your TLS endpoint accepts one of the cipher suites supported by Rustls ↗.
The SHA-256 fingerprint is only required if your TLS endpoint uses a self-signed certificate.
To obtain the SHA-256 fingerprint of a local certificate:
The output will look something like:
To test connectivity and obtain the SHA-256 fingerprint of a remote server:
The output will look something like:
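The following Python script is an added example, not Cloudflare's code and not how the WARP client (which uses Rustls) is implemented: it models the detection rules described above and computes the colon-separated SHA-256 fingerprint in the form the openssl commands in this section print. The function names, the injectable `fetch` callable and the sample DER bytes are assumptions made for illustration.

```python
import hashlib
import socket
import ssl

# Added example (not Cloudflare's code) modelling the check this page describes:
# 5-second TLS probe, accepted on a pinned SHA-256 fingerprint or the local CA
# store; a timeout means the default profile with no retry, other errors retry.
DETECTION_TIMEOUT = 5.0

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of a DER certificate as colon-separated uppercase hex, the form
    `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Accept a pasted pin with or without colons, in either letter case."""
    return fp.replace(":", "").strip().upper()

def fetch_peer_cert(host: str, port: int, pinned: bool, timeout=DETECTION_TIMEOUT) -> bytes:
    """Connect to the beacon and return its DER certificate. Without a pin the
    default context enforces the local CA store; with a pin, chain validation is
    skipped because the fingerprint comparison in decide() is the check."""
    ctx = ssl.create_default_context()
    if pinned:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def decide(der_cert: bytes, expected_fp) -> str:
    """'managed' when the beacon checks out, otherwise 'default'."""
    if expected_fp is None:  # no pin: CA validation already passed in fetch_peer_cert
        return "managed"
    return "managed" if normalize(fingerprint(der_cert)) == normalize(expected_fp) else "default"

def detect(expected_fp, fetch, max_attempts=3):
    """Detection loop. `fetch` is a zero-argument callable returning the peer's
    DER certificate (hypothetical injection point so the loop can be tested
    without a network). Returns (profile, attempts_used)."""
    for attempt in range(1, max_attempts + 1):
        try:
            der = fetch()
        except (socket.timeout, TimeoutError):  # timed out: default profile, no retry
            return "default", attempt
        except OSError:  # refused, reset or TLS failure: retry
            continue
        return decide(der, expected_fp), attempt
    return "default", max_attempts
```

Against a real beacon, pass `lambda: fetch_peer_cert("192.168.185.198", 3333, pinned=True)` together with the pin from the dashboard; a misconfigured pin or a slow endpoint both surface as the default profile, which is the failure mode the page warns about.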
- In Zero Trust ↗, go to Settings > WARP Client.
- Scroll down to Network locations and select Add new.
- Name your network location.
- In Host and Port, enter the private IP address and port number of your TLS endpoint (for example, 192.168.185.198:3333).
- (Optional) In TLS Cert SHA-256, enter the SHA-256 fingerprint of the TLS certificate. This field is only needed for self-signed certificates. If a TLS fingerprint is not supplied, WARP validates the certificate against the local certificate store and checks that it is signed by a public certificate authority.
- Add the following permission to your cloudflare_api_token ↗: Zero Trust Write
- Add a managed network using the cloudflare_zero_trust_device_managed_network ↗ resource:
WARP will automatically exclude the TLS endpoint from all device profiles if it is specified as a private IP address. This exclusion prevents remote users from accessing the endpoint through the WARP tunnel on any port. If the TLS endpoint is specified as a hostname instead of a private IP, WARP will not automatically exclude it.
If a device profile uses Split Tunnels in Include mode, ensure that the Split Tunnel entries do not contain the TLS endpoint IP address; otherwise, the entire IP range will be excluded from the WARP tunnel.
- In Zero Trust ↗, go to Settings > WARP Client.
- Under Profile settings, create a new settings profile or edit an existing profile.
- To apply this profile whenever a device connects to your network, add the following rule:
  | Selector | Operator | Value |
  |---|---|---|
  | Managed network | is | <NETWORK-NAME> |
- Save the profile.
In cloudflare_zero_trust_device_custom_profile ↗, configure a match expression using the network selector. For example, the following device profile will match all devices connected to a specific managed network:
Managed networks are now enabled. Every time a device in your organization connects to a network (for example, when waking up the device or changing Wi-Fi networks), the WARP client will determine its network location and apply the corresponding settings profile.
To check if the WARP client detects the network location:
- Turn on WARP.
- Disconnect and reconnect to the network.
- Open a terminal and run warp-cli debug alternate-network.
- Device profiles - How to create and manage the device profiles you apply via managed networks.
- WARP settings - Defines how WARP behaves and what users can do.
- WARP troubleshooting guide - Troubleshoot common WARP issues.
