Gateway policy expressions
Gateway policies use a wirefilter-based expression language to match traffic against selectors (criteria). This syntax is similar to, but distinct from, the Rules language used by the WAF, Transform Rules, Cache Rules, and other Cloudflare products. Refer to Gateway versus Ruleset Engine for details on the differences.
Gateway expressions follow this pattern:

```txt
<field> <operator> <value>
```

For example:

```txt
dns.fqdn == "example.com"
http.request.host == "api.example.com"
identity.email == "user@company.com"
```

Gateway supports the following operators:
| Operator | Name | Example |
|---|---|---|
| == | Equals | dns.fqdn == "example.com" |
| != | Does not equal | http.request.host != "blocked.com" |
| in | Value is in set | net.dst.port in {80 443} |
| matches | Matches regular expression | http.request.host matches ".*\\.example\\.com" |
| > | Greater than | http.upload.file.size > 10 |
| >= | Greater than or equal to | http.download.file.size >= 100 |
| < | Less than | http.upload.file.size < 50 |
| <= | Less than or equal to | http.download.file.size <= 200 |
Combine multiple conditions using logical operators:
| Operator | Name | Example |
|---|---|---|
and | Logical AND | dns.fqdn == "example.com" and identity.email == "admin@company.com" |
or | Logical OR | net.dst.port == 80 or net.dst.port == 443 |
not | Logical NOT | not(identity.email == "guest@company.com") |
Some Gateway fields return arrays (multiple values). Use the any() function to match if any element in the array meets the condition:

```txt
any(http.request.uri.content_category[*] in {17 85 102})
any(identity.groups[*].name in {"Engineering" "Security"})
any(http.request.domains[*] == "example.com")
```

The [*] notation indicates that the function should evaluate all elements in the array.
You can reference lists in your expressions using the list UUID:

```txt
http.request.host in $<LIST_UUID>
any(http.request.domains[*] in $<LIST_UUID>)
```

To find a list's UUID, go to My Team > Lists in Zero Trust and select the list. The UUID appears in the browser URL.
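As an added, runnable illustration of the syntax covered above (example code written for this page, not Cloudflare's wirefilter engine), the following Python module tokenizes a Gateway expression, parses it into a small AST and evaluates it against a request. It covers the comparison operators, `and`/`or`/`not` with their precedence, `any(...[*]...)` array matching, set literals, CIDR containment for IP selectors and `$<LIST_UUID>` references, and it rejects an array selector used outside `any()`, a scalar selector inside it, unknown characters and trailing tokens. Assumptions not taken from the page: the request is a flat dict keyed by the selector path exactly as written (so `identity.groups[*].name` holds a list of group names), `lists` maps a list UUID to its members (strings, integers or `ipaddress` networks), `matches` is an unanchored regular-expression search, and a selector missing from the request evaluates as `None`.

```python
"""Toy evaluator for the Gateway expression syntax on this page (added example, not Cloudflare's
wirefilter). Assumed shapes: request = flat dict keyed by selector path; lists = {uuid: [members]}."""
import ipaddress
import re

KEYWORDS = {"and", "or", "not", "in", "matches", "any"}
COMPARATORS = {"==", "!=", ">", ">=", "<", "<=", "in", "matches"}
PREC = {"or": 0, "and": 1}  # binding power of the connectives; not, any() and ( ) bind tightest
TOKEN_RE = re.compile(r"""\s*(?:(?P<listref>\$[\w-]+)|(?P<string>"(?:\\.|[^"\\])*")
    |(?P<cidr>\d+(?:\.\d+){3}(?:/\d+)?)|(?P<number>\d+)|(?P<field>[A-Za-z_][\w.]*(?:\[\*\][\w.]*)*)
    |(?P<op>==|!=|>=|<=|>|<|[(){}])|(?P<bad>\S))""", re.VERBOSE)
LITERALS = {"string": lambda s: re.sub(r"\\(.)", r"\1", s[1:-1]), "number": int,  # unquote, unescape
            "cidr": lambda s: ipaddress.ip_network(s, strict=False), "listref": lambda s: ("list", s[1:])}

def tokenize(text):
    tokens = [(m.lastgroup, m.group(m.lastgroup)) for m in TOKEN_RE.finditer(text)]
    if any(k == "bad" for k, _ in tokens):
        raise ValueError(f"unexpected characters: {[v for k, v in tokens if k == 'bad']!r}")
    return [("kw" if k == "field" and v in KEYWORDS else k, v) for k, v in tokens] + [("end", "<eof>")]

def expect(toks, val):
    if toks[0][1] != val:
        raise ValueError(f"expected {val!r}, got {toks[0][1]!r}")
    return toks.pop(0)

def parse_bool(toks, min_prec=0):  # precedence climbing over `or` < `and`
    if toks[0][1] == "not":
        toks.pop(0)
        lhs = ("not", parse_bool(toks, 2))
    elif toks[0][1] == "(":
        toks.pop(0)
        lhs = parse_bool(toks)
        expect(toks, ")")
    else:
        lhs = parse_cmp(toks)
    while toks[0][1] in PREC and PREC[toks[0][1]] >= min_prec:
        word = toks.pop(0)[1]
        lhs = (word, lhs, parse_bool(toks, PREC[word] + 1))
    return lhs

def parse_cmp(toks):
    in_any = toks[0][1] == "any"  # any(<array selector>[*] <op> <value>)
    if in_any:
        toks.pop(0)
        expect(toks, "(")
    kind, path = toks.pop(0)
    if kind != "field" or ("[*]" in path) != in_any:
        raise ValueError(f"{path!r}: [*] array selectors go inside any(), scalar ones outside")
    op = toks.pop(0)[1]
    if op not in COMPARATORS:
        raise ValueError(f"unknown operator {op!r}")
    value = parse_value(toks)
    if in_any:
        expect(toks, ")")
    return ("cmp", path, op, value, in_any)

def parse_value(toks):
    kind, text = toks.pop(0)
    if text == "{":  # set literal: {a b c}
        items = []
        while toks[0][1] != "}":
            items.append(parse_value(toks))
        toks.pop(0)
        return items
    if kind not in LITERALS:
        raise ValueError(f"unexpected value {text!r}")
    return LITERALS[kind](text)

def member(a, m):  # equality, or CIDR containment when the expression side is a network
    if isinstance(m, ipaddress.IPv4Network):
        return isinstance(a, str) and ipaddress.ip_address(a) in m  # a non-IP string raises ValueError
    return a == m

def compare(a, op, v, lists):
    if op == "matches":  # assumption: unanchored search, as re.search does
        return isinstance(a, str) and re.search(v, a) is not None
    if op == "in":  # set literal or $<LIST_UUID>; an unknown UUID raises KeyError
        return any(member(a, m) for m in (lists[v[1]] if isinstance(v, tuple) else v))
    if op in ("==", "!="):
        return member(a, v) == (op == "==")
    if not isinstance(a, int) or not isinstance(v, int):
        return False  # ordering only makes sense for numeric selectors
    return {">": a > v, ">=": a >= v, "<": a < v, "<=": a <= v}[op]

def run(node, request, lists):
    tag, *args = node
    if tag in PREC or tag == "not":
        vals = [run(n, request, lists) for n in args]
        return all(vals) if tag == "and" else any(vals) if tag == "or" else not vals[0]
    path, op, value, in_any = args
    actual = request.get(path)  # array selectors hold a list under their full "[*]" path (assumption)
    return any(compare(a, op, value, lists) for a in ((actual or []) if in_any else [actual]))

def evaluate(expression, request, lists=None):
    """True if the Gateway expression matches the request; ValueError on bad syntax."""
    toks = tokenize(expression)
    node = parse_bool(toks)
    expect(toks, "<eof>")  # reject trailing garbage rather than silently ignoring it
    return run(node, request, lists or {})
```

A call looks like `evaluate("net.dst.ip in $LIST_UUID", request, {"LIST_UUID": [ipaddress.ip_network("10.0.0.0/8")]})`, where `request` is a dict such as `{"net.dst.ip": "10.20.30.40", "identity.groups[*].name": ["Engineering"]}`. Two design choices matter for policy testing: the parser fails closed on any construct it does not understand (a policy that silently drops half its expression is worse than one that fails to load), and IP literals become `ipaddress` networks so that `net.dst.ip in {10.0.0.0/8}` is a containment check rather than a string comparison.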
Each Gateway policy type has its own set of traffic fields (dns., http., net.); identity and device posture fields are not policy types of their own but can be combined with those traffic fields, as the examples above that pair dns.fqdn or http.request.host with identity.email show. The following table shows the field prefix used by each category:
| Category | Field prefix | Example fields |
|---|---|---|
| DNS | dns. | dns.fqdn, dns.content_category, dns.src_ip |
| HTTP | http. | http.request.host, http.request.uri, http.request.domains |
| Network | net. | net.dst.ip, net.dst.port, net.src.ip |
| Identity | identity. | identity.email, identity.groups, identity.name |
| Device posture | device_posture. | device_posture.checks.passed |
For a complete list of available fields for each policy type, refer to the selectors documentation linked at the top of this page.
Putting these pieces together, the following are complete expressions that combine selectors, operators, any(), lists, and logical connectives:

```txt
dns.fqdn == "example.com"
any(http.request.uri.content_category[*] in {17 85 102})
any(identity.groups[*].name in {"Engineering"})
net.dst.ip in {10.0.0.0/8}
http.request.host == "internal.example.com" and identity.email matches ".*@company.com"
```

The following table summarizes the key differences between the [Rules language](/ruleset-engine/rules-language/) (supported by the Ruleset Engine) and Gateway policy expressions:
| | Ruleset Engine | Gateway |
|---|---|---|
| Products | WAF, Transform Rules, Cache Rules, Configuration Rules | DNS, HTTP, Network, Egress, Resolver policies |
| Field examples | http.request.uri.path, cf.bot_management.score, ip.src | dns.fqdn, http.request.host, identity.email |
| Identity fields | Not available | Available (for example, identity.email, identity.groups) |
| DNS fields | Not available | Available (for example, dns.fqdn, dns.content_category) |
| Documentation | Rules language | Traffic policies |