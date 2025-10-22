 Skip to content
Global policies

Cloudflare Zero Trust applies a set of global policies to all accounts.

Zero Trust logs prepend an identifier to global policy names. For example, matches for the global policy Allow Zero Trust Services will appear in your logs with the name Global Policy - Allow Zero Trust Services.

The following policies are sorted by order of precedence within each policy type.

DNS resolution policies

Gateway enforces global DNS and resolver policies before any other policies. This ensures the traffic is not blocked by user policies and gets resolved with Cloudflare's public DNS resolver, 1.1.1.1. Each global DNS policy evaluates traffic based on the domain in the query.

NameIDValueAction
Allow DNS queries for cloudflareclient.com domain00000001-e139-4a1b-90d5-698d8fa371e0cloudflareclient.comallow
Resolve cloudflareclient.com through 1.1.1.100000001-e738-4554-823b-0b2c75af2c66cloudflareclient.comresolve
Allow DNS queries for content.browser.run domain00000001-9bff-4d83-a9e4-e5ed321fe0b9content.browser.runallow
Resolve content.browser.run through 1.1.1.100000001-0df5-472b-80c0-02888e7167eecontent.browser.runresolve
Allow DNS queries for edge.browser.run and cloudflarebrowser.com domains00000001-e2f1-4e99-bab3-91df88879587edge.browser.run and cloudflarebrowser.comallow
Resolve edge.browser.run and cloudflarebrowser.com through 1.1.1.100000001-b103-44c6-a114-7a784cdf3fb7edge.browser.run and cloudflarebrowser.comresolve
Allow DNS queries for help.teams.cloudflare.com and help.one.cloudflare.com domains00000001-b2fc-46db-b0f1-69ef3553bd7ahelp.teams.cloudflare.com and help.one.cloudflare.comallow
Resolve help.teams.cloudflare.com and help.one.cloudflare.com through 1.1.1.100000001-ce13-486a-b006-ba0435ccb013help.teams.cloudflare.com and help.one.cloudflare.comresolve
Allow DNS queries for cloudflare-gateway.com domain00000001-e83d-492b-995e-351970cd5e8ecloudflare-gateway.comallow
Resolve cloudflare-gateway.com through 1.1.1.100000001-d9bc-4913-a2f5-905dbb3ecf9acloudflare-gateway.comresolve
Allow DNS queries for cloudflarestatus.com domain00000001-78da-4f8a-b9ee-76563f1ec46bcloudflarestatus.comallow
Resolve cloudflarestatus.com through 1.1.1.100000001-4d1d-43a3-9015-c49fc3a6da31cloudflarestatus.comresolve
Allow DNS queries for nel.cloudflare.com domain00000001-af28-4afa-8987-eadc21187e14nel.cloudflare.comallow
Resolve nel.cloudflare.com through 1.1.1.100000001-0034-45a0-8333-f339451fba46nel.cloudflare.comresolve
Allow DNS queries for api.cloudflare.com domain00000001-5eea-4932-8dd5-8e1ec9770396api.cloudflare.comallow
Resolve api.cloudflare.com through 1.1.1.100000001-4f0c-4f86-9b96-5d26123a194bapi.cloudflare.comresolve
Allow DNS queries for dash.teams.cloudflare.com domain00000001-0f75-48a9-b3e1-925a974d2b65dash.teams.cloudflare.comallow
Resolve dash.teams.cloudflare.com through 1.1.1.100000001-3d84-41a6-bc84-3014685c0d81dash.teams.cloudflare.comresolve
Allow DNS queries for one.dash.cloudflare.com domain00000001-a9fd-40de-a662-51d3a3ae0ad8one.dash.cloudflare.com and one.dash.fed.cloudflare.comallow
Resolve one.dash.cloudflare.com through 1.1.1.100000001-70f2-4eea-b711-201bca434ed4one.dash.cloudflare.com and one.dash.fed.cloudflare.comresolve
Allow DNS queries for dash.cloudflare.com domain00000001-0c2a-4b31-8606-3e5a1d87c1bfdash.cloudflare.com and dash.fed.cloudflare.comallow
Resolve dash.cloudflare.com through 1.1.1.100000001-c47f-41f3-b234-d66c82b8d422dash.cloudflare.com and dash.fed.cloudflare.comresolve
Allow DNS queries for cloudflareportal.com, cloudflareok.com and cloudflarecp.com domains00000001-1c6c-4793-b48f-799eee6e0e31cloudflareportal.com, cloudflareok.com, and cloudflarecp.comallow
Resolve cloudflareportal.com, cloudflareok.com and cloudflarecp.com through 1.1.1.100000001-8c35-4d7d-9dbb-cb7350375b7bcloudflareportal.com, cloudflareok.com, and cloudflarecp.comresolve
Allow DNS queries for cloudflareaccess.com domain00000001-d738-4dad-bac4-1a50201d9503cloudflareaccess.comallow
Resolve cloudflareaccess.com through 1.1.1.100000001-4404-4572-80f6-f7b098909460cloudflareaccess.comresolve
Allow DNS queries for blocked.teams.cloudflare.com domain00000001-76f4-4438-b8ab-a9da53f4a2f1blocked.teams.cloudflare.com and blocked.teams.fed.cloudflare.comallow
Resolve blocked.teams.cloudflare.com through 1.1.1.100000001-af3c-458f-aeb2-b3bb5d3fe1d5blocked.teams.cloudflare.com and blocked.teams.fed.cloudflare.comresolve
Allow DNS queries for developers.cloudflare.com domain00000001-4263-4808-8457-4d4329c91f66developers.cloudflare.comallow
Resolve developers.cloudflare.com through 1.1.1.100000001-9f91-4462-9270-78beca5b4dbcdevelopers.cloudflare.comresolve
Allow DNS queries for speed.cloudflare.com domain00000001-4fc0-4286-b783-6c442adda171speed.cloudflare.comallow
Resolve speed.cloudflare.com through 1.1.1.100000001-ec51-4471-9e78-bd47d46a3002speed.cloudflare.comresolve
Allow DNS requests to browser-rendered Access Apps00000001-1232-4a9f-a165-1e8ed59483c4*.zero-trust-apps.cfdata.org, *.zero-trust-apps-staging.cfdata.org, *.zero-trust-apps.fed.cfdata.org, or *.zero-trust-apps-staging.fed.cfdata.orgallow
Resolve browser-rendered Access Apps domains through 1.1.1.100000001-9461-43c7-ba63-d0fdf9376bd4*.zero-trust-apps.cfdata.org, *.zero-trust-apps-staging.cfdata.org, *.zero-trust-apps.fed.cfdata.org, or *.zero-trust-apps-staging.fed.cfdata.orgresolve

Network proxy policies

NameIDCriteriaValueActionDescription
Allow CF Network Error Logging L400000001-e4af-4b82-8f8c-c79c1d5d212eHostname*.nel.cloudflare.comallowAllows SNI domains for WARP registration.
Allow CF Client00000001-8c3d-4e27-a01b-af8418000077Hostname*.cloudflareclient.com and *.fed.cloudflareclient.comallowAllows Zero Trust client.
Allow Gateway Proxy PAC00000001-776e-438d-9856-987d7053762bHostname*.cloudflare-gateway.com and *.fed.cloudflare-gateway.comallowAllows Gateway proxy with PAC files.
Allow Zero Trust Services00000001-e1e8-421b-a0fe-895397489f28Hostnamedash.teams.cloudflare.com, help.teams.cloudflare.com, blocked.teams.cloudflare.com, blocked.teams.fed.cloudflare.com, api.cloudflare.com, api.fed.cloudflare.com, cloudflarestatus.com, www.cloudflarestatus.com, one.dash.cloudflare.com, one.dash.fed.cloudflare.com, help.one.cloudflare.com, dash.cloudflare.com, dash.fed.cloudflare.com, and developers.cloudflare.comallowAllows Cloudflare Zero Trust services.
Allow Access Apps L400000001-daa2-41e2-8a88-698af4066951Hostname*.cloudflareaccess.com and *.fed.cloudflareaccess.comallowAllows Cloudflare Access applications.
Allow HTTP requests to browser-rendered Access Apps00000001-1f93-4476-8f92-9aa4407d1c5fHostname*.zero-trust-apps.cfdata.org, *.zero-trust-apps-staging.cfdata.org, *.zero-trust-apps.fed.cfdata.org, or *.zero-trust-apps-staging.fed.cfdata.orgallowAllows Cloudflare Access terminal applications rendered in a browser.

HTTP inspection policies

NameIDCriteriaValueActionDescription
Prevent Account Change Block00000001-d1f2-461a-8253-501c8d882a15Hostname*.cloudflareclient.com and *.fed.cloudflareclient.com; not notifications.cloudflareclient.com or notifications.fed.cloudflareclient.combypassEnsures users cannot accidentally block themselves from making account changes.
Bypass RBI Assets00000001-df61-4068-aa6c-0f684c3cd4e6Hostname*.content.browser.runbypassRequired for Browser Isolation.
Inspect RBI Urls00000001-3faa-4f59-98d4-0f6d6af4b6d0Hostname*.edge.browser.run and *.cloudflarebrowser.combypassRequired for Browser Isolation.
Allow Gateway Help Page00000001-8e9a-4429-b3c2-d267d0ce6114Hostnamehelp.teams.cloudflare.com and help.one.cloudflare.comallowUsed by the WARP client to check if Gateway is on by inspecting the certificate and checking if it is properly installed on the client device.
Bypass Gateway DNS00000001-d9c0-46b0-8704-2ea5b9d7bdfcHostname*.cloudflare-gateway.com and *.fed.cloudflare-gateway.combypassEnsures requests to the cloudflare-gateway.com DNS endpoint will not be inspected.
Bypass CF Status00000001-5399-4b71-a9fc-d4d90ccf0758Hostname*.cloudflarestatus.combypassBypasses cloudflarestatus.com so users can reach the status page in case of a Gateway outage.
Bypass CF Network Error Logging00000001-dfe0-4737-8d1e-8191e8f637dfHostname*.nel.cloudflare.combypassBypasses *.nel.cloudflarestatus.com for Cloudflare's network error logging feature.
Bypass CF API00000001-a424-43fb-b1f1-d3eb35ed7dddHostnameapi.cloudflare.com and api.fed.cloudflare.combypassBypasses Cloudflare's API endpoint.
Prevent ZT Dashboard Lockout00000001-d38e-42db-96fe-60613b6b308fHostnamedash.teams.cloudflare.com, one.dash.cloudflare.com, and one.dash.fed.cloudflare.combypassPrevents users from being locked out of the Zero Trust dashboard.
Bypass CF Dashboard00000001-d343-4ded-908e-b3fe43c5e61eHostname*.dash.cloudflare.com and *.dash.fed.cloudflare.combypassBypasses the Cloudflare dashboard and subdomains.
Bypass Zero Trust Captive Portal Sites00000001-8b62-4367-919e-5c160a06ddf7Hostnamecloudflareportal.com, cloudflareok.com, and cloudflarecp.combypassBypasses the Zero Trust captive portal detection sites.
Bypass OCSP00000001-34ce-47c7-ad0f-199f46eba194ApplicationOnline Certificate Status ProtocolbypassEnables OCSP stapling.
Allow Access Apps L700000001-8d6b-4951-8a18-3bbc9010976cHostname*.cloudflareaccess.com and *.fed.cloudflareaccess.comallowAllows Cloudflare Access applications.
Prevent Block Page Loop00000001-48b1-4ade-93c1-f0f3759dc19cHostnameblocked.teams.cloudflare.com and blocked.teams.fed.cloudflare.combypassPrevents an infinite loop on the Gateway block page.
Always Blocked Categories00000001-bed5-462e-b0f1-2e2c3555e9f7Content CategoryChild Abuse categoryblockBlocks child abuse materials (CSAM).
Don't Isolate RBI Help Pages00000001-1a18-431f-9c9d-bce431f1002aHostnamedevelopers.cloudflare.com and help.cloudflarebrowser.comnoisolatePrevents browser isolation of Cloudflare developer docs and help pages to help users troubleshoot configuration issues.
Don't AV Scan CF Speed00000001-c194-408f-87dd-9a366ce76e12Hostnamespeed.cloudflare.comnoscanAllows files transferred by the Cloudflare speed test.