Get started

This section covers best practices for setting up the following Gateway policy types:

For each type of policy, we recommend the following workflow:

  1. Connect the devices and/or networks that you want to apply policies to.
  2. Verify that Gateway is successfully proxying traffic from your devices.
  3. Set up basic security and compatibility policies (recommended for most use cases).
  4. Customize your configuration to the unique needs of your organization.

Most organizations roll out Gateway in phases, starting with the lowest-effort, highest-impact policy type and adding deeper inspection over time.

Phase 1: DNS filtering

DNS filtering requires the least deployment effort and provides immediate protection.

  • Point your network DNS to Gateway's resolver addresses, or deploy the Cloudflare One Client in DNS-only mode.
  • Block all security threat categories (malware, phishing, command and control).
  • Block content categories that violate your acceptable use policy.
  • Review DNS logs to gain visibility into Internet usage across your organization.

For setup instructions, refer to Set up DNS filtering.

Phase 2: Network policies

After DNS filtering is in place, add network-level controls for non-HTTP traffic.

  • Deploy the Cloudflare One Client and enable the Gateway proxy for TCP.
  • Block traffic to high-risk IP ranges or restrict which ports and protocols users can access.
  • Use protocol detection to identify applications by traffic pattern rather than port number.
  • Enable network session logging for audit trails.

For setup instructions, refer to Set up network filtering.

Phase 3: HTTP inspection

HTTP inspection provides the deepest visibility and the most granular controls, but it requires additional setup.

For setup instructions, refer to Set up HTTP filtering.

Phase 4: Egress control and full integration

With all policy layers active, extend Gateway to cover your full network and integrate with other Cloudflare One services.

  • Connect branch offices and data centers with network tunnels (IPsec/GRE via Magic WAN).
  • Configure dedicated egress IPs so third-party services can identify your organization's traffic.
  • Set up resolver policies to route internal DNS queries to your private DNS servers.
  • Monitor SaaS application usage with CASB.