Common policies
The following policies are commonly used to secure network traffic.
Refer to the network policies page for a comprehensive list of other selectors, operators, and actions.
To minimize the risk of shadow IT, some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks known AI tools:
| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Application | in | Artificial Intelligence | Block |
Configure access on a per user or group basis by adding identity-based conditions to your policies.
| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Application | in | Salesforce | And | Block |
| User Group Names | in | Contractors | | |
Require devices to have certain software installed or other configuration attributes. For instructions on enabling a device posture check, refer to the device posture section.
In the following example, you can use a list of device serial numbers to ensure users can only access an application if they connect with the WARP client from a company device:
| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| SNI Domain | is | internalapp.com | And | Block |
| Passed Device Posture Checks | not in | Device serial numbers | | |
To get the UUIDs of your device posture checks, use the List device posture rules endpoint.
To require users to re-authenticate after a certain amount of time has elapsed, configure WARP sessions.
Restrict user access to only the specific sites or applications configured in your HTTP policies. The following two policies work together: the first allows TLS traffic on ports 80 and 443, and the second blocks all other TCP and UDP traffic.

| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Detected Protocol | is | TLS | And | Allow |
| Destination Port | in | 80, 443 | | |

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Protocol | in | TCP, UDP | Block |
If your organization blocks traffic by default with a network policy and you want to inspect HTTP traffic on all ports, you need to explicitly allow HTTP and TLS traffic to filter it.
| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Detected Protocol | is | TLS | Or | Allow |
| Detected Protocol | is | HTTP | | |
Restrict access to resources which you have connected through Cloudflare Tunnel.
The following example consists of two policies: the first allows specific users to reach your application, and the second blocks all other traffic.
| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Destination IP | in | 10.0.0.0/8 | And | Allow |
| User Email | matches regex | .*@example.com | | |

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Destination IP | in | 10.0.0.0/8 | Block |
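As an added illustration (not Cloudflare's code or API), the following Python models Gateway's ordered, first-match policy evaluation and expresses the Cloudflare Tunnel pair above and the earlier device posture policy as data; the sample connections, the `Allow` result when no policy matches and the full-match reading of `matches regex` are assumptions of the model.

```python
import ipaddress
import re


def _member(selector, actual, values):
    """'in' semantics: CIDR containment for IPs, intersection for list-valued selectors."""
    if selector == "Destination IP":
        return any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
    if isinstance(actual, list):
        return any(a in values for a in actual)
    return actual in values


# Operator column of the page's tables. 'matches regex' is modelled as a full match (assumption).
OPERATORS = {
    "in": _member,
    "not in": lambda s, a, v: not _member(s, a, v),
    "is": lambda s, a, v: a == v,
    "matches regex": lambda s, a, v: re.fullmatch(v, a or "") is not None,
}

# Private-network pair from the page: example.com users may reach 10.0.0.0/8, all others are blocked.
TUNNEL_POLICIES = [
    {"conditions": [("Destination IP", "in", ["10.0.0.0/8"]),
                    ("User Email", "matches regex", r".*@example.com")],
     "logic": "And", "action": "Allow"},
    {"conditions": [("Destination IP", "in", ["10.0.0.0/8"])], "action": "Block"},
]

# Device-posture row from the page: block internalapp.com unless the serial-number check passed.
POSTURE_POLICIES = [
    {"conditions": [("SNI Domain", "is", "internalapp.com"),
                    ("Passed Device Posture Checks", "not in", ["Device serial numbers"])],
     "logic": "And", "action": "Block"},
]


def policy_matches(policy, conn):
    """Combine a policy's rows with its Logic column (And unless Or is given)."""
    results = [OPERATORS[op](sel, conn.get(sel), val) for sel, op, val in policy["conditions"]]
    return any(results) if policy.get("logic") == "Or" else all(results)


def evaluate(policies, conn):
    """Action of the first matching policy; Allow when none matches (assumed default)."""
    for policy in policies:
        if policy_matches(policy, conn):
            return policy["action"]
    return "Allow"
```

Evaluating `TUNNEL_POLICIES[::-1]` shows why order matters: with the catch-all Block first, even an example.com user is blocked.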
Override traffic directed toward a specific IP address with a different IP address.
| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Destination IP | in | 203.0.113.17 | And | Network Override |
| Destination Port | is | 80 | | |

| Override IP | Override Port |
| --- | --- |
| 1.1.1.1 | 80 |
