
Skip inspection for groups of applications

You can configure Cloudflare for Teams to skip inspection for certain groups of applications.

By default, Cloudflare Gateway creates a rule that includes the hostnames used by certain client applications, like Zoom or Apple's services, that rely on certificate pinning. The TLS inspection performed by a service like Cloudflare Gateway will cause errors when users visit those applications.

This tutorial skips inspection for additional applications beyond those in the list curated by Cloudflare.

🗺️ This walkthrough covers how to:

  • Build a Do Not Inspect policy using Cloudflare's list of certificate-pinned resources
  • Configure that policy's precedence in your Gateway configuration

⏲️ Time to complete:

5 minutes

Before you start

  1. Connect devices to Cloudflare's edge with the WARP client and install the root certificate
  2. Enable web inspection

Build the policy

Navigate to the HTTP tab of the Policies page in Cloudflare Gateway. Click Add a rule.

Name the policy and, optionally, provide a description.

Under Selector, choose Application. Select "in" in the Operator field. This example uses Microsoft 365, categorized as Productivity.

Scroll to the bottom of the page, select Do Not Inspect, and click Create rule.

Change rule precedence

New rules are saved at the bottom of the rule list in Gateway. Gateway evaluates rules from top to bottom, except for Do Not Inspect rules, which are always evaluated first.

We recommend dragging the Do Not Inspect rule to the top of the list to reduce confusion.
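
The ordering described above, as a simplified model added here (not Cloudflare's code or API). The rule names, action labels and application sets are constructed for illustration. It shows that a Do Not Inspect rule saved at the bottom of the list still matches first, and it flags such rules so the listed order can be made to match the evaluated order.

```python
from dataclasses import dataclass

DO_NOT_INSPECT = "do_not_inspect"  # action label assumed for this model


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # e.g. "do_not_inspect", "block", "allow"
    applications: frozenset  # applications the rule's selector names


def evaluation_order(listed):
    """Do Not Inspect rules first, then the rest; list order is kept within each group."""
    first = [r for r in listed if r.action == DO_NOT_INSPECT]
    rest = [r for r in listed if r.action != DO_NOT_INSPECT]
    return first + rest


def first_match(listed, application):
    """Return the first rule, in evaluation order, that names the application."""
    for rule in evaluation_order(listed):
        if application in rule.applications:
            return rule
    return None


def misplaced_do_not_inspect(listed):
    """Names of Do Not Inspect rules listed below a rule of another kind."""
    seen_other, misplaced = False, []
    for rule in listed:
        if rule.action != DO_NOT_INSPECT:
            seen_other = True
        elif seen_other:
            misplaced.append(rule.name)
    return misplaced


# Constructed rule list: the new Do Not Inspect rule was saved at the bottom.
RULES = [
    Rule("Block file sharing", "block", frozenset({"Dropbox"})),
    Rule("Block productivity apps", "block", frozenset({"Microsoft 365", "Notion"})),
    Rule("Skip inspection for Microsoft 365", DO_NOT_INSPECT, frozenset({"Microsoft 365"})),
]

if __name__ == "__main__":
    print("Listed order:   ", [r.name for r in RULES])
    print("Evaluated order:", [r.name for r in evaluation_order(RULES)])
    print("Microsoft 365 ->", first_match(RULES, "Microsoft 365").name)
    print("Move to top:    ", misplaced_do_not_inspect(RULES))
```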
