Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Skip inspection for groups of applications

You can configure Cloudflare Zero Trust to skip inspection for certain groups of applications.

By default, Cloudflare Gateway creates a rule that includes the hostnames used by certain client applications, like Zoom or Apple’s services, that rely on certificate pinning. The TLS inspection performed by a service like Cloudflare Gateway will cause errors when users visit those applications.

This tutorial skips inspection for additional applications beyond those in the list curated by Cloudflare.

This walkthrough covers how to:

  • Build a Do not inspect policy using Cloudflare’s list of certificate pinned resources
  • Configure that policies precedence in your Gateway configuration

Time to complete:

5 minutes

​​ Before you start

Enable HTTP filtering.

​​ Build the policy

  1. Navigate to the HTTP tab of the Policies page in Cloudflare Gateway. Click Add a rule.

  2. Name the policy and, optionally, provide a description.

  3. Under Selector choose Application. Select in in the Operator field. In the Value field, select the applications you wish to include.

  4. Scroll to the bottom of the page and select Do Not Inspect in the Select an action section, then click Create rule.

​​ Change rule precedence

New rules are saved at the bottom of the rule list in Gateway. Gateway evaluates rules from top-to-bottom, except for do-not-inspect rules. Those are always evaluated first.

We do recommend dragging the Do Not Inspect rule to the top of the list to reduce confusion.

Gateway rules displayed in recommended order.