Create your first network policy
You can control network-level traffic by filtering requests by selectors such as IP addresses and ports. You can also integrate network policies with an identity provider to apply identity-based filtering.
To create a new network policy:
Dashboard

- In Zero Trust, go to Gateway > Firewall policies.
- In the Network tab, select Add a policy.
- Name the policy.
- Under Traffic, build a logical expression that defines the traffic you want to allow or block.
- Choose an Action to take when traffic matches the logical expression. For example, you can use a list of device serial numbers to ensure users can only access an application if they connect with the WARP client from a company device:

  Selector | Operator | Value | Logic | Action
  SNI Domain | is | internalapp.com | And | Block
  Passed Device Posture Checks | not in | Device serial numbers | |

- Select Create policy.

API

- Create an API token with the following permissions:

  Type | Item | Permission
  Account | Zero Trust | Edit

- (Optional) Configure your API environment variables to include your account ID and API token.
- Send a POST request to the Create a Zero Trust Gateway rule endpoint. For example, you can use a list of device serial numbers to ensure users can only access an application if they connect with the WARP client from a company device:

  ```sh
  curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer <API_TOKEN>" \
    --data '{
      "name": "Enforce device posture",
      "description": "Ensure only devices in Zero Trust organization can connect to application",
      "precedence": 0,
      "enabled": true,
      "action": "block",
      "filters": ["l4"],
      "traffic": "any(net.sni.domains[*] == \"internalapp.com\")",
      "identity": "",
      "device_posture": "not(any(device_posture.checks.passed[*] in {\"<LIST_UUID>\"}))"
    }'
  ```

  The API will respond with a summary of the policy and the result of your request:

  ```json
  {"success": true, "errors": [], "messages": []}
  ```
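The same rule built and submitted from a script, as an added example that is not Cloudflare's own code. It assumes the environment variables CLOUDFLARE_ACCOUNT_ID and CLOUDFLARE_API_TOKEN hold your account ID and token, and that the Gateway list of device serial numbers is referenced by its UUID (placeholder "<LIST_UUID>"); it also generalises the page's single-domain expression to a set of SNI domains, and fails loudly when the API reports "success": false so an unapplied policy is not mistaken for an enforced one.

```python
"""Added example (not Cloudflare's code): build and submit a Gateway network
policy. Assumes env vars CLOUDFLARE_ACCOUNT_ID and CLOUDFLARE_API_TOKEN, and a
Gateway list UUID of device serial numbers (placeholder "<LIST_UUID>")."""
import json
import os

API_BASE = "https://api.cloudflare.com/client/v4"


def wirefilter_set(values):
    """Render a set literal in Gateway's expression syntax, e.g. {"a" "b"}."""
    return "{" + " ".join(json.dumps(v) for v in values) + "}"


def build_rule(domains, list_uuid, name="Enforce device posture", precedence=0):
    """JSON body for an L4 block rule: connections to any of `domains` are
    blocked unless the device passed the posture check backed by `list_uuid`."""
    if not domains:
        raise ValueError("at least one SNI domain is required")
    if len(domains) == 1:  # same shape as the single-domain curl example
        traffic = f"any(net.sni.domains[*] == {json.dumps(domains[0])})"
    else:  # several domains: match against a set literal instead
        traffic = f"any(net.sni.domains[*] in {wirefilter_set(domains)})"
    return {
        "name": name,
        "description": "Ensure only devices in Zero Trust organization can connect",
        "precedence": precedence,
        "enabled": True,
        "action": "block",
        "filters": ["l4"],
        "traffic": traffic,
        "identity": "",
        "device_posture": "not(any(device_posture.checks.passed[*] in "
                          f"{wirefilter_set([list_uuid])}))",
    }


def check_response(body):
    """Return the created rule, or raise with the API's errors so an
    unapplied policy is never mistaken for an enforced one."""
    if not body.get("success"):
        raise RuntimeError(f"Gateway rule not created: {body.get('errors')}")
    return body.get("result", {})


def send_rule(rule):
    """POST the rule to the Create a Zero Trust Gateway rule endpoint."""
    import requests  # third-party; only needed to actually call the API
    url = f"{API_BASE}/accounts/{os.environ['CLOUDFLARE_ACCOUNT_ID']}/gateway/rules"
    headers = {"Authorization": f"Bearer {os.environ['CLOUDFLARE_API_TOKEN']}",
               "Content-Type": "application/json"}
    return check_response(requests.post(url, headers=headers, json=rule, timeout=30).json())
```

Call `send_rule(build_rule(["internalapp.com"], "<LIST_UUID>"))` with the real list UUID to create the policy; `build_rule` and `check_response` need no network and can be unit-tested on their own.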
For more information, refer to network policies.