Network filtering
Secure Web Gateway allows you to apply policies at the network level (Layers 3 and 4) to control which websites and non-HTTP applications users can access.
1. Connect to Gateway
Connect devices
To filter network traffic from a device such as a laptop or phone:
- Install the WARP client on your device.
- In the WARP client Settings, log in to your organization’s Zero Trust instance.
- (Optional) If you want to display a custom block page, install the Cloudflare root certificate on your device .
- Enable the Gateway proxy for TCP. Optionally, you can enable the UDP proxy to inspect all port 443 UDP traffic.
Connect private networks
To filter traffic from private networks, refer to the Cloudflare Tunnel guide.
2. Verify device connectivity
- In Zero Trust ↗, go to Settings > Network.
- Under Gateway logging, enable activity logging for all Network logs.
- On your WARP-enabled device, open a browser and visit any website.
- Determine the Source IP for your device:
- Open the WARP client settings.
- Go to Preferences > General.
- Note the Public IP.
- In Zero Trust, go to Logs > Gateway > Network. Before building Network policies, make sure you see Network logs from the Source IP assigned to your device.
3. Add policies
To create a new network policy, go to Gateway > Firewall policies > Network in Zero Trust. Refer to our list of common network policies for policies you may want to create.