Skip to content

Changelog

2024-12-19

Digital Experience Monitoring

Remote captures

Admins can now collect packet captures (PCAPs) and WARP diagnostic logs from end user devices. For more information, refer to Remote captures.

2024-12-19

Email Security

Email Security reclassification tab

Customers can now have more transparency about their team and user submissions. The new Reclassification tab in the Zero Trust dashboard will allow customers to have a full understanding of what submissions they have made and what the outcomes of those submissions are.

2024-12-19

Email Security

Email Security expanded folder scanning

Microsoft 365 customers can now choose to scan all folders or just the inbox when deploying via the Graph API.

2024-12-17

Magic Transit

BGP support for Cloudflare Network Interconnect (CNI)

Magic Transit customers can now establish BGP peering over Direct CNI circuits. Customers can now dynamically exchange routes and path availability status between their router device and the Magic Transit routing table.

2024-12-17

Magic WAN

Magic WAN Connector configurable health checks

Health check rate on Magic WAN Connector IPsec tunnels are now configurable.

2024-12-17

Magic WAN

BGP support for Cloudflare Network Interconnect (CNI)

Magic WAN customers can now establish BGP peering over Direct CNI circuits. Customers can now dynamically exchange routes and path availability status between their router device and the Magic WAN table.

2024-12-17

Cloudflare Network Interconnect

BGP support for Cloudflare Network Interconnect (CNI)

Magic WAN and Magic Transit customers can now establish BGP peering over Direct CNI circuits. Customers can now dynamically exchange routes and path availability status between their router device and the Magic WAN or Magic Transit routing table.

2024-12-05

Magic Cloud Networking

Download cloud onramp terraform

Customers can now generate customized terraform files for building cloud network on-ramps to Magic WAN. Magic Cloud can scan and discover existing network resources and generate the required terraform files to automate cloud resource deployment using their existing infrastructure-as-code workflows for cloud automation.

2024-12-04

Access

SCIM GA for Okta and Microsoft Entra ID

Cloudflare's SCIM integrations with Okta and Microsoft Entra ID (formerly AzureAD) are now out of beta and generally available (GA) for all customers. These integrations can be used for Access and Gateway policies and Zero Trust user management. Note: This GA release does not include Dashboard SSO SCIM support.

2024-12-04

Zero Trust WARP Client

Custom device posture integration

WARP now supports setting up custom device posture integrations using a third-party API of your choice.

2024-11-25

DLP

Profile confidence levels

DLP profiles now support setting a confidence level to choose how tolerant its detections are to false positives based on the context of the detection. The higher a profile's confidence level is, the less false positives will be allowed. Confidence levels include Low, Medium, or High. DLP profile confidence levels supersede context analysis.

2024-11-22

CASB

CASB and DLP with Cloud Data Extraction for AWS cloud environments

You can now use CASB to find security misconfigurations in your AWS cloud environment. You can also connect your AWS compute account to extract and scan your S3 buckets for sensitive data while avoiding egress fees.

2024-11-21

Magic Cloud Networking

Import cloud resources for VMs and LBs

Cloud network discovery now includes cloud native virtual machine (VM) and load-balancer (LB) resources.

2024-11-21

Magic Cloud Networking

Export resource catalog

Customers can export their resource catalog including all discovered resource metadata to a downloadable JSON file, suitable for offline analysis.

2024-11-20

Gateway

Category filtering in the network policy builder

Gateway users can now create network policies with the Content Categories and Security Risks traffic selectors. This update simplifies malicious traffic blocking and streamlines network monitoring for improved security management.

2024-11-19

Zero Trust WARP Client

MASQUE GA

MASQUE as a device tunnel protocol option is now generally available (GA). Refer to Device tunnel protocol for configuration details and minimum WARP client requirements.

2024-11-18

Zero Trust WARP Client

WARP client for macOS (version 2024.11.309.0)

A new GA release for the macOS WARP client is now available in the App Center. This release contains minor fixes and improvements.

Changes and improvements:

  • Fixed an issue where SSH sessions and other application connections over TCP or UDP could drop when a device that is using MASQUE changes its primary network interface.
  • Fixed an issue to ensure the Cloudflare root certificate (or custom certificate) is installed in the trust store if not already there.
  • Fixed an issue with the WARP client becoming unresponsive during startup.
  • Extended warp-diag to collect system profiler firewall state as part of diagnostics.
  • Fixed an issue with the WARP client becoming unresponsive while handling LAN inclusion.
  • Fixed an issue where users were unable to connect with an IPC error message displayed in the UI.
  • Fixed an issue that was preventing proper operation of DNS-over-TLS (DoT) for consumer users.

Known issues:

  • macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.1 or later.

2024-11-18

Zero Trust WARP Client

WARP client for Windows (version 2024.11.309.0)

A new GA release for the Windows WARP client is now available in the App Center. This release contains minor fixes and improvements.

Changes and improvements:

  • Fixed an issue where SSH sessions and other application connections over TCP or UDP could drop when a device that is using MASQUE changes its primary network interface.
  • Fixed an issue to ensure the Cloudflare root certificate (or custom certificate) is installed in the trust store if not already there.
  • Fixed an issue with the WARP client becoming unresponsive during startup.
  • Extended diagnostics collection time in warp-diag to ensure logs are captured reliably.
  • Fixed an issue that was preventing proper operation of DNS-over-TLS (DoT) for consumer users.

Known issues:

  • DNS resolution may be broken when all of the following conditions are true:

    • WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
    • A custom DNS server address is configured on the primary network adapter.
    • The custom DNS server address on the primary network adapter is changed while WARP is connected.

    To work around the DNS issue, reconnect the WARP client by toggling off and back on.

2024-11-18

Zero Trust WARP Client

WARP client for Linux (version 2024.11.309.0)

A new GA release for the Linux WARP client is now available in the package repository. This release contains reliability improvements and general bug fixes.

Changes and improvements:

  • Fixed an issue where SSH sessions and other connections ould drop when a device that is using MASQUE changes its primary network interface.
  • Device posture client certificate checks now support PKCS#1.
  • Fixed an issue to ensure the Cloudflare root certificate (or custom certificate) is installed in the trust store if not already there.
  • Reduced unnecessary log messages when resolv.conf has no owner.
  • Fixed an issue with warp-diag printing benign TLS certificate errors.
  • Fixed an issue with the WARP client becoming unresponsive during startup.
  • Extended diagnostics collection time in warp-diag to ensure logs are captured reliably.
  • Fixed an issue that was preventing proper operation of DNS-over-TLS (DoT) for consumer users.

2024-11-01

DLP

Send entire HTTP requests to a Logpush destination

In addition to logging the payload from HTTP requests that matched a DLP policy in Cloudflare Logs, Enterprise users can now configure a Logpush job to send the entire HTTP request that triggered a DLP match to a storage destination. This allows long-term storage of full requests for use in forensic investigation.

2024-10-23

Zero Trust WARP Client

WARP client for macOS (version 2024.10.279.1)

A new beta release for the macOS WARP client is now available in the App Center. This release contains minor fixes and improvements.

Changes and improvements:

  • Fixed an issue where SSH sessions and other application connections over TCP or UDP could drop when a device that is using MASQUE changes its primary network interface.
  • Fixed an issue to ensure the Cloudflare root certificate (or custom certificate) is installed in the trust store if not already there.

Known issues:

  • Cloudflare is investigating temporary networking issues on macOS 15 (Sequoia) that affect some users and may occur on any version of the WARP client.

2024-10-23

Zero Trust WARP Client

WARP client for Windows (version 2024.10.279.1)

A new beta release for the Windows WARP client is now available in the App Center. This release contains minor fixes and improvements.

Changes and improvements:

  • Fixed an issue where SSH sessions and other application connections over TCP or UDP could drop when a device that is using MASQUE changes its primary network interface.
  • Fixed an issue to ensure the Cloudflare root certificate (or custom certificate) is installed in the trust store if not already there.

Known issues:

  • DNS resolution may be broken when all of the following conditions are true:

    • WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
    • A custom DNS server address is configured on the primary network adapter.
    • The custom DNS server address on the primary network adapter is changed while WARP is connected.

    To work around the DNS issue, reconnect the WARP client by toggling off and back on.

2024-10-17

Gateway

Per-account Cloudflare root certificate

Gateway users can now generate unique root CAs for their Zero Trust account. Both generated certificate and custom certificate users must activate a root certificate to use it for inspection. Per-account certificates replace the default Cloudflare certificate, which is set to expire on 2025-02-02.

2024-10-17

Cloudflare Tunnel

Simplifed WARP Connector deployment

You can now deploy WARP Connector using a simplified, guided workflow similar to cloudflared connectors. For detailed instructions, refer to the WARP Connector documentation.

2024-10-10

Gateway

Time-based policy duration

Gateway now offers time-based DNS policy duration. With policy duration, you can configure a duration of time for a policy to turn on or set an exact date and time to turn a policy off.

2024-10-10

Cloudflare Tunnel

Bugfix for --grace-period

The new cloudflared build 2024.10.0 has a bugfix related to the --grace-period tunnel run parameter. cloudflared connectors will now abide by the specified waiting period before forcefully closing connections to Cloudflare's network.

2024-10-04

Gateway

Expanded Gateway log fields

Gateway now offers new fields in activity logs for DNS, network, and HTTP policies to provide greater insight into your users' traffic routed through Gateway.

2024-10-03

Zero Trust WARP Client

WARP client for Linux (version 2024.9.346.0)

A new GA release for the Linux WARP client is now available in the package repository. This release contains minor fixes and minor improvements.

Notable updates:

  • Added target list to the warp-cli to enhance the user experience with the Access for Infrastructure SSH solution.
  • Added the ability to customize PCAP options in the warp-cli.
  • Added a list of installed applications in warp-diag.
  • Added a tunnel reset mtu subcommand to the warp-cli.
  • Added the ability for warp-cli to use the team name provided in the MDM file for initial registration.
  • Added a JSON output option to the warp-cli.
  • Added the ability to execute a PCAP on multiple interfaces with warp-cli.
  • Added MASQUE tunnel protocol support for the consumer version of WARP (1.1.1.1 w/ WARP).
  • Improved the performance of firewall operations when enforcing split tunnel configuration.
  • Fixed an issue where device posture certificate checks were unexpectedly failing.
  • Fixed an issue where the Linux GUI fails to open the browser login window when registering a new Zero Trust organization.
  • Fixed an issue where clients using service tokens failed to retry after a network change.
  • Fixed an issue where the client, when switching between WireGuard and MASQUE protocols, sometimes required a manual tunnel key reset.
  • Fixed a known issue which required users to re-register when an older single configuration MDM file was deployed after deploying the newer, multiple configuration format.
  • Deprecated warp-cli commands have been removed. If you have any workflows that use the deprecated commands, update to the new commands where necessary.

Known issues:

  • Using MASQUE as the tunnel protocol may be incompatible if your organization has Regional Services is enabled.

2024-10-03

Zero Trust WARP Client

WARP client for Windows (version 2024.9.346.0)

A new GA release for the Windows WARP client is now available in the App Center. This release contains minor fixes and improvements.

Notable updates:

  • Added target list to the warp-cli to enhance the user experience with the Access for Infrastructure SSH solution.
  • Added pre-login configuration details to the warp-diag output.
  • Added a tunnel reset mtu subcommand to the warp-cli.
  • Added a JSON output option to the warp-cli.
  • Added the ability for warp-cli to use the team name provided in the MDM file for initial registration.
  • Added the ability to execute a PCAP on multiple interfaces with warp-cli and warp-dex.
  • Improved warp-dex default interface selection for PCAPs and changed warp-dex CLI output to JSON.
  • Fixed an issue where the client, when switching between WireGuard and MASQUE protocols, sometimes required a manual tunnel key reset.
  • Added MASQUE tunnel protocol support for the consumer version of WARP (1.1.1.1 w/ WARP).

Known issues:

  • Using MASQUE as the tunnel protocol may be incompatible if your organization has Regional Services is enabled.

2024-10-03

Zero Trust WARP Client

WARP client for macOS (version 2024.9.346.0)

A new GA release for the macOS WARP client is now available in the App Center. This release contains minor fixes and improvements.

All customers running macOS Ventura 13.0 and above (including Sequoia) are advised to upgrade to this release. This release fixes an incompatibility with the firewall found on macOS Sonoma 14.4 and above that could result in the firewall being disabled.

Notable updates:

  • Added target list to the warp-cli to enhance the user experience with the Access for Infrastructure SSH solution.
  • Added a tunnel reset mtu subcommand to the warp-cli.
  • Added the ability for warp-cli to use the team name provided in the MDM file for initial registration.
  • Added a JSON output option to the warp-cli.
  • Added the ability to execute a PCAP on multiple interfaces with warp-cli and warp-dex.
  • Improved warp-dex default interface selection for PCAPs and changed warp-dex CLI output to JSON.
  • Improved application posture check compatibility with symbolically linked files.
  • Fixed an issue where the client, when switching between WireGuard and MASQUE protocols, sometimes required a manual tunnel key reset.
  • Added MASQUE tunnel protocol support for the consumer version of WARP (1.1.1.1 w/ WARP).

Known issues:

  • Using MASQUE as the tunnel protocol may be incompatible if your organization has Regional Services is enabled.

2024-10-02

Magic Firewall

New UI improvements

The dashboard now allows you to search custom rules using the rule name and/or ID. Additionally, the rule ID URL link has been added to Network Analytics. Go to Analytics & Logs > Network Analytics > Magic Firewall > Packet sample log > Search for Rule ID.

2024-10-01

Magic Cloud Networking

Cost visibility for managed cloud configuration

Customers can now see the cloud provider list price of discovered network resources and will be informed of total cost and delta cost when deploying managed configuration.

2024-10-01

Magic Transit

Early access testing for BGP on CNI 2.0 circuits

Customers can exchange routes dynamically with their Magic virtual network overlay via Direct CNI or Cloud CNI based connectivity.

2024-10-01

Magic WAN

Early access testing for BGP on CNI 2.0 circuits

Customers can exchange routes dynamically with their Magic virtual network overlay via Direct CNI or Cloud CNI based connectivity.

2024-10-01

Cloudflare Network Interconnect

Early access testing for BGP on Direct CNI circuits

Customers can exchange routes dynamically with their Magic virtual network overlay via Direct CNI or Cloud CNI based connectivity.

2024-09-30

Gateway

File sandboxing

Gateway users on Enterprise plans can create HTTP policies with file sandboxing to quarantine previously unseen files downloaded by your users and scan them for malware.

2024-09-27

Magic WAN

Magic WAN Connector sends WARP client traffic to Internet

All Magic WAN Connectors now route WARP client traffic directly to the Internet, bypassing IPsec tunneling, to prevent double encapsulation of WARP traffic.

2024-09-26

Zero Trust WARP Client

WARP client for macOS (version 2024.8.457.0)

A new GA release for the macOS WARP client is now available in the App Center. This release contains minor fixes and improvements.

Notable updates:

  • Added the ability to customize PCAP options in warp-cli.
  • Added a list of installed applications in warp-diag.
  • Added a summary of warp-dex traceroute results in its JSON output.
  • Improved the performance of firewall operations when enforcing Split Tunnels configuration.
  • Fixed an issue where the DNS logs were not being cleared when the user switched configurations.
  • Fixed an issue where clients using service tokens failed to retry after a network change.
  • Fixed a known issue which required users to re-register when an older single configuration MDM file was deployed after deploying the newer, multiple configuration format.
  • Fixed an issue which prevented the use of private IP ranges that overlapped with end users' home networks.
  • Deprecated warp-cli commands have been removed. If you have any workflows that use the deprecated commands, update to the new commands where necessary.

Known issues:

  • Cloudflare is investigating temporary networking issues on macOS 15 (Sequoia) that seem to affect some users.
  • Using MASQUE as the tunnel protocol may be incompatible if your organization has Regional Services is enabled.

2024-09-26

Zero Trust WARP Client

WARP client for Windows (version 2024.8.458.0)

A new GA release for the Windows WARP client is now available in the App Center. This release contains minor fixes and improvements.

Notable updates:

  • Added the ability to customize PCAP options in warp-cli.
  • Added a list of installed applications in warp-diag.
  • Added a summary of warp-dex traceroute results in its JSON output.
  • Improved the performance of firewall operations when enforcing Split Tunnels configuration.
  • Reduced the time it takes for a WARP client update to complete.
  • Fixed an issue where clients using service tokens failed to retry the initial connection when there is no network connectivity on startup.
  • Fixed issues where incorrect DNS server addresses were being applied following reboots and network changes. Any incorrect static entries set by previous WARP versions must be manually reverted.
  • Fixed a known issue which required users to re-register when an older single configuration MDM file was deployed after deploying the newer, multiple configuration format.
  • Deprecated warp-cli commands have been removed. If you have any workflows that use the deprecated commands, update to the new commands where necessary.

Known issues:

  • Using MASQUE as the tunnel protocol may be incompatible if your organization has Regional Services enabled.

  • DNS resolution may be broken when all of the following conditions are true:

    • WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
    • A custom DNS server address is configured on the primary network adapter.
    • The custom DNS server address on the primary network adapter is changed while WARP is connected.

    To work around the DNS issue, reconnect the WARP client by toggling off and back on.

2024-09-24

Magic Network Monitoring

Magic Network Monitoring free version available to all customers

The free version of Magic Network Monitoring (MNM) is now available to everyone with a Cloudflare account by default.

2024-09-12

Magic Firewall

New UI improvements

The dashboard now displays the order number of custom rules, and improved drag and drop functionality. You can also preview rules on a side panel without leaving the current page.

2024-09-03

DLP

Exact Data Match multi-entry upload support

You can now upload files with multiple columns of data as Exact Data Match datasets. DLP can use each column as a separate existing detection entry.

2024-09-02

Cloudflare Network Interconnect

Interconnect portal displays all available locations in a list

Customers can now see all available Direct CNI locations when searching for a Cloudflare site in the Interconnects interface.

2024-08-26

Access

Reduce automatic seat deprovisioning minimum to 1 month, down from 2 months.

Admins can now configure Zero Trust seats to automatically expire after 1 month of user inactivity. The previous minimum was 2 months.

2024-08-26

Zero Trust WARP Client

WARP client for macOS (version 2024.8.309.1)

A new beta release for the macOS WARP client is now available in the App Center. This release contains minor fixes and improvements.

Notable updates:

  • Added the ability to customize PCAP options in warp-cli.
  • Added a list of installed applications in warp-diag.
  • Added a summary of warp-dex traceroute results in its JSON output.
  • Improved the performance of firewall operations when enforcing Split Tunnels configuration.
  • Fixed an issue where the DNS logs were not being cleared when the user switched configurations.
  • Fixed a known issue which required users to re-register when an older single configuration MDM file was deployed after deploying the newer, multiple configuration format.
  • Fixed an issue which prevented the use of private IP ranges that overlapped with end users' home networks.
  • Deprecated warp-cli commands have been removed. If you have any workflows that use the deprecated commands, update to the new commands where necessary.

Known issues:

  • Using MASQUE as the tunnel protocol may be incompatible if your organization has either of the following conditions:
    • Magic WAN is enabled but does not have the latest packet flow path for WARP traffic. To check the migration status, contact your account team.
    • Regional Services is enabled.

2024-08-26

Zero Trust WARP Client

WARP client for Windows (version 2024.8.308.1)

A new beta release for the Windows WARP client is now available in the App Center. This release contains minor fixes and improvements.

Notable updates:

  • Added the ability to customize PCAP options in warp-cli.
  • Added a list of installed applications in warp-diag.
  • Added a summary of warp-dex traceroute results in its JSON output.
  • Improved the performance of firewall operations when enforcing Split Tunnels configuration.
  • Reduced the time it takes for a WARP client update to complete.
  • Fixed issues where incorrect DNS server addresses were being applied following reboots and network changes. Any incorrect static entries set by previous WARP versions must be manually reverted.
  • Fixed a known issue which required users to re-register when an older single configuration MDM file was deployed after deploying the newer, multiple configuration format.
  • Deprecated warp-cli commands have been removed. If you have any workflows that use the deprecated commands, update to the new commands where necessary.

Known issues:

  • Using MASQUE as the tunnel protocol may be incompatible if your organization has either of the following conditions:

    • Magic WAN is enabled but does not have the latest packet flow path for WARP traffic. To check the migration status, contact your account team.
    • Regional Services is enabled.
  • DNS resolution may be broken when all of the following conditions are true:

    • WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
    • A custom DNS server address is configured on the primary network adapter.
    • The custom DNS server address on the primary network adapter is changed while WARP is connected.

    To work around the DNS issue, reconnect the WARP client by toggling off and back on.

2024-08-16

Magic Firewall

Magic Firewall Analytics Rule Log Enhancement

Customers who create a rule in a disabled mode will see the rule as Log (rule disabled).

2024-08-15

Zero Trust WARP Client

WARP client for Linux (version 2024.6.497.0)

A new GA release for the Linux WARP client is now available in the package repository. This release includes some exciting new features. It also includes additional fixes and minor improvements.

New features:

  • The WARP client now supports operation on Ubuntu 24.04.
  • Admins can now elect to have ZT WARP clients connect using the MASQUE protocol; this setting is in Device Profiles. Note: before MASQUE can be used, the global setting for Override local interface IP must be enabled. For more detail, refer to Device tunnel protocol. This feature will be rolled out to customers in stages over approximately the next month.
  • The Device Posture client certificate check has been substantially enhanced. The primary enhancement is the ability to check for client certificates that have unique common names, made unique by the inclusion of the device serial number or host name (for example, CN = 123456.mycompany, where 123456 is the device serial number).
  • TCP MSS clamping is now used where necessary to meet the MTU requirements of the tunnel interface. This will be especially helpful in Docker use cases.

Warning:

  • Ubuntu 16.04 and 18.04 are not supported by this version of the client.
  • This is the last GA release that will be supporting older, deprecated warp-cli commands. There are two methods to identify these commands. One, when used in this release, the command will work but will also return a deprecation warning. And two, the deprecated commands do not appear in the output of warp-cli -h.

Known issues:

  • There are certain known limitations preventing the use of the MASQUE tunnel protocol in certain scenarios. Do not use the MASQUE tunnel protocol if:
    • A Magic WAN integration is on the account and does not have the latest packet flow path for WARP traffic. To check the migration status, contact your account team.
    • Your account has Regional Services enabled.
  • The Linux client GUI does not yet support all GUI features found in the Windows and macOS clients. Future releases of the Linux client will be adding these GUI features.
  • The Zero Trust team name is not visible in the GUI if you upgraded from the previous GA release using an MDM tool.
  • Sometimes the WARP icon will remain gray (disconnected state) while in dark mode.

2024-08-14

Magic Cloud Networking

GCP on-ramps

Magic Cloud Networking supports Google Cloud Platform.

2024-08-06

Email Security

Email Security is live

Email Security is now live under Zero Trust.

2024-08-06

Email Security

Microsoft Graph API deployment.

Customers using Microsoft Office 365 can set up Email Security via Microsoft Graph API.

2024-08-06

Cloudflare Tunnel

cloudflared builds available in GitHub for Apple silicon

macOS users can now download cloudflared-arm64.pkg directly from GitHub, in addition to being available via Homebrew.

2024-07-30

Gateway

UK NCSC indicator feed publicly available in Gateway

Gateway users on any plan can now use the PDNS threat intelligence feed provided by the UK National Cyber Security Centre (NCSC) in DNS policies.

2024-07-30

Zero Trust WARP Client

WARP client for macOS (version 2024.6.474.0)

A new GA release for the macOS WARP client is now available in the App Center. This release contains fixes to improve the client; no new features are included.

Notable updates:

  • Fixed an issue which caused alternate network detection to fail if the beacon host was using TLS 1.2 without TLS Extended Master Secret (EMS) enabled.
  • Improved the stability of device profile switching based on alternate network detection.

Known issues:

  • If a user has an MDM file configured to support multiple profiles (for the switch configurations feature), and then changes to an MDM file configured for a single profile, the WARP client may not connect. The workaround is to use the warp-cli registration delete command to clear the registration, and then re-register the client.
  • There are certain known limitations preventing the use of the MASQUE tunnel protocol in certain scenarios. Do not use the MASQUE tunnel protocol if:
    • A Magic WAN integration is on the account and does not have the latest packet flow path for WARP traffic. Please check migration status with your account team.
    • Your account has Regional Services enabled.

2024-07-30

Zero Trust WARP Client

WARP client for Windows (version 2024.6.473.0)

A new GA release for the Windows WARP client is now available in the App Center. This release contains fixes to improve the client; no new features are included.

Notable updates:

  • Fixed an issue which caused alternate network detection to fail if the beacon host was using TLS 1.2 without TLS Extended Master Secret (EMS) enabled.
  • Improved the stability of device profile switching based on alternate network detection.

Known issues:

  • If a user has an MDM file configured to support multiple profiles (for the switch configurations feature), and then changes to an MDM file configured for a single profile, the WARP client may not connect. The workaround is to use the warp-cli registration delete command to clear the registration, and then re-register the client.
  • There are certain known limitations preventing the use of the MASQUE tunnel protocol in certain scenarios. Do not use the MASQUE tunnel protocol if:
    • A Magic WAN integration is on the account and does not have the latest packet flow path for WARP traffic. Please check migration status with your account team.
    • Your account has Regional Services enabled.

2024-07-17

Magic WAN

Updates to High Availability on the Magic WAN Connector

The High Availability feature on Magic WAN Connector now supports additional failover conditions, DHCP lease syncing, and staggered upgrades.

2024-07-14

Gateway

Gateway DNS filter non-authenticated queries

Gateway users can now select which endpoints to use for a given DNS location. Available endpoints include IPv4, IPv6, DNS over HTTPS (DoH), and DNS over TLS (DoT). Users can protect each configured endpoint by specifying allowed source networks. Additionally, for the DoH endpoint, users can filter traffic based on source networks and/or authenticate user identity tokens.

2024-07-01

Magic Cloud Networking

Closed beta launch

The Magic Cloud Networking closed beta release is available, with the managed cloud on-ramps feature.

2024-06-28

Zero Trust WARP Client

WARP client for macOS (version 2024.6.416.0)

A new GA release for the macOS WARP client is now available in the App Center. This release includes some exciting new features. It also includes additional fixes and minor improvements.

New features:

  • Admins can now elect to have ZT WARP clients connect using the MASQUE protocol; this setting is in Device Profiles. Note: before MASQUE can be used, the global setting for Override local interface IP must be enabled. For more detail, refer to Device tunnel protocol. This feature will be rolled out to customers in stages over approximately the next month.
  • The Device Posture client certificate check has been substantially enhanced. The primary enhancement is the ability to check for client certificates that have unique common names, made unique by the inclusion of the device serial number or host name (for example, CN = 123456.mycompany, where 123456 is the device serial number).

Additional changes and improvements:

  • Fixed a known issue where the certificate was not always properly left behind in /Library/Application Support/Cloudflare/installed_cert.pem.
  • Fixed an issue where re-auth notifications were not cleared from the UI when the user switched configurations.
  • Fixed a macOS firewall rule that allowed all UDP traffic to go outside the tunnel. Relates to TunnelVision (CVE-2024-3661).
  • Fixed an issue that could cause the Cloudflare WARP menu bar application to disappear when switching configurations.

Warning:

  • This is the last GA release that will be supporting older, deprecated warp-cli commands. There are two methods to identify these commands. One, when used in this release, the command will work but will also return a deprecation warning. And two, the deprecated commands do not appear in the output of warp-cli -h.

Known issues:

  • If a user has an MDM file configured to support multiple profiles (for the switch configurations feature), and then changes to an MDM file configured for a single profile, the WARP client may not connect. The workaround is to use the warp-cli registration delete command to clear the registration, and then re-register the client.
  • There are certain known limitations preventing the use of the MASQUE tunnel protocol in certain scenarios. Do not use the MASQUE tunnel protocol if:
    • A Magic WAN integration is on the account and does not have the latest packet flow path for WARP traffic. Please check migration status with your account team.
    • Your account has Regional Services enabled.

2024-06-28

Zero Trust WARP Client

WARP client for Windows (version 2024.6.415.0)

A new GA release for the Windows WARP client is now available in the App Center. This release includes some exciting new features. It also includes additional fixes and minor improvements.

New features:

  • Admins can now elect to have ZT WARP clients connect using the MASQUE protocol; this setting is in Device Profiles. Note: before MASQUE can be used, the global setting for Override local interface IP must be enabled. For more detail, refer to Device tunnel protocol. This feature will be rolled out to customers in stages over approximately the next month.
  • The ZT WARP client on Windows devices can now connect before the user completes their Windows login. This Windows pre-login capability allows for connecting to on-premise Active Directory and/or similar resources necessary to complete the Windows login.
  • The Device Posture client certificate check has been substantially enhanced. The primary enhancement is the ability to check for client certificates that have unique common names, made unique by the inclusion of the device serial number or host name (for example, CN = 123456.mycompany, where 123456 is the device serial number).

Additional changes and improvements:

  • Added a new Unable to Connect message to the UI to help in troubleshooting.
  • The upgrade window now uses international date formats.
  • Made a change to ensure DEX tests are not running when the tunnel is not up due to the device going to or waking from sleep. This is specific to devices using the S3 power model.
  • Fixed a known issue where the certificate was not always properly left behind in %ProgramData%\Cloudflare\installed_cert.pem.
  • Fixed an issue where ICMPv6 Neighbor Solicitation messages were being incorrectly sent on the WARP tunnel.
  • Fixed an issue where a silent upgrade was causing certain files to be deleted if the target upgrade version is the same as the current version.

Warning:

  • This is the last GA release that will be supporting older, deprecated warp-cli commands. There are two methods to identify these commands. One, when used in this release, the command will work but will also return a deprecation warning. And two, the deprecated commands do not appear in the output of warp-cli -h.

Known issues:

  • If a user has an MDM file configured to support multiple profiles (for the switch configurations feature), and then changes to an MDM file configured for a single profile, the WARP client may not connect. The workaround is to use the warp-cli registration delete command to clear the registration, and then re-register the client.
  • There are certain known limitations preventing the use of the MASQUE tunnel protocol in certain scenarios. Do not use the MASQUE tunnel protocol if:
    • A Magic WAN integration is on the account and does not have the latest packet flow path for WARP traffic. Please check migration status with your account team.
    • Your account has Regional Services enabled.

2024-06-27

Zero Trust WARP Client

Cloudflare One Agent for iOS (version 1.4)

A new GA release for the iOS Cloudflare One Agent is now available in the iOS App Store.

Notable updates:

  • Fixed an issue with endpoint IP settings in MDM files
  • Cleaned up some erroneous links
  • Updated the Terms of Service

2024-06-25

Gateway

Gateway DNS policy setting to ignore CNAME category matches

Gateway now offers the ability to selectively ignore CNAME domain categories in DNS policies via the Ignore CNAME domain categories setting in the policy builder and the ignore_cname_category_matches setting in the API.

2024-06-23

Magic WAN

ICMP support for traffic sourced from private IPs

Magic WAN will now support ICMP traffic sourced from private IPs going to the Internet via Gateway.

2024-06-17

Risk score

Okta risk exchange

You can now exchange user risk scores with Okta to inform SSO-level policies.

2024-06-14

Risk score

SentinelOne signal ingestion

You can now configure a predefined risk behavior to evaluate user risk score using device posture attributes from the SentinelOne integration.

2024-06-06

Access

Scalability improvements to the App Launcher

Applications now load more quickly for customers with a large number of applications or complex policies.

2024-06-05

Magic WAN

Application based prioritization

The Magic WAN Connector can now prioritize traffic on a per-application basis.

2024-06-03

CASB

Atlassian Bitbucket integration

You can now scan your Bitbucket Cloud workspaces for a variety of contextualized security issues such as source code exposure, admin misconfigurations, and more.

2024-05-31

Magic WAN

WARP virtual IP addresses

Customers using Gateway to filter traffic to Magic WAN destinations will now see traffic from Cloudflare egressing with WARP virtual IP addresses (CGNAT range), rather than public Cloudflare IP addresses. This simplifies configuration and improves visibility for customers.

2024-05-23

CASB

Data-at-rest DLP for Box and Dropbox

You can now scan your Box and Dropbox files for DLP matches.

2024-05-23

DLP

Data-at-rest DLP for Box and Dropbox

You can now scan your Box and Dropbox files for DLP matches.

2024-05-22

Zero Trust WARP Client

WARP client for Windows (version 2024.5.310.1)

A new beta release for the Windows WARP client is now available in the App Center.

Notable updates:

  • Added a new Unable to Connect message to the UI to help in troubleshooting.
  • In the upgrade window, a change was made to use international date formats to resolve an issue with localization.
  • Made a change to ensure DEX tests are not running when the tunnel is not up due to the device going to or waking from sleep. This is specific to devices using the S3 power model.
  • Fixed a known issue where the certificate was not always properly left behind in %ProgramData%\Cloudflare\installed_cert.pem.
  • Fixed an issue where ICMPv6 Neighbor Solicitation messages were being incorrectly sent on the WARP tunnel.

Known issues:

  • If a user has an MDM file configured to support multiple profiles (for the switch configurations feature), and then changes to an MDM file configured for a single profile, the WARP client may not connect. The workaround is to use the warp-cli registration delete command to clear the registration, and then re-register the client.

2024-05-21

Zero Trust WARP Client

WARP client for macOS (version 2024.5.287.1)

A new beta release for the macOS WARP client is now available in the App Center

Notable updates:

  • Fixed a known issue where the certificate was not always properly left behind in /Library/Application Support/Cloudflare/installed_cert.pem.
  • Fixed an issue so that the reauth notification is cleared from the UI when the user switches configurations.
  • Fixed an issue by correcting the WARP client setting of macOS firewall rules. This relates to TunnelVision (CVE-2024-3661).
  • Fixed an issue that could cause the Cloudflare WARP menu bar application to disappear when switching configurations.

Known issues:

  • If a user has an MDM file configured to support multiple profiles (for the switch configurations feature), and then changes to an MDM file configured for a single profile, the WARP client may not connect. The workaround is to use the warp-cli registration delete command to clear the registration, and then re-register the client.

2024-05-20

Digital Experience Monitoring

Last seen ISP

Admins can view the last ISP seen for a device by going to My Team > Devices. Requires setting up a traceroute test.

2024-05-13

Digital Experience Monitoring

DEX alerts

Admins can now set DEX alerts using Cloudflare Notifications. Three new DEX alert types:

  • Device connectivity anomaly
  • Test latency
  • Test low availability

2024-05-10

Zero Trust WARP Client

Cloudflare One Agent for Android (version 1.7)

A new GA release for the Android Cloudflare One Agent is now available in the Google Play Store. This release fixes an issue where the user was not prompted to select the client certificate in the browser during Access registration.

2024-05-09

Zero Trust WARP Client

Crowdstrike posture checks for online status

Two new Crowdstrike attributes, Last Seen and State, are now available to be used as selectors in the Crowdstrike service provider integration.

2024-05-08

Zero Trust WARP Client

WARP client for macOS (version 2024.3.444.0)

A new GA release for the macOS WARP client is now available in the App Center. This releases fixes an issue with how the WARP client sets macOS firewall rules and addresses the TunnelVision (CVE-2024-3661) vulnerability.

2024-04-28

Access

Add option to bypass CORS to origin server

Access admins can defer all CORS enforcement to their origin server for specific Access applications.

2024-04-16

CASB

Export CASB findings to CSV

You can now export all top-level CASB findings or every instance of your findings to CSV.

2024-04-16

DLP

Optical character recognition

DLP can now detect sensitive data in jpeg, jpg, and png files. This helps companies prevent the leak of sensitive data in images, such as screenshots.

2024-04-15

Access

Zero Trust User identity audit logs

All user identity changes via SCIM or Authentication events are logged against a user's registry identity.

2024-04-05

Gateway

Gateway file type control improvements

Gateway now offers a more extensive, categorized list of files to control uploads and downloads.

2024-03-21

Browser Isolation

Removed third-party cookie dependencies

Removed dependency on third-party cookies in the isolated browser, fixing an issue that previously caused intermittent disruptions for users maintaining multi-site, cross-tab sessions in the isolated browser.

2024-02-22

Access

Access for SaaS OIDC Support

Access for SaaS applications can be setup with OIDC as an authentication method. OIDC and SAML 2.0 are now both fully supported.

2024-02-22

Access

WARP as an identity source for Access

Allow users to log in to Access applications with their WARP session identity. Users need to reauthenticate based on default session durations. WARP authentication identity must be turned on in your device enrollment permissions and can be enabled on a per application basis.

2024-01-23

Magic WAN

Network segmentation

You can define policies in your Connector to either allow traffic to flow between your LANs without it leaving your local premises or to forward it via the Cloudflare network where you can add additional security features.

2023-12-20

Access

Unique Entity IDs in Access for SaaS

All new Access for SaaS applications have unique Entity IDs. This allows for multiple integrations with the same SaaS provider if required. The unique Entity ID has the application audience tag appended. Existing apps are unchanged.

2023-12-15

Access

Default relay state support in Access for SaaS

Allows Access admins to set a default relay state on Access for SaaS apps.

2023-09-15

Access

App launcher supports tags and filters

Access admins can now tag applications and allow users to filter by those tags in the App Launcher.

2023-09-15

Access

App launcher customization

Allow Access admins to configure the App Launcher page within Zero Trust.

2023-09-15

Access

View active Access user identities in the dashboard and API

Access admins can now view the full contents of a user's identity and device information for all active application sessions.

2023-09-08

Access

Custom OIDC claims for named IdPs

Access admins can now add custom claims to the existing named IdP providers. Previously this was locked to the generic OIDC provider.

2023-08-02

Access

Azure AD authentication contexts

Support Azure AD authentication contexts directly in Access policies.

2023-06-23

Access

Custom block pages for Access applications

Allow Access admins to customize the block pages presented by Access to end users.