Network filtering

Secure Web Gateway allows you to apply policies at the network level (Layers 3 and 4) to control which websites and non-HTTP applications users can access.

1. Connect to Gateway

Connect devices

To filter network traffic from a device such as a laptop or phone:

Install the WARP client on your device.
In the WARP client Settings, log in to your organization's Zero Trust instance.
(Optional) If you want to display a custom block page, install the Cloudflare root certificate on your device .
Enable the Gateway proxy for TCP. Optionally, you can enable the UDP proxy to inspect all port 443 UDP traffic.

Connect private networks

To filter traffic from private networks, refer to the Cloudflare Tunnel guide.

2. Verify device connectivity

To verify your device is connected to Zero Trust:

In Zero Trust ↗, go to Settings > Network.
Under Gateway logging, enable activity logging for all Network logs.
On your WARP-enabled device, open a browser and visit any website.
Determine the Source IP for your device:
1. Open the WARP client settings.
2. Go to Preferences > General.
3. Note the Public IP.
In Zero Trust, go to Logs > Gateway > Network. Before building Network policies, make sure you see Network logs from the Source IP assigned to your device.

3. Create your first network policy

To create a new network policy:

Dashboard
API

In Zero Trust ↗, go to Gateway > Firewall policies.
In the Network tab, select Add a policy.
Name the policy.
Under Traffic, build a logical expression that defines the traffic you want to allow or block.
Choose an Action to take when traffic matches the logical expression.
For example, you can use a list of device serial numbers to ensure users can only access an application if they connect with the WARP client from a company device:

Selector Operator Value Logic Action
SNI Domain is internalapp.com And Block
Passed Device Posture Checks not in Device serial numbers
Select Create policy.

Selector	Operator	Value	Logic	Action
SNI Domain	is	`internalapp.com`	And	Block
Passed Device Posture Checks	not in	Device serial numbers

Create an API token with the following permissions:

Type Item Permission
Account Zero Trust Edit
(Optional) Configure your API environment variables to include your account ID and API token.
Send a POST request to the Create a Zero Trust Gateway rule endpoint. For example, you can use a list of device serial numbers to ensure users can only access an application if they connect with the WARP client from a company device:
curl API network policy example
```
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
--header "Content-Type: application/json" \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{
  "name": "Enforce device posture",
  "description": "Ensure only devices in Zero Trust organization can connect to application",
  "precedence": 0,
  "enabled": true,
  "action": "block",
  "filters": [
     "l4"
  ],
  "traffic": "any(net.sni.domains[*] == \"internalapp.com\")",
  "identity": "",
  "device_posture": "not(any(device_posture.checks.passed[*] in {\"<LIST_UUID>\"}))"
}'
```
```
{
   "success": true,
   "errors": [],
   "messages": []
}
```
The API will respond with a summary of the policy and the result of your request.

Type	Item	Permission
Account	Zero Trust	Edit

For more information, refer to network policies.

4. Add optional policies

Refer to our list of common network policies for policies you may want to create.

Was this helpful?

Cloudflare Dashboard Discord Community Learning Center Support Portal

Cookie Settings