Common policies

The following policies are commonly used to secure network traffic.

Refer to the network policies page for a comprehensive list of other selectors, operators, and actions.

Block unauthorized applications

Note

After seven days, view your shadow IT analytics and block additional applications based on what your users are accessing.

To minimize the risk of shadow IT, some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks known AI tools:

Dashboard

Selector	Operator	Value	Action
Application	in	Artificial Intelligence	Block

API

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
--header "Content-Type: application/json" \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{
  "name": "Block unauthorized applications",
  "description": "Block access to unauthorized AI applications",
  "enabled": true,
  "action": "block",
  "filters": [
    "l4"
  ],
  "traffic": "any(app.type.ids[*] in {25})",
  "identity": "",
  "device_posture": ""
}'

Check user identity

Configure access on a per user or group basis by adding identity-based conditions to your policies.

Dashboard

Selector	Operator	Value	Logic	Action
Application	in	Salesforce	And	Block
User Group Names	in	Contractors

API

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
--header "Content-Type: application/json" \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{
  "name": "Check user identity",
  "description": "Block access to Salesforce by temporary employees and contractors",
  "enabled": true,
  "action": "block",
  "filters": [
    "l4"
  ],
  "traffic": "any(app.ids[*] in {606})",
  "identity": "any(identity.groups.name[*] in {\"Contractors\"})",
  "device_posture": ""
}'

Enforce device posture

Require devices to have certain software installed or other configuration attributes. For instructions on enabling a device posture check, refer to the device posture section. For example, you can use a list of device serial numbers to ensure users can only access an application if they connect with the WARP client from a company device:

Dashboard

Selector	Operator	Value	Logic	Action
SNI Domain	is	example.com	And	Block
Passed Device Posture Checks	not in	Device serial numbers

API

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
--header "Content-Type: application/json" \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{
  "name": "Enforce device posture",
  "description": "Limit access to an internal application to approved organization devices",
  "enabled": true,
  "action": "block",
  "filters": [
    "l4"
  ],
  "traffic": "any(net.sni.domains[*] == \"example.com\")",
  "identity": "",
  "device_posture": "not(any(device_posture.checks.passed[*] in {\"<POSTURE_CHECK_UUID>\"}))"
}'

To get the UUIDs of your device posture checks, use the List device posture rules endpoint.

Enforce session duration

To require users to re-authenticate after a certain amount of time has elapsed, configure WARP sessions.

Allow only approved traffic

Restrict user access to only the specific sites or applications configured in your HTTP policies.

1. Allow HTTP and HTTPS traffic

Dashboard

Selector	Operator	Value	Logic	Action
Detected Protocol	is	TLS	And	Allow
Destination Port	in	80, 443

API

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
--header "Content-Type: application/json" \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{
  "name": "Allow HTTP and HTTPS traffic",
  "description": "Restrict traffic to HTTP and HTTPS traffic",
  "enabled": true,
  "action": "allow",
  "filters": [
    "l4"
  ],
  "traffic": "net.detected_protocol == \"tls\" and net.dst.port in {80 443}",
  "identity": "",
  "device_posture": ""
}'

2. Block all other traffic

Dashboard

Selector	Operator	Value	Action
Protocol	in	TCP, UDP	Block

API

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
--header "Content-Type: application/json" \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{
  "name": "Block all other traffic",
  "description": "Block all other traffic that is not HTTP or HTTPS",
  "enabled": true,
  "action": "block",
  "filters": [
    "l4"
  ],
  "traffic": "net.protocol in {\"tcp\" \"udp\"}",
  "identity": "",
  "device_posture": ""
}'

Restrict access to private networks

Restrict access to resources which you have connected through Cloudflare Tunnel.

The following example consists of two policies: the first allows specific users to reach your application, and the second blocks all other traffic.

1. Allow company employees

Dashboard

Selector	Operator	Value	Logic	Action
Destination IP	in	10.0.0.0/8	And	Allow
User Email	matches regex	.*@example.com

API

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
--header "Content-Type: application/json" \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{
  "name": "Allow company employees",
  "description": "Allow any users with an organization email to reach the application",
  "enabled": true,
  "action": "allow",
  "filters": [
    "l4"
  ],
  "traffic": "net.dst.ip in {10.0.0.0/8}",
  "identity": "identity.email matches \".*@example.com\"",
  "device_posture": ""
}'

2. Block everyone else

Dashboard

Selector	Operator	Value	Action
Destination IP	in	10.0.0.0/8	Block

API

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
--header "Content-Type: application/json" \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{
  "name": "Block everyone else",
  "description": "Block any other users from accessing the application",
  "enabled": true,
  "action": "block",
  "filters": [
    "l4"
  ],
  "traffic": "net.dst.ip in {10.0.0.0/8}",
  "identity": "",
  "device_posture": ""
}'

Override IP address

Override traffic directed toward a specific IP address with a different IP address.

Dashboard

Selector	Operator	Value	Logic	Action
Destination IP	in	203.0.113.17	And	Network Override
Destination Port	is	80

Override IP	Override Port
1.1.1.1	80

API

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
--header "Content-Type: application/json" \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{
  "name": "Override example.com with 1.1.1.1",
  "description": "Override a site'\''s IP address with another IP",
  "enabled": true,
  "action": "l4_override",
  "filters": [
    "l4"
  ],
  "traffic": "net.dst.ip in {203.0.113.17} and net.dst.port == 80",
  "identity": "",
  "device_posture": "",
  "rule_settings": {
    "l4override": {
      "ip": "1.1.1.1",
      "port": 80
    },
    "override_host": "",
    "override_ips": null
  }
}'

Was this helpful?

What did you like?

Accurate

Easy to understand

Solved my problem

Helped me decide to use the product

Other

What went wrong?

Hard to understand

Incorrect information

Missing the information

Other

Thank you for helping improve Cloudflare's documentation!