To ensure holistic security precautions, we recommend securing each distinct private application with at least two policies:

1. A Gateway DNS policy with the appropriate identity and device posture values, targeting the domain list that defines your application. Policy enforcement happens at the request resolution event, before the user's device makes a connection request to the application itself; if the request is denied here, no traffic reaches your private network.
2. A Gateway network policy with the same identity and device posture values as the DNS policy, targeting the IP list that defines your application. You can optionally include the domain list as well by matching the SNI (Server Name Indication) presented in the TLS handshake. You can then add any combination of ports and protocols that are relevant for application access. Network policy enforcement happens after the user passes the DNS policy, when the user's device attempts to connect to the target application.
Create a Gateway policy
To create a new policy, open Zero Trust and go to Gateway > Firewall policies.
We recommend adding a catch-all policy to the bottom of your network policy list. An effective Zero Trust model should prioritize default-deny actions to avoid building overly permissive policies. For example,
Network policies are evaluated in top-down order, so a user who does not match an explicitly defined policy for an application falls through to the catch-all and is blocked.
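The following is an added example, not Cloudflare's code, that models the two-policy recommendation above and the default-deny catch-all in a small Python simulator. It evaluates a DNS policy list at resolution time and a network policy list only if resolution was allowed, top-down with first match wins. The group names, posture checks, domain, IP range, ports and policy names are all constructed sample values; the one behavioural assumption it encodes is that Gateway allows traffic when no policy matches, which is exactly why an explicit catch-all block belongs at the bottom of the list.

```python
"""Simulator of the DNS-then-network policy model (added example, not Cloudflare code)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
import ipaddress

# Constructed sample lists that define the private application.
APP_DOMAINS = frozenset({"app.internal.example"})
APP_NETWORKS = (ipaddress.ip_network("10.10.0.0/24"),)


@dataclass
class Policy:
    name: str
    action: str                          # "allow" or "block"
    identity: frozenset = frozenset()    # user must belong to ANY of these groups
    posture: frozenset = frozenset()     # device must pass ALL of these checks
    domains: frozenset = frozenset()     # DNS selector: domain list
    networks: tuple = ()                 # network selector: IP list
    sni: frozenset = frozenset()         # network selector: optional SNI match
    ports: frozenset = frozenset()       # network selector: destination ports (empty = any)
    catch_all: bool = False              # matches all traffic from everyone


def _subject_matches(p: Policy, groups: set, posture: set) -> bool:
    """Identity and device posture selectors shared by both policy types."""
    if p.identity and not (p.identity & groups):
        return False
    if p.posture and not p.posture <= posture:
        return False
    return True


def _dns_matches(p: Policy, domain: str) -> bool:
    return domain in p.domains


def _network_matches(p: Policy, dst_ip: str, port: int, sni: Optional[str]) -> bool:
    """Destination must be in the IP list or present the listed SNI, and hit an allowed port."""
    addr = ipaddress.ip_address(dst_ip)
    in_list = any(addr in net for net in p.networks)
    sni_hit = sni is not None and sni in p.sni
    if not (in_list or sni_hit):
        return False
    return not p.ports or port in p.ports


def evaluate(policies: List[Policy], groups: set, posture: set,
             match_traffic: Callable[[Policy], bool]) -> Tuple[str, str]:
    """Top-down, first match wins. Assumption: with no match the implicit
    default is allow, so only an explicit catch-all makes the list default-deny."""
    for p in policies:
        if p.catch_all or (_subject_matches(p, groups, posture) and match_traffic(p)):
            return p.name, p.action
    return "implicit-default", "allow"


def access_application(dns_policies: List[Policy], net_policies: List[Policy],
                       groups: set, posture: set,
                       domain: str, dst_ip: str, port: int) -> str:
    """One access attempt: DNS policy at resolution; network policy only if the
    name resolved, since a DNS block means no connection request is ever sent."""
    name, action = evaluate(dns_policies, groups, posture, lambda p: _dns_matches(p, domain))
    if action == "block":
        return f"blocked at DNS by '{name}'"
    name, action = evaluate(net_policies, groups, posture,
                            lambda p: _network_matches(p, dst_ip, port, domain))
    if action == "block":
        return f"blocked at network by '{name}'"
    return f"allowed by '{name}'"


# Constructed policy lists following the two-policy recommendation.
ENG = frozenset({"engineering"})
POSTURE = frozenset({"disk-encryption", "os-version"})

DNS_POLICIES = [
    Policy("allow-app-dns", "allow", identity=ENG, posture=POSTURE, domains=APP_DOMAINS),
    Policy("block-app-dns-others", "block", domains=APP_DOMAINS),
]
NET_POLICIES = [
    Policy("allow-app-net", "allow", identity=ENG, posture=POSTURE,
           networks=APP_NETWORKS, sni=APP_DOMAINS, ports=frozenset({443})),
    Policy("catch-all-block", "block", catch_all=True),
]

if __name__ == "__main__":
    ok = ({"engineering"}, {"disk-encryption", "os-version"})
    print(access_application(DNS_POLICIES, NET_POLICIES, *ok, "app.internal.example", "10.10.0.5", 443))
    print(access_application(DNS_POLICIES, NET_POLICIES, {"contractors"}, ok[1], "app.internal.example", "10.10.0.5", 443))
    print(access_application(DNS_POLICIES, NET_POLICIES[:1], *ok, "other.example", "192.0.2.10", 443))
```

Running the last line with the catch-all removed (`NET_POLICIES[:1]`) shows the failure mode the recommendation guards against: a connection to a destination no policy mentions comes back as allowed by the implicit default rather than blocked.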
To learn how multiple policies interact, refer to Order of enforcement.