From 42b9f04db5b59243ee42234223a061a592f69770 Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Thu, 22 Aug 2024 17:19:41 -0500 Subject: [PATCH 1/3] Replace ambiguous single quotes --- .../saas-apps/docusign-access.mdx | 53 ++-- .../saas-apps/generic-saml-saas.mdx | 23 +- .../saas-apps/zendesk-sso-saas.mdx | 13 +- .../applications/scan-apps/index.mdx | 7 +- .../dns/locations/dns-resolver-ips.mdx | 3 +- .../route-traffic/warp-architecture.mdx | 8 +- .../configure-warp/warp-settings/index.mdx | 71 +++--- .../warp/deployment/firewall.mdx | 33 ++- .../warp/deployment/mdm-deployment/index.mdx | 2 +- .../mdm-deployment/partners/kandji.mdx | 9 +- .../tunnel-useful-commands.mdx | 5 +- .../migrate-legacy-tunnels.mdx | 4 +- .../do-more-with-tunnels/trycloudflare.mdx | 4 +- .../get-started/create-local-tunnel.mdx | 2 +- .../get-started/tunnel-useful-terms.mdx | 9 +- .../connections/connect-networks/index.mdx | 3 +- .../private-net/cloudflared/index.mdx | 48 ++-- .../connect-networks/private-net/index.mdx | 9 +- .../private-net/warp-to-warp.mdx | 23 +- .../connect-networks/use-cases/grpc.mdx | 10 +- .../connect-networks/use-cases/ssh.mdx | 2 +- .../faq/cloudflare-tunnels-faq.mdx | 4 +- .../faq/teams-getting-started-faq.mdx | 18 +- .../identity/authorization-cookie/index.mdx | 6 +- .../devices/warp-client-checks/os-version.mdx | 2 +- .../identity/idp-integration/adfs.mdx | 35 ++- .../identity/idp-integration/centrify.mdx | 27 +-- .../identity/idp-integration/generic-oidc.mdx | 33 ++- .../identity/idp-integration/generic-saml.mdx | 15 +- .../identity/idp-integration/okta-saml.mdx | 50 ++-- .../identity/users/seat-management.mdx | 5 +- .../identity/users/session-management.mdx | 15 +- .../insights/logs/audit-logs.mdx | 2 +- .../insights/logs/gateway-logs/index.mdx | 73 +----- .../insights/logs/gateway-logs/manage-pii.mdx | 19 +- .../cloudflare-one/insights/risk-score.mdx | 11 +- .../policies/gateway/domain-categories.mdx | 23 +- .../egress-policies/dedicated-egress-ips.mdx | 51 ++-- .../gateway/http-policies/tenant-control.mdx | 13 +- 
.../policies/gateway/identity-selectors.mdx | 13 +- .../policies/gateway/initial-setup/dns.mdx | 18 +- .../policies/gateway/initial-setup/http.mdx | 16 +- .../gateway/initial-setup/network.mdx | 7 +- .../gateway/network-policies/index.mdx | 227 +++++++++--------- .../gateway/network-policies/ssh-logging.mdx | 2 +- .../tutorials/azuread-risky-users.mdx | 2 +- .../tutorials/vnc-client-in-browser.mdx | 4 +- 47 files changed, 447 insertions(+), 585 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/docusign-access.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/docusign-access.mdx index 86cceaed064d86..0b55390926604d 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/docusign-access.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/docusign-access.mdx 
@@ -4,16 +4,15 @@ title: DocuSign updated: 2024-06-18 sidebar: order: 10 - --- -This guide covers how to configure [Docusign](https://support.docusign.com/s/document-item?language=en_US\&bundleId=rrf1583359212854\&topicId=ozd1583359139126.html&_LANG=enus) as a SAML application in Cloudflare Zero Trust. +This guide covers how to configure [Docusign](https://support.docusign.com/s/document-item?language=en_US&bundleId=rrf1583359212854&topicId=ozd1583359139126.html&_LANG=enus) as a SAML application in Cloudflare Zero Trust. ## Prerequisites -* An [identity provider](/cloudflare-one/identity/idp-integration/) configured in Cloudflare Zero Trust -* Admin access to a Docusign account that has Single Sign-On available -* A [domain](https://support.docusign.com/s/document-item?language=en_US\&bundleId=rrf1583359212854\&topicId=gso1583359141256.html&_LANG=enus) verified in Docusign +- An [identity provider](/cloudflare-one/identity/idp-integration/) configured in Cloudflare Zero Trust +- Admin access to a Docusign account that has Single Sign-On available +- A [domain](https://support.docusign.com/s/document-item?language=en_US&bundleId=rrf1583359212854&topicId=gso1583359141256.html&_LANG=enus) verified in Docusign ## 1. Create the Access for SaaS application 
@@ -25,26 +24,26 @@ This guide covers how to configure [Docusign](https://support.docusign.com/s/doc 4. Use the following configuration: - * Set the **Application** to *DocuSign*. - * Put placeholder values in **EntityID** and **Assertion Consumer Service URL** (e.g. `https://example.com`). We’ll come back and update these. - * Set **Name ID Format** to: *Unique ID*. + - Set the **Application** to _DocuSign_. + - Put placeholder values in **EntityID** and **Assertion Consumer Service URL** (e.g. `https://example.com`). We'll come back and update these. + - Set **Name ID Format** to: _Unique ID_. 5. DocuSign requires SAML attributes to do Just In Time user provisioning. Ensure you are collecting SAML attributes from your IdP: - * Group - * username - * department - * firstName - * lastName - * phone + - Group + - username + - department + - firstName + - lastName + - phone 6. These IdP SAML values can then be mapped to the following DocuSign SAML attributes: - * Email - * Surname - * Givenname + - Email + - Surname + - Givenname -7. Set an Access policy (for example, create a policy based on *Emails ending in @example.com*). +7. Set an Access policy (for example, create a policy based on _Emails ending in @example.com_). 8. Copy and save SSO Endpoint, Entity ID and Public Key. @@ -58,7 +57,7 @@ This guide covers how to configure [Docusign](https://support.docusign.com/s/doc 11. Wrap the value in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. -12. Set the file extension to `.crt` and save. +12. Set the file extension to `.crt` and save. ::: ## 2. Configure your DocuSign SSO instance 
@@ -69,27 +68,27 @@ This guide covers how to configure [Docusign](https://support.docusign.com/s/doc 3. On the Identity Providers page, select **ADD IDENTITY PROVIDER**. Use the following mappings from the saved Access Application values: - * **Name**: Pick your desired name. - * **Identity Provider Issuer**: Entity ID. - * **Identity Provider Login URL**: Assertion Consumer Service URL. + - **Name**: Pick your desired name. + - **Identity Provider Issuer**: Entity ID. + - **Identity Provider Login URL**: Assertion Consumer Service URL. 4. Save the Identity Provider. -5. Upload your certificate to the *DocuSign Identity Provider* menu. +5. Upload your certificate to the _DocuSign Identity Provider_ menu. 6. Configure your SAML Attribute mappings. The Attribute Names should match the values in **IdP Value** in your Access application. 7. Go back to the Identity Provider's screen and select **Actions** > **Endpoints**. Copy and save the following: - * Service Provider Issuer URL. - * Service Provider Assertion Consumer Service URL. + - Service Provider Issuer URL. + - Service Provider Assertion Consumer Service URL. ## 3. Finalize your Cloudflare configuration 1. Go back to your DocuSign application under **Access** > **Applications**. 2. Select **Edit**. 3. Use the following mappings: - * EntityID->Service Provider Issuer URL. - * Assertion Consumer Service URL -> Service Provider Assertion Consumer Service URL. + - EntityID->Service Provider Issuer URL. + - Assertion Consumer Service URL -> Service Provider Assertion Consumer Service URL. 4. Save the application. When ready, enable the SSO for your DocuSign account and you will be able to login to DocuSign via Cloudflare SSO and your Identity Provider. diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx index 4d8babddba7f83..71bd68b59da52b 100644 
--- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx @@ -3,24 +3,23 @@ pcx_content_type: how-to title: Generic SAML application sidebar: order: 1 - --- -import { Render } from "~/components" +import { Render } from "~/components"; This page provides generic instructions for setting up a SaaS application in Cloudflare Access using the SAML authentication protocol. ## Prerequisites -* An [identity provider](/cloudflare-one/identity/idp-integration/) configured in Cloudflare Zero Trust -* Admin access to the account of the SaaS application +- An [identity provider](/cloudflare-one/identity/idp-integration/) configured in Cloudflare Zero Trust +- Admin access to the account of the SaaS application ## 1. Get SaaS application URLs Obtain the following URLs from your SaaS application account: -* **Entity ID**: A unique URL issued for your SaaS application, for example `https://.my.salesforce.com`. -* **Assertion Consumer Service URL**: The service provider's endpoint for receiving and parsing SAML assertions. +- **Entity ID**: A unique URL issued for your SaaS application, for example `https://.my.salesforce.com`. +- **Assertion Consumer Service URL**: The service provider's endpoint for receiving and parsing SAML assertions. ## 2. Add your application to Access 
@@ -38,15 +37,15 @@ Obtain the following URLs from your SaaS application account: 7. Enter the **Entity ID** and **Assertion Consumer Service URL** obtained from your SaaS application account. -8. Select the **Name ID Format** expected by your SaaS application (usually *Email*). +8. Select the **Name ID Format** expected by your SaaS application (usually _Email_). 9. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**. -10. If your SaaS application requires additional **SAML attribute statements**, add the mapping of your IdP’s attributes you would like to include in the SAML statement sent to the SaaS application. +10. If your SaaS application requires additional **SAML attribute statements**, add the mapping of your IdP's attributes you would like to include in the SAML statement sent to the SaaS application. :::note[IdP groups] -If you are using Okta, AzureAD, Google Workspace, or GitHub as your IdP, Access will automatically send a SAML attribute titled `groups` with all of the user's associated groups as attribute values. +If you are using Okta, AzureAD, Google Workspace, or GitHub as your IdP, Access will automatically send a SAML attribute titled `groups` with all of the user's associated groups as attribute values. ::: 11. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application. 
@@ -67,9 +66,9 @@ If you are using Okta, AzureAD, Google Workspace, or GitHub as your IdP, Access Next, configure your SaaS application to require users to log in through Cloudflare Access. Refer to your SaaS application documentation for instructions on how to configure a third-party SAML SSO provider. You will need the following values from the Zero Trust dashboard: -* **SSO endpoint** -* **Access Entity ID or Issuer** -* **Public key** +- **SSO endpoint** +- **Access Entity ID or Issuer** +- **Public key** You can either manually enter this data into your SaaS application or upload a metadata XML file. The metadata is available at the URL: `/saml-metadata`. diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zendesk-sso-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zendesk-sso-saas.mdx index 68b4796ad731ea..24b4a5d019b150 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zendesk-sso-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/zendesk-sso-saas.mdx @@ -4,15 +4,14 @@ title: Zendesk updated: 2024-04-29 sidebar: order: 29 - --- This guide covers how to configure [Zendesk](https://support.zendesk.com/hc/en-us/articles/4408887505690-Enabling-SAML-single-sign-on#topic_u54_wc3_z2b) as a SAML application in Cloudflare Zero Trust. ## Prerequisites -* An [identity provider](/cloudflare-one/identity/idp-integration/) configured in Cloudflare Zero Trust -* Admin access to your Zendesk account +- An [identity provider](/cloudflare-one/identity/idp-integration/) configured in Cloudflare Zero Trust +- Admin access to your Zendesk account ## Configure Zendesk and Cloudflare 
@@ -20,7 +19,7 @@ This guide covers how to configure [Zendesk](https://support.zendesk.com/hc/en-u 2. In a separate tab or window, open [Zero Trust](https://one.dash.cloudflare.com), select your account, and go to **Access** > **Applications**. -3. Select **Add an application**, then choose *SaaS*. +3. Select **Add an application**, then choose _SaaS_. 4. Input the following values in the Zero Trust application configuration: @@ -28,9 +27,9 @@ This guide covers how to configure [Zendesk](https://support.zendesk.com/hc/en-u | ---------------------------------- | ----------------------------------------------- | | **Entity ID** | `https://.zendesk.com` | | **Assertion Consumer Service URL** | contents of **SAML SSO URL** in Zendesk account | - | **Name ID Format** | *Email* | + | **Name ID Format** | _Email_ | -5. (Optional) Configure these Attribute Statements to include a user’s first and last name: +5. (Optional) Configure these Attribute Statements to include a user's first and last name: | Cloudflare attribute name | IdP attribute value | | ------------------------- | ----------------------------------------------------------------- | @@ -54,7 +53,7 @@ This guide covers how to configure [Zendesk](https://support.zendesk.com/hc/en-u 2. Wrap the value with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. - 3. Set **Algorithm** to *SHA256* and select **Calculate Fingerprint**. + 3. Set **Algorithm** to _SHA256_ and select **Calculate Fingerprint**. 4. Copy the **Formatted FingerPrint** value. diff --git a/src/content/docs/cloudflare-one/applications/scan-apps/index.mdx b/src/content/docs/cloudflare-one/applications/scan-apps/index.mdx index 8b4847b7423797..7b207964ed9aa6 100644 --- a/src/content/docs/cloudflare-one/applications/scan-apps/index.mdx +++ b/src/content/docs/cloudflare-one/applications/scan-apps/index.mdx 
@@ -3,17 +3,16 @@ pcx_content_type: how-to title: Scan SaaS applications sidebar: order: 3 - --- -import { GlossaryTooltip, Render } from "~/components" +import { GlossaryTooltip, Render } from "~/components"; :::note -Only available on Enterprise plans. +Only available on Enterprise plans. ::: -Cloudflare’s API-driven Cloud Access Security Broker (CASB) scans SaaS applications for misconfigurations, unauthorized user activity, shadow IT, and other data security issues that can occur after a user has successfully logged in. +Cloudflare's API-driven Cloud Access Security Broker (CASB) scans SaaS applications for misconfigurations, unauthorized user activity, shadow IT, and other data security issues that can occur after a user has successfully logged in. ## Manage CASB integrations diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips.mdx index 07c334a21f8dd0..45b8285cbe1457 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips.mdx @@ -3,7 +3,6 @@ pcx_content_type: concept title: DNS resolver IPs and hostnames sidebar: order: 2 - --- When you create a DNS location, Gateway assigns IPv4/IPv6 addresses and DoT/DoH hostnames to that location. These are the IP addresses and hostnames you send your DNS queries to for Gateway to resolve. 
@@ -90,4 +89,4 @@ For example, to block security threats for specific networks, you could create t | Security Categories | in | Select all categories that apply | And | Block | | Source IP | in list | The name of the IP list containing your organization's networks | | | -DNS queries made from IP addresses that are not in your IP list will not be filtered or populate your organization’s [Gateway activity logs](/cloudflare-one/insights/logs/gateway-logs/). +DNS queries made from IP addresses that are not in your IP list will not be filtered or populate your organization's [Gateway activity logs](/cloudflare-one/insights/logs/gateway-logs/). diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture.mdx index 155f7b77c061a5..001569637248e8 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture.mdx 
@@ -7,13 +7,13 @@ sidebar: import { TabItem, Tabs } from "~/components"; -This guide explains how the Cloudflare WARP client interacts with a device’s operating system to route traffic in [Gateway with WARP](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-warp-default) mode. +This guide explains how the Cloudflare WARP client interacts with a device's operating system to route traffic in [Gateway with WARP](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-warp-default) mode. In [Gateway with DoH](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-doh) mode, the IP traffic information does not apply. In [Secure Web Gateway without DNS filtering](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering) mode, the DNS traffic information does not apply. ## Overview -The WARP client allows organizations to have granular control over the applications an end user device can access. The client forwards DNS and network traffic from the device to Cloudflare’s global network, where Zero Trust policies are applied in the cloud. On all operating systems, the WARP daemon maintains three connections between the device and Cloudflare: +The WARP client allows organizations to have granular control over the applications an end user device can access. The client forwards DNS and network traffic from the device to Cloudflare's global network, where Zero Trust policies are applied in the cloud. On all operating systems, the WARP daemon maintains three connections between the device and Cloudflare: | Connection | Protocol | Purpose | | ---------------------------------------------------------------------------------------------------------------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------- | 
@@ -174,7 +174,7 @@ S -- No --> U["Virtual interface
(172.16.0.2)"] --> G[Cloudflare Gateway] #### Virtual interface -Virtual interfaces allow the operating system to logically subdivide a physical interface, such as a network interface controller (NIC), into separate interfaces for the purposes of routing IP traffic. WARP’s virtual interface is what maintains the WireGuard/MASQUE connection between the device and Cloudflare. By default, its IP address is hardcoded as `172.16.0.2`. You can use [**Override local interface IP**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#override-local-interface-ip) to assign unique IPs per device. +Virtual interfaces allow the operating system to logically subdivide a physical interface, such as a network interface controller (NIC), into separate interfaces for the purposes of routing IP traffic. WARP's virtual interface is what maintains the WireGuard/MASQUE connection between the device and Cloudflare. By default, its IP address is hardcoded as `172.16.0.2`. You can use [**Override local interface IP**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#override-local-interface-ip) to assign unique IPs per device. To view a list of all network interfaces on the operating system: 
@@ -360,6 +360,6 @@ WARP modifies the operating system firewall to enforce your Split Tunnel rules. ## iOS, Android, and ChromeOS -On iOS and Android/ChromeOS, the Cloudflare One Agent installs itself as a VPN client to capture and route all traffic. The app is built on the official VPN framework for iOS and Android. For more information, refer to Apple’s [NetworkExtension documentation](https://developer.apple.com/documentation/networkextension) and Google’s [Android developer documentation](https://developer.android.com/guide/topics/connectivity/vpn). +On iOS and Android/ChromeOS, the Cloudflare One Agent installs itself as a VPN client to capture and route all traffic. The app is built on the official VPN framework for iOS and Android. For more information, refer to Apple's [NetworkExtension documentation](https://developer.apple.com/documentation/networkextension) and Google's [Android developer documentation](https://developer.android.com/guide/topics/connectivity/vpn). Note that ChromeOS runs the Android app in a virtual machine, rather than running a native Chrome app. diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx index 4f606bf8f7961d..20fe27df64bfce 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx 
@@ -3,15 +3,14 @@ pcx_content_type: reference title: WARP settings sidebar: order: 2 - --- -import { Details, GlossaryTooltip, InlineBadge, Render } from "~/components" +import { Details, GlossaryTooltip, InlineBadge, Render } from "~/components"; WARP settings define the WARP client modes and permissions available to end users. -* [Global settings](#global-settings) apply to all devices enrolled in your Zero Trust organization. -* [Device settings](#device-settings) may vary across devices depending on which [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) is applied. +- [Global settings](#global-settings) apply to all devices enrolled in your Zero Trust organization. +- [Device settings](#device-settings) may vary across devices depending on which [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) is applied. ## Global settings @@ -54,14 +53,12 @@ The client will automatically reconnect after the [Auto connect period](#auto-co ### Install CA to system certificate store -
| Operating Systems | [WARP mode required](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | | --------------------- | ------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | | Windows, macOS, Linux | Gateway with WARP, Proxy mode | All plans | -
When `Enabled`, the WARP client will [automatically install](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/) your organization's root certificate on the device. @@ -74,7 +71,6 @@ When `Enabled`, the WARP client will [automatically install](/cloudflare-one/con | --------------------- | ------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | | Windows, macOS, Linux | Gateway with WARP, Secure Web Gateway without DNS Filtering | All plans | - Overrides the default IP address of WARP's [virtual network interface](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/#ip-traffic) such that each device has its own unique local interface IP. @@ -83,9 +79,9 @@ This setting is primarily used in conjunction with the [WARP Connector](/cloudfl **Value:** -* `Disabled`: (default) Sets the local interface IP to `172.16.0.2` on all devices. +- `Disabled`: (default) Sets the local interface IP to `172.16.0.2` on all devices. -* `Enabled`: Sets the local interface IP on each device to its CGNAT IP. The change takes effect within 24 hours. +- `Enabled`: Sets the local interface IP on each device to its CGNAT IP. The change takes effect within 24 hours. The CGNAT IP assigned to a WARP device is permanent until the device unregisters from your Zero Trust organization. Disconnects and reconnects do not change the IP address assignment. @@ -101,21 +97,18 @@ Since captive portal implementations vary, WARP may not detect all captive porta ### Mode switch -
| Operating Systems | [WARP mode required](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | | ----------------- | ------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | | All systems | Any mode | All plans | -
When `Enabled`, users have the option to switch between [Gateway with WARP](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-warp-default) mode and [Gateway with DoH mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-doh). This feature does not support switching between any other modes. ### Device tunnel protocol -
| [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | @@ -124,43 +117,40 @@ When `Enabled`, users have the option to switch between [Gateway with WARP](/clo | System | Availability | Minimum WARP version | | -------- | ------------ | -------------------- | -| Windows | ✅ | 2024.6.415.0 | -| macOS | ✅ | 2024.6.416.0 | +| Windows | ✅ | 2024.6.415.0 | +| macOS | ✅ | 2024.6.416.0 | | Linux | Coming soon | | | iOS | Coming soon | | | Android | Coming soon | | | ChromeOS | Coming soon | | -
Configures the protocol used to route IP traffic from the device to Cloudflare Gateway. It may take up to 24 hours for all devices to switch to the new protocol. To check the active protocol on a device, open a terminal and run `warp-cli settings | grep protocol`. **Value**: -* **WireGuard**: (default) Establishes a [WireGuard](https://www.wireguard.com/) connection to Cloudflare. The WARP client will encrypt traffic using a non-FIPs compliant cipher suite, `TLS_CHACHA20_POLY1305_SHA256`. When switching from MASQUE to WireGuard, users may lose Internet connectivity if their Wi-Fi network blocks the [ports and IPs](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip) required for WireGuard to function. -* **MASQUE** : Establishes an HTTP/3 connection to Cloudflare. To use MASQUE, [Override local interface IP](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#override-local-interface-ip) must be `Enabled`. The WARP client will encrypt traffic using TLS 1.3 and a [FIPS 140-2](https://csrc.nist.gov/pubs/fips/140-2/upd2/final) compliant cipher suite, `TLS_AES_256_GCM_SHA384`. +- **WireGuard**: (default) Establishes a [WireGuard](https://www.wireguard.com/) connection to Cloudflare. The WARP client will encrypt traffic using a non-FIPs compliant cipher suite, `TLS_CHACHA20_POLY1305_SHA256`. When switching from MASQUE to WireGuard, users may lose Internet connectivity if their Wi-Fi network blocks the [ports and IPs](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip) required for WireGuard to function. +- **MASQUE** : Establishes an HTTP/3 connection to Cloudflare. To use MASQUE, [Override local interface IP](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#override-local-interface-ip) must be `Enabled`. 
The WARP client will encrypt traffic using TLS 1.3 and a [FIPS 140-2](https://csrc.nist.gov/pubs/fips/140-2/upd2/final) compliant cipher suite, `TLS_AES_256_GCM_SHA384`. For more details on WireGuard versus MASQUE, refer to our [blog post](https://blog.cloudflare.com/zero-trust-warp-with-a-masque). ### Lock WARP switch -
| Operating Systems | [WARP mode required](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | | ----------------- | ------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | | All systems | Any mode | All plans | -
Allows the user to turn off the WARP switch and disconnect the client. **Value:** -* `Disabled`: (default) The user is able to turn the switch on or off at their discretion. When the switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks. -* `Enabled`: The user is prevented from turning off the switch. The WARP client will always start in the connected state. +- `Disabled`: (default) The user is able to turn the switch on or off at their discretion. When the switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks. +- `Enabled`: The user is prevented from turning off the switch. The WARP client will always start in the connected state. On MDM deployments, you must also include the `auto_connect` parameter with at least a value of `0`. This will prevent clients from being deployed in the off state without a way for users to manually enable them. @@ -172,14 +162,12 @@ When `Enabled`, users can log out from your Zero Trust organization by selecting ### Allow updates -
| Operating Systems | [WARP mode required](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | | --------------------- | ------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | | macOS, Windows, Linux | Any mode | All plans | -
When `Enabled`, users will receive update notifications when a new version of the client is available. Only turn this on if your users are local administrators with the ability to add or remove software from their device. @@ -194,8 +182,8 @@ We recommend keeping this set to a very low value — usually just enough time f **Value:** -* `0`: Allow the switch to stay in the off position indefinitely until the user turns it back on. -* `1` to `1440`: Turn switch back on automatically after the specified number of minutes. +- `0`: Allow the switch to stay in the off position indefinitely until the user turns it back on. +- `1` to `1440`: Turn switch back on automatically after the specified number of minutes. ### Support URL @@ -203,8 +191,8 @@ We recommend keeping this set to a very low value — usually just enough time f When `Enabled`, the **Send Feedback** button in the WARP client appears and will launch the URL specified. Example **Support URL** values are: -* `https://support.example.com`: Use an https\:// link to open your companies internal help site. -* `mailto:yoursupport@example.com`: Use a `mailto:` link to open your default mail client. +- `https://support.example.com`: Use an https\:// link to open your companies internal help site. +- `mailto:yoursupport@example.com`: Use a `mailto:` link to open your default mail client. ### Service mode @@ -214,14 +202,12 @@ Allows you to choose the operational mode of the client. Refer to [WARP Modes](/ ### Local Domain Fallback -
| Operating Systems | [WARP mode required](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | | ----------------- | ------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | | All systems | Gateway with WARP, Gateway with DoH | All plans | -
Configures the WARP client to redirect DNS requests to a private DNS resolver. For more information, refer to our [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) documentation. @@ -240,7 +226,6 @@ Creates [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configur ### Allow users to enable local network exclusion -
| [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | @@ -249,32 +234,30 @@ Creates [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configur | System | Availability | Minimum WARP version | | -------- | ------------ | -------------------- | -| Windows | ✅ | 2024.1.159.0 | -| macOS | ✅ | 2024.1.160.0 | -| Linux | ✅ | 2024.2.62.0 | -| iOS | ❌ | | -| Android | ✅ | 1.4 | -| ChromeOS | ✅ | 1.4 | - +| Windows | ✅ | 2024.1.159.0 | +| macOS | ✅ | 2024.1.160.0 | +| Linux | ✅ | 2024.2.62.0 | +| iOS | ❌ | | +| Android | ✅ | 1.4 | +| ChromeOS | ✅ | 1.4 |
This setting is intended as a workaround for users whose home network uses the same set of IP addresses as your corporate private network. To use this setting, **Split Tunnels** must be set to **Exclude IPs and domains**. -When `Enabled`, users have the option to access local network resources (such as printers and storage devices) while connected to WARP. When the user enables **Access local network** in the WARP GUI, WARP will detect the local IP range advertised by the user’s home network (for example, `10.0.0.0/24`) and temporarily exclude this range from the WARP tunnel. The user will need to re-request access after the **Timeout** expires. Setting **Timeout** to `0 minutes` will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. +When `Enabled`, users have the option to access local network resources (such as printers and storage devices) while connected to WARP. When the user enables **Access local network** in the WARP GUI, WARP will detect the local IP range advertised by the user's home network (for example, `10.0.0.0/24`) and temporarily exclude this range from the WARP tunnel. The user will need to re-request access after the **Timeout** expires. Setting **Timeout** to `0 minutes` will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. :::caution[Warning] Enabling this setting comes with two major consequences: -* **Device is exposed to security threats.** The user may be unaware that traffic to what used to be their company's private network is now actually being routed to their local network. This leaves the device vulnerable to [on-path attackers](https://www.cloudflare.com/learning/security/threats/on-path-attack/) and other security vulnerabilities. For example, imagine that a user's typical workflow involves logging into a remote desktop on the corporate network at `10.0.0.30`. A bad actor could set up a fake server on the local network at `10.0.0.30`. 
If the user goes to `10.0.0.30` while **Access local network** is enabled, the attacker can now steal their credentials. -* **User loses access to corporate resources.** — While accessing their local network, the user will be unable to connect to corporate resources that fall within the same IP/CIDR range. - +- **Device is exposed to security threats.** The user may be unaware that traffic to what used to be their company's private network is now actually being routed to their local network. This leaves the device vulnerable to [on-path attackers](https://www.cloudflare.com/learning/security/threats/on-path-attack/) and other security vulnerabilities. For example, imagine that a user's typical workflow involves logging into a remote desktop on the corporate network at `10.0.0.30`. A bad actor could set up a fake server on the local network at `10.0.0.30`. If the user goes to `10.0.0.30` while **Access local network** is enabled, the attacker can now steal their credentials. +- **User loses access to corporate resources.** — While accessing their local network, the user will be unable to connect to corporate resources that fall within the same IP/CIDR range. ::: #### Limitations -* WARP will only exclude local networks in the [RFC 1918](https://datatracker.ietf.org/doc/html/rfc1918) address space. Other IP addresses such as CGNAT are not supported. -* The maximum excluded subnet size is `/24`. -* If a Windows device has multiple network interfaces with distinct local IP ranges, WARP will only exclude one of those networks. To access a specific local network, disable the other interfaces and disconnect/reconnect WARP. +- WARP will only exclude local networks in the [RFC 1918](https://datatracker.ietf.org/doc/html/rfc1918) address space. Other IP addresses such as CGNAT are not supported. +- The maximum excluded subnet size is `/24`. +- If a Windows device has multiple network interfaces with distinct local IP ranges, WARP will only exclude one of those networks. 
To access a specific local network, disable the other interfaces and disconnect/reconnect WARP. diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx index 94b4aeffc1bc67..51f788f55d325c 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx @@ -3,10 +3,9 @@ pcx_content_type: reference title: WARP with firewall sidebar: order: 9 - --- -import { Render } from "~/components" +import { Render } from "~/components"; If your organization uses a firewall or other policies to restrict or intercept Internet traffic, you may need to exempt the following IP addresses and domains to allow the WARP client to connect. @@ -30,8 +29,8 @@ If you are deploying the Cloudflare One Agent on Android/ChromeOS, you must also When you [log in to your Zero Trust organization](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/), you will have to complete the authentication steps required by your organization in the browser window that opens. To perform these operations, you must allow the following domains: -* The IdP used to authenticate to Cloudflare Zero Trust -* `.cloudflareaccess.com` +- The IdP used to authenticate to Cloudflare Zero Trust +- `.cloudflareaccess.com` ## WARP ingress IP 
@@ -57,24 +56,24 @@ WARP connects to the following IP addresses, depending on which [tunnel protocol :::note -Before you [log in to your Zero Trust organization](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/), you may see the IPv4 range `162.159.192.0/24`. This IP is used for consumer WARP services ([1.1.1.1 w/ WARP](/warp-client/)) and is not required for Zero Trust deployments. +Before you [log in to your Zero Trust organization](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/), you may see the IPv4 range `162.159.192.0/24`. This IP is used for consumer WARP services ([1.1.1.1 w/ WARP](/warp-client/)) and is not required for Zero Trust deployments. ::: ## Captive portal The following domains are used as part of our captive portal check: -* `cloudflareportal.com` -* `cloudflareok.com` -* `cloudflarecp.com` +- `cloudflareportal.com` +- `cloudflareok.com` +- `cloudflarecp.com` ## Connectivity check As part of establishing the WARP connection, the client will check the following HTTPS URLs to validate a successful connection: -* `engage.cloudflareclient.com` verifies general Internet connectivity outside of the WARP tunnel. These requests are always sent directly to an IP in the [WARP ingress IPv4 or IPv6 range](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip) (or to your [`override_warp_endpoint`](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters/#override_warp_endpoint) if set). Requests will not use a proxy server, even if one is configured for the system. +- `engage.cloudflareclient.com` verifies general Internet connectivity outside of the WARP tunnel. 
These requests are always sent directly to an IP in the [WARP ingress IPv4 or IPv6 range](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip) (or to your [`override_warp_endpoint`](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters/#override_warp_endpoint) if set). Requests will not use a proxy server, even if one is configured for the system. -* `connectivity.cloudflareclient.com` verifies connectivity inside of the WARP tunnel. Because this check happens inside of the tunnel, you do not need to add `connectivity.cloudflareclient.com` to your firewall allowlist. +- `connectivity.cloudflareclient.com` verifies connectivity inside of the WARP tunnel. Because this check happens inside of the tunnel, you do not need to add `connectivity.cloudflareclient.com` to your firewall allowlist. ## NEL reporting (optional) @@ -86,7 +85,7 @@ The WARP client generates ICMP traffic to the [WARP ingress IPs](/cloudflare-one ## Time synchronization (optional) -The WARP client attempts to synchronize the exact time by NTP (`UDP 123`) to [Cloudflare’s Time Service](/time-services/ntp/usage/) via `time.cloudflare.com`. This is not technically required to operate but will result in errors in our logs if not excluded properly. +The WARP client attempts to synchronize the exact time by NTP (`UDP 123`) to [Cloudflare's Time Service](/time-services/ntp/usage/) via `time.cloudflare.com`. This is not technically required to operate but will result in errors in our logs if not excluded properly. ## Scope of firewall rules 
@@ -94,8 +93,8 @@ The WARP client attempts to synchronize the exact time by NTP (`UDP 123`) to [Cl If your organization does not currently allow inbound/outbound communication over the IP addresses, ports, and domains described above, you must manually add an exception. The rule at a minimum needs to be scoped to the following process based on your platform: -* Windows: `C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe` -* macOS: `/Applications/Cloudflare WARP.app/Contents/Resources/CloudflareWARP` +- Windows: `C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe` +- macOS: `/Applications/Cloudflare WARP.app/Contents/Resources/CloudflareWARP` ### Optional scopes @@ -103,12 +102,12 @@ If your organization does not currently allow inbound/outbound communication ove To run [Digital Experience Monitoring tests](/cloudflare-one/insights/dex/tests/), you will need to allow the `warp-dex` process to generate network traffic to your target destinations: -* Windows: `C:\Program Files\Cloudflare\Cloudflare WARP\warp-dex.exe` -* macOS: `/Applications/Cloudflare WARP.app/Contents/Resources/warp-dex` +- Windows: `C:\Program Files\Cloudflare\Cloudflare WARP\warp-dex.exe` +- macOS: `/Applications/Cloudflare WARP.app/Contents/Resources/warp-dex` #### WARP network statistics To use the network connectivity tests built into the WARP GUI, you will need to allow the GUI application to generate network traffic: -* Windows: `C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe` -* macOS: `/Applications/Cloudflare WARP.app` +- Windows: `C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe` +- macOS: `/Applications/Cloudflare WARP.app` diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/index.mdx index b29e2afd056afb..11a1133ec5ae4a 100644 
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/index.mdx @@ -72,7 +72,7 @@ Changes to this file are processed immediately by the WARP client. ### Authenticate in embedded browser -By default WARP will use the user’s default browser to perform registration. You can override the default setting to instead authenticate users in an embedded browser. The embedded browser will work around any protocol handler issues that may prevent the default browser from launching. +By default WARP will use the user's default browser to perform registration. You can override the default setting to instead authenticate users in an embedded browser. The embedded browser will work around any protocol handler issues that may prevent the default browser from launching. To use an embedded browser: diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/partners/kandji.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/partners/kandji.mdx index 71c7d1a4c5dc8d..e7c48e4618d0c5 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/partners/kandji.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/partners/kandji.mdx 
@@ -3,14 +3,13 @@ pcx_content_type: how-to title: Kandji sidebar: order: 2 - --- Kandji deploys Cloudflare WARP as a custom app. For an overview of how Kandji deploys custom apps, refer to their [knowledge base article](https://support.kandji.io/custom-apps-overview). ## macOS -For the simplest deployment, Kandji has created a downloadable configuration profile that enables Cloudflare WARP’s user notifications and configures its Privacy Preference Policy Control ([PPPC](https://support.kandji.io/create-a-privacy-preferences-policy-control-profile)) to have Full Disk Access. +For the simplest deployment, Kandji has created a downloadable configuration profile that enables Cloudflare WARP's user notifications and configures its Privacy Preference Policy Control ([PPPC](https://support.kandji.io/create-a-privacy-preferences-policy-control-profile)) to have Full Disk Access. 1. Download the [custom profile](https://github.com/kandji-inc/support/blob/master/Configuration%20Profiles/cloudflare_warp.mobileconfig). @@ -23,7 +22,7 @@ For the simplest deployment, Kandji has created a downloadable configuration pro 1. Enter a **Name** for the custom configuration profile. 2. Assign your custom profile to a test Blueprint. - 3. Set **Device Families** to *Mac*. + 3. Set **Device Families** to _Mac_. 4. Upload the `cloudflare_warp.mobileconfig` file you previously downloaded. 5. Save the custom profile. 
@@ -44,9 +43,9 @@ For the simplest deployment, Kandji has created a downloadable configuration pro 4. Copy the **Audit and Enforce Script** [below](#audit-and-enforce-script) and paste it into the **Audit Script** text field. - 5. To enforce a minimum app version, update the **ENFORCED\_VERSION** variable in the audit script with the version number the audit script should enforce (for example, `1.5.207.0`). + 5. To enforce a minimum app version, update the **ENFORCED_VERSION** variable in the audit script with the version number the audit script should enforce (for example, `1.5.207.0`). - If **ENFORCED\_VERSION** is left blank (`""`), the audit script will not check for a version and will only check for the presence of the Cloudflare WARP app in the Applications folder or a subfolder within **Applications**. Refer to the script comments for more details. + If **ENFORCED_VERSION** is left blank (`""`), the audit script will not check for a version and will only check for the presence of the Cloudflare WARP app in the Applications folder or a subfolder within **Applications**. Refer to the script comments for more details. 6. In the **Install Details** section, select **Installer Package**. diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-useful-commands.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-useful-commands.mdx index 3ddec902f5b603..e3e4bbbe6d0307 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-useful-commands.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-useful-commands.mdx @@ -3,7 +3,6 @@ pcx_content_type: reference title: Useful commands sidebar: order: 6 - --- This page lists the most commonly used commands for managing local tunnels. 
@@ -19,8 +18,8 @@ To view all CLI commands, refer to the CLI help text in your terminal. For examp | `cloudflared tunnel create ` | Creates a tunnel, registers it with the Cloudflare edge and generates a credential file to run this tunnel. | | `cloudflared tunnel route` | Routes traffic through a tunnel. | | `cloudflared tunnel route lb ` | Creates a Load Balancer with a pool that points to the tunnel. | -| `cloudflared tunnel route ip add ` | Adds any network route space (represented as a CIDR) to your routing table. That network space becomes reachable for requests egressing from a user’s machine as long as it is using Cloudflare WARP and is enrolled in the same account that is running the tunnel chosen here. Further, those requests will be proxied to the specified tunnel, and reach an IP in the given CIDR, as long as that IP is reachable from the tunnel. To assign the IP route to a specific [Virtual Network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/), use the `--vnet` option. | -| `cloudflared tunnel route ip show` (or `list`) | Shows your organization’s private routing table. You can use additional flags to filter the results. | +| `cloudflared tunnel route ip add ` | Adds any network route space (represented as a CIDR) to your routing table. That network space becomes reachable for requests egressing from a user's machine as long as it is using Cloudflare WARP and is enrolled in the same account that is running the tunnel chosen here. Further, those requests will be proxied to the specified tunnel, and reach an IP in the given CIDR, as long as that IP is reachable from the tunnel. To assign the IP route to a specific [Virtual Network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/), use the `--vnet` option. | +| `cloudflared tunnel route ip show` (or `list`) | Shows your organization's private routing table. You can use additional flags to filter the results. 
| | `cloudflared tunnel route ip delete` | Deletes the row for a given CIDR from your routing table. That portion of your network will no longer be reachable by the WARP client. | | `cloudflared tunnel route ip get ` | Checks which row of the routing table will be used to proxy a given IP. This helps check and validate your configuration. | | `cloudflared tunnel route dns` | Creates a DNS CNAME record hostname that points to the tunnel. | diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/migrate-legacy-tunnels.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/migrate-legacy-tunnels.mdx index 0932d4740757e6..cc3bd1491a58f6 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/migrate-legacy-tunnels.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/migrate-legacy-tunnels.mdx 
@@ -8,9 +8,9 @@ head: content: Migrate legacy tunnels to named tunnels --- -Originally, a Cloudflare Tunnel connection corresponded to a DNS record in your account. Requests to that hostname hit Cloudflare’s network first and our edge sends those requests over the tunnel to your origin. However, fitting an outbound-only connection into a reverse proxy creates some ergonomic and stability hurdles. The original Cloudflare Tunnel architecture attempted to both manage DNS records and create connections. When connections became disrupted, Tunnel would recreate the entire deployment. Additionally, Argo Tunnel connections could not be treated like regular origin servers in Cloudflare’s control plane and had to be managed directly from the server-side software. +Originally, a Cloudflare Tunnel connection corresponded to a DNS record in your account. Requests to that hostname hit Cloudflare's network first and our edge sends those requests over the tunnel to your origin. However, fitting an outbound-only connection into a reverse proxy creates some ergonomic and stability hurdles. The original Cloudflare Tunnel architecture attempted to both manage DNS records and create connections. When connections became disrupted, Tunnel would recreate the entire deployment. Additionally, Argo Tunnel connections could not be treated like regular origin servers in Cloudflare's control plane and had to be managed directly from the server-side software. -Today, Cloudflare Tunnel’s architecture distinguishes between the persistent objects (DNS records, `cloudflared`) and the ephemeral objects (the connections). To do that, it assigns permanent names and UUIDs to tunnels, which makes them more stable and easier to use. Since the name and UUID for a tunnel do not change, your DNS record never needs to be cleaned up or recreated when Cloudflare Tunnel restarts. In the event of a restart, the enrolled instance of `cloudflared` connects back to that UUID address. 
+Today, Cloudflare Tunnel's architecture distinguishes between the persistent objects (DNS records, `cloudflared`) and the ephemeral objects (the connections). To do that, it assigns permanent names and UUIDs to tunnels, which makes them more stable and easier to use. Since the name and UUID for a tunnel do not change, your DNS record never needs to be cleaned up or recreated when Cloudflare Tunnel restarts. In the event of a restart, the enrolled instance of `cloudflared` connects back to that UUID address. ## Check for legacy tunnels diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare.mdx index a0a278ac592cca..9a77d57d9f24ca 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare.mdx 
@@ -35,8 +35,8 @@ TryCloudflare quick tunnels are currently not supported if a `config.yaml` confi ### Why does Cloudflare provide this service for free? - We want more users to experience the speed and security improvements of Cloudflare Tunnel (and Argo Smart Routing). We hope you test it with TryCloudflare and decide to add it to your production sites. -- Cloudflare’s features historically require you to own a domain, set that domain’s DNS to Cloudflare’s nameservers, and configure its DNS records before you can begin to use any services. We hope to make more and more of our products available to trial without that burden. -- We don’t guarantee any SLA or uptime of TryCloudflare - we plan to test new Cloudflare Tunnel features and improvements on these free tunnels. This provides us with a group of connections to test before we deploy to production customers. Free tunnels are meant to be used for testing and development, not for deploying a production website. +- Cloudflare's features historically require you to own a domain, set that domain's DNS to Cloudflare's nameservers, and configure its DNS records before you can begin to use any services. We hope to make more and more of our products available to trial without that burden. +- We don't guarantee any SLA or uptime of TryCloudflare - we plan to test new Cloudflare Tunnel features and improvements on these free tunnels. This provides us with a group of connections to test before we deploy to production customers. Free tunnels are meant to be used for testing and development, not for deploying a production website. ### Limits diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel.mdx index 980df151eaa990..19acedaea2f201 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel.mdx 
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel.mdx @@ -119,7 +119,7 @@ Running this command will: - Generate a [tunnel credentials file](/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms/#credentials-file) in the [default `cloudflared` directory](/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms/#default-cloudflared-directory). - Create a subdomain of `.cfargotunnel.com`. -From the output of the command, take note of the tunnel’s UUID and the path to your tunnel’s credentials file. +From the output of the command, take note of the tunnel's UUID and the path to your tunnel's credentials file. Confirm that the tunnel has been successfully created by running: diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms.mdx index d9ce8f8b2724f1..a652509d343581 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms.mdx @@ -3,7 +3,6 @@ pcx_content_type: reference title: Useful terms sidebar: order: 4 - --- Review terminology for Cloudflare Tunnels. 
@@ -22,7 +21,7 @@ A tunnel name is a unique, user-friendly identifier that you choose for a tunnel ## Connector -The connector, referred to as `cloudflared`, establishes connectivity from your origin server to the Cloudflare global network. Our connector offers high availability by creating four long-lived connections to two distinct data centers within Cloudflare’s global network. This built-in redundancy means that if an individual connection, server, or data center goes down, your origin remains available. +The connector, referred to as `cloudflared`, establishes connectivity from your origin server to the Cloudflare global network. Our connector offers high availability by creating four long-lived connections to two distinct data centers within Cloudflare's global network. This built-in redundancy means that if an individual connection, server, or data center goes down, your origin remains available. ## Replica @@ -57,7 +56,7 @@ The `cert.pem` origin certificate is valid for at least 10 years, and the servic ### Credentials file -This file is created when you run `cloudflared tunnel create `. It stores your tunnel’s credentials in JSON format, and is unique to each tunnel. This file functions as a token authenticating the tunnel it is associated with. Refer to the [Tunnel permissions page](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-permissions/) for more details on when this file is needed. +This file is created when you run `cloudflared tunnel create `. It stores your tunnel's credentials in JSON format, and is unique to each tunnel. This file functions as a token authenticating the tunnel it is associated with. Refer to the [Tunnel permissions page](/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-permissions/) for more details on when this file is needed. ### Ingress rule 
@@ -65,8 +64,8 @@ Ingress rules let you specify which local services traffic should be proxied to. ## Quick tunnels -Quick tunnels, when run, will generate a URL that consists of a random subdomain of the website `trycloudflare.com`, and point traffic to localhost on port `8080`. If you have a web service running at that address, users who visit the generated subdomain will be able to visit your web service through Cloudflare’s network. Refer to [TryCloudflare](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/) for more information on how to run quick tunnels. +Quick tunnels, when run, will generate a URL that consists of a random subdomain of the website `trycloudflare.com`, and point traffic to localhost on port `8080`. If you have a web service running at that address, users who visit the generated subdomain will be able to visit your web service through Cloudflare's network. Refer to [TryCloudflare](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/) for more information on how to run quick tunnels. ## Virtual networks -A [virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/) is a software abstraction that allows you to logically segregate resources on your private network. Virtual networks are especially useful for exposing resources which have overlapping IP routes. To connect to a resource, end users would select a virtual network in their WARP client settings before entering the destination IP. +A [virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/) is a software abstraction that allows you to logically segregate resources on your private network. Virtual networks are especially useful for exposing resources which have overlapping IP routes. To connect to a resource, end users would select a virtual network in their WARP client settings before entering the destination IP. 
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/index.mdx index 7c29b955ebd853..1e66ac3c1dc7cb 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/index.mdx @@ -3,10 +3,9 @@ pcx_content_type: concept title: Cloudflare Tunnel sidebar: order: 1 - --- -Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. With Tunnel, you do not send traffic to an external IP — instead, a lightweight daemon in your infrastructure (`cloudflared`) creates outbound-only connections to Cloudflare’s global network. Cloudflare Tunnel can connect HTTP web servers, [SSH servers](/cloudflare-one/connections/connect-networks/use-cases/ssh/), [remote desktops](/cloudflare-one/connections/connect-networks/use-cases/rdp/), and other protocols safely to Cloudflare. This way, your origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare. +Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. With Tunnel, you do not send traffic to an external IP — instead, a lightweight daemon in your infrastructure (`cloudflared`) creates outbound-only connections to Cloudflare's global network. Cloudflare Tunnel can connect HTTP web servers, [SSH servers](/cloudflare-one/connections/connect-networks/use-cases/ssh/), [remote desktops](/cloudflare-one/connections/connect-networks/use-cases/rdp/), and other protocols safely to Cloudflare. This way, your origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare. Refer to our [reference architecture](/reference-architecture/architectures/sase/) for details on how to implement Cloudflare Tunnel into your existing infrastructure. 
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/index.mdx index aee45340e932b8..b70c0267922214 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/index.mdx @@ -3,14 +3,13 @@ pcx_content_type: how-to title: Connect private networks sidebar: order: 1 - --- -import { Render } from "~/components" +import { Render } from "~/components"; A private network has two primary components: the server and the client. The server's infrastructure (whether that is a single application, multiple applications, or a network segment) is connected to Cloudflare's global network by Cloudflare Tunnel. This is done by running the `cloudflared` daemon on the server. -On the client side, end users connect to Cloudflare's global network using the Cloudflare WARP client. The WARP client can be rolled out to your entire organization in just a few minutes using your in-house MDM tooling. When users connect to an IP made available through Cloudflare Tunnel, WARP sends their connection through Cloudflare’s network to the corresponding tunnel. +On the client side, end users connect to Cloudflare's global network using the Cloudflare WARP client. The WARP client can be rolled out to your entire organization in just a few minutes using your in-house MDM tooling. When users connect to an IP made available through Cloudflare Tunnel, WARP sends their connection through Cloudflare's network to the corresponding tunnel. ![Diagram displaying connections between a device, Cloudflare, and a public cloud.](~/assets/images/cloudflare-one/connections/private-ips-diagram.png) 
@@ -28,10 +27,9 @@ To connect your infrastructure with Cloudflare Tunnel: Cloudflare Tunnel only supports routes in the [private IP address space](https://www.rfc-editor.org/rfc/rfc1918.html#section-3): -* `10.0.0.0` - `10.255.255.255` -* `172.16.0.0` - `172.31.255.255` -* `192.168.0.0` - `192.168.255.255` - +- `10.0.0.0` - `10.255.255.255` +- `172.16.0.0` - `172.31.255.255` +- `192.168.0.0` - `192.168.255.255` ::: @@ -61,13 +59,13 @@ You can create Zero Trust policies to manage access to specific applications on 3. Name your application. -4. For **Application type**, select *Destination IP*. +4. For **Application type**, select _Destination IP_. -5. For **Value**, enter the IP address for your application (for example, `10.128.0.7`). - :::note +5. For **Value**, enter the IP address for your application (for example, `10.128.0.7`). + :::note - If you would like to create a policy for an IP/CIDR range instead of a specific IP address, you can build a [Gateway Network policy](/cloudflare-one/policies/gateway/network-policies/) using the **Destination IP** selector. - ::: + If you would like to create a policy for an IP/CIDR range instead of a specific IP address, you can build a [Gateway Network policy](/cloudflare-one/policies/gateway/network-policies/) using the **Destination IP** selector. + ::: 6. Configure your [App Launcher](/cloudflare-one/applications/app-launcher/) visibility and logo. 
@@ -75,16 +73,16 @@ You can create Zero Trust policies to manage access to specific applications on 8. Modify the policies to include additional identity-based conditions. For example: - * **Policy 1** - | Selector | Operator | Value | Logic | Action | + - **Policy 1** + | Selector | Operator | Value | Logic | Action | | -------------- | ------------- | ---------------- | ----- | ------ | - | Destination IP | in | `10.128.0.7` | And | Allow | - | User Email | matches regex | `.*@example.com` | | | + | Destination IP | in | `10.128.0.7` | And | Allow | + | User Email | matches regex | `.*@example.com` | | | - * **Policy 2** - | Selector | Operator | Value | Action | + - **Policy 2** + | Selector | Operator | Value | Action | | -------------- | -------- | ------------ | ------ | - | Destination IP | in | `10.128.0.7` | Block | + | Destination IP | in | `10.128.0.7` | Block | Policies are evaluated in [numerical order](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence), so a user with an email ending in @example.com will be able to access `10.128.0.7` while all others will be blocked. For more information on building network policies, refer to our [dedicated documentation](/cloudflare-one/policies/gateway/network-policies/). @@ -102,9 +100,9 @@ End users can now reach HTTP or TCP-based services on your network by visiting a To check that their device is properly configured, the user can visit `https://help.teams.cloudflare.com/` to ensure that: -* The page returns **Your network is fully protected**. -* In **HTTP filtering**, both **WARP** and **Gateway Proxy** are enabled. -* The **Team name** matches the Zero Trust organization from which you created the tunnel. +- The page returns **Your network is fully protected**. +- In **HTTP filtering**, both **WARP** and **Gateway Proxy** are enabled. +- The **Team name** matches the Zero Trust organization from which you created the tunnel. #### Router configuration 
@@ -112,8 +110,8 @@ Check the local IP address of the device and ensure that it does not fall within To resolve the IP conflict, you can either: -* Reconfigure the user's router to use a non-overlapping IP range. Compatible routers typically use `192.168.1.0/24`, `192.168.0.0/24` or `172.16.0.0/24`. +- Reconfigure the user's router to use a non-overlapping IP range. Compatible routers typically use `192.168.1.0/24`, `192.168.0.0/24` or `172.16.0.0/24`. -* Tighten the IP range in your Split Tunnel configuration to exclude the `10.0.0.0/24` range. This will only work if your private network does not have any hosts within `10.0.0.0/24`. +- Tighten the IP range in your Split Tunnel configuration to exclude the `10.0.0.0/24` range. This will only work if your private network does not have any hosts within `10.0.0.0/24`. -* Change the IP/CIDR of your private network so that it does not overlap with a range commonly used by home networks. +- Change the IP/CIDR of your private network so that it does not overlap with a range commonly used by home networks. diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/index.mdx index e629042e2218ad..855988c47597b9 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/index.mdx 
@@ -3,7 +3,6 @@ pcx_content_type: concept title: Private networks sidebar: order: 5 - --- With Cloudflare Zero Trust, you can connect private networks and the services running in those networks to Cloudflare's global network. This involves installing a [connector](#connectors) on the private network, and then [setting up routes](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#3-connect-a-network) which define the IP addresses available in that environment. Unlike [public hostname routes](/cloudflare-one/connections/connect-networks/routing-to-tunnel/), private network routes can expose both HTTP and non-HTTP resources. 
@@ -16,7 +15,7 @@ Administrators can optionally set [Gateway network policies](/cloudflare-one/pol Here are the different ways you can connect your private network to Cloudflare: -* [**cloudflared**](/cloudflare-one/connections/connect-networks/private-net/cloudflared/) installs on a server in your private network to create a secure, outbound tunnel to Cloudflare. Cloudflare Tunnel using `cloudflared` only proxies traffic initiated from a user to a server. Any service or application running behind the tunnel will use the server’s default routing table for server-initiated connectivity. -* [**WARP-to-WARP**](/cloudflare-one/connections/connect-networks/private-net/warp-to-warp/) uses the [Cloudflare WARP client](/cloudflare-one/connections/connect-devices/warp/) to establish peer-to-peer connectivity between two or more devices. Each device running WARP can access services on any other device running WARP via an assigned virtual IP address. -* [**WARP Connector**](/cloudflare-one/connections/connect-networks/private-net/warp-connector/) installs on a Linux server in your private network to establish site-to-site, bidirectional, and mesh networking connectivity. The WARP Connector acts as a subnet router to relay client-initiated and server-initiated traffic between all devices on a private network and Cloudflare. -* [**Magic WAN**](/magic-wan/) relies on configuring legacy networking equipment to establish anycast GRE or IPsec tunnels between an entire network location and Cloudflare. +- [**cloudflared**](/cloudflare-one/connections/connect-networks/private-net/cloudflared/) installs on a server in your private network to create a secure, outbound tunnel to Cloudflare. Cloudflare Tunnel using `cloudflared` only proxies traffic initiated from a user to a server. Any service or application running behind the tunnel will use the server's default routing table for server-initiated connectivity. 
+- [**WARP-to-WARP**](/cloudflare-one/connections/connect-networks/private-net/warp-to-warp/) uses the [Cloudflare WARP client](/cloudflare-one/connections/connect-devices/warp/) to establish peer-to-peer connectivity between two or more devices. Each device running WARP can access services on any other device running WARP via an assigned virtual IP address. +- [**WARP Connector**](/cloudflare-one/connections/connect-networks/private-net/warp-connector/) installs on a Linux server in your private network to establish site-to-site, bidirectional, and mesh networking connectivity. The WARP Connector acts as a subnet router to relay client-initiated and server-initiated traffic between all devices on a private network and Cloudflare. +- [**Magic WAN**](/magic-wan/) relies on configuring legacy networking equipment to establish anycast GRE or IPsec tunnels between an entire network location and Cloudflare. diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-to-warp.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-to-warp.mdx index 3dd6d1eba4ef05..15b2580a0f9582 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-to-warp.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-to-warp.mdx 
@@ -6,27 +6,26 @@ sidebar: head: - tag: title content: Create private networks with WARP-to-WARP - --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip } from "~/components"; -With Cloudflare Zero Trust, you can create a private network between any two or more devices running Cloudflare WARP. This means that you can have a private network between your phone and laptop without ever needing to be connected to the same physical network. If you already have an existing Zero Trust deployment, you can also enable this feature to add device-to-device connectivity to your private network with the press of a button. This will allow you to connect to any service that relies on TCP, UDP, or ICMP-based protocols through Cloudflare’s network. +With Cloudflare Zero Trust, you can create a private network between any two or more devices running Cloudflare WARP. This means that you can have a private network between your phone and laptop without ever needing to be connected to the same physical network. If you already have an existing Zero Trust deployment, you can also enable this feature to add device-to-device connectivity to your private network with the press of a button. This will allow you to connect to any service that relies on TCP, UDP, or ICMP-based protocols through Cloudflare's network. Users in your organization can reach these services by enrolling into your organization's Zero Trust account. Once enrolled, each device is assigned a virtual IP address in the `100.96.0.0/12` range which will allow users or systems to address these devices directly. Administrators will then be able to build Zero Trust policies to determine who within your organization can reach those virtual IPs. This guide covers how to: -* Enable WARP-to-WARP connectivity to establish a private network between your devices. -* Manage Split Tunnel preferences for the WARP client to determine what traffic should be routed to the Cloudflare global network. 
-* Create Zero Trust security policies to restrict access. -* Connect to virtual IP spaces from WARP devices without any client-side configuration changes. +- Enable WARP-to-WARP connectivity to establish a private network between your devices. +- Manage Split Tunnel preferences for the WARP client to determine what traffic should be routed to the Cloudflare global network. +- Create Zero Trust security policies to restrict access. +- Connect to virtual IP spaces from WARP devices without any client-side configuration changes. ## Prerequisites -* [Install the Cloudflare WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on your devices. -* [Define device enrollment permissions](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/). -* [Enroll your devices](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/) in your Zero Trust organization.​​ +- [Install the Cloudflare WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on your devices. +- [Define device enrollment permissions](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/). +- [Enroll your devices](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/) in your Zero Trust organization.​​ ## Enable WARP-to-WARP 
@@ -35,8 +34,8 @@ This guide covers how to: 3. Enable **Warp-to-Warp**. This allows Cloudflare to route traffic to the CGNAT IP space. 4. In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/), ensure that traffic to `100.96.0.0/12` is going through WARP: -* If using **Exclude** mode, remove `100.96.0.0/12` from your list. -* If using **Include** mode, add `100.96.0.0/12` to your list. +- If using **Exclude** mode, remove `100.96.0.0/12` from your list. +- If using **Include** mode, add `100.96.0.0/12` to your list. This will instruct WARP to begin proxying any traffic destined for a `100.96.0.0/12` IP address to Cloudflare for routing and policy enforcement. diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/grpc.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/grpc.mdx index b46564f8c108a0..560254c9df8692 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/grpc.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/grpc.mdx @@ -3,15 +3,17 @@ pcx_content_type: how-to title: gRPC sidebar: order: 9 - --- -import { GlossaryTooltip, Render } from "~/components" +import { GlossaryTooltip, Render } from "~/components"; gRPC is a Remote Procedure Call (RPC) framework that allows client applications to call methods on a remote server as if they were running on the same local machine. You can connect gRPC servers and clients to Cloudflare's global network, making it easier to build applications that use services across different data centers and environments.

-In this example, we will connect a gRPC server to Cloudflare using the `cloudflared` daemon, secure the server with Gateway policies, and open a gRPC channel to the server using the Cloudflare WARP client. +In this example, we will connect a gRPC server to Cloudflare using the +`cloudflared` daemon, secure +the server with Gateway policies, and open a gRPC channel to the server using +the Cloudflare WARP client. ## 1. Set up a gRPC server @@ -61,7 +63,7 @@ For more details on setting up the Gateway proxy, refer to [Filter network traff ## 5. Set up the client -gRPC clients can connect to the server by installing Cloudflare WARP on the device and enrolling in your Zero Trust organization. When the client makes a request to a private IP exposed through Cloudflare Tunnel, WARP routes the connection through Cloudflare’s network to the corresponding tunnel. +gRPC clients can connect to the server by installing Cloudflare WARP on the device and enrolling in your Zero Trust organization. When the client makes a request to a private IP exposed through Cloudflare Tunnel, WARP routes the connection through Cloudflare's network to the corresponding tunnel. To set up the gRPC client: diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh.mdx index a5f0327611c2a1..541e10b3a7c152 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh.mdx 
@@ -136,6 +136,6 @@ Users can connect from their device by [authenticating through `cloudflared`](#n #### Browser-rendered terminal -End users can connect to the SSH server without any configuration by using Cloudflare’s browser-based terminal. When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser. +End users can connect to the SSH server without any configuration by using Cloudflare's browser-based terminal. When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser. To enable, refer to [Enable browser rendering](/cloudflare-one/applications/non-http/#enable-browser-rendering). diff --git a/src/content/docs/cloudflare-one/faq/cloudflare-tunnels-faq.mdx b/src/content/docs/cloudflare-one/faq/cloudflare-tunnels-faq.mdx index c838553fec5cc8..52427ebbc007bc 100644 --- a/src/content/docs/cloudflare-one/faq/cloudflare-tunnels-faq.mdx +++ b/src/content/docs/cloudflare-one/faq/cloudflare-tunnels-faq.mdx @@ -37,8 +37,8 @@ You can still use Tunnel with Partial Setup. You will need to create a new DNS r Tunnel can expose web applications to the Internet that sit behind a NAT or firewall. Thus, you can keep your web server otherwise completely locked down. To double check that your origin web server is not responding to requests outside Cloudflare while Tunnel is running you can run netcat in the command line: ```sh -netcat -zv [your-server’s-ip-address] 80 -netcat -zv [your-server’s-ip-address] 443 +netcat -zv [your-server's-ip-address] 80 +netcat -zv [your-server's-ip-address] 443 ``` If your server is still responding on those ports, you will see: diff --git a/src/content/docs/cloudflare-one/faq/teams-getting-started-faq.mdx b/src/content/docs/cloudflare-one/faq/teams-getting-started-faq.mdx index 023b10182d5383..d5aa0ed421f458 100644 
--- a/src/content/docs/cloudflare-one/faq/teams-getting-started-faq.mdx +++ b/src/content/docs/cloudflare-one/faq/teams-getting-started-faq.mdx @@ -6,7 +6,6 @@ sidebar: order: 2 head: [] description: Review FAQs about getting started with Cloudflare Zero Trust. - --- [❮ Back to FAQ](/cloudflare-one/faq/) 
@@ -27,42 +26,35 @@ You can change your team name at any time, unless you have the Cloudflare dashbo :::caution[Warning] -If you change your team name, you need to update your organization’s identity providers (IdPs) and the WARP client to reflect the new team name in order to avoid any mismatch errors. +If you change your team name, you need to update your organization's identity providers (IdPs) and the WARP client to reflect the new team name in order to avoid any mismatch errors. ::: ## How do I change my subscription plan? To make changes to your subscription, visit the Billing section under Account in [Zero Trust](https://one.dash.cloudflare.com/). You can change or cancel your subscription at any time. Just remember - if you downgrade your plan during a billing cycle, your downgraded pricing will apply in the next billing cycle. If you upgrade during a billing cycle, you will be billed for the upgraded plan at the moment you select it. - ## How are active seats measured? - Cloudflare Zero Trust subscriptions consist of seats that users in your account consume. When users authenticate to an application or enroll their agent into WARP, they count against one of your active seats. Seats can be added, removed, or revoked at **Settings** > **Account** > **Plan**. If all seats are currently consumed, you must first remove users before decreasing your purchased seat count. ### Removing users User seats can be removed for Access and Gateway at **My Team** > **Users**. Removing a user will have consequences both on Access and on Gateway: -* **Access**: All active sessions for that user will be invalidated. A user will be able to log back into an application unless you create an [Access policy](/cloudflare-one/policies/access/) to block future logins from that user. +- **Access**: All active sessions for that user will be invalidated. 
A user will be able to log back into an application unless you create an [Access policy](/cloudflare-one/policies/access/) to block future logins from that user. -* **Gateway**: All active devices for that user will be logged out of your Zero Trust organization, which stops all filtering and routing via the WARP client. A user will be able to re-enroll their device unless you create a [device enrollment policy](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/) to block them. +- **Gateway**: All active devices for that user will be logged out of your Zero Trust organization, which stops all filtering and routing via the WARP client. A user will be able to re-enroll their device unless you create a [device enrollment policy](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/) to block them. :::caution - -The Remove action will remove a user’s seat, but it will not permanently revoke their ability to authenticate. To permanently disable a user’s ability to authenticate, you must modify the policies that allow them to reach a given application or enroll a device in WARP. - +The Remove action will remove a user's seat, but it will not permanently revoke their ability to authenticate. To permanently disable a user's ability to authenticate, you must modify the policies that allow them to reach a given application or enroll a device in WARP. ::: ### Revoking users -The Revoke action will terminate active sessions and log out active devices, but will not remove the user’s consumption of an active seat. - +The Revoke action will terminate active sessions and log out active devices, but will not remove the user's consumption of an active seat. ## How do I know if my network is protected behind Cloudflare Zero Trust? You can visit the [Zero Trust help page](https://help.teams.cloudflare.com). 
This page will give you an overview of your network details, as well as an overview of the categories that are being blocked and/or allowed. - - diff --git a/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx b/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx index 2d7d249f0d61b8..e12efd88a1aacf 100644 --- a/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx +++ b/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx @@ -51,7 +51,7 @@ To enable these settings: ### SameSite Attribute -The [SameSite](https://web.dev/samesite-cookies-explained/) Attribute selector restricts the cookie to only being sent if the cookie’s defined site matches the site being requested in the browser. This adds protection against [cross-site request forgery (CSRF)](https://en.wikipedia.org/wiki/Cross-site_request_forgery). +The [SameSite](https://web.dev/samesite-cookies-explained/) Attribute selector restricts the cookie to only being sent if the cookie's defined site matches the site being requested in the browser. This adds protection against [cross-site request forgery (CSRF)](https://en.wikipedia.org/wiki/Cross-site_request_forgery). The selector options are: @@ -63,7 +63,7 @@ Refer to the [Mozilla documentation](https://developer.mozilla.org/en-US/docs/We #### When not to use SameSite -Do not enable SameSite restrictions if you have additional sites or applications that rely on a specific application’s authorization cookie. +Do not enable SameSite restrictions if you have additional sites or applications that rely on a specific application's authorization cookie. ### HttpOnly 
@@ -74,7 +74,7 @@ The HttpOnly flag is a cookie attribute that prevents the cookie from being acce Do not enable HttpOnly if: * You are using the Access application for non-browser based tools (such as SSH or RDP). -* You have software that relies on being able to access a user’s cookie generated by Access. +* You have software that relies on being able to access a user's cookie generated by Access. ### Binding Cookie diff --git a/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/os-version.mdx b/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/os-version.mdx index 0fc9fd5777713a..e7e17f5a1ae1e4 100644 --- a/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/os-version.mdx +++ b/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/os-version.mdx @@ -7,7 +7,7 @@ sidebar: import { Render, TabItem, Tabs } from "~/components"; -The OS Version device posture attribute checks whether the version of a device’s operating system matches, is greater than or lesser than the configured value. +The OS Version device posture attribute checks whether the version of a device's operating system matches, is greater than or lesser than the configured value. ## Prerequisites diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/adfs.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/adfs.mdx index 1035735364e0c3..7cdeb74c4c7b1a 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/adfs.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/adfs.mdx 
@@ -3,10 +3,9 @@ pcx_content_type: how-to title: Active Directory® (SAML) sidebar: order: 3 - --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip } from "~/components"; Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Active Directory integrates with Cloudflare Access using Security Assertion Markup Language (SAML). 
@@ -14,12 +13,12 @@ Active Directory is a directory service developed by Microsoft for Windows domai To get started, you need: -* An Active Directory Domain Controller where all users have an email attribute -* Generic SAML enabled for your Access Identity Provider (IdP) -* A Microsoft server running with Active Directory Federation Services (ADFS) installed. All screenshots in these instructions are for Server 2012R2. Similar steps will work for newer versions. -* A browser safe certificate for Active Directory Federation Services (ADFS) +- An Active Directory Domain Controller where all users have an email attribute +- Generic SAML enabled for your Access Identity Provider (IdP) +- A Microsoft server running with Active Directory Federation Services (ADFS) installed. All screenshots in these instructions are for Server 2012R2. Similar steps will work for newer versions. +- A browser safe certificate for Active Directory Federation Services (ADFS) -Once you fulfill the requirements above, you are ready to begin. Installation and basic configuration of Active Directory Federation Services (ADFS) is outside the scope of this guide. A detailed guide can be found in a [Microsoft KB](https://docs.microsoft.com/en-us/previous-versions/dynamicscrm-2016/deployment-administrators-guide/gg188612\(v=crm.8\)). +Once you fulfill the requirements above, you are ready to begin. Installation and basic configuration of Active Directory Federation Services (ADFS) is outside the scope of this guide. A detailed guide can be found in a [Microsoft KB](). Then to begin the connection between Cloudflare Access and ADFS create a Relying Party Trust in ADFS. 
@@ -125,7 +124,7 @@ Both Claim Rules are now available to export to your Cloudflare Access account. ## Export the certificate -Now you’ll configure Cloudflare to recognize ADFS by extracting the *token-signing certificate* from ADFS. +Now you'll configure Cloudflare to recognize ADFS by extracting the _token-signing certificate_ from ADFS. To export the certificate: @@ -217,15 +216,15 @@ To get your Cloudflare metadata file: ```json { - "config": { - "issuer_url": "https://.cloudflareaccess.com/", - "sso_target_url": "https://adfs.example.com/adfs/ls/", - "attributes": ["email"], - "email_attribute_name": "", - "sign_request": false, - "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o" - }, - "type": "saml", - "name": "adfs saml example" + "config": { + "issuer_url": "https://.cloudflareaccess.com/", + "sso_target_url": "https://adfs.example.com/adfs/ls/", + "attributes": ["email"], + "email_attribute_name": "", + "sign_request": false, + "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o" + }, + "type": "saml", + "name": "adfs saml example" } ``` diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx index 19a35c1106145f..58a92d54d6ce67 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx @@ -3,7 +3,6 @@ pcx_content_type: how-to title: Centrify sidebar: order: 7 - --- Centrify secures access to infrastructure, DevOps, cloud, and other modern enterprise so you can prevent the number one cause of breaches: privileged access abuse. 
@@ -30,7 +29,7 @@ Centrify secures access to infrastructure, DevOps, cloud, and other modern enter 9. Enter a strong application secret on the **Trust** section. -10. Under **Service Provider Configuration** enter your application’s authentication domain as the resource application URL. +10. Under **Service Provider Configuration** enter your application's authentication domain as the resource application URL. 11. Under **Authorized Redirect URIs**, select **Add**. @@ -48,10 +47,10 @@ Centrify secures access to infrastructure, DevOps, cloud, and other modern enter 14. Copy the following values: -* **Client ID** -* **Client Secret** -* **OpenID Connect Issuer URL** -* **Application ID** from the **Settings** tab +- **Client ID** +- **Client Secret** +- **OpenID Connect Issuer URL** +- **Application ID** from the **Settings** tab 15. Go to the **User Access** tab. @@ -73,13 +72,13 @@ To test that your connection is working, go to **Authentication** > **Login meth ```json { - "config": { - "client_id": "", - "client_secret": "", - "centrify_account": "https://abc123.my.centrify.com/", - "centrify_app_id": "exampleapp" - }, - "type": "centrify", - "name": "my example idp" + "config": { + "client_id": "", + "client_secret": "", + "centrify_account": "https://abc123.my.centrify.com/", + "centrify_app_id": "exampleapp" + }, + "type": "centrify", + "name": "my example idp" } ``` diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx index 17ce29a2c3ee36..1be89605eee454 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx @@ -3,7 +3,6 @@ pcx_content_type: how-to title: Generic OIDC sidebar: order: 1 - --- Cloudflare Access has a generic OpenID Connect (OIDC) connector to help you integrate IdPs not already set in Access. 
@@ -22,13 +21,13 @@ Cloudflare Access has a generic OpenID Connect (OIDC) connector to help you inte 3. Copy the content of these fields: - * Client ID - * Client secret - * Auth URL: The `authorization_endpoint` URL of your IdP - * Token URL: The `token_endpoint` URL of your IdP - * Certificate URL: The `jwks_uri` endpoint of your IdP to allow the IdP keys to sign the tokens + - Client ID + - Client secret + - Auth URL: The `authorization_endpoint` URL of your IdP + - Token URL: The `token_endpoint` URL of your IdP + - Certificate URL: The `jwks_uri` endpoint of your IdP to allow the IdP keys to sign the tokens - You can find these values on your identity provider’s **OIDC discovery endpoint**. Some providers call this the “well-known URL”. + You can find these values on your identity provider's **OIDC discovery endpoint**. Some providers call this the “well-known URL”. 4. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**. @@ -66,15 +65,15 @@ Cloudflare Access does not support partial OIDC claim value references or OIDC s ```json { - "config": { - "client_id": "", - "client_secret": "", - "auth_url": "https://accounts.google.com/o/oauth2/auth", - "token_url": "https://accounts.google.com/o/oauth2/token", - "certs_url": "https://www.googleapis.com/oauth2/v3/certs", - "scopes": ["openid", "email", "profile"] - }, - "type": "oidc", - "name": "Generic Google" + "config": { + "client_id": "", + "client_secret": "", + "auth_url": "https://accounts.google.com/o/oauth2/auth", + "token_url": "https://accounts.google.com/o/oauth2/token", + "certs_url": "https://www.googleapis.com/oauth2/v3/certs", + "scopes": ["openid", "email", "profile"] + }, + "type": "oidc", + "name": "Generic Google" } ``` diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx index 8a19dd50ee03f6..9df8e7db1a6f65 100644 
--- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx @@ -3,7 +3,6 @@ pcx_content_type: how-to title: Generic SAML 2.0 sidebar: order: 2 - --- Cloudflare Zero Trust integrates with any identity provider that supports SAML 2.0. If your identity provider is not listed in the integration list of login methods in Zero Trust, it can be configured using SAML 2.0 (or OpenID if OIDC based). Generic SAML can also be used if you would like to pass additional SAML headers or claims for an IdP in the integration list. @@ -12,9 +11,9 @@ Cloudflare Zero Trust integrates with any identity provider that supports SAML 2 Minimum requirements for identity providers: -* The IdP must conform to SAML 2.0. -* The IdP must provide a **Single sign-on URL**, an **Entity ID or Issuer URL**, and a **Signing certificate**. -* The IdP must include the signing public key in the SAML response. +- The IdP must conform to SAML 2.0. +- The IdP must provide a **Single sign-on URL**, an **Entity ID or Issuer URL**, and a **Signing certificate**. +- The IdP must include the signing public key in the SAML response. ## 1. Create an application in your identity provider 
@@ -29,14 +28,14 @@ The typical setup requirements are: ``` You can find your team name in Zero Trust under **Settings** > **Custom Pages**. 3. Set the **Name ID/Email format** to `emailAddress`. -4. (Optional) Set the signature policy to *Always Sign*. +4. (Optional) Set the signature policy to _Always Sign_. ### (Optional) Upload SAML metadata If your identity provider supports metadata file configuration, you can use the default or identity provider specific metadata endpoint: -* **Default:** `https://.cloudflareaccess.com/cdn-cgi/access/saml-metadata` -* **Identity provider specific:** `https://.cloudflareaccess.com/cdn-cgi/access//saml-metadata`, where `` is the `id` value obtained from [List Access identity providers](/api/operations/access-identity-providers-list-access-identity-providers). Use this endpoint if your IdP requires a configuration not defined in the default metadata file. +- **Default:** `https://.cloudflareaccess.com/cdn-cgi/access/saml-metadata` +- **Identity provider specific:** `https://.cloudflareaccess.com/cdn-cgi/access//saml-metadata`, where `` is the `id` value obtained from [List Access identity providers](/api/operations/access-identity-providers-list-access-identity-providers). Use this endpoint if your IdP requires a configuration not defined in the default metadata file. To download the SAML metadata file, copy-paste the metadata endpoint into a web browser and save the page as an `.xml` file. Upload this XML file to the identity provider. 
@@ -63,7 +62,7 @@ This optional configuration signs the [Access JWT](/cloudflare-one/identity/auth ### Email attribute name -Many [Access policies](/cloudflare-one/policies/access/) depend on a user’s email address. Some identity providers have a different naming for the email address attribute (for example, `Email`, `e-mail`, `emailAddress`). This can typically be checked in the identity provider's SAML test option. +Many [Access policies](/cloudflare-one/policies/access/) depend on a user's email address. Some identity providers have a different naming for the email address attribute (for example, `Email`, `e-mail`, `emailAddress`). This can typically be checked in the identity provider's SAML test option. Example in Okta: diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/okta-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/okta-saml.mdx index 36055e16b50415..88143ea206fc7c 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/okta-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/okta-saml.mdx @@ -3,7 +3,6 @@ pcx_content_type: how-to title: Okta (SAML) sidebar: order: 18 - --- Cloudflare Zero Trust can integrate SAML with Okta as an identity provider. 
@@ -32,18 +31,18 @@ To set up SAML with Okta as your identity provider: 6. In the **Attribute Statements** section, enter the following information: - * **Name**: Enter `email`. - * **Value**: Enter `user.email`. + - **Name**: Enter `email`. + - **Value**: Enter `user.email`. 7. (Optional) If you are using Okta groups, create a **Group Attribute Statement** with the following information: - * **Name**: Enter `groups`. - * **Filter**: Select *Matches regex* and enter `.*`. + - **Name**: Enter `groups`. + - **Filter**: Select _Matches regex_ and enter `.*`. ![Configuring attribute statements in Okta](~/assets/images/cloudflare-one/identity/okta-saml/okta-saml-2.png) 8. Select **Next**. -9. Select **I’m an Okta customer adding an internal app** and check **This is an internal app that we have created**. +9. Select **I'm an Okta customer adding an internal app** and check **This is an internal app that we have created**. ![Configuring feedback options in Okta](~/assets/images/cloudflare-one/identity/okta-saml/okta-saml-3.png) 
@@ -61,14 +60,14 @@ To set up SAML with Okta as your identity provider: 13. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**. -14. Select **Add new** under **Login Methods**, and select *SAML*. +14. Select **Add new** under **Login Methods**, and select _SAML_. 15. Fill in the following information: - * **Name**: Name your identity provider. - * **Single Sign On URL**: Enter the Identity Provider Single-Sign-On URL from Okta. - * **Issuer ID**: Enter the Identity Provider Issuer from Okta, for example `http://www.okta.com/`. - * **Signing Certificate**: Copy-paste the X.509 Certificate from Okta. + - **Name**: Name your identity provider. + - **Single Sign On URL**: Enter the Identity Provider Single-Sign-On URL from Okta. + - **Issuer ID**: Enter the Identity Provider Issuer from Okta, for example `http://www.okta.com/`. + - **Signing Certificate**: Copy-paste the X.509 Certificate from Okta. 16. (Recommended) Enable **Sign SAML authentication request**. 
@@ -82,30 +81,25 @@ To test that your connection is working, go to **Settings** > **Authentication** :::caution - SAML attributes are only refreshed during authentications with the Okta identity provider. This means the Okta group membership is not updated unless a user logs in and out of the WARP client, or logs in to an Access application. - ::: ## Example API configuration ```json { - "config": { - "issuer_url": "http://www.okta.com/exkbhqj29iGxT7GwT0h7", - "sso_target_url": "https://dev-abc123.oktapreview.com/app/myapp/exkbhqj29iGxT7GwT0h7/sso/saml", - "attributes": [ - "email", - "group", - ], - "email_attribute_name": "", - "sign_request": false, - "idp_public_certs": [ - "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o" - ] - }, - "type": "saml", - "name": "okta saml example" + "config": { + "issuer_url": "http://www.okta.com/exkbhqj29iGxT7GwT0h7", + "sso_target_url": "https://dev-abc123.oktapreview.com/app/myapp/exkbhqj29iGxT7GwT0h7/sso/saml", + "attributes": ["email", "group"], + "email_attribute_name": "", + "sign_request": false, + "idp_public_certs": [ + "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o" + ] + }, + "type": "saml", + "name": "okta saml example" } ``` diff --git a/src/content/docs/cloudflare-one/identity/users/seat-management.mdx b/src/content/docs/cloudflare-one/identity/users/seat-management.mdx index dfc11270e290bf..799aeaa2ce9b08 100644 --- a/src/content/docs/cloudflare-one/identity/users/seat-management.mdx +++ b/src/content/docs/cloudflare-one/identity/users/seat-management.mdx @@ -3,7 +3,6 @@ pcx_content_type: how-to title: Seat management sidebar: order: 4 - --- Cloudflare Zero Trust subscriptions consist of seats that active users in your account consume. Active users are added to Zero Trust through any authentication event. 
@@ -14,7 +13,7 @@ The amount of user seats available in your Zero Trust account depends on the amo For Access, this is any Cloudflare Access authentication event, like a login to the [App Launcher](/cloudflare-one/applications/app-launcher/) or an application. For Gateway, this means any Cloudflare WARP authentication event, like enrolling a device to your ZT organization. -If either one of these events occurs, that user’s identity is added as an Active user to Zero Trust and consumes one seat. +If either one of these events occurs, that user's identity is added as an Active user to Zero Trust and consumes one seat. The user then continues to occupy and consume a single seat regardless of the number of applications accessed or login events. Once the total amount of seats in the subscription has been consumed, additional users who attempt to log in are blocked. @@ -22,7 +21,7 @@ A user who authenticates will hold their seat until you [remove the user](#remov ## Revoke vs remove a user -When you revoke a user, this action will terminate active sessions, but will not remove the user’s consumption of an active seat. On the other hand, removing a user will end their active session and free up one seat from your account. +When you revoke a user, this action will terminate active sessions, but will not remove the user's consumption of an active seat. On the other hand, removing a user will end their active session and free up one seat from your account. ## Check number of Active Users diff --git a/src/content/docs/cloudflare-one/identity/users/session-management.mdx b/src/content/docs/cloudflare-one/identity/users/session-management.mdx index f0b00bb806c24c..90e08914fe9000 100644 --- a/src/content/docs/cloudflare-one/identity/users/session-management.mdx +++ b/src/content/docs/cloudflare-one/identity/users/session-management.mdx 
@@ -3,10 +3,9 @@ pcx_content_type: how-to title: Session management sidebar: order: 3 - --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip } from "~/components"; A user session determines how long a user can access an Access application without re-authenticating. 
@@ -14,15 +13,13 @@ A user session determines how long a user can access an Access application witho When a user logs in to an application protected by Access, Access validates their identity against your Access policies and generates two signed JSON Web Tokens (JWTs): - - | Token | Description | Expiration | Storage | | ------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- | | Global session token | Stores the user's identity from the IdP and provides single sign-on (SSO) functionality for all Access applications. | [Global session duration](#set-global-session-duration) | Your Cloudflare team domain | | [Application token](/cloudflare-one/identity/authorization-cookie/application-token/) | Allows the user to access a specific Access application. | [Policy session duration](#set-policy-session-duration) (if set), otherwise the [application session duration](#set-application-session-duration) | The hostname protected by the Access application | | | | | | -The user can access the application for the entire duration of the application token’s lifecycle. When the application token expires, Cloudflare will automatically issue a new application token if the global token is still valid (and the user's identity still passes your Access policies). If the global token has also expired, the user will be prompted to re-authenticate with the IdP. +The user can access the application for the entire duration of the application token's lifecycle. 
When the application token expires, Cloudflare will automatically issue a new application token if the global token is still valid (and the user's identity still passes your Access policies). If the global token has also expired, the user will be prompted to re-authenticate with the IdP. The global token expiration is usually set to equal or exceed the application token expiration. Setting a longer global token provides a more secure way to allow for longer user sessions, since the global token cannot be used to directly access an application. @@ -79,7 +76,7 @@ Unless there are changes to rules in the policy, users can start a new session i ### Per-User -Access can immediately revoke a single user session across all applications in your account. However, if the user’s identity profile is still active, they can generate a new session. +Access can immediately revoke a single user session across all applications in your account. However, if the user's identity profile is still active, they can generate a new session. If you want to permanently revoke a user's access: @@ -101,8 +98,8 @@ When administrators revoke a user's Cloudflare Access token, that user will not To log out of Access, the end user can visit either of the following URLs: -* `/cdn-cgi/access/logout` -* `.cloudflareaccess.com/cdn-cgi/access/logout` +- `/cdn-cgi/access/logout` +- `.cloudflareaccess.com/cdn-cgi/access/logout` This action [revokes the user's session](#per-user) across all applications. Access will immediately clear the authorization cookie from the user's browser, and all previously issued tokens will stop being accepted in 20-30 seconds. The only difference between these two URLs is which domain the authorization cookie is deleted from. For example, going to `/cdn-cgi/access/logout` will remove the application cookie and make the logout action feel more instantaneous. 
@@ -110,7 +107,7 @@ You can use these URLs to create custom logout buttons or links directly within :::note -At this time, end users cannot log themselves out on a per-application basis. +At this time, end users cannot log themselves out on a per-application basis. ::: ## AJAX diff --git a/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx b/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx index 08f8a8ec4baec6..9bd50617f4aa6d 100644 --- a/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx @@ -86,7 +86,7 @@ Identity-based authentication logs contain the following fields: | **allowed** | The result of the authentication event. | | **created_at** | The event timestamp. | | **connection** | The IdP used to authenticate. | -| **country** | The country associated with the user’s IP address. | +| **country** | The country associated with the user's IP address. | | **ray_id** | A unique identifier for every request through Cloudflare. | | **app_type** | The type specifies if the app is self-hosted or SaaS. | diff --git a/src/content/docs/cloudflare-one/insights/logs/gateway-logs/index.mdx b/src/content/docs/cloudflare-one/insights/logs/gateway-logs/index.mdx index e8640ed39d8403..90b524d33a5cac 100644 --- a/src/content/docs/cloudflare-one/insights/logs/gateway-logs/index.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/gateway-logs/index.mdx 
@@ -3,17 +3,14 @@ pcx_content_type: reference title: Gateway activity logs sidebar: order: 3 - --- -import { Render } from "~/components" +import { Render } from "~/components"; :::note - Gateway logs will only show the public Source IP address. Private IP addresses are NAT-ed behind a public IP address. - ::: Gateway activity logs show the individual DNS queries, Network packets, and HTTP requests inspected by Gateway. You can also download encrypted [SSH command logs](/cloudflare-one/policies/gateway/network-policies/ssh-logging/) for sessions proxied by Gateway. @@ -34,8 +31,6 @@ These settings will only apply to logs displayed in Zero Trust. Logpush data is #### Basic information - - | Field | Description | | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | **DNS** | Name of the domain that was queried. | 
@@ -44,24 +39,16 @@ These settings will only apply to logs displayed in Zero Trust. Logpush data is | **Time** | Date and time of the DNS query. | | **Resolver Decision** | The reason why Gateway applied a particular **Action** to the request. Refer to the [list of resolver decisions](#resolver-decisions). | - - #### Matched policies - - | Field | Description | | ---------------------- | ---------------------------------------------------- | | **Policy Name** | Name of the matched policy (if there is one). | | **Policy ID** | ID of the matched policy (if there is one). | | **Policy Description** | Description of the matched policy (if there is one). | - - #### Custom resolver - - | Field | Description | | -------------------------- | ----------------------------------------------------------- | | **Address** | Address of your custom resolver. | @@ -69,12 +56,8 @@ These settings will only apply to logs displayed in Zero Trust. Logpush data is | **Response** | Status of the custom resolver response. | | **Time (in milliseconds)** | Duration of time it took for the custom resolver to respond | - - #### Identities - - | Field | Description | | ---------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Email** | Email address of the user who registered the WARP client where traffic originated from. | 
@@ -83,12 +66,8 @@ These settings will only apply to logs displayed in Zero Trust. Logpush data is | **Device ID** | UUID of the device connected with the WARP client. Each unique device in your organization will have a UUID associated with it each time the device is registered for a particular email. The same physical device may have multiple UUIDs associated with it. | | **Last authenticated** | Date and time the user last authenticated their Zero Trust session. | - - #### DNS query details - - | Field | Description | | ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | | **Query Type** | Type of [DNS query](https://en.wikipedia.org/wiki/List_of_DNS_record_types). | @@ -106,12 +85,8 @@ These settings will only apply to logs displayed in Zero Trust. Logpush data is | **DNS Location** | [User-configured location](/cloudflare-one/connections/connect-devices/agentless/dns/locations/) from where the DNS query was made. | | **Location ID** | ID of the DNS location where the query originated. | - - ### Resolver decisions - - | Name | Value | Description | | ------------------------ | ----- | ----------------------------------------------------------- | | `blockedByCategory` | `3` | Domain or hostname matched a category in a Block policy. | 
@@ -123,51 +98,37 @@ These settings will only apply to logs displayed in Zero Trust. Logpush data is | `blockedRule` | `9` | IP address in the response matched a Block policy. | | `allowedRule` | `10` | IP address in the response matched an Allow policy. | - - ## Network logs :::caution[Failed connection logs] - Gateway will only log failed connections in [network session logs](/logs/reference/log-fields/account/zero_trust_network_sessions/). These logs are available for Enterprise users via [Logpush](/cloudflare-one/insights/logs/logpush/) or [GraphQL](/cloudflare-one/insights/analytics/gateway/#graphql-queries). - ::: ### Explanation of the fields #### Basic information - - | Field | Description | | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | | **Source IP** | IP address of the user sending the packet. | | **Source Internal IP** | Private IP address assigned by the user's local network. | -| **Destination IP** | IP address of the packet’s target. | +| **Destination IP** | IP address of the packet's target. | | **Action** | The Gateway [Action](/cloudflare-one/policies/gateway/dns-policies/#actions) taken based on the first rule that matched (such as Allow or Block). | | **Session ID** | ID of the unique session. | | **Time** | Date and time of the session. | - - #### Matched policies - - | Field | Description | | ---------------------- | ----------------------------------------------------- | | **Policy Name** | Name of the matched policy (if there is one). | | **Policy ID** | ID of the policy enforcing the decision Gateway made. | | **Policy Description** | Description of the matched policy (if there is one). | - - #### Identities - - | Field | Description | | ---------------------- | ----------------------------------------------------------------------------------- | | **Email** | Email address of the user sending the packet. 
This is generated by the WARP client. | @@ -176,18 +137,14 @@ Gateway will only log failed connections in [network session logs](/logs/referen | **Device ID** | ID of the device that sent the packet. This is generated by the WARP client. | | **Last Authenticated** | Date and time the user last authenticated with Zero Trust. | - - #### Network query details - - | Field | Description | | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | | **Source IP** | IP address of the user sending the packet. | | **Source Port** | Source port number for the packet. | | **Source Country** | Country code for the packet source. | -| **Destination IP** | IP address of the packet’s target. | +| **Destination IP** | IP address of the packet's target. | | **Destination Port** | Destination port number for the packet. | | **Destination Country** | Destination port number for the packet. | | **Protocol** | Protocol over which the packet was sent. | @@ -197,24 +154,18 @@ Gateway will only log failed connections in [network session logs](/logs/referen | **Category details** | Category or categories associated with the packet. | | **Proxy PAC Endpoint** | [PAC file proxy endpoint](/cloudflare-one/connections/connect-devices/agentless/pac-files/) Gateway forwarded traffic to, if applicable. | - - ## HTTP logs :::note - When an HTTP request results in an error, Gateway logs the first 512 bytes of the request for 30 days for internal troubleshooting. Otherwise, Gateway does not log HTTP bodies. - ::: ### Explanation of the fields #### Basic information - - | Field | Description | | ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | | **Host** | Hostname in the HTTP header for the HTTP request. | 
@@ -229,24 +180,16 @@ When an HTTP request results in an error, Gateway logs the first 512 bytes of th | **DLP profile entries** | Name of the matched entry within the DLP profile (if there is one). | | **Uploaded/downloaded file** | | - - #### Matched policies - - | Field | Description | | ---------------------- | ---------------------------------------------------- | | **Policy Name** | Name of the matched policy (if there is one). | | **Policy ID** | ID of the matched policy (if there is one). | | **Policy Description** | Description of the matched policy (if there is one). | - - #### Identities - - | Field | Description | | ---------------------- | -------------------------------------------------------------------------------------------------------------------- | | **Email** | Email address of the user who made the HTTP request. This is generated by the WARP client. | @@ -255,12 +198,8 @@ When an HTTP request results in an error, Gateway logs the first 512 bytes of th | **Device ID** | ID of the device that made the request. This is generated by the WARP client on the device that created the request. | | **Last Authenticated** | Date and time the user last authenticated with Zero Trust. | - - #### HTTP query details - - | Field | Description | | -------------------------- | ----------------------------------------------------------------------------------------------------------- | | **HTTP Version** | HTTP version of the origin that Gateway connected to on behalf of the user. | @@ -277,12 +216,8 @@ When an HTTP request results in an error, Gateway logs the first 512 bytes of th | **Blocked file reason** | Reason why the file was blocked if a file transfer occurred or was attempted. | | **Category details** | Category the blocked file belongs to. | - - #### File detection details - - | Field | Description | | ---------------- | -------------------------------------------------- | | **Name** | Name of the detected file. | 
@@ -293,8 +228,6 @@ When an HTTP request results in an error, Gateway logs the first 512 bytes of th | **Direction** | Upload or download direction of the detected file. | | **Action** | The Action Gateway applied to the request. | - - ### Enhanced file detection Enhanced file detection is an optional feature to extract more file information from HTTP traffic. When turned on, Gateway will read file information from the HTTP body rather than the HTTP headers to provide greater accuracy and reliability. This feature may have a minor impact on performance for file-heavy organizations. diff --git a/src/content/docs/cloudflare-one/insights/logs/gateway-logs/manage-pii.mdx b/src/content/docs/cloudflare-one/insights/logs/gateway-logs/manage-pii.mdx index a3c617a50de0d5..1c7f40858dd56c 100644 --- a/src/content/docs/cloudflare-one/insights/logs/gateway-logs/manage-pii.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/gateway-logs/manage-pii.mdx @@ -3,22 +3,21 @@ pcx_content_type: concept title: Manage PII sidebar: order: 3 - --- -Cloudflare Gateway gives you multiple ways to safely handle your employees’ personally identifiable information (PII). You can choose to exclude PII from activity logging, or you can choose to redact PII from everyone except for designated administrators. +Cloudflare Gateway gives you multiple ways to safely handle your employees' personally identifiable information (PII). You can choose to exclude PII from activity logging, or you can choose to redact PII from everyone except for designated administrators. ## Types of PII Cloudflare Gateway can log the following types of PII: -* Source IP -* User email -* User ID -* Device ID -* URL -* Referer -* User agent +- Source IP +- User email +- User ID +- Device ID +- URL +- Referer +- User agent ## Exclude PII 
@@ -30,7 +29,7 @@ To enable or disable this setting, log in to [Zero Trust](https://one.dash.cloud :::note -This feature is only available on Enterprise plans. +This feature is only available on Enterprise plans. ::: PII is by default redacted from Gateway Activity logs for all permission roles except the Super Admin and users with the [Cloudflare Zero Trust PII role](/cloudflare-one/roles-permissions/#cloudflare-zero-trust-pii) assigned to them. Only the Super Admin can assign roles and determine who has permission to view PII. Redacting PII does not affect the way PII is captured in logs — the data is simply hidden and no information is lost. diff --git a/src/content/docs/cloudflare-one/insights/risk-score.mdx b/src/content/docs/cloudflare-one/insights/risk-score.mdx index deaa5447dad8be..4a27f384121fdc 100644 --- a/src/content/docs/cloudflare-one/insights/risk-score.mdx +++ b/src/content/docs/cloudflare-one/insights/risk-score.mdx 
@@ -6,19 +6,18 @@ sidebar: head: - tag: title content: User risk score - --- :::note -Only available on Enterprise plans. +Only available on Enterprise plans. ::: -Zero Trust risk scoring detects user activity and behaviors that could introduce risk to your organization’s systems and data. Risk scores add user and entity behavior analytics (UEBA) to the Zero Trust platform. +Zero Trust risk scoring detects user activity and behaviors that could introduce risk to your organization's systems and data. Risk scores add user and entity behavior analytics (UEBA) to the Zero Trust platform. ## User risk scoring -Cloudflare Zero Trust assigns a risk score of Low, Medium, or High based on detections of users’ activities, posture, and settings. A user’s score is equal to the highest-level risk behavior they trigger. +Cloudflare Zero Trust assigns a risk score of Low, Medium, or High based on detections of users' activities, posture, and settings. A user's score is equal to the highest-level risk behavior they trigger. ### View a user's risk score @@ -26,7 +25,7 @@ To view a user's risk score in [Zero Trust](https://one.dash.cloudflare.com/), g Users that have had their risk score [cleared](#clear-a-users-risk-score) will not appear in the table unless they trigger another risk behavior. -### Clear a user’s risk score +### Clear a user's risk score If required, you can reset risk scores for specific users. Once reset, users will not appear in the associated risk table until they trigger another risk behavior. 
@@ -52,7 +51,7 @@ Next, configure Okta to receive your risk scores. 1. On your Okta admin dashboard, go to **Security** > **Device Integrations**. 2. Go to **Receive shared signals**, then select **Create stream**. -3. Name your integration. In **Set up integration with**, choose *Well-known URL*. +3. Name your integration. In **Set up integration with**, choose _Well-known URL_. 4. In **Well-known URL**, enter the well-known URL value provided by Zero Trust. 5. Select **Create**. diff --git a/src/content/docs/cloudflare-one/policies/gateway/domain-categories.mdx b/src/content/docs/cloudflare-one/policies/gateway/domain-categories.mdx index 729f22d05866ae..789ac595bc5ca6 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/domain-categories.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/domain-categories.mdx @@ -3,10 +3,9 @@ pcx_content_type: reference title: Domain categories sidebar: order: 9 - --- -import { Render } from "~/components" +import { Render } from "~/components"; Cloudflare Gateway allows you to block known and potential security risks on the public Internet, as well as specific categories of content. Domains are categorized by [Cloudflare Radar](/radar/glossary/#content-categories). 
@@ -18,13 +17,11 @@ To request changes to a domain's categorization, refer to [Change categorization :::note[Subdomain category] -Subdomains that have not been assigned a category will inherit the category of their parent domain. When Gateway categorizes a subdomain, the subdomain will carry only its own category. Categorized subdomains will not inherit their parent domain's categories. +Subdomains that have not been assigned a category will inherit the category of their parent domain. When Gateway categorizes a subdomain, the subdomain will carry only its own category. Categorized subdomains will not inherit their parent domain's categories. ::: ## Security categories - - | Category | Definition | | ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | | Anonymizer | Sites that allow users to surf the Internet anonymously. | @@ -37,9 +34,7 @@ Subdomains that have not been assigned a category will inherit the category of t | Phishing | Domains that are known for stealing personal information. | | Private IP Address | Domains that resolve to private IP Addresses. | | Spam | Sites that are known for targeting users with unwanted sweepstakes, surveys, and advertisements. | -| Spyware | Sites that are known to distribute or contain code that displays unwanted advertisements or that gathers user information without the user’s knowledge. | - - +| Spyware | Sites that are known to distribute or contain code that displays unwanted advertisements or that gathers user information without the user's knowledge. | ## Content categories 
@@ -74,8 +69,6 @@ Subdomains that have not been assigned a category will inherit the category of t ### Miscellaneous subcategories - - | Category | Definition | | ------------- | ---------------------------------------------------------------------------- | | Login Screens | Sites hosting login screens that might also be included in other categories. | @@ -84,24 +77,16 @@ Subdomains that have not been assigned a category will inherit the category of t | Redirect | Domains that redirect to other sites. | | Unreachable | Domains that resolve to unreachable IP addresses. | - - ### Security risk subcategories - - | Category | Definition | | ------------------------- | ---------------------------------------------------------------------- | | New Domains | Domains registered within the past 30 days. | | Newly Seen Domains | Domains that were resolved for the first time within the past 30 days. | | Parked & For Sale Domains | Domains that are not connected to a hosting service. | - - ### Category and subcategory IDs - - | Category ID | Category Name | Subcategory ID | Subcategory Name | | ----------- | ---------------------- | -------------- | ------------------------------------------ | | 2 | Adult Themes | 67 | Adult Themes | @@ -219,8 +204,6 @@ Subdomains that have not been assigned a category will inherit the category of t | 32 | Security Risks | 177 | Newly Seen Domains | | 34 | CIPA | 182 | CIPA Filter | - - ## Filtering options ### Filter traffic by resolved IP category diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips.mdx index ad6c35bb334385..c0143831486fd8 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips.mdx 
@@ -3,17 +3,16 @@ pcx_content_type: concept title: Dedicated egress IPs sidebar: order: 1 - --- -import { Details } from "~/components" +import { Details } from "~/components"; :::note -Only available as an add-on to Zero Trust Enterprise plans. +Only available as an add-on to Zero Trust Enterprise plans. ::: -Dedicated egress IPs are static IP addresses that can be used to allowlist traffic from your organization. These IPs are unique to your account and are not used by any other customers routing traffic through Cloudflare’s network. Each dedicated egress IP consists of an IPv4 address and an IPv6 range that are assigned to a specific Cloudflare data center. At minimum, Cloudflare will provision your account with two dedicated egress IPs corresponding to data centers in two different cities. +Dedicated egress IPs are static IP addresses that can be used to allowlist traffic from your organization. These IPs are unique to your account and are not used by any other customers routing traffic through Cloudflare's network. Each dedicated egress IP consists of an IPv4 address and an IPv6 range that are assigned to a specific Cloudflare data center. At minimum, Cloudflare will provision your account with two dedicated egress IPs corresponding to data centers in two different cities. An account can have any number of additional dedicated egress IPs. To request additional dedicated egress IPs, contact your account team to schedule a service window. 
@@ -49,10 +48,10 @@ Each dedicated egress IP assigned to your organization supports 40,000 concurren Dedicated egress IPs do not apply to: -* DNS queries resolved through Gateway -* Private networks connected to Zero Trust via Cloudflare Tunnel -* Traffic destined for private networks connected to Zero Trust via [Magic WAN](/magic-wan/) -* ICMP traffic (such as `ping`) +- DNS queries resolved through Gateway +- Private networks connected to Zero Trust via Cloudflare Tunnel +- Traffic destined for private networks connected to Zero Trust via [Magic WAN](/magic-wan/) +- ICMP traffic (such as `ping`) These origins will see the default shared IPs instead of the dedicated egress IPs. This is because Cloudflare can filter traffic to these origins by identifiers other than source IP. 
@@ -60,13 +59,13 @@ These origins will see the default shared IPs instead of the dedicated egress IP To improve traffic resilience, assign your dedicated egress IPs to different Cloudflare data center locations. If you have multiple IPs in the same city, choose different data centers within that city. For more information, contact your account team. -When creating egress policies with dedicated egress IPs, set your secondary IPv4 address to either *Default Cloudflare egress* or a Cloudflare location different from your primary IPv4 address. If the physical location of your primary IPv4 address is not available, traffic will be routed to either the location closest to the user (*Default Cloudflare egress* option) or another location of your choice. +When creating egress policies with dedicated egress IPs, set your secondary IPv4 address to either _Default Cloudflare egress_ or a Cloudflare location different from your primary IPv4 address. If the physical location of your primary IPv4 address is not available, traffic will be routed to either the location closest to the user (_Default Cloudflare egress_ option) or another location of your choice. ### IP geolocation :::note -IP geolocation will take at least six weeks to update across databases. +IP geolocation will take at least six weeks to update across databases. ::: Your egress traffic will geolocate to the city selected in your [egress policies](/cloudflare-one/policies/gateway/egress-policies/). If the traffic does not match an egress policy, IP geolocation defaults to the closest dedicated egress location to the user. We recommend you create a [catch-all egress policy](/cloudflare-one/policies/gateway/egress-policies/#catch-all-policy) before dedicated egress IPs are assigned to your account. This will prevent incorrect geolocation for your users' traffic while geolocation databases update. 
@@ -75,25 +74,23 @@ When you turn on dedicated egress IPs, Gateway will update third-party IP geoloc To verify that the IP geolocation has updated, check your dedicated egress IP in one of the supported databases: -
-* [Google](https://developers.google.com/maps/documentation/geolocation/overview) -* [MaxMind GeoIP](https://www.maxmind.com/en/geoip-databases) -* [TransUnion Neustar TruValidate IP Intelligence](https://www.transunion.com/solution/truvalidate/digital-insights/ip-intelligence) -* [Abstract IP Geolocation API](https://www.abstractapi.com/ip-geolocation-api) -* [DB-IP](https://db-ip.com/) -* [Digital Element](https://www.digitalelement.com/) -* [Geo Targetly](https://geotargetly.com/) -* [IP-API.com](https://ip-api.com/) -* [IP2Location](https://lite.ip2location.com/) -* [IPinfo.io](https://ipinfo.io/) -* [ip2c.org](https://ip2c.org/) -* [ipapi](https://ipapi.com/) -* [ipgeolocation.io](https://ipgeolocation.io/) -* [ipify](https://www.ipify.org/) -* [Ipstack](https://ipstack.com/) - +- [Google](https://developers.google.com/maps/documentation/geolocation/overview) +- [MaxMind GeoIP](https://www.maxmind.com/en/geoip-databases) +- [TransUnion Neustar TruValidate IP Intelligence](https://www.transunion.com/solution/truvalidate/digital-insights/ip-intelligence) +- [Abstract IP Geolocation API](https://www.abstractapi.com/ip-geolocation-api) +- [DB-IP](https://db-ip.com/) +- [Digital Element](https://www.digitalelement.com/) +- [Geo Targetly](https://geotargetly.com/) +- [IP-API.com](https://ip-api.com/) +- [IP2Location](https://lite.ip2location.com/) +- [IPinfo.io](https://ipinfo.io/) +- [ip2c.org](https://ip2c.org/) +- [ipapi](https://ipapi.com/) +- [ipgeolocation.io](https://ipgeolocation.io/) +- [ipify](https://www.ipify.org/) +- [Ipstack](https://ipstack.com/)
diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tenant-control.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tenant-control.mdx index 824c4477680bdd..6f88903d70ed18 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tenant-control.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tenant-control.mdx @@ -3,12 +3,11 @@ pcx_content_type: how-to title: Tenant control sidebar: order: 7 - --- With Gateway tenant control, you can allow your users access to corporate SaaS applications while blocking access to personal applications. This helps prevent the loss of sensitive or confidential data from a corporate network. -When creating an HTTP policy with an Allow action, you will have the option to configure custom headers. Gateway can use custom headers to control SaaS application access. If a user’s HTTP request is headed to your organization’s account for the SaaS application, Gateway will approve the request. If the request does not match the information in the header, Gateway will block the request. +When creating an HTTP policy with an Allow action, you will have the option to configure custom headers. Gateway can use custom headers to control SaaS application access. If a user's HTTP request is headed to your organization's account for the SaaS application, Gateway will approve the request. If the request does not match the information in the header, Gateway will block the request. ## Add custom headers for a SaaS application 
@@ -17,7 +16,7 @@ To create an HTTP policy with custom headers: 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Gateway** > **Firewall Policies**. Select **HTTP**. 2. Select **Add a policy**. 3. Build an expression to match the SaaS traffic you want to control. -4. In **Action**, select *Allow*. In **Untrusted certificate action**, select *Block*. +4. In **Action**, select _Allow_. In **Untrusted certificate action**, select _Block_. 5. Under **Add headers to matched requests**, select **Add a header**. 6. Add any custom header names and values corresponding to your [SaaS application](#common-policy-configurations). 7. Select **Create policy**. @@ -42,7 +41,7 @@ Microsoft 365 tenant control requires two policies. When you order your policies | Precedence | Selector | Operator | Value | Action | Untrusted certificate action | | ---------- | ----------- | -------- | --------------------- | ------ | ---------------------------- | -| 2 | Application | in | *Microsoft Office365* | Allow | Block | +| 2 | Application | in | _Microsoft Office365_ | Allow | Block | | Custom header name | Custom header value | | ------------------------------------------------------- | -------------------------- | @@ -54,7 +53,7 @@ For more information, refer to the [Microsoft Entra ID documentation](https://le | Selector | Operator | Value | Action | Untrusted certificate action | | ----------- | -------- | ------------------ | ------ | ---------------------------- | -| Application | in | *Google Workspace* | Allow | Block | +| Application | in | _Google Workspace_ | Allow | Block | | Custom header name | Custom header value | | ---------------------------- | -------------------------- | 
@@ -66,7 +65,7 @@ For more information, refer to the [Google Workspace documentation](https://supp | Selector | Operator | Value | Action | Untrusted certificate action | | ----------- | -------- | ------- | ------ | ---------------------------- | -| Application | in | *Slack* | Allow | Block | +| Application | in | _Slack_ | Allow | Block | | Custom header name | Custom header value | | -------------------------------------------------------------------- | ----------------------------- | @@ -78,7 +77,7 @@ For more information, refer to the [Slack documentation](https://slack.com/help/ | Selector | Operator | Value | Action | Untrusted certificate action | | ----------- | -------- | --------- | ------ | ---------------------------- | -| Application | in | *Dropbox* | Allow | Block | +| Application | in | _Dropbox_ | Allow | Block | | Custom header name | Custom header value | | ---------------------------- | ---------------------- | diff --git a/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx b/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx index aced7267e4cfa0..b508b7f000ef66 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx @@ -3,10 +3,9 @@ pcx_content_type: reference title: Identity-based policies sidebar: order: 10 - --- -import { Render } from "~/components" +import { Render } from "~/components"; With Cloudflare Zero Trust, you can create Secure Web Gateway policies that filter outbound traffic down to the user identity level. To do that, you can build DNS, HTTP or Network policies using a set of [identity-based selectors](#identity-based-selectors). These selectors require you to deploy the Zero Trust WARP client in [Gateway with WARP mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/). 
@@ -18,8 +17,8 @@ Gateway checks identity when a user logs in or re-authenticates. To check your u Unless you use an [IdP that supports SCIM provisioning](#automatic-scim-idp-updates), Gateway will not detect when you add or remove a user from a group in your IdP until the user re-authenticates to your Zero Trust instance. There are two ways a user can re-authenticate: -* Log out from an Access-protected application and log back in. -* In their WARP client settings, select **Preferences** > **Account** > **Re-Authenticate Session**. This will open a browser window and prompt the user to log in. +- Log out from an Access-protected application and log back in. +- In their WARP client settings, select **Preferences** > **Account** > **Re-Authenticate Session**. This will open a browser window and prompt the user to log in. To view the identity that Gateway will use when evaluating policies, check the [user registry](/cloudflare-one/insights/logs/users/). @@ -47,7 +46,7 @@ Specify a value from the SAML Attribute Assertion. ### User Email -Use this selector to create identity-based Gateway rules based on a user’s email. +Use this selector to create identity-based Gateway rules based on a user's email. | UI name | API example value | | ---------- | ------------------------------------------- | @@ -87,10 +86,8 @@ Use this selector to create identity-based Gateway rules based on an IdP usernam :::note[Gateway groups vs. Access groups] - In Gateway, a **User Group** refers to a group in your IdP (for example, an Okta group). Gateway does not currently support applying DNS, HTTP, and Network policies to [Access groups](/cloudflare-one/identity/users/groups/). This is because Access groups may include criteria not available through the IdP, such as device location or IP address. - ::: ## IdP groups in Gateway 
@@ -107,7 +104,7 @@ Because IdPs expose user groups in different formats, reference the list below t **Value** is the [Object Id](/cloudflare-one/identity/idp-integration/azuread/#azure-groups-in-zero-trust-policies) for an Azure group. -If you enabled user and group synchronization with [SCIM](/cloudflare-one/identity/idp-integration/azuread/#synchronize-users-and-groups), the synchronized groups will appear under *User Group Names*: +If you enabled user and group synchronization with [SCIM](/cloudflare-one/identity/idp-integration/azuread/#synchronize-users-and-groups), the synchronized groups will appear under _User Group Names_: | Selector | Value | | ---------------- | ------------ | diff --git a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx index be57bc3610e3de..8367251b531117 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx @@ -6,16 +6,15 @@ sidebar: head: - tag: title content: Set up DNS filtering - --- -import { GlossaryTooltip, Render } from "~/components" +import { GlossaryTooltip, Render } from "~/components"; Secure Web Gateway allows you to inspect DNS traffic and control which websites users can visit. :::note -For a more detailed guide to filtering DNS queries and other traffic for your organization, refer to the [Secure your Internet traffic and SaaS apps](/learning-paths/secure-internet-traffic/) implementation guide. +For a more detailed guide to filtering DNS queries and other traffic for your organization, refer to the [Secure your Internet traffic and SaaS apps](/learning-paths/secure-internet-traffic/) implementation guide. ::: ## 1. Connect to Gateway 
@@ -25,7 +24,7 @@ For a more detailed guide to filtering DNS queries and other traffic for your or To filter DNS requests from an individual device such as a laptop or phone: 1. [Install the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on your device. -2. In the WARP client Settings, log in to your organization’s Zero Trust instance. +2. In the WARP client Settings, log in to your organization's Zero Trust instance. 3. (Optional) If you want to display a [custom block page](/cloudflare-one/policies/gateway/configuring-block-page/), [install the Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on your device. ### Connect DNS locations @@ -39,13 +38,16 @@ To filter DNS requests from a location such as an office or data center: Gateway identifies locations differently depending on the DNS query protocol: -* **IPv4 queries** match to the source IP address. Under **Gateway** > **DNS Locations**, ensure that the **Source IPv4 Address** parameter is correct for the location you want to apply policies to. -* **IPv6, DOT, or DOH queries** match to the unique DNS forwarding address assigned to the DNS location. Ensure that your DNS resolver is configured for the location you want to apply policies to. +- **IPv4 queries** match to the source IP address. Under **Gateway** > **DNS Locations**, ensure that the **Source IPv4 Address** parameter is correct for the location you want to apply policies to. +- **IPv6, DOT, or DOH queries** match to the unique DNS forwarding address assigned to the DNS location. Ensure that your DNS resolver is configured for the location you want to apply policies to. ::: ## 2. Verify device connectivity - + ## 3. Add recommended policies 
@@ -53,7 +55,7 @@ To create a new DNS policy, go to **Gateway** > **Firewall Policies** > **DNS** ### Block all security categories -Block [known threats](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare’s threat intelligence. +Block [known threats](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence. diff --git a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/http.mdx b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/http.mdx index 88c16e5409dfef..9b61226b5943d4 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/http.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/http.mdx @@ -6,16 +6,15 @@ sidebar: head: - tag: title content: Set up HTTP filtering - --- -import { GlossaryTooltip, Render } from "~/components" +import { GlossaryTooltip, Render } from "~/components"; Secure Web Gateway allows you to inspect HTTP traffic and control which websites users can visit. :::note -For a more detailed guide to filtering HTTP requests and other traffic for your organization, refer to the [Secure your Internet traffic and SaaS apps](/learning-paths/secure-internet-traffic/) implementation guide. +For a more detailed guide to filtering HTTP requests and other traffic for your organization, refer to the [Secure your Internet traffic and SaaS apps](/learning-paths/secure-internet-traffic/) implementation guide. ::: ## 1. Connect to Gateway 
@@ -24,14 +23,17 @@ To filter HTTP requests from a device: 1. [Install the Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on your device. 2. [Install the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on your device. -3. In the WARP client Settings, log in to your organization’s Zero Trust instance. +3. In the WARP client Settings, log in to your organization's Zero Trust instance. 4. [Enable the Gateway proxy](/cloudflare-one/policies/gateway/proxy/#enable-the-gateway-proxy) for TCP. Optionally, you can enable the UDP proxy to inspect all port 443 UDP traffic. 5. To inspect HTTPS traffic, [enable TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#enable-tls-decryption). 6. (Optional) To scan file uploads and downloads for malware, [enable anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/). ## 2. Verify device connectivity - + ## 3. Add recommended policies 
@@ -40,13 +42,13 @@ We recommend adding the following policies: ### Bypass inspection for incompatible applications -Bypass HTTP inspection for applications which use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations). This will help avoid any incompatibilities that may arise from an initial rollout. By the *Do Not Inspect* app type, Gateway will filter any new applications when they are added to the group. +Bypass HTTP inspection for applications which use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations). This will help avoid any incompatibilities that may arise from an initial rollout. By the _Do Not Inspect_ app type, Gateway will filter any new applications when they are added to the group. ### Block all security categories -Block [known threats](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare’s threat intelligence. +Block [known threats](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence. diff --git a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/network.mdx b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/network.mdx index 3b0633eacfa4bc..d47f39d6d0f94f 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/network.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/network.mdx 
@@ -3,16 +3,15 @@ title: Network filtering pcx_content_type: how-to sidebar: order: 2 - --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip } from "~/components"; Secure Web Gateway allows you to apply policies at the network level (Layers 3 and 4) to control which websites and non-HTTP applications users can access. :::note -For a more detailed guide to filtering network traffic and more for your organization, refer to the [Secure your Internet traffic and SaaS apps](/learning-paths/secure-internet-traffic/) implementation guide. +For a more detailed guide to filtering network traffic and more for your organization, refer to the [Secure your Internet traffic and SaaS apps](/learning-paths/secure-internet-traffic/) implementation guide. ::: ## 1. Connect to Gateway @@ -22,7 +21,7 @@ For a more detailed guide to filtering network traffic and more for your organiz To filter network traffic from a device such as a laptop or phone: 1. [Install the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on your device. -2. In the WARP client Settings, log in to your organization’s Zero Trust instance. +2. In the WARP client Settings, log in to your organization's Zero Trust instance. 3. (Optional) If you want to display a [custom block page](/cloudflare-one/policies/gateway/configuring-block-page/), [install the Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on your device . 4. [Enable the Gateway proxy](/cloudflare-one/policies/gateway/proxy/#enable-the-gateway-proxy) for TCP. Optionally, you can enable the UDP proxy to inspect all port 443 UDP traffic. diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx index 7f2b4106998c3a..cfe383c0033bc9 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx 
+++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx @@ -3,30 +3,30 @@ pcx_content_type: configuration title: Network policies sidebar: order: 3 - --- -import { Details, InlineBadge, Render } from "~/components" +import { Details, InlineBadge, Render } from "~/components"; :::note - To enable this feature, download and deploy the [WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on your devices. - ::: With Cloudflare Zero Trust, you can configure policies to control network-level traffic leaving your endpoints. Using network selectors like IP addresses and ports, your policies will control access to any network origin. Because Cloudflare Zero Trust [integrates with your identity provider](/cloudflare-one/identity/idp-integration/), it also gives you the ability to create identity-based network policies. This means you can now control access to non-HTTP resources on a per-user basis regardless of where they are or what device they access that resource from. A network policy consists of an **Action** as well as a logical expression that determines the scope of the action. To build an expression, you need to choose a **Selector** and an **Operator**, and enter a value or range of values in the **Value** field. You can use **And** and **Or** logical operators to evaluate multiple conditions. -* [Actions](#actions) -* [Selectors](#selectors) -* [Comparison operators](#comparison-operators) -* [Value](#value) -* [Logical operators](#logical-operators) +- [Actions](#actions) +- [Selectors](#selectors) +- [Comparison operators](#comparison-operators) +- [Value](#value) +- [Logical operators](#logical-operators) - + ## Actions @@ -36,41 +36,39 @@ Like actions in DNS and HTTP policies, actions in network policies define which API value: `allow` -
**Traffic** -* [Application](#application) -* [Destination Continent IP Geolocation](#destination-continent) -* [Destination Country IP Geolocation](#destination-country) -* [Destination IP](#destination-ip) -* [Destination Port](#destination-port) -* [Detected Protocol](#detected-protocol) -* [Protocol](#protocol) -* [Proxy Endpoint](#proxy-endpoint) -* [SNI](#sni) -* [SNI Domain](#sni-domain) -* [Source Continent IP Geolocation](#source-continent) -* [Source Country IP Geolocation](#source-country) -* [Source Internal IP](#source-internal-ip) -* [Source IP](#source-ip) -* [Source Port](#source-port) -* [Virtual Network](#virtual-network) +- [Application](#application) +- [Destination Continent IP Geolocation](#destination-continent) +- [Destination Country IP Geolocation](#destination-country) +- [Destination IP](#destination-ip) +- [Destination Port](#destination-port) +- [Detected Protocol](#detected-protocol) +- [Protocol](#protocol) +- [Proxy Endpoint](#proxy-endpoint) +- [SNI](#sni) +- [SNI Domain](#sni-domain) +- [Source Continent IP Geolocation](#source-continent) +- [Source Country IP Geolocation](#source-country) +- [Source Internal IP](#source-internal-ip) +- [Source IP](#source-ip) +- [Source Port](#source-port) +- [Virtual Network](#virtual-network) **Identity** -* [SAML Attributes](#users) -* [User Email](#users) -* [User Group Emails](#users) -* [User Group IDs](#users) -* [User Group Names](#users) -* [User Name](#users) +- [SAML Attributes](#users) +- [User Email](#users) +- [User Group Emails](#users) +- [User Group IDs](#users) +- [User Group Names](#users) +- [User Name](#users) **Device Posture** -* [Passed Device Posture Checks](#device-posture) - +- [Passed Device Posture Checks](#device-posture)
@@ -85,35 +83,33 @@ Policies with Allow actions allow network traffic to reach certain IPs or ports. API value: `audit_ssh` -
**Traffic** -* [Application](#application) -* [Destination Continent IP Geolocation](#destination-continent) -* [Destination Country IP Geolocation](#destination-country) -* [Destination IP](#destination-ip) -* [Source Continent IP Geolocation](#source-continent) -* [Source Country IP Geolocation](#source-country) -* [Source Internal IP](#source-internal-ip) -* [Source IP](#source-ip) -* [Source Port](#source-port) -* [Virtual Network](#virtual-network) +- [Application](#application) +- [Destination Continent IP Geolocation](#destination-continent) +- [Destination Country IP Geolocation](#destination-country) +- [Destination IP](#destination-ip) +- [Source Continent IP Geolocation](#source-continent) +- [Source Country IP Geolocation](#source-country) +- [Source Internal IP](#source-internal-ip) +- [Source IP](#source-ip) +- [Source Port](#source-port) +- [Virtual Network](#virtual-network) **Identity** -* [SAML Attributes](#users) -* [User Email](#users) -* [User Group Emails](#users) -* [User Group IDs](#users) -* [User Group Names](#users) -* [User Name](#users) +- [SAML Attributes](#users) +- [User Email](#users) +- [User Group Emails](#users) +- [User Group IDs](#users) +- [User Group Names](#users) +- [User Name](#users) **Device Posture** -* [Passed Device Posture Checks](#device-posture) - +- [Passed Device Posture Checks](#device-posture)
@@ -133,41 +129,39 @@ Gateway only audits SSH traffic over port `22`. Non-standard ports, including th API value: `block` -
**Traffic** -* [Application](#application) -* [Destination Continent IP Geolocation](#destination-continent) -* [Destination Country IP Geolocation](#destination-country) -* [Destination IP](#destination-ip) -* [Destination Port](#destination-port) -* [Detected Protocol](#detected-protocol) -* [Protocol](#protocol) -* [Proxy Endpoint](#proxy-endpoint) -* [SNI](#sni) -* [SNI Domain](#sni-domain) -* [Source Continent IP Geolocation](#source-continent) -* [Source Country IP Geolocation](#source-country) -* [Source Internal IP](#source-internal-ip) -* [Source IP](#source-ip) -* [Source Port](#source-port) -* [Virtual Network](#virtual-network) +- [Application](#application) +- [Destination Continent IP Geolocation](#destination-continent) +- [Destination Country IP Geolocation](#destination-country) +- [Destination IP](#destination-ip) +- [Destination Port](#destination-port) +- [Detected Protocol](#detected-protocol) +- [Protocol](#protocol) +- [Proxy Endpoint](#proxy-endpoint) +- [SNI](#sni) +- [SNI Domain](#sni-domain) +- [Source Continent IP Geolocation](#source-continent) +- [Source Country IP Geolocation](#source-country) +- [Source Internal IP](#source-internal-ip) +- [Source IP](#source-ip) +- [Source Port](#source-port) +- [Virtual Network](#virtual-network) **Identity** -* [SAML Attributes](#users) -* [User Email](#users) -* [User Group Emails](#users) -* [User Group IDs](#users) -* [User Group Names](#users) -* [User Name](#users) +- [SAML Attributes](#users) +- [User Email](#users) +- [User Group Emails](#users) +- [User Group IDs](#users) +- [User Group Names](#users) +- [User Name](#users) **Device Posture** -* [Passed Device Posture Checks](#device-posture) - +- [Passed Device Posture Checks](#device-posture)
@@ -185,42 +179,40 @@ Policies with Block actions block network traffic from reaching certain IPs or p API value: `l4_override` -
**Traffic** -* [Destination Continent IP Geolocation](#destination-continent) -* [Destination Country IP Geolocation](#destination-country) -* [Destination IP](#destination-ip) -* [Destination Port](#destination-port) -* [Protocol](#protocol) -* [SNI](#sni) -* [SNI Domain](#sni-domain) -* [Source Continent IP Geolocation](#source-continent) -* [Source Country IP Geolocation](#source-country) -* [Source Internal IP](#source-internal-ip) -* [Source IP](#source-ip) -* [Source Port](#source-port) -* [Virtual Network](#virtual-network) +- [Destination Continent IP Geolocation](#destination-continent) +- [Destination Country IP Geolocation](#destination-country) +- [Destination IP](#destination-ip) +- [Destination Port](#destination-port) +- [Protocol](#protocol) +- [SNI](#sni) +- [SNI Domain](#sni-domain) +- [Source Continent IP Geolocation](#source-continent) +- [Source Country IP Geolocation](#source-country) +- [Source Internal IP](#source-internal-ip) +- [Source IP](#source-ip) +- [Source Port](#source-port) +- [Virtual Network](#virtual-network) **Identity** -* [SAML Attributes](#users) -* [User Email](#users) -* [User Group Emails](#users) -* [User Group IDs](#users) -* [User Group Names](#users) -* [User Name](#users) +- [SAML Attributes](#users) +- [User Email](#users) +- [User Group Emails](#users) +- [User Group IDs](#users) +- [User Group Names](#users) +- [User Name](#users) **Device Posture** -* [Passed Device Posture Checks](#device-posture) - +- [Passed Device Posture Checks](#device-posture)
-Policies with Network Override actions override traffic directed to, or coming from, certain IPv4/IPv6 addresses or ports. Destination IPs can be public IPs or private IPs connected to your Zero Trust network. For example, the following configuration overrides traffic sent to a public IP with a private IP based on a user’s identity: +Policies with Network Override actions override traffic directed to, or coming from, certain IPv4/IPv6 addresses or ports. Destination IPs can be public IPs or private IPs connected to your Zero Trust network. For example, the following configuration overrides traffic sent to a public IP with a private IP based on a user's identity: | Selector | Operator | Value | Logic | Action | | -------------- | -------- | --------------- | ----- | ---------------- | @@ -238,11 +230,17 @@ Gateway matches network traffic against the following selectors, or criteria. ### Destination Continent - + ### Destination Country - + ### Destination IP @@ -266,10 +264,8 @@ Gateway matches network traffic against the following selectors, or criteria. :::note - To enable Gateway filtering on TCP and UDP, go to **Settings** > **Network** > **Proxy**. Network policies apply to all enabled protocols unless you use the **Protocol** selector within a policy. - ::: ### Proxy Endpoint @@ -294,7 +290,10 @@ The country of the user making the request. + ### Source IP @@ -310,7 +309,10 @@ The country of the user making the request. + ## Comparison operators @@ -318,9 +320,7 @@ The country of the user making the request. + diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/ssh-logging.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/ssh-logging.mdx index bd0468f2d9f286..6eee9f716e278f 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/ssh-logging.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/ssh-logging.mdx 
@@ -96,7 +96,7 @@ ssh @ :::note -If the target resource is already in a user’s `.ssh/known_hosts` file, the user must first remove existing SSH keys before attempting to connect: +If the target resource is already in a user's `.ssh/known_hosts` file, the user must first remove existing SSH keys before attempting to connect: ```sh ssh-keygen -R diff --git a/src/content/docs/cloudflare-one/tutorials/azuread-risky-users.mdx b/src/content/docs/cloudflare-one/tutorials/azuread-risky-users.mdx index 536dab71af7d78..a67051243acce9 100644 --- a/src/content/docs/cloudflare-one/tutorials/azuread-risky-users.mdx +++ b/src/content/docs/cloudflare-one/tutorials/azuread-risky-users.mdx @@ -116,7 +116,7 @@ The [Cron Trigger](/workers/configuration/cron-triggers/) in this example schedu wrangler secret put AZURE_AD_CLIENT_SECRET ``` - You will be prompted to input the secret’s value. Enter the **Client secret** obtained when [setting up AzureAD as an identity provider](#1-set-up-azure-ad-as-an-identity-provider). + You will be prompted to input the secret's value. Enter the **Client secret** obtained when [setting up AzureAD as an identity provider](#1-set-up-azure-ad-as-an-identity-provider). The Worker script will begin executing once per minute. To view realtime logs, run the following command and wait for the script to execute: diff --git a/src/content/docs/cloudflare-one/tutorials/vnc-client-in-browser.mdx b/src/content/docs/cloudflare-one/tutorials/vnc-client-in-browser.mdx index 0153b530f026f9..ee60192de54823 100644 --- a/src/content/docs/cloudflare-one/tutorials/vnc-client-in-browser.mdx +++ b/src/content/docs/cloudflare-one/tutorials/vnc-client-in-browser.mdx 
@@ -8,7 +8,7 @@ title: Render a VNC client in browser Cloudflare can render a Virtual Network Computer (VNC) terminal in your browser without any client software or configuration required. -Administrators can use Cloudflare Tunnel to connect a VNC host to Cloudflare’s network. Using Cloudflare Access, you can apply Zero Trust policies to determine who can access your VNC server. Cloudflare’s network will then enforce the Zero Trust policies and, when a user is allowed, render the client in the browser. +Administrators can use Cloudflare Tunnel to connect a VNC host to Cloudflare's network. Using Cloudflare Access, you can apply Zero Trust policies to determine who can access your VNC server. Cloudflare's network will then enforce the Zero Trust policies and, when a user is allowed, render the client in the browser. **This walkthrough covers how to:** @@ -162,6 +162,6 @@ Service Auth and Bypass policies are not supported for browser-based VNC applica 5. In **Additional settings**, set **Browser rendering** to _VNC_. -Users will see a login screen with your configured identity providers. After successful authentication, they may be prompted to enter the VNC server’s password. +Users will see a login screen with your configured identity providers. After successful authentication, they may be prompted to enter the VNC server's password. You can define granular access controls across each individual VNC instance. From d61e16bb2fc461c561ba1602129b7dbddeeded54 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 22 Aug 2024 17:20:46 -0500 Subject: [PATCH 2/3] Replace ambiguous double quotes --- .../saas-apps/google-cloud-saas.mdx | 29 +++++++++---------- .../saas-apps/google-workspace-saas.mdx | 29 +++++++++---------- .../warp/download-warp/index.mdx | 11 ++++--- .../identity/idp-integration/generic-oidc.mdx | 2 +- 4 files changed, 33 insertions(+), 38 deletions(-) 
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-cloud-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-cloud-saas.mdx index a8c6228cd7a014..f3d0505feb2c46 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-cloud-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-cloud-saas.mdx @@ -4,10 +4,9 @@ title: Google Cloud updated: 2024-07-03 sidebar: order: 13 - --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip } from "~/components"; This guide covers how to configure [Google Cloud](https://support.google.com/cloudidentity/topic/7558767) as a SAML application in Cloudflare Zero Trust. 
@@ -15,28 +14,28 @@ This guide covers how to configure [Google Cloud](https://support.google.com/clo When configuring Google Cloud with Access, the following limitations apply: -* Users will not be able to log in using [Google](/cloudflare-one/identity/idp-integration/google/) or [Google Workspace](/cloudflare-one/identity/idp-integration/gsuite/) as an identity provider after Google Cloud is configured with Access. +- Users will not be able to log in using [Google](/cloudflare-one/identity/idp-integration/google/) or [Google Workspace](/cloudflare-one/identity/idp-integration/gsuite/) as an identity provider after Google Cloud is configured with Access. -* The integration of Access as a single sign-on provider for your Google Cloud account does not work for Google super admins. It will work for other users. +- The integration of Access as a single sign-on provider for your Google Cloud account does not work for Google super admins. It will work for other users. ::: ## Prerequistes -* An [identity provider](/cloudflare-one/identity/idp-integration/) configured in Cloudflare Zero Trust -* Admin access to a Google Workspace account -* [Cloud Identity Free or Premium](https://support.google.com/cloudidentity/answer/7389973) set up in your organization's Google Cloud account +- An [identity provider](/cloudflare-one/identity/idp-integration/) configured in Cloudflare Zero Trust +- Admin access to a Google Workspace account +- [Cloud Identity Free or Premium](https://support.google.com/cloudidentity/answer/7389973) set up in your organization's Google Cloud account ## 1. Add a SaaS application to Cloudflare Zero Trust 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. 2. Select **Add an application** > **SaaS** > **Select**. -3. For **Application**, select *Google Cloud*. +3. For **Application**, select _Google Cloud_. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. 
Fill in the following fields: - * **Entity ID**: `google.com` - * **Assertion Consumer Service URL**: `https://www.google.com/a//acs` - * **Name ID format**: *Email* + - **Entity ID**: `google.com` + - **Assertion Consumer Service URL**: `https://www.google.com/a//acs` + - **Name ID format**: _Email_ 7. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**. 8. Select **Save configuration**. 9. Configure [Access policies](/cloudflare-one/policies/access/) for the application. @@ -54,9 +53,9 @@ When configuring Google Cloud with Access, the following limitations apply: 2. Select **Third-party SSO profile for your organization** > **Add SSO Profile**. 3. Turn on **Set up SSO with third-party identity provider**. 4. Fill in the following information: - * **Sign-in page URL**: SSO endpoint from application configuration in Cloudflare Zero Trust. - * **Sign-out page URL**: `https://.cloudflareaccess.com/cdn-cgi/access/logout`, where `` is your Zero Trust team name. - * **Verification certificate**: Upload the `.crt` certificate file from step [2. Create a x.509 certificate](#2-create-a-x509-certificate). + - **Sign-in page URL**: SSO endpoint from application configuration in Cloudflare Zero Trust. + - **Sign-out page URL**: `https://.cloudflareaccess.com/cdn-cgi/access/logout`, where `` is your Zero Trust team name. + - **Verification certificate**: Upload the `.crt` certificate file from step [2. Create a x.509 certificate](#2-create-a-x509-certificate). 5. (Optional) Turn on **Use a domain specific issuer**. If you select this option, Google will send an issuer specific to your Google Cloud domain (`google.com/a/` instead of the standard `google.com`). ## 4. Test the integration 
@@ -65,6 +64,6 @@ Open an incognito browser window and go to your Google Cloud URL (`https://conso ## Troubleshooting -`Error: “G Suite - This account cannot be accessed because the login credentials could not be verified.”` +`Error: "G Suite - This account cannot be accessed because the login credentials could not be verified."` If you see this error, it is likely that the public key and private key do not match. Confirm that your certificate file includes the correct public key. diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx index fdda1d28c1c6ed..1cada49ab9e63f 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx 
@@ -4,25 +4,22 @@ title: Google Workspace updated: 2024-06-04 sidebar: order: 13 - --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip } from "~/components"; -This guide covers how to configure [Google Workspace](https://support.google.com/a/topic/7579248?hl=en\&ref_topic=7556686\&sjid=14539485562330725560-NA) as a SAML application in Cloudflare Zero Trust. +This guide covers how to configure [Google Workspace](https://support.google.com/a/topic/7579248?hl=en&ref_topic=7556686&sjid=14539485562330725560-NA) as a SAML application in Cloudflare Zero Trust. :::note - The integration of Access as a single sign-on provider for your Google Workspace account does not work for Google super admins. It will work for other users. - ::: ## Prerequistes -* An [identity provider](/cloudflare-one/identity/idp-integration/) configured in Cloudflare Zero Trust -* Admin access to a Google Workspace account +- An [identity provider](/cloudflare-one/identity/idp-integration/) configured in Cloudflare Zero Trust +- Admin access to a Google Workspace account ## 1. Create an application in Zero Trust 
@@ -31,14 +28,14 @@ The integration of Access as a single sign-on provider for your Google Workspace 2. Select **SaaS application**. 3. Fill in the following information: - * **Application**: *Google*. - * **Entity ID**: `google.com` - * **Assertion Consumer Service URL**: `https://www.google.com/a//acs`, where `` is your Google Workspace domain. - * **Name ID Format**: *Email*. + - **Application**: _Google_. + - **Entity ID**: `google.com` + - **Assertion Consumer Service URL**: `https://www.google.com/a//acs`, where `` is your Google Workspace domain. + - **Name ID Format**: _Email_. :::caution -When you put your Google Workspace behind Access, users will not be able to log in using [Google](/cloudflare-one/identity/idp-integration/google/) or [Google Workspace](/cloudflare-one/identity/idp-integration/gsuite/) as an identity provider. +When you put your Google Workspace behind Access, users will not be able to log in using [Google](/cloudflare-one/identity/idp-integration/google/) or [Google Workspace](/cloudflare-one/identity/idp-integration/gsuite/) as an identity provider. ::: 4. On the next page, [create an Access policy](/cloudflare-one/policies/access/) for your application. For example, you could allow users with an `@your_domain.com` email address. 
@@ -66,9 +63,9 @@ When you put your Google Workspace behind Access, users will not be able to log 3. Select **Third-party SSO profile for your organization**. 4. Enable **Set up SSO with third-party identity provider**. 5. Fill in the following information: - * **Sign-in page URL**: Copy and then paste your **SSO endpoint** from Zero Trust. - * **Sign-out page URL**: `https://.cloudflareaccess.com/cdn-cgi/access/logout`, where `` is your Zero Trust team name. - * **Verification certificate**: Upload the certificate file containing your public key. + - **Sign-in page URL**: Copy and then paste your **SSO endpoint** from Zero Trust. + - **Sign-out page URL**: `https://.cloudflareaccess.com/cdn-cgi/access/logout`, where `` is your Zero Trust team name. + - **Verification certificate**: Upload the certificate file containing your public key. 6. (Optional) Enable **Use a domain specific issuer**. If you select this option, Google will send an issuer specific to your Google Workspace domain (`google.com/a/` instead of the standard `google.com`). ## 4. Test the integration @@ -81,6 +78,6 @@ An Access login screen should appear. ## Troubleshooting -`Error: “G Suite - This account cannot be accessed because the login credentials could not be verified.”` +`Error: "G Suite - This account cannot be accessed because the login credentials could not be verified."` If you see this error, it is likely that the public key and private key do not match. Confirm that your certificate file includes the correct public key. diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/download-warp/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/download-warp/index.mdx index cbe6365e3fc298..ce4c6a5f30439b 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/download-warp/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/download-warp/index.mdx 
@@ -3,10 +3,9 @@ pcx_content_type: reference title: Download WARP sidebar: order: 2 - --- -import { Render } from "~/components" +import { Render } from "~/components"; You can download the WARP client from Zero Trust. To do that, go to **Settings** > **Downloads** and scroll down to **Download the WARP client**. @@ -44,11 +43,11 @@ Alternatively, download the client from one of the following links after checkin | -------------- | ------- | | **OS version** | iOS 11+ | -[Download from the iOS App Store](https://apps.apple.com/us/app/cloudflare-one-agent/id6443476492) or search for “Cloudflare One Agent”. +[Download from the iOS App Store](https://apps.apple.com/us/app/cloudflare-one-agent/id6443476492) or search for "Cloudflare One Agent". :::note[Migrate from 1.1.1.1] -The legacy iOS client, [1.1.1.1: Faster Internet](https://apps.apple.com/us/app/1-1-1-1-faster-internet/id1423538627), is becoming the Cloudflare One Agent. Learn more in our [migration guide](/cloudflare-one/connections/connect-devices/warp/download-warp/cloudflare-one-agent-migration/). +The legacy iOS client, [1.1.1.1: Faster Internet](https://apps.apple.com/us/app/1-1-1-1-faster-internet/id1423538627), is becoming the Cloudflare One Agent. Learn more in our [migration guide](/cloudflare-one/connections/connect-devices/warp/download-warp/cloudflare-one-agent-migration/). ::: ## Android 
@@ -57,11 +56,11 @@ The legacy iOS client, [1.1.1.1: Faster Internet](https://apps.apple.com/us/app/ | -------------- | ---- | | **OS version** | 5.0+ | -[Download from the Google Play store](https://play.google.com/store/apps/details?id=com.cloudflare.cloudflareoneagent) or search for “Cloudflare One Agent”. +[Download from the Google Play store](https://play.google.com/store/apps/details?id=com.cloudflare.cloudflareoneagent) or search for "Cloudflare One Agent". :::note[Migrate from 1.1.1.1] -The legacy Android client, [1.1.1.1 + WARP: Safer Internet](https://play.google.com/store/apps/details?id=com.cloudflare.onedotonedotonedotone), is becoming the Cloudflare One Agent. Learn more in our [migration guide](/cloudflare-one/connections/connect-devices/warp/download-warp/cloudflare-one-agent-migration/). +The legacy Android client, [1.1.1.1 + WARP: Safer Internet](https://play.google.com/store/apps/details?id=com.cloudflare.onedotonedotonedotone), is becoming the Cloudflare One Agent. Learn more in our [migration guide](/cloudflare-one/connections/connect-devices/warp/download-warp/cloudflare-one-agent-migration/). ::: ## ChromeOS diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx index 1be89605eee454..59d255676a9a3d 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx 
@@ -27,7 +27,7 @@ Cloudflare Access has a generic OpenID Connect (OIDC) connector to help you inte - Token URL: The `token_endpoint` URL of your IdP - Certificate URL: The `jwks_uri` endpoint of your IdP to allow the IdP keys to sign the tokens - You can find these values on your identity provider's **OIDC discovery endpoint**. Some providers call this the “well-known URL”. + You can find these values on your identity provider's **OIDC discovery endpoint**. Some providers call this the "well-known URL". 4. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**. From 15fef30c9532a74278af27f814cf4a57094b7390 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 22 Aug 2024 17:29:27 -0500 Subject: [PATCH 3/3] Change links to language-agnostic --- .../saas-apps/docusign-access.mdx | 4 +- .../saas-apps/google-workspace-saas.mdx | 2 +- .../connect-networks/use-cases/rdp.mdx | 2 +- .../identity/idp-integration/okta.mdx | 55 ++++++++++--------- 4 files changed, 32 insertions(+), 31 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/docusign-access.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/docusign-access.mdx index 0b55390926604d..ec871675a13d0d 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/docusign-access.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/docusign-access.mdx 
@@ -6,13 +6,13 @@ sidebar: order: 10 --- -This guide covers how to configure [Docusign](https://support.docusign.com/s/document-item?language=en_US&bundleId=rrf1583359212854&topicId=ozd1583359139126.html&_LANG=enus) as a SAML application in Cloudflare Zero Trust. +This guide covers how to configure [Docusign](https://support.docusign.com/s/document-item?bundleId=rrf1583359212854&topicId=ozd1583359139126.html) as a SAML application in Cloudflare Zero Trust. ## Prerequisites - An [identity provider](/cloudflare-one/identity/idp-integration/) configured in Cloudflare Zero Trust - Admin access to a Docusign account that has Single Sign-On available -- A [domain](https://support.docusign.com/s/document-item?language=en_US&bundleId=rrf1583359212854&topicId=gso1583359141256.html&_LANG=enus) verified in Docusign +- A [domain](https://support.docusign.com/s/document-item?bundleId=rrf1583359212854&topicId=gso1583359141256.html) verified in Docusign ## 1. Create the Access for SaaS application diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx index 1cada49ab9e63f..b25f2a480d568e 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx @@ -8,7 +8,7 @@ sidebar: import { GlossaryTooltip } from "~/components"; -This guide covers how to configure [Google Workspace](https://support.google.com/a/topic/7579248?hl=en&ref_topic=7556686&sjid=14539485562330725560-NA) as a SAML application in Cloudflare Zero Trust. +This guide covers how to configure [Google Workspace](https://support.google.com/a/topic/7579248?ref_topic=7556686&sjid=14539485562330725560-NA) as a SAML application in Cloudflare Zero Trust. :::note 
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp.mdx index 7dc71414e6ecb9..b2939f219e5b47 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp.mdx @@ -39,7 +39,7 @@ You can use any RDP client to access and configure the RDP server. To access the server through Microsoft Remote Desktop: -1. Download and install [Microsoft Remote Desktop](https://apps.microsoft.com/store/detail/microsoft-remote-desktop/9WZDNCRFJ3PS?hl=en-us&gl=us). +1. Download and install [Microsoft Remote Desktop](https://apps.microsoft.com/store/detail/microsoft-remote-desktop/9WZDNCRFJ3PS). 2. Once downloaded, open Microsoft Remote Desktop and select **Add a PC**. 3. For **PC name**, enter the public IP address of your RDP server. In GCP, this is the **External IP** of the VM instance. 4. For **User account**, select **Add User Account** and enter your auto-generated password and username. diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx index e98307da243d41..7f016032d1ebf1 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx 
@@ -3,10 +3,9 @@ pcx_content_type: how-to title: Okta sidebar: order: 17 - --- -import { Render } from "~/components" +import { Render } from "~/components"; Okta provides cloud software that helps companies manage and secure user authentication to modern applications, and helps developers build identity controls into applications, website web services, and devices. You can integrate Okta with Cloudflare Zero Trust and build rules based on user identity and group membership. Cloudflare Zero Trust supports Okta integrations using either the OIDC (default) or [SAML](/cloudflare-one/identity/idp-integration/okta-saml/) protocol. @@ -40,12 +39,12 @@ Additionally, you can configure Okta to use risk information from Zero Trust [us ![Configuring the Groups claim filter in Okta](~/assets/images/cloudflare-one/identity/okta/okta-2.png) -9. Set the **Groups claim filter** to *Matches regex* and its value to `.*`. +9. Set the **Groups claim filter** to _Matches regex_ and its value to `.*`. - :::note + :::note - Groups managed outside of Okta (for example, Entra ID/Azure AD or Google groups) may require different regex values. For more information, refer to the [Okta documentation](https://support.okta.com/help/s/article/Why-isnt-my-Groups-claim-returning-Active-Directory-groups?language=en_US). - ::: + Groups managed outside of Okta (for example, Entra ID/Azure AD or Google groups) may require different regex values. For more information, refer to the [Okta documentation](https://support.okta.com/help/s/article/Why-isnt-my-Groups-claim-returning-Active-Directory-groups). + ::: 10. In the **General** tab, copy the **Client ID** and **Client secret**. 
@@ -57,14 +56,15 @@ Additionally, you can configure Okta to use risk information from Zero Trust [us 13. Fill in the following information: - * **Name**: Name your identity provider. - * **App ID**: Enter your Okta client ID. - * **Client secret**: Enter your Okta client secret. - * **Okta account URL**: Enter your [Okta domain](https://developer.okta.com/docs/guides/find-your-domain/main/), for example `https://my-company.okta.com`. + - **Name**: Name your identity provider. + - **App ID**: Enter your Okta client ID. + - **Client secret**: Enter your Okta client secret. + - **Okta account URL**: Enter your [Okta domain](https://developer.okta.com/docs/guides/find-your-domain/main/), for example `https://my-company.okta.com`. 14. (Optional) Create an Okta API token and enter it in Zero Trust (the token can be read-only). This will prevent your Okta groups from failing if you have more than 100 groups. 15. (Optional) To configure [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims): + 1. In Okta, create a [custom authorization server](https://developer.okta.com/docs/guides/customize-authz-server/main/) and ensure that the `groups` scope is enabled. 2. In Zero Trust, enter the **Authorization Server ID** obtained from Okta. 3. Under **Optional configurations**, enter the claims that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity) 
@@ -77,12 +77,10 @@ To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) tha :::note - If you see the error `Failed to fetch user/group information from the identity`, double-check your Okta configuration: -* If you have more than 100 Okta groups, ensure you include the API token. -* The request may be blocked by the [ThreatInsights feature](https://help.okta.com/en/prod/Content/Topics/Security/threat-insight/ti-index.htm) within Okta. - +- If you have more than 100 Okta groups, ensure you include the API token. +- The request may be blocked by the [ThreatInsights feature](https://help.okta.com/en/prod/Content/Topics/Security/threat-insight/ti-index.htm) within Okta. ::: @@ -90,12 +88,15 @@ If you see the error `Failed to fetch user/group information from the identity`, The Okta integration allows you to synchronize IdP groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/). To enable SCIM provisioning between Access and Okta, you need two separate app integrations in Okta: -* The Okta OIDC connector you created when adding [Okta as an identity provider](/cloudflare-one/identity/idp-integration/okta/#set-up-okta-as-an-oidc-provider). -* A second Okta application of type **SCIM 2.0 Test App (Header Auth)**. This is technically a SAML app but is responsible for sending user and group info via SCIM. +- The Okta OIDC connector you created when adding [Okta as an identity provider](/cloudflare-one/identity/idp-integration/okta/#set-up-okta-as-an-oidc-provider). +- A second Okta application of type **SCIM 2.0 Test App (Header Auth)**. This is technically a SAML app but is responsible for sending user and group info via SCIM. ### 1. Enable SCIM in Zero Trust - + ### 2. Configure SCIM in Okta 
@@ -125,9 +126,9 @@ The Okta integration allows you to synchronize IdP groups and automatically depr 12. On the **Provisioning** tab, select **Edit** and enable: - * **Create Users** - * **Update User Attributes** - * **Deactivate Users** + - **Create Users** + - **Update User Attributes** + - **Deactivate Users** ![Configure provisioning settings in Okta](~/assets/images/cloudflare-one/identity/okta/enable-provisioning.png) @@ -143,12 +144,12 @@ Provisioning will begin immediately. To verify the integration, select **View Lo ```json { - "config": { - "client_id": "", - "client_secret": "", - "okta_account": "https://dev-abc123.oktapreview.com" - }, - "type": "okta", - "name": "my example idp" + "config": { + "client_id": "", + "client_secret": "", + "okta_account": "https://dev-abc123.oktapreview.com" + }, + "type": "okta", + "name": "my example idp" } ```
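Review bot: the commit subject "Replace ambiguous single quotes" (PATCH 1) describes only a small part of what that commit changes; most of its hunks are formatter output, for example the selector lists in network-policies at @@ -133,41 +129,39 @@ and @@ -185,42 +179,40 @@ switch every `* ` marker to `- ` and drop trailing blank lines, and the MDX files change `*italic*` to `_italic_`, append `;` to `import { GlossaryTooltip } from "~/components"`, and remove blank lines inside `:::note` blocks and frontmatter. The same applies to PATCH 3 ("Change links to language-agnostic"), whose okta.mdx hunk at @@ -143,12 +144,12 @@ is a pure re-indentation of the JSON sample from four spaces to two. Either state in each commit message that a Prettier-style formatting pass is included, or move the whitespace and marker changes into their own commit so the quote and link changes can be reviewed on their own.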
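Review bot: the heading `## Prerequistes` is misspelled in both google-cloud-saas.mdx (context of @@ -15,28 +14,28 @@) and google-workspace-saas.mdx (context of @@ -4,25 +4,22 @@); it sits directly beside lines this patch reformats, so fix it to `## Prerequisites` in the same change (docusign-access.mdx in PATCH 3 already uses the correct spelling). Check for any in-page links to the old `#prerequistes` anchor before renaming.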
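Review bot: in google-cloud-saas.mdx @@ -15,28 +14,28 @@ the reformatted bullet `- **Assertion Consumer Service URL**: `https://www.google.com/a//acs`` never says what the placeholder segment in the path stands for, while the parallel bullet in google-workspace-saas.mdx @@ -31,14 +28,14 @@ appends ", where `` is your Google Workspace domain". Add the same trailing explanation to the Google Cloud bullet so the two guides give the reader the same information.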
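Review bot: in the Troubleshooting hunks of google-cloud-saas.mdx (@@ -65,6 +64,6 @@) and google-workspace-saas.mdx (@@ -81,6 +78,6 @@) the curly quotes being replaced sit inside a backtick literal, `Error: "G Suite - This account cannot be accessed because the login credentials could not be verified."`, which presents itself as the exact message a user will see and search for. Confirm that Google renders this message with straight quotes before rewriting the literal; if the original uses curly quotes, either keep them here or drop the quote characters from the literal so the searchable text stays accurate.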
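Review bot: in PATCH 3 google-workspace-saas.mdx @@ -8,7 +8,7 @@ the link drops `hl=en` but keeps `sjid=14539485562330725560-NA`, which appears to be a per-session identifier copied from the editor's browser rather than part of the article's address. Trim the link to `https://support.google.com/a/topic/7579248?ref_topic=7556686` (or just the topic URL) so it is language-agnostic and stable, consistent with the Docusign hunk in the same commit, which removes `language=en_US` and `_LANG=enus`, and the rdp.mdx hunk, which removes `hl=en-us&gl=us`.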
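Review bot: in generic-oidc.mdx @@ -27,7 +27,7 @@ the unchanged context line `Certificate URL: The `jwks_uri` endpoint of your IdP to allow the IdP keys to sign the tokens` misstates what the endpoint is for. `jwks_uri` publishes the IdP's public keys so that Access can verify the signature on the tokens it receives; the IdP signs with its private key regardless of this setting. Suggested wording: "Certificate URL: The `jwks_uri` endpoint of your IdP, which publishes the public keys used to verify the IdP's token signatures".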