From c7c88c11133df2af5b97fe79a405e834ca9cd5fe Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 11 Nov 2024 17:22:31 -0600 Subject: [PATCH 1/2] Add DNI note --- .../policies/gateway/http-policies/tls-decryption.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx index a7864c52ec457ee..98da0a074864514 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx 
@@ -42,7 +42,7 @@ Applications that use certificate pinning and mTLS authentication do not trust C If you try to perform TLS decryption, these applications may not load or may return an error. To resolve this issue, you can: - Add a [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to supported applications. -- Create a [Do Not Inspect policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) to exempt applications from inspection. The [Application selector](/cloudflare-one/policies/gateway/http-policies/#application) provides a list of trusted applications that are known to use embedded certificates. +- Create a [Do Not Inspect policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) to exempt applications from inspection. The [Application selector](/cloudflare-one/policies/gateway/http-policies/#application) provides a list of trusted applications that are known to use embedded certificates. Note that if you create a Do Not Inspect policy for an application or website, you will lose the ability to log or block HTTP requests, apply DLP policies, and perform AV scanning. - Configure a [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) in Include mode to ensure Gateway will only inspect traffic destined for your IPs or domains. This is useful for organizations that deploy Zero Trust on users' personal devices or otherwise expect personal applications to be used. Alternatively, to allow HTTP filtering while accessing a site with an insecure certificate, set your [Untrusted certificate action](/cloudflare-one/policies/gateway/http-policies/#untrusted-certificates) to _Pass through_. From 096d5a800c2d4496d1986db92ed539349586fd69 Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Mon, 11 Nov 2024 17:31:53 -0600 Subject: [PATCH 2/2] Add context for errors --- .../policies/gateway/http-policies/tls-decryption.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx index 98da0a074864514..13731062358564a 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx @@ -39,7 +39,7 @@ Gateway does not support TLS decryption for applications which use: Applications that use certificate pinning and mTLS authentication do not trust Cloudflare certificates. For example, most mobile applications use certificate pinning. Cloudflare does not trust applications that use self-signed certificates instead of certificates signed by a public CA. -If you try to perform TLS decryption, these applications may not load or may return an error. To resolve this issue, you can: +If you try to perform TLS decryption on an application with an incompatible certificate configuration, the application may return an SSL or trust error and/or fail to load. To resolve this issue, you can: - Add a [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to supported applications. - Create a [Do Not Inspect policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) to exempt applications from inspection. The [Application selector](/cloudflare-one/policies/gateway/http-policies/#application) provides a list of trusted applications that are known to use embedded certificates. Note that if you create a Do Not Inspect policy for an application or website, you will lose the ability to log or block HTTP requests, apply DLP policies, and perform AV scanning.
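Review bot: In PATCH 1/2, the new sentence appended to the Do Not Inspect bullet states the visibility cost (no HTTP logging or blocking, no DLP policies, no AV scanning) for one workaround only, while the Split Tunnel bullet immediately below it, which this hunk leaves untouched, carries the same cost by its own wording: Gateway "will only inspect traffic destined for your IPs or domains", so the HTTP controls listed in the note are lost for everything outside the Include list as well. Consider stating the trade-off once, after the list, so it covers both bypass options, for example: "Traffic exempted by either method bypasses HTTP filtering: Gateway cannot log or block those requests, apply DLP policies, or perform AV scanning." Also drop the filler "Note that" and let the sentence start with "If you create ...".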
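Review bot: In PATCH 2/2, "may return an SSL or trust error and/or fail to load" mixes terminology and reads awkwardly: the surrounding section says TLS throughout, not SSL, and "and/or" should be avoided in documentation prose. Suggested wording: "If you try to perform TLS decryption for an application with an incompatible certificate configuration, the application may fail to load or return a TLS or certificate trust error." The new phrase "an application with an incompatible certificate configuration" is also vaguer than the "these applications" it replaces; the paragraph just above names the three cases (certificate pinning, mTLS authentication, self-signed certificates), so "an application that uses one of these configurations" would keep that link explicit.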