From f1eeb6bc5b03fff97089306d2a697fd595d0dc90 Mon Sep 17 00:00:00 2001
From: Max Phillips
Date: Wed, 11 Dec 2024 15:12:37 -0600
Subject: [PATCH 1/3] Add DNS policy partial
---
 .../policies/gateway/initial-setup/dns.mdx | 14 +++++--------
 .../build-dns-policies/create-policy.mdx | 15 +-------------
 .../gateway/get-started/create-dns-policy.mdx | 20 +++++++++++++++++++
 3 files changed, 26 insertions(+), 23 deletions(-)
 create mode 100644 src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx
diff --git a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx
index 940e9ffea38df15..e6ed33199473623 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx
@@ -25,7 +25,7 @@ To filter DNS requests from an individual device such as a laptop or phone:
 1. [Install the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on your device.
 2. In the WARP client Settings, log in to your organization's Zero Trust instance.
-3. (Optional) If you want to display a [custom block page](/cloudflare-one/policies/gateway/block-page/), [install the Cloudflare root certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/) on your device.
+3. (Optional) If you want to display a [custom block page](/cloudflare-one/policies/gateway/block-page/), [install a Cloudflare root certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/) on your device.
 ### Connect DNS locations
@@ -44,20 +44,16 @@ Gateway identifies locations differently depending on the DNS query protocol:
 ## 2. Verify device connectivity
+To verify your device is connected to Zero Trust:
+
-## 3. Add recommended policies
-
-To create a new DNS policy, go to **Gateway** > **Firewall policies** > **DNS** in Zero Trust. We recommend adding the following policy:
-
-### Block all security categories
-
-Block [known threats](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence.
+## 3. Create your first DNS policy
-
+
 ## 4. Add optional policies
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx
index 93d8565fead5904..984d2120868d741 100644
--- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx
+++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx
@@ -11,17 +11,4 @@ DNS policies determine how Gateway should handle a DNS request. When a user send
 You can filter DNS traffic based on query or response parameters (such as domain, source IP, or geolocation). You can also filter by user identity if you connect your devices to Gateway with the [WARP client or Cloudflare One Agent](/learning-paths/secure-internet-traffic/connect-devices-networks/install-agent/).
-To create a new DNS policy:
-
-1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
-2. In the **DNS** tab, select **Add a policy**.
-3. Name the policy.
-4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
-5. Choose an **Action** to take when traffic matches the logical expression. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories):
-6. Select **Create policy**.
-
-For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
+
diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx
new file mode 100644
index 000000000000000..d64fbee19051925
--- /dev/null
+++ b/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx
@@ -0,0 +1,20 @@
+---
+{}
+---
+
+import { Render } from "~/components";
+
+To create a new DNS policy:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
+2. In the **DNS** tab, select **Add a policy**.
+3. Name the policy.
+4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
+5. Choose an **Action** to take when traffic matches the logical expression. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories):
+6. Select **Create policy**.
+
+For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
From e756577154fb289f7499e6285521a5ecaa253e2b Mon Sep 17 00:00:00 2001
From: Max Phillips
Date: Wed, 11 Dec 2024 15:28:55 -0600
Subject: [PATCH 2/3] Add HTTP partial
---
 .../policies/gateway/initial-setup/http.mdx | 17 ++---------
 .../build-http-policies/create-policy.mdx | 24 +++------------
 .../get-started/create-http-policy.mdx | 29 +++++++++++++++++++
 3 files changed, 35 insertions(+), 35 deletions(-)
 create mode 100644 src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx
diff --git a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/http.mdx b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/http.mdx
index 2741e8dceaf771d..d924814c0977349 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/http.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/http.mdx
@@ -35,22 +35,9 @@ To filter HTTP requests from a device:
 params={{ one: "HTTP", two: "requests" }} />
-## 3. Add recommended policies
+## 3. Create your first HTTP policy
-To create a new HTTP policy, go to **Gateway** > **Firewall policies** > **HTTP** in Zero Trust.
-We recommend adding the following policies:
-
-### Bypass inspection for incompatible applications
-
-Bypass HTTP inspection for applications which use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations). This will help avoid any incompatibilities that may arise from an initial rollout. By the _Do Not Inspect_ app type, Gateway will filter any new applications when they are added to the group.
-
-
-
-### Block all security categories
-
-Block [known threats](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence.
-
-
+
 ## 4. Add optional policies
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/create-policy.mdx
index 2b566ef29b4e199..43d81c2b197e158 100644
--- a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/create-policy.mdx
+++ b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/create-policy.mdx
@@ -13,26 +13,10 @@ Now that you have considered which devices and applications TLS inspection shoul
 Use a standard naming convention when building all policies. Policy names should be unique across the Cloudflare account, follow the same structure, and be as descriptive as possible.
-To create a new HTTP policy:
-
-1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
-
-2. In the **HTTP** tab, select **Add a policy**.
-
-3. Name the policy.
-
-4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
-
-5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have enabled TLS inspection, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:
-
-
-
-6. Select **Create policy**.
-
-For more information, refer to [HTTP policies](/cloudflare-one/policies/gateway/http-policies/).
+
 ## Order your policies
diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx
new file mode 100644
index 000000000000000..d146717bc39f976
--- /dev/null
+++ b/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx
@@ -0,0 +1,29 @@
+---
+{}
+---
+
+import { Render } from "~/components";
+
+To create a new HTTP policy:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
+2. In the **HTTP** tab, select **Add a policy**.
+3. Name the policy.
+4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
+5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have enabled TLS inspection, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:
+
+
+ Cloudflare also recommends adding a policy to block [known threats](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence:
+
+
+6. Select **Create policy**.
+
+For more information, refer to [HTTP policies](/cloudflare-one/policies/gateway/http-policies/).
From 41c1e5325297393cb72df9b5c702cc26b76a303d Mon Sep 17 00:00:00 2001
From: Max Phillips
Date: Wed, 11 Dec 2024 15:35:29 -0600
Subject: [PATCH 3/3] Add network partial
---
 .../policies/gateway/initial-setup/http.mdx | 2 ++
 .../gateway/initial-setup/network.mdx | 12 ++++++++---
 .../build-network-policies/create-policy.mdx | 18 ++++------------
 .../get-started/create-network-policy.mdx | 20 +++++++++++++++++++
 4 files changed, 35 insertions(+), 17 deletions(-)
 create mode 100644 src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx
diff --git a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/http.mdx b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/http.mdx
index d924814c0977349..461e7ef78ac9805 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/http.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/http.mdx
@@ -30,6 +30,8 @@ To filter HTTP requests from a device:
 ## 2. Verify device connectivity
+To verify your device is connected to Zero Trust:
+ **Network**.
 2. Under **Gateway logging**, enable activity logging for all Network logs.
 3. On your WARP-enabled device, open a browser and visit any website.
@@ -43,6 +45,10 @@ To filter traffic from private networks, refer to the [Cloudflare Tunnel guide](
 3. Note the **Public IP**.
 5. In Zero Trust, go to **Logs** > **Gateway** > **Network**. Before building Network policies, make sure you see Network logs from the Source IP assigned to your device.
-## 3. Add policies
+## 3. Create your first network policy
+
+
+
+## 4. Add optional policies
-To create a new network policy, go to **Gateway** > **Firewall policies** > **Network** in Zero Trust. Refer to our list of [common network policies](/cloudflare-one/policies/gateway/network-policies/common-policies) for policies you may want to create.
+Refer to our list of [common network policies](/cloudflare-one/policies/gateway/network-policies/common-policies) for policies you may want to create.
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/create-policy.mdx
index f851a8d4abf54b2..b16bee0681ae60f 100644
--- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/create-policy.mdx
+++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/create-policy.mdx
@@ -9,17 +9,7 @@ import { Render } from "~/components";
 You can control network-level traffic by filtering requests by selectors such as IP addresses and ports. You can also integrate network policies with an [identity provider](/cloudflare-one/identity/idp-integration/) to apply identity-based filtering.
-To create a new network policy:
-
-1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
-2. In the **Network** tab, select **Add a policy**.
-3. Name the policy.
-4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
-5. Choose an **Action** to take when traffic matches the logical expression.
-6. Select **Create policy**.
-
-For more information, refer to [network policies](/cloudflare-one/policies/gateway/network-policies/).
+
diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx
new file mode 100644
index 000000000000000..93e7cd9acb26c15
--- /dev/null
+++ b/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx
@@ -0,0 +1,20 @@
+---
+{}
+---
+
+import { Render } from "~/components";
+
+To create a new network policy:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
+2. In the **Network** tab, select **Add a policy**.
+3. Name the policy.
+4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
+5. Choose an **Action** to take when traffic matches the logical expression.
+6. Select **Create policy**.
+
+For more information, refer to [network policies](/cloudflare-one/policies/gateway/network-policies/).