Common policies
The following policies are commonly used to secure network traffic.
For a baseline set of recommended policies, refer to Secure your Internet traffic and SaaS apps.
Refer to the network policies page for a comprehensive list of other selectors, operators, and actions.
To minimize the risk of shadow IT, some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks known AI tools:
| Selector | Operator | Value | Action |
|---|---|---|---|
| Application | in | Artificial Intelligence | Block |
```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block unauthorized applications",
    "description": "Block access to unauthorized AI applications",
    "enabled": true,
    "action": "block",
    "filters": ["l4"],
    "traffic": "any(app.type.ids[*] in {25})",
    "identity": "",
    "device_posture": ""
  }'
```

Configure access on a per-user or per-group basis by adding identity-based conditions to your policies.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Application | in | Salesforce | And | Block |
| User Group Names | in | Contractors |
```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Check user identity",
    "description": "Block access to Salesforce by temporary employees and contractors",
    "enabled": true,
    "action": "block",
    "filters": ["l4"],
    "traffic": "any(app.ids[*] in {606})",
    "identity": "any(identity.groups.name[*] in {\"Contractors\"})",
    "device_posture": ""
  }'
```

Require that devices have certain software installed or meet other configuration requirements. For instructions on enabling a device posture check, refer to the device posture section.

In the following example, a list of device serial numbers ensures that users can only access an application if they connect with the WARP client from a company device:
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| SNI Domain | is | internalapp.com | And | Block |
| Passed Device Posture Checks | not in | Device serial numbers |
```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "All-NET-ApplicationAccess-Allow",
    "description": "Ensure access to the application comes from authorized WARP clients",
    "precedence": 70,
    "enabled": false,
    "action": "block",
    "filters": ["l4"],
    "traffic": "any(net.sni.domains[*] == \"internalapp.com\")",
    "device_posture": "not(any(device_posture.checks.passed[*] in {\"<DEVICE_SERIAL_NUMBERS_LIST_UUID>\"}))"
  }'
```

To get the UUIDs of your device posture checks, use the List device posture rules endpoint.
```tf
resource "cloudflare_zero_trust_gateway_policy" "all_net_applicationaccess_allow" {
  account_id  = var.cloudflare_account_id
  name        = "All-NET-ApplicationAccess-Allow"
  description = "Ensure access to the application comes from authorized WARP clients"
  precedence  = 70
  enabled     = false
  action      = "block"
  filters     = ["l4"]
  traffic     = "any(net.sni.domains[*] == \"internalapp.com\")"
  # The list UUID is interpolated from the Gateway list resource that holds the device serial numbers.
  posture     = "not(any(device_posture.checks.passed[*] in {\"${cloudflare_zero_trust_list.allowed_devices_sn_list.id}\"}))"
}
```

To require users to re-authenticate after a certain amount of time has elapsed, configure WARP sessions.
Restrict user access to only the specific sites or applications configured in your HTTP policies.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Detected Protocol | is | TLS | And | Allow |
| Destination Port | in | 80, 443 |
```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Allow HTTP and HTTPS traffic",
    "description": "Restrict traffic to HTTP and HTTPS traffic",
    "enabled": true,
    "action": "allow",
    "filters": ["l4"],
    "traffic": "net.detected_protocol == \"tls\" and net.dst.port in {80 443}",
    "identity": "",
    "device_posture": ""
  }'
```

| Selector | Operator | Value | Action |
|---|---|---|---|
| Protocol | in | TCP, UDP | Block |
```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block all other traffic",
    "description": "Block all other traffic that is not HTTP or HTTPS",
    "enabled": true,
    "action": "block",
    "filters": ["l4"],
    "traffic": "net.protocol in {\"tcp\" \"udp\"}",
    "identity": "",
    "device_posture": ""
  }'
```

If your organization blocks traffic by default with a network policy and you want to inspect HTTP traffic on all ports, you must explicitly allow HTTP and TLS traffic so that it can be filtered.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Detected Protocol | is | TLS | Or | Allow |
| Detected Protocol | is | HTTP |
```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Allow on inspect all ports",
    "description": "Filter HTTPS traffic when using inspect all ports",
    "enabled": true,
    "action": "allow",
    "filters": ["l4"],
    "traffic": "net.detected_protocol == \"tls\" or net.detected_protocol == \"http\"",
    "identity": "",
    "device_posture": ""
  }'
```

When using proxy endpoints, by default all devices added to the proxy endpoint can access your internal applications and services connected through Cloudflare Tunnel. To restrict access and add an additional layer of security, create the following policies.
When using source IP proxy endpoints, restrict access to only users connecting through the proxy endpoint from specific source IPs.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Proxy Endpoint | in | Proxy Endpoint | And | Allow |
| Source IP | in | 203.0.113.0/24 | And | |
| Destination IP | in | 10.0.0.0/8 |
```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Allow proxy endpoint traffic from specific source IPs",
    "description": "Allow traffic from proxy endpoint users with specific source IPs to reach private network",
    "enabled": true,
    "action": "allow",
    "filters": ["l4"],
    "traffic": "net.proxy_endpoint.ids[*] in {\"<PROXY_ENDPOINT_ID>\"} and net.src.ip in {203.0.113.0/24} and net.dst.ip in {10.0.0.0/8}",
    "identity": "",
    "device_posture": ""
  }'
```

Replace `<PROXY_ENDPOINT_ID>` with your proxy endpoint ID.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Proxy Endpoint | in | Proxy Endpoint | And | Block |
| Destination IP | in | 10.0.0.0/8 |
```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block all other proxy endpoint traffic",
    "description": "Block any other proxy endpoint traffic from accessing the private network",
    "enabled": true,
    "action": "block",
    "filters": ["l4"],
    "traffic": "net.proxy_endpoint.ids[*] in {\"<PROXY_ENDPOINT_ID>\"} and net.dst.ip in {10.0.0.0/8}",
    "identity": "",
    "device_posture": ""
  }'
```

Replace `<PROXY_ENDPOINT_ID>` with your proxy endpoint ID.
When using authorization proxy endpoints, add an additional layer of security by restricting access to only users connecting from specific source IPs. This prevents unauthorized access even if user credentials are compromised.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Proxy Endpoint | in | Proxy Endpoint | And | Allow |
| Source IP | in | 203.0.113.0/24 | And | |
| Destination IP | in | 10.0.0.0/8 |
```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Allow authorized proxy endpoint traffic from specific source IPs",
    "description": "Allow traffic from authorization proxy endpoint users with specific source IPs to reach private network",
    "enabled": true,
    "action": "allow",
    "filters": ["l4"],
    "traffic": "net.proxy_endpoint.ids[*] in {\"<PROXY_ENDPOINT_ID>\"} and net.src.ip in {203.0.113.0/24} and net.dst.ip in {10.0.0.0/8}",
    "identity": "",
    "device_posture": ""
  }'
```

Replace `<PROXY_ENDPOINT_ID>` with your proxy endpoint ID.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Proxy Endpoint | in | Proxy Endpoint | And | Block |
| Destination IP | in | 10.0.0.0/8 |
```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block all other authorized proxy endpoint traffic",
    "description": "Block any other authorization proxy endpoint traffic from accessing the private network",
    "enabled": true,
    "action": "block",
    "filters": ["l4"],
    "traffic": "net.proxy_endpoint.ids[*] in {\"<PROXY_ENDPOINT_ID>\"} and net.dst.ip in {10.0.0.0/8}",
    "identity": "",
    "device_posture": ""
  }'
```

Replace `<PROXY_ENDPOINT_ID>` with your proxy endpoint ID.
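The Allow-then-Block pairs in the proxy endpoint policies above (and in the Cloudflare Tunnel policies later on this page) rely on Gateway evaluating policies in precedence order and applying the first match. The following Python simulator is an added example, not Cloudflare's code or API: it models those selectors with its own `Policy` and `Flow` types, uses the page's `<PROXY_ENDPOINT_ID>` placeholder, and shows that reversing the precedence lets the Block shadow the Allow.

```python
import ipaddress
import re
from dataclasses import dataclass, field
@dataclass
class Policy:                         # simplified model of one Gateway network policy
    name: str
    action: str                       # "allow" or "block"
    precedence: int                   # lower value is evaluated first
    dst_cidrs: list = field(default_factory=list)           # Destination IP selector
    src_cidrs: list = field(default_factory=list)           # Source IP selector
    proxy_endpoint_ids: list = field(default_factory=list)  # Proxy Endpoint selector
    email_regex: str = ""                                   # User Email "matches regex" selector

@dataclass
class Flow:                           # constructed flow attributes, not Gateway API field names
    dst_ip: str
    src_ip: str = "0.0.0.0"
    proxy_endpoint_id: str = ""
    email: str = ""

def in_cidrs(ip: str, cidrs: list) -> bool:
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c, strict=False) for c in cidrs)

def matches(p: Policy, f: Flow) -> bool:
    """Every configured selector must hold (the And logic in the tables); unset selectors are skipped."""
    return ((not p.dst_cidrs or in_cidrs(f.dst_ip, p.dst_cidrs))
            and (not p.src_cidrs or in_cidrs(f.src_ip, p.src_cidrs))
            and (not p.proxy_endpoint_ids or f.proxy_endpoint_id in p.proxy_endpoint_ids)
            and (not p.email_regex or re.search(p.email_regex, f.email) is not None))

def evaluate(policies: list, flow: Flow) -> tuple:
    """First match in precedence order decides. Traffic that matches nothing is allowed,
    which is why each section above pairs its Allow policy with a broader Block policy."""
    for p in sorted(policies, key=lambda x: x.precedence):
        if matches(p, flow):
            return p.name, p.action
    return "(no policy matched)", "allow"

ENDPOINT = "<PROXY_ENDPOINT_ID>"      # placeholder, exactly as in the curl examples above
PROXY_POLICIES = [
    Policy("Allow proxy endpoint traffic from specific source IPs", "allow", 10,
           dst_cidrs=["10.0.0.0/8"], src_cidrs=["203.0.113.0/24"], proxy_endpoint_ids=[ENDPOINT]),
    Policy("Block all other proxy endpoint traffic", "block", 20,
           dst_cidrs=["10.0.0.0/8"], proxy_endpoint_ids=[ENDPOINT]),
]

def with_reversed_order(policies: list) -> list:
    """Same policies with precedence negated so the Block is evaluated first and shadows the Allow."""
    return [Policy(p.name, p.action, -p.precedence, p.dst_cidrs, p.src_cidrs,
                   p.proxy_endpoint_ids, p.email_regex) for p in policies]
```

Note that a flow to a public destination outside `10.0.0.0/8` matches neither policy and is therefore allowed; the Block only fences the private network, which is the intended scope.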
Restrict access to resources which you have connected through Cloudflare Tunnel.
The following example consists of two policies: the first allows specific users to reach your application, and the second blocks all other traffic.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Destination IP | in | 10.0.0.0/8 | And | Allow |
| User Email | matches regex | .*@example.com |
```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Allow company employees",
    "description": "Allow any users with an organization email to reach the application",
    "enabled": true,
    "action": "allow",
    "filters": ["l4"],
    "traffic": "net.dst.ip in {10.0.0.0/8}",
    "identity": "identity.email matches \".*@example.com\"",
    "device_posture": ""
  }'
```

| Selector | Operator | Value | Action |
|---|---|---|---|
| Destination IP | in | 10.0.0.0/8 | Block |
```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block everyone else",
    "description": "Block any other users from accessing the application",
    "enabled": true,
    "action": "block",
    "filters": ["l4"],
    "traffic": "net.dst.ip in {10.0.0.0/8}",
    "identity": "",
    "device_posture": ""
  }'
```

Override traffic directed toward a specific IP address with a different IP address.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Destination IP | in | 203.0.113.17 | And | Network Override |
| Destination Port | is | 80 |
| Override IP | Override Port |
|---|---|
| 1.1.1.1 | 80 |
```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Override example.com with 1.1.1.1",
    "description": "Override a site'\''s IP address with another IP",
    "enabled": true,
    "action": "l4_override",
    "filters": ["l4"],
    "traffic": "net.dst.ip in {203.0.113.17} and net.dst.port == 80",
    "identity": "",
    "device_posture": "",
    "rule_settings": {
      "l4override": { "ip": "1.1.1.1", "port": 80 },
      "override_host": "",
      "override_ips": null
    }
  }'
```