Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Applications and app types

Gateway allows you to build DNS, Network, and HTTP policies based on applications and app types. This feature gives you more granular control over how web applications are used on your network.

​​ Applications

When you choose the Application selector in a Gateway policy builder, the Value drop-down menu will show all supported applications and their respective app types. Alternatively, you can use the Gateway API to fetch a list of applications, app types, and ID numbers.

​​ App types

Application type Definition
Collaboration & Online Meetings Applications used to communicate or collaborate in a business setting.
Development Applications used for software development and development operations.
Email Applications used for email.
Encrypted DNS Applications used for encrypting DNS.
File Sharing Applications used to share files.
Finance & Accounting Applications used as finance and accounting tools.
Human Resources Applications used to manage employees and workforce tools.
Instant Messaging Applications used for instant messaging.
IT Management Applications used to manage IT deployments.
Legal Applications used as legal tools.
Productivity Applications used as business tools.
Public Cloud Applications used to manage public cloud infrastructure.
Sales & Marketing Applications used as sales and marketing tools.
Security Applications used for information security.
Social Networking Applications used for social networking.
Streaming Applications used for streaming video or audio.
Do Not Inspect Applications that are incompatible with the TLS man-in the middle certificate that is required for Cloudflare Gateway’s proxy to function. These applications either use certificate pinning or send non-web traffic such as Session Initiation Protocol (SIP) or Extensible Messaging and Presence Protocol (XMPP) over TLS.

​​ Do Not Inspect applications

Some applications are incompatible with TLS decryption for a variety of reasons, one of which is certificate pinning. This is a process used by applications to verify that the TLS certificate presented from the origin server matches a known, specified list of certificates hardcoded in the application.

This is a countermeasure to man-in-the-middle attacks where an attacker presents a trusted, but false, certificate on behalf of the origin in order to decrypt the traffic. This is exactly what TLS interception in a Secure Web Gateway does, although for the purposes of securing a user’s web traffic.

Gateway automatically groups applications incompatible with TLS decryption into the Do Not Inspect app type. To ensure that traffic gets through to these applications, you can create an HTTP policy for all Do Not Inspect applications.

Gateway periodically updates the Do Not Inspect app type to include new applications. By creating this Do Not Inspect HTTP policy and selecting all applications within the Do Not Inspect app type, you will ensure that your Do Not Inspect policy will apply to any new applications added to the app type.

​​ Office 365 integration

You can perform a one-click action to bypass TLS decryption for all Office 365 traffic. To enable, go to Settings > Network > Bypass decryption of Office 365 traffic and select Create policy. This will create a Do Not Inspect policy for all Office 365 domains and IP addresses specified by Microsoft. This policy also uses our own Cloudflare intelligence to determine which traffic belongs to Office 365.