Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Network policies

With Cloudflare Zero Trust, you can configure policies to control network-level traffic leaving your endpoints. Using network selectors like IP addresses and ports, your policies will control access to any network origin. Because Cloudflare Zero Trust integrates with your identity provider, it also gives you the ability to create identity-based network policies. This means you can now control access to non-HTTP resources on a per-user basis regardless of where they are or what device they access that resource from.

A network policy consists of an Action as well as a logical expression that determines the scope of the action. To build an expression, you need to choose a Selector and an Operator, and enter a value or range of values in the Value field. You can use And and Or logical operators to evaluate multiple conditions.

If a condition in an expression joins a query attribute (such as Source IP) and a response attribute (such as Resolved IP), then the condition will be evaluated when the response is received.

​​ Actions

Like actions in DNS and HTTP policies, actions in network policies define which decision you want to apply to a given set of elements. You can assign one action per policy.

​​ Allow

API value: allow

Policies with Allow actions allow network traffic to reach certain IPs or ports. For example, the following configuration allows specific users to reach a given IP address:

Selector Operator Value Logic Action
Destination IP In 92.100.02.102 And Allow
Email In *@example.com

​​ Audit SSH

API value: audit_ssh

Policies with Audit SSH actions allow administrators to log SSH traffic. Gateway will detect SSH traffic over port 22. For example, the following configuration logs SSH commands sent to a given IP address:

Selector Operator Value Action
Destination IP In 203.0.113.83 Audit SSH

For more information on SSH logging, refer to Configure SSH proxy and command logs.

​​ Block

API value: block

Policies with Block actions block network traffic from reaching certain IPs or ports. For example, the following configuration blocks all traffic directed to port 443:

Selector Operator Value Action
Destination Port In 443 Block

​​ Network Override

API value: l4_override

Policies with Network Override actions override traffic directed to, or coming from, certain IPv4/IPv6 addresses or ports. Destination IPs can be public IPs or private IPs connected to your Zero Trust network. For example, the following configuration overrides traffic sent to a public IP with a private IP based on a user’s identity:

Selector Operator Value Logic Action
Destination IP In 95.92.143.151 And Network Override
User Email In *@example.com And
Override IP 10.0.0.1

​​ Selectors

Gateway matches network traffic against the following selectors, or criteria.

​​ Application

You can apply network policies to a growing list of popular web applications. Refer to Application and app types for more information.

UI name API example Evaluation phase
Application any(app.ids[*] in {505}) Before DNS resolution

​​ Destination Continent

The continent where the request is destined. Geolocation is determined from the target IP address. To specify a continent, enter its two-letter code into the Value field:

  • AF – Africa
  • AN – Antarctica
  • AS – Asia
  • EU – Europe
  • NA – North America
  • OC – Oceania
  • SA – South America
  • T1 – Tor network
UI name API example
Destination Continent IP Geolocation net.dst.geo.continent == "EU"

​​ Destination Country

The country that the request is destined for. Geolocation is determined from the target IP address. To specify a country, enter its ISO 3166-1 Alpha 2 code in the Value field.

UI name API example
Destination Country IP Geolocation net.dst.geo.country == "RU"

​​ Destination IP

The IP address of the request’s target.

UI name API example
Destination IP net.dst.ip == "10.0.0.0/8"

​​ Destination Port

The port number of the request’s target.

UI name API example
Destination Port net.dst.port == "2222"

​​ Detected Protocol

The inferred network protocol based on our protocol detection.

UI name API example
Detected Protocol net.protocol.detection == "ssh"

​​ Device Posture

With the Device Posture selector, admins can use signals from end-user devices to secure access to their internal and external resources. For example, a security admin can choose to limit all access to internal applications based on whether specific software is installed on a device and/or if the device or software are configured in a particular way.

UI name API example
Passed Device Posture Checks any(device_posture.checks.failed[*] in {"1308749e-fcfb-4ebc-b051-fe022b632644"}), any(device_posture.checks.passed[*] in {"1308749e-fcfb-4ebc-b051-fe022b632644"})"

​​ Protocol

The protocol used to send the packet.

UI name API example
Protocol net.protocol == "tcp"

​​ Proxy Endpoint

The proxy server where your browser forwards HTTP traffic.

UI name API example
Proxy Endpoint proxy.endpoint == "3ele0ss56t.proxy.cloudflare-gateway.com"

​​ SNI

The host whose Server Name Indication (SNI) header Gateway will filter traffic against. This will allow for an exact match.

UI name API example
SNI net.sni.host == "www.example.com"

​​ SNI Domain

The domain whose Server Name Indication (SNI) header Gateway will filter traffic against. For example, a rule for example.com will match example.com, www.example.com, and my.test.example.com.

UI name API example
SNI Domain net.sni.domains == "example.com"

​​ Source Continent

The continent of the user making the request.

Geolocation is determined from the device’s public IP address (typically assigned by the user’s ISP). To specify a continent, enter its two-letter code into the Value field:

  • AF – Africa
  • AN – Antarctica
  • AS – Asia
  • EU – Europe
  • NA – North America
  • OC – Oceania
  • SA – South America
  • T1 – Tor network
UI name API example Evaluation phase
Source Continent IP Geolocation net.src.geo.continent == "North America" Before DNS resolution

​​ Source Country

The country of the user making the request.

Geolocation is determined from the device’s public IP address (typically assigned by the user’s ISP). To specify a country, enter its ISO 3166-1 Alpha 2 code in the Value field.

UI name API example Evaluation phase
Source Country IP Geolocation net.src.geo.country == "RU" Before DNS resolution

​​ Source Internal IP

Use this selector to apply network policies to a private IP address, assigned by a user’s local network, that requests arrive to Gateway from. This selector will only apply to users connected through a Magic GRE or IPSec tunnel.

UI name API example
Source Internal IP net.src.internal_src_ip == "192.168.86.0/27"

​​ Source IP

UI name API example
Source IP net.src.ip == "10.0.0.0/8"

​​ Source Port

UI name API example
Source Port net.src.port == "2222"

​​ Users

The User, User Group, and SAML Attributes selectors require Gateway with WARP mode to be enabled in the Zero Trust WARP client, and the user to be enrolled in the organization via the WARP client. For more information on identity-based selectors, refer to the Identity-based policies page.

​​ Virtual Network

The Tunnel Virtual Network that the device is connected to via the WARP client.

UI name API example
Virtual Network net.vnet_id == "957fc748-591a-e96s-a15d-1j90204a7923"

​​ Comparison operators

Comparison operators are the way Gateway matches traffic to a selector. When you choose a Selector in the dashboard policy builder, the Operator dropdown menu will display the available options for that selector.

Operator Meaning
is equals the defined value
is not does not equal the defined value
in matches at least one of the defined values
not in does not match any of the defined values
in list in a pre-defined list of values
not in list not in a pre-defined list of values
matches regex regex evaluates to true
does not match regex regex evaluates to false
greater than exceeds the defined number
greater than or equal to exceeds or equals the defined number
less than below the defined number
less than or equal to below or equals the defined number

​​ Value

You can input a single value or use regular expressions to specify a range of values.

Gateway uses Rust to evaluate regular expressions. The Rust implementation is slightly different than regex libraries used elsewhere. For more information, refer to our guide for Wildcards.

For example, if you want to match multiple domains, you could use the pipe symbol (|) as an OR operator. In Gateway, you do not need to use an escape character (\) before the pipe symbol. The following configuration blocks requests to two hosts if either appears in a request header:

Selector Operator Value Action
Host Matches regex .\*whispersystems.org|.\*signal.org Block

To evaluate if your regex matches, you can use Rustexp.

​​ Logical operators

To evaluate multiple conditions in an expression, select the Add logical operator. These expressions can be compared further with the Or logical operator.

Operator Meaning
And match all of the conditions in the expression
Or match any of the conditions in the expression

The Or operator will only work with conditions in the same expression group. For example, you cannot compare conditions in Traffic with conditions in Identity or Device Posture.