Cloudflare Docs
Cloudflare Zero Trust

Common network policies

The following policies are commonly used to secure network traffic.

Refer to the network policies page for a comprehensive list of other selectors, operators, and actions.

Block unauthorized applications

To minimize the risk of shadow IT, some organizations choose to limit their users’ access to certain web-based tools and applications. For example, the following policy blocks AI assistants:

Selector    | Operator | Value         | Action
Application | in       | ChatGPT, Bard | Block

Check user identity

Configure access on a per-user or per-group basis by adding identity-based conditions to your policies.

Selector         | Operator | Value       | Logic | Action
Application      | in       | Salesforce  | And   | Block
User Group Names | in       | Contractors |       |

Enforce device posture

Require devices to have certain software installed or other configuration attributes. For instructions on enabling a device posture check, refer to the device posture section.

In the following example, users can only access an application if they connect from a company device.

Selector                     | Operator | Value                 | Logic | Action
Passed Device Posture Checks | not in   | Device serial numbers | And   | Block
SNI Domain                   | is       | internalapp.com       |       |

Enforce session duration

Require users to re-authenticate after a certain amount of time has elapsed.

Restrict access to private networks

Restrict access to resources which you have connected through Cloudflare Tunnel.

The following example consists of two policies: the first allows specific users to reach your application, and the second blocks all other traffic. Make sure that the Allow policy has higher priority (by positioning it towards the top of the list in the UI).

1. Allow company employees

Selector       | Operator      | Value         | Logic | Action
Destination IP | in            | 10.0.0.0/8    | And   | Allow
User Email     | Matches regex | .*@example.com |       |

2. Block everyone else

Selector       | Operator | Value      | Action
Destination IP | in       | 10.0.0.0/8 | Block
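The ordering rule above (Allow before Block) and the device posture policy are both easiest to understand with a small evaluator. The following Python is an added illustration written for this page, not Cloudflare's engine or API; it assumes first-match semantics (policies checked top to bottom, the first whose conditions all hold decides), a default of Allow when no policy matches, and full-string matching for the "Matches regex" operator. The connection records, emails and policy names are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Sequence


@dataclass
class Connection:
    """A constructed network connection as a policy engine would see it."""
    dst_ip: str
    sni: str = ""
    user_email: str = ""
    passed_posture_checks: Sequence[str] = ()


Condition = Callable[[Connection], bool]


@dataclass
class Policy:
    name: str
    action: str                    # "Allow" or "Block"
    conditions: Sequence[Condition]  # every row must hold (the tables' "And" logic)

    def matches(self, conn: Connection) -> bool:
        return all(cond(conn) for cond in self.conditions)


# Selector helpers mirroring the rows of the tables on this page.
def destination_ip_in(*cidrs: str) -> Condition:
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda conn: any(ipaddress.ip_address(conn.dst_ip) in n for n in nets)


def sni_domain_is(domain: str) -> Condition:
    return lambda conn: conn.sni.lower() == domain.lower()


def user_email_matches_regex(pattern: str) -> Condition:
    # Assumption: full-string match, so an address that merely contains
    # "@example.com" somewhere in a longer string does not satisfy the rule.
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda conn: rx.fullmatch(conn.user_email) is not None


def passed_posture_checks_not_in(*checks: str) -> Condition:
    return lambda conn: not any(c in conn.passed_posture_checks for c in checks)


def decide(policies: Sequence[Policy], conn: Connection, default: str = "Allow") -> str:
    """First policy in list order (top = highest priority) whose conditions hold decides.
    Assumption: traffic that matches no policy is allowed."""
    for policy in policies:
        if policy.matches(conn):
            return policy.action
    return default


# "Restrict access to private networks": the Allow policy must sit above the Block policy.
PRIVATE_NETWORK_POLICIES: List[Policy] = [
    Policy("1. Allow company employees", "Allow",
           [destination_ip_in("10.0.0.0/8"), user_email_matches_regex(r".*@example.com")]),
    Policy("2. Block everyone else", "Block",
           [destination_ip_in("10.0.0.0/8")]),
]

# "Enforce device posture": block internalapp.com unless the serial-number check passed.
DEVICE_POSTURE_POLICIES: List[Policy] = [
    Policy("Block unmanaged devices", "Block",
           [passed_posture_checks_not_in("Device serial numbers"), sni_domain_is("internalapp.com")]),
]


if __name__ == "__main__":
    employee = Connection("10.1.2.3", user_email="alice@example.com")
    contractor = Connection("10.1.2.3", user_email="bob@contractor.test")
    print(decide(PRIVATE_NETWORK_POLICIES, employee))                   # Allow
    print(decide(PRIVATE_NETWORK_POLICIES, contractor))                 # Block
    # Reversing the list puts the catch-all Block first and locks employees out too.
    print(decide(list(reversed(PRIVATE_NETWORK_POLICIES)), employee))   # Block
    print(decide(DEVICE_POSTURE_POLICIES, Connection("10.1.2.3", sni="internalapp.com")))  # Block
```

Running the script shows why priority matters: with the catch-all Block placed first, the employee Allow policy is never reached. The posture example also shows the "not in" shape of the rule: a device that has passed the serial-number check simply falls through to the default, while any other device reaching internalapp.com is blocked.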