Network policies
With Cloudflare Zero Trust, you can configure policies to control network-level traffic leaving your endpoints. Using network selectors like IP addresses and ports, your policies will control access to any network origin. Because Cloudflare Zero Trust integrates with your identity provider, it also gives you the ability to create identity-based network policies. This means you can now control access to non-HTTP resources on a per-user basis regardless of where they are or what device they access that resource from.
A network policy consists of an Action as well as a logical expression that determines the scope of the action. To build an expression, you need to choose a Selector and an Operator, and enter a value or range of values in the Value field.
Actions
Just like actions in DNS and HTTP policies, actions in network policies define which decision you want to apply to a given set of elements. You can assign one action per policy.
Allow
Policies with Allow actions allow network traffic to reach certain IPs or ports. For example, the following configuration allows specific users to reach a given IP address:
| Selector | Operator | Value | Action |
|---|---|---|---|
| Destination IP | In | 92.100.02.102 | Allow |
| In | *@example.com |
Block
Policies with Block actions block network traffic from reaching certain IPs or ports. For example, the following configuration blocks all traffic directed to port 443:
| Selector | Operator | Value | Action |
|---|---|---|---|
| Destination Port | In | 443 | Block |
Network Override
Policies with Network Override actions do not inspect traffic directed to, or coming from, certain IPs or ports. For example, the following configuration overrides traffic to a public IP to a Private IP based on a user’s identity:
| Selector | Operator | Value | Action |
|---|---|---|---|
| Destination IP | In | 95.92.143.151 | Network Override |
| User Email | In | *@example.com | |
| Override IP | 10.0.0.1 |
Selectors
Gateway matches network traffic against the following selectors, or criteria.
Application
You can apply Network policies to a growing list of popular web applications. Refer to the Application and app types page for more information.
| UI name | API example |
|---|---|
| Application | any(app.ids[*] in {505} |
A list of supported applications and their ID numbers is available through the Gateway API endpoint.
Destination Continent
The continent that the request is destined for. Geolocation is determined from the target IP address. To specify a continent, enter its two-letter code into the Value field:
- AF – Africa
- AN – Antarctica
- AS – Asia
- EU – Europe
- NA – North America
- OC – Oceania
- SA – South America
- T1 – Tor network
| UI name | API example |
|---|---|
| Destination Continent IP Geolocation | net.dst.geo.continent == "EU" |
Destination Country
The country that the request is destined for. Geolocation is determined from the target IP address. To specify a country, enter its ISO 3166-1 Alpha 2 code in the Value field.
| UI name | API example |
|---|---|
| Destination Country IP Geolocation | net.dst.geo.country == "RU" |
Destination IP
The IP address of the request’s target.
| UI name | API example |
|---|---|
| Destination IP | net.dst.ip == "10.0.0.0/8" |
Destination Port
The port number of the request’s target.
| UI name | API example |
|---|---|
| Destination Port | net.dst.port == "2222" |
Device Posture
With the Device Posture selector, admins can use signals from end-user devices to secure access to their internal and external resources. For example, a security admin can choose to limit all access to internal applications based on whether specific software is installed on a device, and/or if the device or software are configured in a particular way.
| UI name | API example |
|---|---|
| Passed Device Posture Check | any(device_posture.checks.failed[*] in {"1308749e-fcfb-4ebc-b051-fe022b632644"}), any(device_posture.checks.passed[*] in {"1308749e-fcfb-4ebc-b051-fe022b632644"})" |
Protocol
The protocol used to send the packet.
| UI name | API example |
|---|---|
| Protocol | net.protocol == "tcp" |
SNI
The host whose Server Name Indication (SNI) header Gateway will filter traffic against. This will allow for an exact match.
| UI name | API example |
|---|---|
| SNI | net.sni.host == "www.example.com" |
SNI Domain
The domain whose Server Name Indication (SNI) header Gateway will filter traffic against. For example, a rule for example.com will match example.com, www.example.com, and my.test.example.com.
| UI name | API example |
|---|---|
| SNI Domain | net.sni.domains == "example.com" |
Source Continent
The continent of the user making the request. Geolocation is determined from the device’s public IP address (typically assigned by the user’s ISP). To specify a continent, enter its two-letter code into the Value field:
- AF – Africa
- AN – Antarctica
- AS – Asia
- EU – Europe
- NA – North America
- OC – Oceania
- SA – South America
- T1 – Tor network
| UI name | API example |
|---|---|
| Source Continent IP Geolocation | net.src.geo.continent == "North America" |
Source Country
The country of the user making the request. Geolocation is determined from the device’s public IP address (typically assigned by the user’s ISP). To specify a country, enter its ISO 3166-1 Alpha 2 code in the Value field.
| UI name | API example |
|---|---|
| Source Country IP Geolocation | net.src.geo.country == "RU" |
Source IP
The IP address of the user making the request.
| UI name | API example |
|---|---|
| Source IP | net.src.ip == "10.0.0.0/8" |
Source Port
The source port of the user making the request.
| UI name | API example |
|---|---|
| Source Port | net.src.port == "2222" |
Users
The User, User Group, and SAML Attributes selectors require Gateway with WARP mode to be enabled in the Zero Trust WARP client, and the user to be enrolled in the organization via the WARP client. For more information on identity-based selectors, refer to the Identity-based policies page.
Operators
Operators are the way Gateway matches traffic to a selector. When you choose a Selector in the dashboard policy builder, the Operator dropdown menu will display the available options for that selector.
| Operator | Meaning |
|---|---|
| is | equals the defined value |
| is not | does not equal the defined value |
| in | matches at least one of the defined values |
| not in | does not match any of the defined values |
| in list | in a pre-defined list of values |
| not in list | not in a pre-defined list of values |
| matches regex | regex evaluates to true |
| does not match regex | regex evaluates to false |
| greater than | exceeds the defined number |
| greater than or equal to | exceeds or equals the defined number |
| less than | below the defined number |
| less than or equal to | below or equals the defined number |
Value
You can input a single value or use regular expressions to specify a range of values.
Gateway uses Rust to evaluate regular expressions. The Rust implementation is slightly different than regex libraries used elsewhere. For more information, refer to our guide for Using wildcards in subdomains and paths.
For example, if you want to match multiple domains, you could use the pipe symbol (|) as an OR operator. In Gateway, you do not need to use an escape character (\) before the pipe symbol. The following configuration blocks requests to two hosts if either appears in a request header:
| Selector | Operator | Value | Action |
|---|---|---|---|
| Host | Matches regex | .\*whispersystems.org |.\*signal.org | Block |
To evaluate if your regex matches, you can use Rustexp.