Clarify behaviour of connectivity.cloudflareclient.com #16241
Comments
Please help me open my u

@jamie-sandbox we answered your query about

@deadlypants1973 Thanks for your response; however, this needs to be re-opened. As stated in my original description, we are seeing lots of connections which are going outside of the tunnel (contrary to what the documentation would suggest). We need clarification of:
a) Is this intentional, or a bug? (I suspect this is a bug)
b) If it is intentional, do we need to exempt this on our PAC file? Or is it acceptable for the connectivity checks to go through a corporate proxy?
It would be good if the documentation could reference this and state what the expected behaviour and configuration is.

Hey @jamie-sandbox, Version 2025.2.600.0 (https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/download-warp/) should have a fix for this. There's a disclaimer that if connectivity.cloudflareclient.com's IP is excluded explicitly by the user, then it will continue to flow outside the tunnel. (But this should not be a common or a default setting.) However, now that connectivity.cloudflareclient.com is going inside the tunnel, the Windows firewall won't see any connections to that. You should not need to configure any allows for these static IPs (162.159.138.65 and 162.159.137.65).

This issue was closed automatically because there has been no response from the original author. As it stands currently, we don't have enough information to take action. If you believe this issue was closed in error, a) apologies and b) open a new issue and reference this one in the body.

Existing documentation URL(s)
https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#connectivity-check
What changes are you suggesting?
The documentation states that connectivity.cloudflareclient.com performs a check inside the WARP tunnel, and therefore does not need to be whitelisted on the firewall.

However, we are seeing thousands of requests to connectivity.cloudflareclient.com in the logs of our corporate proxy server, implying that connections are following the system proxy settings and are not going through the WARP tunnel all of the time.

This has been observed both in full WARP and DoH-only modes.

Please can the expected behaviour be clarified? Should we add connectivity.cloudflareclient.com to our PAC file to force it to bypass the proxy server?

Additional information
No response