From 21bbd3a2d7367056a09331b254a46cefa3a3dcd1 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 28 Apr 2025 17:28:30 -0500 Subject: [PATCH 1/6] Update content categories partial --- .../policies/gateway/egress-policies/index.mdx | 2 +- .../gateway/selectors/net-http-content-categories.mdx | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx index 19de0a07450d1b8..6fbeb0c6c8f927c 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx @@ -68,7 +68,7 @@ Gateway matches egress traffic against the following selectors, or criteria: diff --git a/src/content/partials/cloudflare-one/gateway/selectors/net-http-content-categories.mdx b/src/content/partials/cloudflare-one/gateway/selectors/net-http-content-categories.mdx index dc4ae28405299f9..88d7364e5a0b729 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/net-http-content-categories.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/net-http-content-categories.mdx @@ -5,8 +5,8 @@ params: import { Markdown } from "~/components"; -| UI name | API example | -| ------------------ | ------------------------------------------------------ | -| Content Categories | not(any({props.APIendpoint}[*] in \{1\})) | +| UI name | API example | +| ------------------ | ------------------------------------------------- | +| Content Categories | any({props.APIendpoint}[*] in \{1\}) | For more information, refer to the list of [content categories](/cloudflare-one/policies/gateway/domain-categories/#content-categories). From db579b19e57c7c07c6f2d6bc60a66aa12a54659a Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Mon, 28 Apr 2025 17:39:35 -0500 Subject: [PATCH 2/6] Update domain selector partial --- .../policies/gateway/dns-policies/index.mdx | 5 ++++- .../policies/gateway/egress-policies/index.mdx | 5 ++++- .../policies/gateway/resolver-policies.mdx | 5 ++++- .../partials/cloudflare-one/gateway/selectors/domain.mdx | 9 +++++---- 4 files changed, 17 insertions(+), 7 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx index 08f0a52ad860311..cd8ccec029bdd4e 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx @@ -347,7 +347,10 @@ Use this selector to filter DNS responses by their `TXT` records. ### Domain - + ### Host diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx index 6fbeb0c6c8f927c..f0f475a5d914107 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx @@ -101,7 +101,10 @@ Gateway matches egress traffic against the following selectors, or criteria: ### Domain - + diff --git a/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx index 1194e63a5d0cf1e..75b9610502dcc90 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx @@ -105,7 +105,10 @@ For more information on creating a DNS policy, refer to [DNS policies](/cloudfla ### Domain - + ### Host 
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/domain.mdx b/src/content/partials/cloudflare-one/gateway/selectors/domain.mdx index 8c6120987d580b7..c85501f76d238fa 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/domain.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/domain.mdx @@ -1,9 +1,10 @@ --- -{} +params: + - APIendpoint --- Use this selector to match against a domain and all subdomains. For example, you can match `example.com` and its subdomains, such as `www.example.com`. -| UI name | API example | Evaluation phase | -| ------- | -------------------------------------- | --------------------- | -| Domain | `any(dns.domains[*] == "example.com")` | Before DNS resolution | +| UI name | API example | Evaluation phase | +| ------- | ------------------------------------------------- | --------------------- | +| Domain | any({props.APIendpoint}[*] in \{1\}) | Before DNS resolution | From 56cac93b12fab6c23ceed34c2ab992421e97411e Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 28 Apr 2025 17:46:37 -0500 Subject: [PATCH 3/6] Update host selector partial --- .../policies/gateway/dns-policies/index.mdx | 2 +- .../policies/gateway/egress-policies/index.mdx | 5 ++++- .../policies/gateway/resolver-policies.mdx | 2 +- .../partials/cloudflare-one/gateway/selectors/host.mdx | 9 +++++---- .../gateway/selectors/net-http-content-categories.mdx | 2 -- 5 files changed, 11 insertions(+), 9 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx index cd8ccec029bdd4e..29bc9f72e040fa1 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx @@ -354,7 +354,7 @@ Use this selector to filter DNS responses by their `TXT` records. ### Host - + ### Indicator Feeds 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx index f0f475a5d914107..c0bdecde2879272 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx @@ -110,7 +110,10 @@ Gateway matches egress traffic against the following selectors, or criteria: ### Host - + diff --git a/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx index 75b9610502dcc90..0909917831fefca 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx @@ -112,7 +112,7 @@ For more information on creating a DNS policy, refer to [DNS policies](/cloudfla ### Host - + ### Location diff --git a/src/content/partials/cloudflare-one/gateway/selectors/host.mdx b/src/content/partials/cloudflare-one/gateway/selectors/host.mdx index 202698975f677bd..ae797bf3d89e340 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/host.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/host.mdx @@ -1,9 +1,10 @@ --- -{} +params: + - APIendpoint --- Use this selector to match against only the hostname specified. For example, you can match `test.example.com` but not `example.com` or `www.test.example.com`. -| UI name | API example | Evaluation phase | -| ------- | -------------------------------- | --------------------- | -| Host | `dns.fqdn == "test.example.com"` | Before DNS resolution | +| UI name | API example | Evaluation phase | +| ------- | --------------------------------------------------- | --------------------- | +| Host | {props.APIendpoint} == \"example.com\" | Before DNS resolution | 
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/net-http-content-categories.mdx b/src/content/partials/cloudflare-one/gateway/selectors/net-http-content-categories.mdx index 88d7364e5a0b729..e4b42094ea16da6 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/net-http-content-categories.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/net-http-content-categories.mdx @@ -3,8 +3,6 @@ params: - APIendpoint --- -import { Markdown } from "~/components"; - | UI name | API example | | ------------------ | ------------------------------------------------- | | Content Categories | any({props.APIendpoint}[*] in \{1\}) | From be2b3dc3295b0851da7cf8323dd01e00d3fc88ab Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 28 Apr 2025 17:53:09 -0500 Subject: [PATCH 4/6] Add WARP version --- .../policies/gateway/egress-policies/index.mdx | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx index c0bdecde2879272..5967c21a9445f11 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx 
@@ -180,17 +180,13 @@ Gateway uses Rust to evaluate regular expressions. The Rust implementation is sl The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors are only available for traffic onboarded to Gateway with [WARP](/cloudflare-one/connections/connect-devices/warp/), [PAC files](/cloudflare-one/connections/connect-devices/agentless/pac-files/), or [Browser Isolation](/cloudflare-one/policies/browser-isolation/). To use these selectors to filter traffic onboarded with WARP, you need to: -1. In your WARP Connector device profile, ensure Split Tunnel is set to [**Exclude IPs and domains**](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode). -2. [Remove the route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) to the IP address `100.64.0.0/10` from your Split Tunnel list. -3. [Add routes](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to exclude the following IP addresses: +1. Ensure you have deployed WARP version 2025.4.589.1 or later. +2. In your WARP Connector device profile, ensure Split Tunnel is set to [**Exclude IPs and domains**](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode). +3. [Remove the route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) to the IP address `100.64.0.0/10` from your Split Tunnel list. +4. [Add routes](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to exclude the following IP addresses: - `100.64.0.0/12` - `100.81.0.0/16` - `100.82.0.0/15` - `100.84.0.0/14` - `100.88.0.0/13` - `100.96.0.0/11` -4. 
Add and deploy the following key-value pair to your devices' [WARP configuration file](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/) (`mdm.xml` on Windows and Linux or `com.cloudflare.warp.plist` on macOS): - ```xml - doh_in_tunnel - - ``` From 0c6f0605374c8bf357eb6061efa08be7c69ec9bc Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 29 Apr 2025 15:57:09 -0500 Subject: [PATCH 5/6] Add WARP beta --- .../policies/gateway/egress-policies/index.mdx | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx index 760ddd1c413e3cc..aafabcf430a3ad5 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx 
@@ -180,9 +180,10 @@ Gateway uses Rust to evaluate regular expressions. The Rust implementation is sl The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors are only available for traffic onboarded to Gateway with [WARP](/cloudflare-one/connections/connect-devices/warp/), [PAC files](/cloudflare-one/connections/connect-devices/agentless/pac-files/), or [Browser Isolation](/cloudflare-one/policies/browser-isolation/). To use these selectors to filter traffic onboarded with WARP, you need to: -1. In your WARP [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/), ensure Split Tunnel is set to [**Exclude IPs and domains**](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode). -2. [Remove the route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) to the IP address `100.64.0.0/10` from your Split Tunnel list. -3. [Add routes](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to exclude the following IP addresses: +1. Ensure you have deployed [WARP beta version 2025.4.589.1](/cloudflare-one/connections/connect-devices/warp/download-warp/beta-releases/) or later on your users' devices. +2. In your WARP [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/), ensure Split Tunnel is set to [**Exclude IPs and domains**](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode). +3. [Remove the route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) to the IP address `100.64.0.0/10` from your Split Tunnel list. +4. 
[Add routes](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to exclude the following IP addresses: - `100.64.0.0/12` - `100.81.0.0/16` - `100.82.0.0/15` From 77937b5f40a906b2a46e88d4afc16d592c5e817c Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 30 Apr 2025 12:00:24 -0500 Subject: [PATCH 6/6] Fix other API examples --- .../cloudflare-one/gateway/selectors/destination-ip.mdx | 6 +++--- .../cloudflare-one/gateway/selectors/destination-port.mdx | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/content/partials/cloudflare-one/gateway/selectors/destination-ip.mdx b/src/content/partials/cloudflare-one/gateway/selectors/destination-ip.mdx index 554c7aed3e67da0..fff5591a77fbebf 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/destination-ip.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/destination-ip.mdx @@ -4,6 +4,6 @@ The IP address of the request's target. -| UI name | API example | -| -------------- | ---------------------------- | -| Destination IP | `net.dst.ip == "10.0.0.0/8"` | +| UI name | API example | +| -------------- | ------------------------- | +| Destination IP | `net.dst.ip == 192.0.2.0` | diff --git a/src/content/partials/cloudflare-one/gateway/selectors/destination-port.mdx b/src/content/partials/cloudflare-one/gateway/selectors/destination-port.mdx index 85f249da3621ea9..dea4ef78649ddac 100644 --- a/src/content/partials/cloudflare-one/gateway/selectors/destination-port.mdx +++ b/src/content/partials/cloudflare-one/gateway/selectors/destination-port.mdx @@ -4,6 +4,6 @@ The port number of the request's target. -| UI name | API example | -| ---------------- | ------------------------ | -| Destination Port | `net.dst.port == "2222"` | +| UI name | API example | +| ---------------- | ---------------------- | +| Destination Port | `net.dst.port == 2222` |
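Review bot: In PATCH 1/6, the `Content Categories` row of `selectors/net-http-content-categories.mdx` drops the `not(...)` wrapper, so the API example flips from excluding category `{1}` to matching it, and the subject line "Update content categories partial" does not say which of the two is intended. If the positive match is meant to be the canonical form, state that in the commit message, since anyone who modelled a policy on the old negated example gets the opposite result from the new one.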
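Review bot: In PATCH 2/6, the new `Domain` row in `selectors/domain.mdx` reads `any({props.APIendpoint}[*] in \{1\})`, which is the content-categories expression from PATCH 1/6 and no longer illustrates the sentence above the table about matching `example.com` and its subdomains. Keep the comparison from the removed row and parameterise only the field, for example `any({props.APIendpoint}[*] == "example.com")`. The partial now declares `APIendpoint` as a param, so confirm that each of the three pages touched under `### Domain` passes a value, and that `Before DNS resolution` is still the right evaluation phase when the partial is rendered from the egress policies page.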
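Review bot: In PATCH 3/6, the new `Host` row in `selectors/host.mdx` compares against `\"example.com\"`, but the paragraph above the table says the selector matches `test.example.com` and not `example.com`, which is what the removed row (`dns.fqdn == "test.example.com"`) showed. Keep `test.example.com` in the parameterised example so the text and the table agree, and check that the escaped `\"` renders as a plain quote in the table cell.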
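Review bot: In PATCH 3/6, the hunk on `selectors/net-http-content-categories.mdx` removes `import { Markdown } from "~/components";`, which is unrelated to the host selector named in the subject. Move that removal into PATCH 1/6, which already edits this partial, so each commit in the series stays self-contained.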
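Review bot: In PATCH 4/6, the hunk on `egress-policies/index.mdx` deletes the old step 4 (deploying the `doh_in_tunnel` key through `mdm.xml` or `com.cloudflare.warp.plist`) and adds a step 1 requiring WARP 2025.4.589.1 or later, without saying that the new minimum version is what makes the key unnecessary. State that relationship in step 1 or in the commit message, and say what administrators should do on devices where the key is already deployed. The exclude list in the last step covers all of `100.64.0.0/10` except `100.80.0.0/16`; naming that remaining range in the text would let readers verify their Split Tunnel list instead of working it out from six prefixes.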
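Review bot: In PATCH 5/6, step 1 now reads "WARP beta version 2025.4.589.1 ... or later", which leaves open whether a later stable release satisfies the requirement or only later beta builds do; spell that out. The removed lines in this hunk start from a three-step list that lacks the version step added in PATCH 4/6, and the `index` base `760ddd1c413e3cc` is not the `5967c21a9445f11` that PATCH 4/6 produced, so confirm the series still applies in order.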
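Review bot: In PATCH 6/6, the `Destination IP` example in `selectors/destination-ip.mdx` goes from the range `"10.0.0.0/8"` to the single address `192.0.2.0`, so the table no longer shows how to match a CIDR range. If this selector still accepts ranges, add a second example row for one. `192.0.2.0` is the network address of the 192.0.2.0/24 documentation block, so a host address such as `192.0.2.1` reads more naturally. Dropping the quotes here and in `net.dst.port == 2222` is a syntax change that the subject "Fix other API examples" does not explain; say in the commit message that these values are written unquoted.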