Common policies
The following policies are commonly used to secure network traffic.
Refer to the network policies page for a comprehensive list of other selectors, operators, and actions.
To minimize the risk of shadow IT, some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks known AI tools:
| Selector | Operator | Value | Action | 
|---|---|---|---|
| Application | in | Artificial Intelligence | Block | 
```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --data '{
    "name": "Block unauthorized applications",
    "description": "Block access to unauthorized AI applications",
    "enabled": true,
    "action": "block",
    "filters": ["l4"],
    "traffic": "any(app.type.ids[*] in {25})",
    "identity": "",
    "device_posture": ""
  }'
```

Configure access on a per-user or per-group basis by adding identity-based conditions to your policies.
| Selector | Operator | Value | Logic | Action | 
|---|---|---|---|---|
| Application | in | Salesforce | And | Block | 
| User Group Names | in | Contractors | | |
```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --data '{
    "name": "Check user identity",
    "description": "Block access to Salesforce by temporary employees and contractors",
    "enabled": true,
    "action": "block",
    "filters": ["l4"],
    "traffic": "any(app.ids[*] in {606})",
    "identity": "any(identity.groups.name[*] in {\"Contractors\"})",
    "device_posture": ""
  }'
```

Require devices to have certain software installed or other configuration attributes. For instructions on enabling a device posture check, refer to the device posture section. For example, you can use a list of device serial numbers to ensure users can only access an application if they connect with the WARP client from a company device:
| Selector | Operator | Value | Logic | Action | 
|---|---|---|---|---|
| SNI Domain | is | example.com | And | Block | 
| Passed Device Posture Checks | not in | Device serial numbers | | |
```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --data '{
    "name": "Enforce device posture",
    "description": "Limit access to an internal application to approved organization devices",
    "enabled": true,
    "action": "block",
    "filters": ["l4"],
    "traffic": "any(net.sni.domains[*] == \"example.com\")",
    "identity": "",
    "device_posture": "not(any(device_posture.checks.passed[*] in {\"<POSTURE_CHECK_UUID>\"}))"
  }'
```

To get the UUIDs of your device posture checks, use the List device posture rules endpoint.
To require users to re-authenticate after a certain amount of time has elapsed, configure WARP sessions.
Restrict user access to only the specific sites or applications configured in your HTTP policies.
| Selector | Operator | Value | Logic | Action | 
|---|---|---|---|---|
| Detected Protocol | is | TLS | And | Allow | 
| Destination Port | in | 80, 443 | | |
```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --data '{
    "name": "Allow HTTP and HTTPS traffic",
    "description": "Restrict traffic to HTTP and HTTPS traffic",
    "enabled": true,
    "action": "allow",
    "filters": ["l4"],
    "traffic": "net.detected_protocol == \"tls\" and net.dst.port in {80 443}",
    "identity": "",
    "device_posture": ""
  }'
```

| Selector | Operator | Value | Action |
|---|---|---|---|
| Protocol | in | TCP, UDP | Block | 
```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --data '{
    "name": "Block all other traffic",
    "description": "Block all other traffic that is not HTTP or HTTPS",
    "enabled": true,
    "action": "block",
    "filters": ["l4"],
    "traffic": "net.protocol in {\"tcp\" \"udp\"}",
    "identity": "",
    "device_posture": ""
  }'
```

Restrict access to resources which you have connected through Cloudflare Tunnel.
The following example consists of two policies: the first allows specific users to reach your application, and the second blocks all other traffic.
| Selector | Operator | Value | Logic | Action | 
|---|---|---|---|---|
| Destination IP | in | 10.0.0.0/8 | And | Allow | 
| User Email | matches regex | .*@example.com | | |
```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --data '{
    "name": "Allow company employees",
    "description": "Allow any users with an organization email to reach the application",
    "enabled": true,
    "action": "allow",
    "filters": ["l4"],
    "traffic": "net.dst.ip in {10.0.0.0/8}",
    "identity": "identity.email matches \".*@example.com\"",
    "device_posture": ""
  }'
```

| Selector | Operator | Value | Action |
|---|---|---|---|
| Destination IP | in | 10.0.0.0/8 | Block | 
```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --data '{
    "name": "Block everyone else",
    "description": "Block any other users from accessing the application",
    "enabled": true,
    "action": "block",
    "filters": ["l4"],
    "traffic": "net.dst.ip in {10.0.0.0/8}",
    "identity": "",
    "device_posture": ""
  }'
```
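The following is an added illustration, not Cloudflare's code: it models how the device posture policy and the two Cloudflare Tunnel policies above combine, assuming Gateway ANDs a policy's `traffic`, `identity` and `device_posture` filters (an empty filter imposes no constraint) and applies the first policy that matches in precedence order. The expressions are hand-translated into Python predicates, `matches` is treated as an unanchored regex search, and the flow records and `<POSTURE_CHECK_UUID>` placeholder are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable

APPROVED_CHECK = "<POSTURE_CHECK_UUID>"  # posture check ID placeholder, as on the page

def always(_flow: dict) -> bool:
    return True  # an empty identity/device_posture filter places no constraint

@dataclass
class Rule:
    name: str
    action: str
    traffic: Callable[[dict], bool]
    identity: Callable[[dict], bool] = always
    device_posture: Callable[[dict], bool] = always

    def matches(self, flow: dict) -> bool:
        # Gateway ANDs the traffic, identity and device posture filters (assumption).
        return self.traffic(flow) and self.identity(flow) and self.device_posture(flow)

def evaluate(rules: list, flow: dict):
    """Action of the first rule that matches, in precedence order, or None if none does."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return None

# Predicates hand-translated from the page's expressions (flow keys: dst_ip, sni, email, passed_checks).
def in_private_net(flow):  # net.dst.ip in {10.0.0.0/8}
    return ipaddress.ip_address(flow["dst_ip"]) in ipaddress.ip_network("10.0.0.0/8")

def company_email(flow):  # identity.email matches ".*@example.com" (unanchored search assumed)
    return re.search(r".*@example.com", flow.get("email", "")) is not None

def sni_is_example(flow):  # any(net.sni.domains[*] == "example.com")
    return flow.get("sni") == "example.com"

def failed_posture(flow):  # not(any(device_posture.checks.passed[*] in {APPROVED_CHECK}))
    return APPROVED_CHECK not in flow.get("passed_checks", [])

ENFORCE_POSTURE = Rule("Enforce device posture", "block", sni_is_example, device_posture=failed_posture)
ALLOW_EMPLOYEES = Rule("Allow company employees", "allow", in_private_net, company_email)
BLOCK_OTHERS = Rule("Block everyone else", "block", in_private_net)
POLICIES = [ENFORCE_POSTURE, ALLOW_EMPLOYEES, BLOCK_OTHERS]  # page's order: allow before block
# Constructed sample flows: a managed employee device, a contractor, and an unmanaged device.
EMPLOYEE = {"dst_ip": "10.1.2.3", "email": "alice@example.com", "passed_checks": [APPROVED_CHECK]}
CONTRACTOR = {"dst_ip": "10.1.2.3", "email": "bob@contractor.test", "passed_checks": []}
UNMANAGED = {"dst_ip": "198.51.100.9", "sni": "example.com", "email": "alice@example.com", "passed_checks": []}
```

Evaluating `[BLOCK_OTHERS, ALLOW_EMPLOYEES]` instead of `POLICIES` blocks the employee flow too, which is why the allow policy must sit above the block policy in precedence.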