diff --git a/src/content/changelog/cloudflare-one/cf1-data-security-analytics-v1.mdx b/src/content/changelog/cloudflare-one/cf1-data-security-analytics-v1.mdx index 8c3f60530b5ddb5..456b47c7909a7de 100644 --- a/src/content/changelog/cloudflare-one/cf1-data-security-analytics-v1.mdx +++ b/src/content/changelog/cloudflare-one/cf1-data-security-analytics-v1.mdx 
@@ -7,20 +7,20 @@ products: - casb --- -Zero Trust now includes **Data security analytics**, providing you with unprecedented visibility into your organization sensitive data. +Zero Trust now includes **Data security analytics**, providing you with unprecedented visibility into your organization sensitive data. The new dashboard includes: -* **Sensitive Data Movement Over Time:** - - See patterns and trends in how sensitive data moves across your environment. This helps understand where data is flowing and identify common paths. +- **Sensitive Data Movement Over Time:** + - See patterns and trends in how sensitive data moves across your environment. This helps understand where data is flowing and identify common paths. -* **Sensitive Data at Rest in SaaS & Cloud:** - - View an inventory of sensitive data stored within your corporate SaaS applications (for example, Google Drive, Microsoft 365) and cloud accounts (such as AWS S3). +- **Sensitive Data at Rest in SaaS & Cloud:** + - View an inventory of sensitive data stored within your corporate SaaS applications (for example, Google Drive, Microsoft 365) and cloud accounts (such as AWS S3). -* **DLP Policy Activity:** - - Identify which of your Data Loss Prevention (DLP) policies are being triggered most often. - - See which specific users are responsible for triggering DLP policies. +- **DLP Policy Activity:** + - Identify which of your Data Loss Prevention (DLP) policies are being triggered most often. + - See which specific users are responsible for triggering DLP policies. ![Data Security Analytics](~/assets/images/changelog/cloudflare-one/cf1-data-security-analytics-v1.png) -To access the new dashboard, log in to [Zero Trust](https://one.dash.cloudflare.com/) and go to **Analytics** on the sidebar. +To access the new dashboard, log in to [Cloudflare One](https://one.dash.cloudflare.com/) and go to **Insights** on the sidebar. 
diff --git a/src/content/changelog/cloudflare-one/new-cloudflare-one-navigation-and-product-experience.mdx b/src/content/changelog/cloudflare-one/new-cloudflare-one-navigation-and-product-experience.mdx index 7bc569827faf4ab..97f93490d4b2a37 100644 --- a/src/content/changelog/cloudflare-one/new-cloudflare-one-navigation-and-product-experience.mdx +++ b/src/content/changelog/cloudflare-one/new-cloudflare-one-navigation-and-product-experience.mdx 
@@ -13,14 +13,12 @@ There is a new guided experience on login detailing the changes, and you can use ![Cloudflare One Dash Changes](~/assets/images/changelog/cloudflare-one/cf1-dash-changes.png) Notable changes -- Product names have been removed from many top-level navigation items to help bring clarity to what they help you accomplish. For example, you can find Gateway policies under ‘Traffic policies’ and CASB findings under ‘Cloud & SaaS findings.’ -- You can view all analytics, logs, and real-time monitoring tools from ‘Insights.’ -- ‘Networks’ better maps the ways that your corporate network interacts with Cloudflare. Some pages like Tunnels, are now a tab rather than a full page as part of these changes. You can find them at Networks > Connectors. -- Settings are now located closer to the tools and resources they impact. For example, this means you’ll find your WARP configurations at Team & Resources > Devices. + +- Product names have been removed from many top-level navigation items to help bring clarity to what they help you accomplish. For example, you can find Gateway policies under ‘Traffic policies' and CASB findings under ‘Cloud & SaaS findings.' +- You can view all analytics, logs, and real-time monitoring tools from ‘Insights.' +- ‘Networks' better maps the ways that your corporate network interacts with Cloudflare. Some pages like Tunnels, are now a tab rather than a full page as part of these changes. You can find them at Networks > Connectors. +- Settings are now located closer to the tools and resources they impact. For example, this means you'll find your WARP configurations at Team & Resources > Devices. ![New Cloudflare One Navigation](~/assets/images/changelog/cloudflare-one/new-cf1-navigation.png) No changes to our API endpoint structure or to any backend services have been made as part of this effort. - - - 
diff --git a/src/content/docs/analytics/analytics-integrations/sentinel.mdx b/src/content/docs/analytics/analytics-integrations/sentinel.mdx index 83c5751ef1dd3fd..8f2648126a8a629 100644 --- a/src/content/docs/analytics/analytics-integrations/sentinel.mdx +++ b/src/content/docs/analytics/analytics-integrations/sentinel.mdx @@ -3,7 +3,6 @@ pcx_content_type: how-to title: Sentinel sidebar: order: 105 - --- import { Details } from "~/components"; @@ -30,9 +29,10 @@ This guide provides clear, step-by-step instructions for integrating Cloudflare 3. Select **Create Logpush Job**. Choose the log type you want to export (for example, **HTTP requests**). 4. For the destination, select **Azure Blob Storage**. 5. Enter your Azure Blob Storage details: - - SAS Token (Shared Access Signature) + - SAS Token (Shared Access Signature) + + To generate a SAS token from the Azure portal, first navigate to your storage account. Under the **Data Storage** section, select **Containers** and choose the relevant container. Within the settings, locate and select **Shared access signature**. Configure the required permissions, such as `write` and `create`, and specify the start and expiration dates for the token. Once configured, generate the SAS token accordingly. - To generate a SAS token from the Azure portal, first navigate to your storage account. Under the **Data Storage** section, select **Containers** and choose the relevant container. Within the settings, locate and select **Shared access signature**. Configure the required permissions, such as `write` and `create`, and specify the start and expiration dates for the token. Once configured, generate the SAS token accordingly. 6. Save and activate the Logpush job. For complete details, refer to the [Cloudflare Logpush to Azure documentation](/logs/logpush/logpush-job/enable-destinations/azure/). @@ -290,10 +290,8 @@ SecurityRuleDescription
-## Resources +## Resources [Download Cloudflare's CCF Sentinel Solution](https://marketplace.microsoft.com/en-us/product/azure-application/cloudflare.azure-sentinel-solution-cloudflare-ccf?tab=Overview)
-[Microsoft Data Lake Overview](https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-overview)
+[Microsoft Data Lake Overview](https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-overview)
[About the CCF Platform](https://learn.microsoft.com/en-us/azure/sentinel/create-codeless-connector) - - diff --git a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/index.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/index.mdx index dfe341c20dd5ab3..d3bd70ffb9ce0c7 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/index.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/index.mdx 
@@ -34,20 +34,20 @@ The following Access cookies are essential to Access functionality. Cookies that ### CF_Authorization (team domain) -| Details | Expiration | HttpOnly | SameSite | Required? | -| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | -------- | --------- | +| Details | Expiration | HttpOnly | SameSite | Required? | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | -------- | --------- | | [JSON web token (JWT)](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#access-jwts) set on the `cloudflareaccess.com` [team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) that contains the user's identity and enables Access to perform single 
sign-on (SSO) |
ViewIf set, adheres to [global session duration](/cloudflare-one/access-controls/access-settings/session-management/#global-session-duration).

If not, adheres to [application session duration](/cloudflare-one/access-controls/access-settings/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Yes | None | Required | ### CF_Authorization (Access application domain) -| Details | Expiration | HttpOnly | SameSite | Required? | -| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | ---------------------------- | --------- | +| Details | Expiration | HttpOnly | SameSite | Required? | +| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | ---------------------------- | --------- | | [JSON web token (JWT)](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#access-jwts) set on the domain protected by Access that allows Access to confirm that the user has been authenticated and is authorized to reach the origin |
ViewIf set, adheres to [policy session duration](/cloudflare-one/access-controls/access-settings/session-management/#policy-session-duration).

If not, adheres to [application session duration](/cloudflare-one/access-controls/access-settings/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Admin choice (Default: None) | Admin choice (Default: None) | Required | ### CF_Binding -| Details | Expiration | HttpOnly | SameSite | Required? | -| ---------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | -------- | --------- | +| Details | Expiration | HttpOnly | SameSite | Required? | +| ---------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | -------- | --------- | | Refer to [Binding cookie](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#binding-cookie) |
ViewIf set, adheres to [policy session duration](/cloudflare-one/access-controls/access-settings/session-management/#policy-session-duration).

If not, adheres to [application session duration](/cloudflare-one/access-controls/access-settings/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Yes | None | Optional | ### CF_Session @@ -64,8 +64,8 @@ The following Access cookies are essential to Access functionality. Cookies that ### CF_Device -| Details | Expiration | HttpOnly | SameSite | Required? | -| ----------------------------------------------------------------------------------------------------------------------------------- | ---------- | -------- | -------- | --------- | +| Details | Expiration | HttpOnly | SameSite | Required? | +| ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -------- | -------- | --------- | | Cookie used to help prevent abuse of the [Access OTP flow](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/) | 30 days | Yes | Strict | Required | ## Cookie settings @@ -124,7 +124,7 @@ Do not enable `HttpOnly` if: ### Binding cookie -The binding cookie (`CF_Binding`) is an optional cookie issued when a user successfully authenticates. The binding cookie is sent by the user’s browser and tied to a specific application’s `CF_Authorization` cookie. This cookie is stripped at Cloudflare's edge and never forwarded to the origin server. +The binding cookie (`CF_Binding`) is an optional cookie issued when a user successfully authenticates. The binding cookie is sent by the user's browser and tied to a specific application's `CF_Authorization` cookie. This cookie is stripped at Cloudflare's network and never forwarded to the origin server. Binding cookies protect users' `CF_Authorization` cookies from possible malicious origins. If a request arrives to Cloudflare's network without the expected binding cookie, Cloudflare rejects the `CF_Authorization` cookie. 
diff --git a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/docusign-access.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/docusign-access.mdx index 54356e67c0742f7..deb04d48e472ae4 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/docusign-access.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/docusign-access.mdx 
@@ -16,46 +16,43 @@ This guide covers how to configure [Docusign](https://support.docusign.com/s/doc ## 1. Create the Access for SaaS application -1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Access controls** > **Applications**. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Access controls** > **Applications**. -2. Select **Add an Application**. +2. Select **Add an Application**. -3. Select **SaaS**. +3. Select **SaaS**. -4. Use the following configuration: +4. Use the following configuration: + - Set the **Application** to _DocuSign_. + - Put placeholder values in **EntityID** and **Assertion Consumer Service URL** (for example, `https://example.com`). We'll come back and update these. + - Set **Name ID Format** to: _Unique ID_. - - Set the **Application** to _DocuSign_. - - Put placeholder values in **EntityID** and **Assertion Consumer Service URL** (for example, `https://example.com`). We'll come back and update these. - - Set **Name ID Format** to: _Unique ID_. +5. DocuSign requires SAML attributes to do Just In Time user provisioning. Ensure you are collecting SAML attributes from your IdP: + - Group + - username + - department + - firstName + - lastName + - phone -5. DocuSign requires SAML attributes to do Just In Time user provisioning. Ensure you are collecting SAML attributes from your IdP: +6. These IdP SAML values can then be mapped to the following DocuSign SAML attributes: + - Email + - Surname + - Givenname - - Group - - username - - department - - firstName - - lastName - - phone +7. Set an Access policy (for example, create a policy based on _Emails ending in @example.com_). -6. These IdP SAML values can then be mapped to the following DocuSign SAML attributes: +8. Copy and save the **SSO Endpoint**, **Entity ID** and **Public Key**. - - Email - - Surname - - Givenname +9. Transform the **Public Key** into a fingerprint: -7. 
Set an Access policy (for example, create a policy based on _Emails ending in @example.com_). + 1. Copy the **Public Key** Value. -8. Copy and save the **SSO Endpoint**, **Entity ID** and **Public Key**. + 2. Paste the **Public Key** into VIM or another code editor. -9. Transform the **Public Key** into a fingerprint: + 3. Wrap the value in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. - 1. Copy the **Public Key** Value. - - 2. Paste the **Public Key** into VIM or another code editor. - - 3. Wrap the value in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. - - 4. Set the file extension to `.crt` and save. + 4. Set the file extension to `.crt` and save. ## 2. Configure your DocuSign SSO instance @@ -64,7 +61,6 @@ This guide covers how to configure [Docusign](https://support.docusign.com/s/doc 2. From the DocuSign Admin dashboard, select **Identity Providers**. 3. On the Identity Providers page, select **ADD IDENTITY PROVIDER**. Use the following mappings from the saved Access Application values: - - **Name**: Pick your desired name. - **Identity Provider Issuer**: Entity ID. - **Identity Provider Login URL**: Assertion Consumer Service URL. @@ -81,7 +77,7 @@ This guide covers how to configure [Docusign](https://support.docusign.com/s/doc ## 3. Finalize your Cloudflare configuration -1. Go back to your DocuSign application under **Access** > **Applications**. +1. Go back to your DocuSign application under **Access controls** > **Applications**. 2. Select **Edit**. 3. Use the following mappings: - EntityID->Service Provider Issuer URL. diff --git a/src/content/docs/cloudflare-one/data-loss-prevention/detection-entries.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/detection-entries.mdx index 104e40c2ecf8f2e..8fe0e092f5d79ed 100644 --- a/src/content/docs/cloudflare-one/data-loss-prevention/detection-entries.mdx +++ b/src/content/docs/cloudflare-one/data-loss-prevention/detection-entries.mdx 
@@ -51,7 +51,7 @@ To select which Exact Data Match columns to use, you will need to [reupload any
-1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Data loss prevention** > **Detection entries**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Data loss prevention** > **Detection entries**. 2. From the **Datasets** tab, select **Add a dataset**. 3. Select **Exact Data Match (EDM)**. 4. Upload your dataset file. Select **Next**. @@ -65,7 +65,7 @@ DLP will encrypt your dataset and save its hash.
-1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Data loss prevention** > **Detection entries**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Data loss prevention** > **Detection entries**. 2. From the **Datasets** tab, select **Add a dataset**. 3. Select **Custom Wordlist (CWL)**. 4. Name your dataset. Optionally, add a description. @@ -83,8 +83,8 @@ The dataset will appear in the list with an **Uploading** status. Once the uploa Uploaded DLP datasets are read-only. To update a dataset, you must upload a new file to replace the original. -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Data loss prevention** > **DLP datasets**. -2. Select the dataset you want to update. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Data loss prevention** > **Detection entries**. +2. From the **Datasets** tab, select the dataset you want to update. 3. Select **Upload dataset** and choose your updated dataset. Select **Next**. 4. If your select dataset is an Exact Data Match dataset, review and choose the new columns. Select **Next**. 5. Select **Save dataset**. 
@@ -109,13 +109,12 @@ DLP supports documents in `.docx` and `.txt` format. Documents must be under 10 To upload a new document entry to DLP: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Data loss prevention** > **Detection entries**. -2. Go to **Documents**. -3. Select **Add a document entry**. -4. Name your document. Optionally, add a description. -5. In **Minimum similarity for matches**, enter a value between 0% and 100%. -6. In **Upload document**, choose and upload your document file. -7. Select **Save**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Data loss prevention** > **Detection entries**. +2. From the **Documents** tab, select **Add a document entry**. +3. Name your document. Optionally, add a description. +4. In **Minimum similarity for matches**, enter a value between 0% and 100%. +5. In **Upload document**, choose and upload your document file. +6. Select **Save**. The document will appear in the list with a **Pending** status. Once the upload is complete, the status will change to **Complete**. If you created a document entry with Terraform, the status will be **No file** until you upload a file. 
@@ -125,8 +124,8 @@ To use your uploaded document fingerprint, add it as an existing entry to a [cus Uploaded document entries are read-only. To update a document entry, you must upload a new file to replace the original. -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Data loss prevention** > **Detection entries**. -2. Choose the document you want to update and select **Edit**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Data loss prevention** > **Detection entries**. +2. From the **Documents** tab, choose the document you want to update and select **Edit**. 3. (Optional) Update the name and minimum similarity for matches for your document entry. You can also open the existing uploaded document. 4. In **Update document entry**, choose and upload your updated document file. 5. Select **Save**. diff --git a/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/index.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/index.mdx index 29bf6af7278de26..4749223a42ec7c9 100644 --- a/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/index.mdx +++ b/src/content/docs/cloudflare-one/data-loss-prevention/dlp-policies/index.mdx @@ -57,7 +57,7 @@ Different sites will send requests in different ways. For example, some sites wi ## 4. View DLP logs -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Insights** > **Logs** > **HTTP logs**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Insights** > **Logs** > **HTTP request logs**. 2. Select **Filter**. 3. Choose an item under one of the following filters: - **DLP Profiles** shows the requests which matched a specific DLP profile. diff --git a/src/content/docs/cloudflare-one/faq/getting-started-faq.mdx b/src/content/docs/cloudflare-one/faq/getting-started-faq.mdx index 21c6e8c8884c638..3458a87dac6d9cf 100644 --- a/src/content/docs/cloudflare-one/faq/getting-started-faq.mdx 
+++ b/src/content/docs/cloudflare-one/faq/getting-started-faq.mdx @@ -16,7 +16,7 @@ You can sign up today at [this link](https://one.dash.cloudflare.com). Follow th ## What is a team domain/team name? -Your team domain is a unique subdomain assigned to your Cloudflare account, for example, `.cloudflareaccess.com`. [Setting up a team domain](/cloudflare-one/setup/#create-a-zero-trust-organization) is an essential step in your Zero Trust configuration. This is where your users will find the apps you have secured behind Cloudflare Zero Trust — displayed in the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) — and will be able to make login requests to them. The customizable portion of your team domain is called **team name**. You can view your team name and team domain in Zero Trust under **Settings** > **Custom Pages**. +Your team domain is a unique subdomain assigned to your Cloudflare account, for example, `.cloudflareaccess.com`. [Setting up a team domain](/cloudflare-one/setup/#create-a-zero-trust-organization) is an essential step in your Zero Trust configuration. This is where your users will find the apps you have secured behind Cloudflare Zero Trust — displayed in the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) — and will be able to make login requests to them. The customizable portion of your team domain is called **team name**. You can view your team name and team domain in Cloudflare One under **Custom pages** > **Team name and domain**. | team name | team domain | | ---------------- | --------------------------------------- | 
@@ -41,25 +41,25 @@ After changing your team name, you will need to check your Block page, Login pag To verify that your team name change is successfully rendering on the Block page, Login page and App Launcher: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Custom Pages**. -2. Find the **Account Gateway block page** and **Login page** sections, then select **Customize** next to the page you would like to review first. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Custom pages** > **Team name and domain**. +2. Find the **Account Gateway block page** and **Access login page** sections, then select **Manage** next to the page you would like to review first. 3. Review that the value in **Your Organization's name** matches your new team name. 4. If the desired name is not already displayed, change the value to your desired team name and select **Save**. -5. Check both pages (**Account Gateway block page** and **Login page**) to set **Your Organization's name** as your desired team name. +5. Check both pages (**Account Gateway block page** and **Access login page** to set **Your Organization's name** as your desired team name. -The App Launcher will display the same team name set on the Login page, so you do not need to update the **Your Organization's name** field in the App Launcher page. +The App Launcher will display the same team name set on the Access login page, so you do not need to update the **Your Organization's name** field in the App Launcher page. ## How do I change my subscription plan? -To make changes to your subscription, visit the Billing section under Account in [Zero Trust](https://one.dash.cloudflare.com/). You can change or cancel your subscription at any time. Just remember - if you downgrade your plan during a billing cycle, your downgraded pricing will apply in the next billing cycle. If you upgrade during a billing cycle, you will be billed for the upgraded plan at the moment you select it. 
+To make changes to your subscription, visit the Billing section under **Settings** in [Cloudflare One](https://one.dash.cloudflare.com/). You can change or cancel your subscription at any time. Just remember - if you downgrade your plan during a billing cycle, your downgraded pricing will apply in the next billing cycle. If you upgrade during a billing cycle, you will be billed for the upgraded plan at the moment you select it. ## How are active seats measured? -Cloudflare Zero Trust subscriptions consist of seats that users in your account consume. When users authenticate to an application or enroll their agent into WARP, they count against one of your active seats. Seats can be added, removed, or revoked at **Settings** > **Account** > **Plan**. If all seats are currently consumed, you must first remove users before decreasing your purchased seat count. +Cloudflare Zero Trust subscriptions consist of seats that users in your account consume. When users authenticate to an application or enroll their agent into WARP, they count against one of your active seats. Seats can be added, removed, or revoked at **Settings** > **Cloudflare One plan**. If all seats are currently consumed, you must first remove users before decreasing your purchased seat count. ### Removing users -User seats can be removed for Access and Gateway at **My Team** > **Users**. Removing a user will have consequences both on Access and on Gateway: +User seats can be removed for Access and Gateway at **Team & Resources** > **Users** > **Your users**. Removing a user will have consequences both on Access and on Gateway: - **Access**: All active sessions for that user will be invalidated. A user will be able to log back into an application unless you create an [Access policy](/cloudflare-one/access-controls/policies/) to block future logins from that user. 
@@ -77,4 +77,4 @@ The Revoke action will terminate active sessions and log out active devices, but ## How do I know if my network is protected behind Cloudflare Zero Trust? -You can visit the [Zero Trust help page](https://help.teams.cloudflare.com). This page will give you an overview of your network details, as well as an overview of the categories that are being blocked and/or allowed. +You can visit the [Zero Trust help page](https://help.one.cloudflare.com/). This page will give you an overview of your network details, as well as an overview of the categories that are being blocked and/or allowed. diff --git a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx index 505ab2cda635e4b..4908e75b8ccb4c2 100644 --- a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx +++ b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx @@ -39,7 +39,6 @@ To install the Cloudflare root certificate, follow [this guide](/cloudflare-one/ Gateway presents an **HTTP Response Code: 526** error page in the following cases: - **An untrusted certificate is presented from the origin to Gateway.** Gateway will consider a certificate is untrusted if any of these conditions are true: - - The server certificate issuer is unknown or is not trusted by the service. - The server certificate is revoked and fails a CRL check. - There is at least one expired certificate in the certificate chain for the server certificate. 
@@ -47,7 +46,6 @@ Gateway presents an **HTTP Response Code: 526** error page in the following case - The common name on the certificate contains invalid characters (such as underscores). Gateway uses [BoringSSL](https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Basic&Vendor=Google&CertificateStatus=Active&ValidationYear=0) to validate certificates. Chrome's [validation logic](https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/cert/x509_certificate.cc#429) allows non-RFC 1305 compliant certificates, which is why the website may load when you turn off WARP. - **The connection from Gateway to the origin is insecure.** Gateway does not trust origins which: - - Only offer insecure cipher suites (such as RC4, RC4-MD5, or 3DES). You can use the [SSL Server Test tool](https://www.ssllabs.com/ssltest/index.html) to check which ciphers are supported by the origin. - Do not support [FIPS-compliant ciphers](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#cipher-suites) (if you have enabled [FIPS compliance mode](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#fips-compliance)). In order to load the page, you can either disable FIPS mode or create a Do Not Inspect policy for this host (which has the effect of disabling FIPS compliance for this origin). - Redirect all HTTPS requests to HTTP. 
@@ -67,7 +65,7 @@ For more troubleshooting information, refer to [Support](/support/troubleshootin You may not see analytics on the Overview page for the following reasons: -- **You are not sending DNS queries to Gateway**. Verify that the destination IP addresses you are sending DNS queries to are correct. You can check the destination IP addresses for your DNS location by going to **Gateway** > **DNS locations** and then expanding the location. +- **You are not sending DNS queries to Gateway**. Verify that the destination IP addresses you are sending DNS queries to are correct. You can check the destination IP addresses for your DNS location by going to **Networks** > **Resolvers & Proxies** > **DNS locations** and then expanding the location. - **You are using other DNS resolvers**. If you have other DNS resolvers in your DNS settings, your device could be using IP addresses for resolvers that are not part of Gateway. Make sure to remove all other IP addresses from your DNS settings and only include Gateway's DNS resolver IP addresses. - **The source IPv4 address for your DNS location is incorrect**. If you are using IPv4, check the source IPv4 address that you entered for the DNS location matches with the network's source IPv4 address. - **Analytics is not available yet**. It takes some time to generate the analytics for Cloudflare Gateway. If you are not seeing anything even after 5 minutes, file a support ticket. 
@@ -203,14 +201,15 @@ Before deploying a new certificate, [update WARP](/cloudflare-one/team-and-resou For WARP client versions before and after 2024.12.554.0, certificate propagation will only occur when the WARP client is responsible for automatically installing the certificate on the client device. To enable the WARP client to propogate certificates: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**. -2. Turn on **Install CA to system certificate store**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Team & Resources** > **Devices**. +2. Select the **Management** tab. +3. Turn on **Install CA to system certificate store**. If **Install CA to system certificate store** is turned off, you must [manually install the certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/), use an [MDM solution](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#mobile-device-management-mdm-software) to distribute the Cloudflare certificate to your fleet of devices, or not use the Cloudflare certificate because you do not want to have TLS decryption enabled. [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) must be enabled to enforce Gateway HTTP policies for HTTPS traffic. After enabling certificate propagation, you must update your certificate: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**, then select **Manage** next to **Cloudflare certificates**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Traffic settings**, then select **Certificates**. 2. Select **Generate certificate**. 3. Select the expiration date for this new certificate (five years is the default, but this can be adjusted) and select **Generate certificate**. 4. The new certificate will be marked **Inactive** at first. 
Select the **three dots** to the right of the certificate, then select **Activate** to activate the certificate. @@ -229,10 +228,10 @@ macOS Big Sur and newer releases do not allow WARP to automatically trust the ce After confirming that the certificate is installed and trusted on the end-user device, mark the certificate as **In-Use**. To mark the certificate as **In-Use**: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**, then select **Manage** next to **Cloudflare certificates**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Traffic settings**, then select **Certificates**. 2. Select a certificate. 3. In the detailed menu under **Basic Information**, select **Confirm and turn on certificate**. -4. Once turned on, the new certificate will now show as **In-Use** in Zero Trust. **In-Use** indicates that the certificate is being used for inspection. +4. Once turned on, the new certificate will now show as **In-Use** in Cloudflare One. **In-Use** indicates that the certificate is being used for inspection. It is recommended to have end users disconnect and reconnect WARP to expedite this change being reflected on their local machine. To verify the new certificate is being used correctly: 
@@ -310,13 +309,13 @@ You can also examine logs in your identity provider to identify any denied reque If your WSL2 environment is losing connectivity while using WARP, check your [split tunnel configuration](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/). -The issue may arise because the IP range that the WSL environment uses to communicate with the host device is included in the split tunnel configuration. Excluding the WSL environment’s IP range should restore connectivity. +The issue may arise because the IP range that the WSL environment uses to communicate with the host device is included in the split tunnel configuration. Excluding the WSL environment's IP range should restore connectivity. You must ensure the host device is included in the WARP tunnel while excluding the WSL environment to prevent connectivity issues between WSL and the host device. To debug this issue: -1. Review the WSL2 environment's IP address and compare it with the laptop’s IP. +1. Review the WSL2 environment's IP address and compare it with the laptop's IP. 2. Check if the WSL network is [included in the split tunnel configuration](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode). 3. If the WSL network is included, exclude it from the split tunnel to prevent connectivity issues. 
@@ -336,7 +335,7 @@ To resolve this error, review the following options: | `0` (disabled) | **Disabled** | ✅ Works - browser will use local IP address | | `2` (enabled) | **Enabled / Default** | ✅ Works - mDNS resolves successfully | -## After putting Google Workspace behind Access, I can’t log in. It keeps redirecting between Access and Google without ever completing authentication. +## After putting Google Workspace behind Access, I can't log in. It keeps redirecting between Access and Google without ever completing authentication. When you put your Google Workspace behind Access, users will not be able to log in using Google or Google Workspace as an identity provider. diff --git a/src/content/docs/cloudflare-one/insights/dex/ip-visibility.mdx b/src/content/docs/cloudflare-one/insights/dex/ip-visibility.mdx index cc31272d8b4293f..1ae2f4a7b1b42b5 100644 --- a/src/content/docs/cloudflare-one/insights/dex/ip-visibility.mdx +++ b/src/content/docs/cloudflare-one/insights/dex/ip-visibility.mdx @@ -46,7 +46,7 @@ IP information is crucial for IT administrators to accurately troubleshoot netwo To view IP information for a user device: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **My team** > **Devices**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Team & Resources** > **Devices** > **Your devices**. 2. Select a device, then select **View details**. 3. Under **Details**, scroll down to **IP details**. 4. Review the IP details for your selected device's most recent session. 
@@ -55,7 +55,7 @@ To view IP information for a user device: DEX's IP visibility allows you to review an event log of a device's IP history for the last seven days. To view a device's IP history: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **My team** > **Devices**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Team & Resources** > **Devices** > **Your devices**. 2. Select a device > **View details** > under **Details**, scroll down to **IP details**. 3. Select **View device history**. 4. View the device's IP history and status from the last seven days. diff --git a/src/content/docs/cloudflare-one/insights/dex/monitoring.mdx b/src/content/docs/cloudflare-one/insights/dex/monitoring.mdx index 34d8d8786f58cce..8f8ed8daa9a020a 100644 --- a/src/content/docs/cloudflare-one/insights/dex/monitoring.mdx +++ b/src/content/docs/cloudflare-one/insights/dex/monitoring.mdx @@ -17,7 +17,7 @@ A fleet is a collection of user devices. All devices in a fleet have WARP instal To view fleet status: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DEX** > **Monitoring**. +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Insights** > **Digital experience**. 2. In **DEX Monitoring**, review the information under the **Fleet Status** tab. ### View metrics 
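Review bot: step 1 of "To view fleet status" in monitoring.mdx still labels the dashboard link `[Zero Trust]` even though its navigation path was updated to **Insights** > **Digital experience**. The other updated steps in this patch use `[Cloudflare One]` for the same URL. Please change the label to match. Also check whether step 2's "In **DEX Monitoring**" still names something that exists on the renamed page, since that context line was left unchanged.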
@@ -32,12 +32,12 @@ To view analytics on a per-device level, go to [Device monitoring](/cloudflare-o - **Connectivity status**: Percentage of devices in a given WARP client state. - | Status | Description | - | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | - | Connected | WARP has successfully established a connection to the Cloudflare global network. | - | Disconnected | WARP has been intentionally or unintentionally disconnected from the Cloudflare global network. | + | Status | Description | + | ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | + | Connected | WARP has successfully established a connection to the Cloudflare global network. | + | Disconnected | WARP has been intentionally or unintentionally disconnected from the Cloudflare global network. | | Paused | A user or administrator has taken an explicit action to temporarily turn off WARP, for example by entering an [Admin Override](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#admin-override) code. Paused clients will [auto-connect](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#auto-connect) after a timeout period. | - | Connecting | WARP is pending connection, but is actively trying to establish a connection to the Cloudflare global network. 
| + | Connecting | WARP is pending connection, but is actively trying to establish a connection to the Cloudflare global network. | - **Mode**: [WARP mode](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/) deployed on the device. @@ -59,7 +59,7 @@ Review network and device performance for a device enrolled in your fleet. To view a device's network and device performance metrics: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **My team** > **Devices**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Team & Resources** > **Devices** > **Your devices**. 2. Select a device > **View details**. 3. Select the **DEX** tab. 4. In **Device Monitoring**, scroll down to **Network performance** and **Device Performance**. @@ -84,4 +84,8 @@ To view a device's network and device performance metrics: ## Export DEX device state event logs - + diff --git a/src/content/docs/cloudflare-one/insights/dex/rules.mdx b/src/content/docs/cloudflare-one/insights/dex/rules.mdx index ed283403536285d..7a55c335e517891 100644 --- a/src/content/docs/cloudflare-one/insights/dex/rules.mdx +++ b/src/content/docs/cloudflare-one/insights/dex/rules.mdx @@ -15,10 +15,11 @@ DEX rules are ideal for admins who want to define the scope of a test to a speci To create a rule: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DEX** > **Rules**. -2. Select **Add a rule**. -3. Give your rule a name and build your desired expressions. -4. Select **Create rule** to finalize your rule. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Insights** > **Digital experience**. +2. Select the **Rules** tab. +3. Select **Add a rule**. +4. Give your rule a name and build your desired expressions. +5. Select **Create rule** to finalize your rule. ### Selectors 
@@ -44,20 +45,23 @@ After you have created a rule, you can add it to a test. If you do not add a rul To add a rule to a test: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DEX** > **Tests**. -2. Choose an existing test and select **Edit**, or select **Add a test** to make a new test. -3. Under **Select DEX rules**, select the rule you would like to apply. -4. Select **Save test** for an existing rule or **Add rule** for the new test. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Insights** > **Digital experience**. +2. Select the **Tests** tab. +3. Choose an existing test and select **Edit**, or select **Add a test** to make a new test. +4. Under **Select DEX rules**, select the rule you would like to apply. +5. Select **Save test** for an existing rule or **Add rule** for the new test. :::note + ::: To view which tests a rule is being applied to: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DEX** > **Rules**. -2. Select a rule > **Edit**. -3. Select the **DEX tests** tab and review the list of tests that include your selected rule. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Insights** > **Digital experience**. +2. Select the **Rules** tab. +3. Choose a rule and select **Edit**. +4. Select the **DEX tests** tab and review the list of tests that include your selected rule. ## Create a test using a rule 
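Review bot: the renumbered step 5 in rules.mdx reads "Select **Save test** for an existing rule or **Add rule** for the new test", which does not follow from step 3, where the choice is between editing an existing test and adding a new one. The HTTP and traceroute procedures in this patch both end with "Select **Add test**", so this step probably should read "**Save test** for an existing test or **Add test** for a new test". Please confirm the button labels against the dashboard and fix the wording while the line is being renumbered anyway.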
@@ -65,12 +69,13 @@ You can create a new test from the [DEX test dashboard as described above](/clou To create a new test using a rule from DEX rules: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DEX** > **Rules**. -2. Select a rule > **Edit**. -3. Select the **DEX tests** tab. -4. You will be able to review all the tests that currently include this rule. To create a new test, select **Create a test using this rule**. -5. Enter all required information, making sure that the box next to your rule name is checked. -6. Select **Add test**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Insights** > **Digital experience**. +2. Select the **Rules** tab. +3. Select a rule and select **Edit**. +4. Select the **DEX tests** tab. +5. You will be able to review all the tests that currently include this rule. To create a new test, select **Create a test using this rule**. +6. Enter all required information, making sure that the box next to your rule name is checked. +7. Select **Add test**. ## Related resources diff --git a/src/content/docs/cloudflare-one/insights/dex/tests/http.mdx b/src/content/docs/cloudflare-one/insights/dex/tests/http.mdx index f472ec596aecb37..4690dfc610874b2 100644 --- a/src/content/docs/cloudflare-one/insights/dex/tests/http.mdx +++ b/src/content/docs/cloudflare-one/insights/dex/tests/http.mdx @@ -8,8 +8,7 @@ sidebar: import { Details, Render } from "~/components";
- -| [WARP modes](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | +| [WARP modes](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | | ------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | |
  • Gateway with WARP
  • Secure Web Gateway without DNS Filtering
| All plans | @@ -30,15 +29,16 @@ An HTTP test sends a `GET` request from an end-user device to a specific web app To set up an HTTP test for an application: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DEX** > **Tests**. -2. Select **Add a Test**. -3. Fill in the following fields: +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Insights** > **Digital experience**. +2. Select the **Tests** tab. +3. Select **Add a Test**. +4. Fill in the following fields: - **Name**: Enter any name for the test. - **Target**: Enter the URL of the website or application that you want to test (for example, `https://jira.site.com`). Both public and private hostnames are supported. If testing a private hostname, ensure that the domain is on your [local domain fallback](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/local-domains/) list. - **Source device profiles**: (Optional) Select the [WARP device profiles](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) that you want to run the test on. If no profiles are selected, the test will run on all supported devices connected to your Zero Trust organization. - **Test type**: Select _HTTP Get_. - **Test frequency**: Specify how often the test will run. Input a minute value between 5 and 60. -4. Select **Add test**. +5. Select **Add test**. Next, [view the results](/cloudflare-one/insights/dex/tests/view-results/) of your test. 
@@ -51,12 +51,16 @@ An HTTP test measures the following data: | Resource fetch time | Total time of all steps of the request, measured from [`startTime` to `responseEnd`](https://developer.mozilla.org/en-US/docs/Web/API/Performance_API/Resource_timing). | | Server response time | Round-trip time for the device to receive a response from the target. | | DNS response time | Round-trip time for the DNS query to resolve. | -| HTTP status codes | [Status code](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status) returned by the target. | +| HTTP status codes | [Status code](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status) returned by the target. | ## Export DEX application test logs - - + + ## Related resources -- [DEX rules](/cloudflare-one/insights/dex/rules/) - Specify the target group of a test. \ No newline at end of file +- [DEX rules](/cloudflare-one/insights/dex/rules/) - Specify the target group of a test. diff --git a/src/content/docs/cloudflare-one/insights/dex/tests/traceroute.mdx b/src/content/docs/cloudflare-one/insights/dex/tests/traceroute.mdx index 339788a99445241..3c5edc87c72e3c6 100644 --- a/src/content/docs/cloudflare-one/insights/dex/tests/traceroute.mdx +++ b/src/content/docs/cloudflare-one/insights/dex/tests/traceroute.mdx @@ -9,7 +9,7 @@ import { Details, Render } from "~/components";
-| [WARP modes](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | +| [WARP modes](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | | ------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | |
  • Gateway with WARP
  • Secure Web Gateway without DNS Filtering
| All plans | @@ -30,15 +30,16 @@ A traceroute test measures the network path of an IP packet from an end-user dev To set up a traceroute test for an application: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DEX** > **Tests**. -2. Select **Add a Test**. -3. Fill in the following fields: +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Insights** > **Digital experience**. +2. Select the **Tests** tab. +3. Select **Add a Test**. +4. Fill in the following fields: - **Name**: Enter any name for the test. - **Target**: Enter the IP address of the server you want to test (for example, `192.0.2.0`). You can test either a public-facing endpoint or a private endpoint you have connected to Cloudflare. - **Source device profiles**: (Optional) Select the [WARP device profiles](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) that you want to run the test on. If no profiles are selected, the test will run on all supported devices connected to your Zero Trust organization. - **Test type**: Select _Traceroute_. - **Test frequency**: Specify how often the test will run. Input a minute value between 5 and 60. -4. Select **Add test**. +5. Select **Add test**. Next, [view the results](/cloudflare-one/insights/dex/tests/view-results/) of your test. 
@@ -46,18 +47,22 @@ Next, [view the results](/cloudflare-one/insights/dex/tests/view-results/) of yo A traceroute test measures the following data: -| Data | Description | -| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| Network path | IP address, average response time, and packet loss for each hop between the device and the target. | -| Round trip time | Time between sending out a packet and receiving a response from the target. | -| Number of hops | Number of routers encountered between the device and the target. | -| Packet loss | Percentage of IP packets that failed to receive a response. | -| Availability | Percentage of tests where at least one packet reached the destination. | +| Data | Description | +| --------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Network path | IP address, average response time, and packet loss for each hop between the device and the target. | +| Round trip time | Time between sending out a packet and receiving a response from the target. | +| Number of hops | Number of routers encountered between the device and the target. 
| +| Packet loss | Percentage of IP packets that failed to receive a response. | +| Availability | Percentage of tests where at least one packet reached the destination. | | Last seen ISP | The Internet Service Provider that is managing the connection from the device to Cloudflare. (Only available on macOS and Windows.)

DEX looks up the IP address of the ISP in a geolocation database and returns the corresponding [ASO and ASN](https://www.cloudflare.com/learning/network-layer/what-is-an-autonomous-system/). If the ASO and ASN are `Unknown`, it means this information is unavailable in the geolocation data provider. | ## Export DEX application test logs - + ## Related resources diff --git a/src/content/docs/cloudflare-one/insights/dex/tests/view-results.mdx b/src/content/docs/cloudflare-one/insights/dex/tests/view-results.mdx index ac3312f08c05e43..09a2764a470a871 100644 --- a/src/content/docs/cloudflare-one/insights/dex/tests/view-results.mdx +++ b/src/content/docs/cloudflare-one/insights/dex/tests/view-results.mdx @@ -18,7 +18,7 @@ Use the results of a DEX test to monitor availability and performance for a spec To view an overview of test results for all devices: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DEX** > **Monitoring**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Insights** > **Digital experience**. 2. Select the **Tests** tab. 3. Under **Application tests**, select a test to view detailed results. @@ -26,14 +26,18 @@ To view an overview of test results for all devices: To view analytics on a per-device level: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **My Team** > **Devices**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Team & Resources** > **Devices** > **Your devices**. 2. Select the device you want to view, and then select **View details**. 3. Select the **Tests** tab. 4. Select a test to view detailed results. ## Export DEX application test logs - + ## Related resources diff --git a/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx b/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx index 56f39f4e33ca142..a40193c602a2736 100644 --- a/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx 
@@ -35,7 +35,7 @@ Authentication logs do not capture the user's actions during a self-hosted or Sa To view logs for identity-based authentication events: -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Logs** > **Access**. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Insights** > **Logs** > **Access authentication logs**. 2. Select a row to view details such as the login method, the IP address of the user, and more. @@ -43,15 +43,15 @@ To view logs for identity-based authentication events: The [Access authentication logs](/api/resources/zero_trust/subresources/access/subresources/logs/subresources/access_requests/methods/list/) API endpoint provides a custom URL to export audit log events for your account. ```json title="Response" 
@@ -83,31 +83,31 @@ Identity-based authentication logs contain the following fields: ##### Basic information -| Field | Description | -| ---------------- | ------------------------------------------------------------------------------------- | -| **App** | Name of the Access application. | -| **User email** | Email address of the authenticating user. | -| **User ID** | UUID of the authenticating user. | -| **IP address** | IP address of the authenticating user. | -| **App UID** | UUID of the Access application. | -| **App domain** | URL of the Access application. | +| Field | Description | +| ---------------- | ---------------------------------------------------------------------------------------------------------------------- | +| **App** | Name of the Access application. | +| **User email** | Email address of the authenticating user. | +| **User ID** | UUID of the authenticating user. | +| **IP address** | IP address of the authenticating user. | +| **App UID** | UUID of the Access application. | +| **App domain** | URL of the Access application. | | **App type** | Specifies the type of Access application: self-hosted, browser SSH, browser VNC, browser RDP, SaaS, or infrastructure. | -| **Event** | Type of authentication event, such as a login attempt. | -| **Connection** | IdP used to authenticate. | -| **Allow** | Result of the authentication event. | -| **Request time** | Timestamp of the authentication event. | -| **Ray ID** | A unique identifier for every request through Cloudflare. | -| **Country** | Country associated with the user's IP address. | +| **Event** | Type of authentication event, such as a login attempt. | +| **Connection** | IdP used to authenticate. | +| **Allow** | Result of the authentication event. | +| **Request time** | Timestamp of the authentication event. | +| **Ray ID** | A unique identifier for every request through Cloudflare. | +| **Country** | Country associated with the user's IP address. 
| ##### Infrastructure applications Cloudflare Access logs the following information when the user authenticates to an [infrastructure application](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/): -| Field | Description | -| ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| **Hostname** | Hostname of the infrastructure target. | -| **Target ID** | UUID of the infrastructure target. | -| **SSH user** | The UNIX user, such as `root`, that the authenticating user specified when connecting to the infrastructure target. | +| Field | Description | +| ------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **Hostname** | Hostname of the infrastructure target. | +| **Target ID** | UUID of the infrastructure target. | +| **SSH user** | The UNIX user, such as `root`, that the authenticating user specified when connecting to the infrastructure target. | | **SSH logs** | SSH commands that the user ran on the target. Requires configuring an [SSH encryption key](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#ssh-command-logs) before the session begins. | ### Non-identity authentication diff --git a/src/content/docs/cloudflare-one/insights/logs/gateway-logs/index.mdx b/src/content/docs/cloudflare-one/insights/logs/gateway-logs/index.mdx index 08bc7051fdd2bd1..9ad7d556ec4de25 100644 --- a/src/content/docs/cloudflare-one/insights/logs/gateway-logs/index.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/gateway-logs/index.mdx 
@@ -15,15 +15,15 @@ Gateway logs will only show the public IP address for the **Source IP** field. P Gateway activity logs show the individual DNS queries, Network packets, and HTTP requests inspected by Gateway. You can also download encrypted [SSH command logs](/cloudflare-one/traffic-policies/network-policies/ssh-logging/) for sessions proxied by Gateway. -To view Gateway activity logs, log in to [Zero Trust](https://one.dash.cloudflare.com/) and go to **Logs** > **Gateway**. Select an individual row to investigate the event in more detail. +To view Gateway activity logs, log in to [Cloudflare One](https://one.dash.cloudflare.com/) and go to **Insights** > **Logs** and choose a type of Gateway log. Select an individual row to investigate the event in more detail. Enterprise users can generate more detailed logs with [Logpush](/cloudflare-one/insights/logs/logpush/). ## Selective logging -By default, Gateway logs all events, including DNS queries and HTTP requests that are allowed and not a risk. You can choose to disable logs or only log blocked requests. To customize what type of events are recorded, log in to [Zero Trust](https://one.dash.cloudflare.com/) and go to **Settings** > **Network**. Under **Activity Logging**, indicate your DNS, Network, and HTTP log preferences. +By default, Gateway logs all events, including DNS queries and HTTP requests that are allowed and not a risk. You can choose to disable logs or only log blocked requests. To customize what type of events are recorded, log in to [Cloudflare One](https://one.dash.cloudflare.com/) and go to **Traffic policies** > **Traffic settings**. Under **Traffic logging** > **Log traffic activity**, indicate your DNS, Network, and HTTP log preferences. -These settings will only apply to logs displayed in Zero Trust. Logpush data is unaffected. +These settings will only apply to logs displayed in Cloudflare One. Logpush data is unaffected. ## DNS logs 
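Review bot: the new instruction in gateway-logs/index.mdx, "go to **Insights** > **Logs** and choose a type of Gateway log", leaves the reader to guess which menu entries count as Gateway logs. By contrast, audit-logs.mdx in this same patch spells out the full path (**Insights** > **Logs** > **Access authentication logs**). Please name the DNS, Network and HTTP entries explicitly so the two pages are consistent. In the selective logging paragraph, "Under **Traffic logging** > **Log traffic activity**" uses the same `>` separator for what appears to be a section and a setting on the page rather than sidebar navigation; consider wording it as "in the **Traffic logging** section, under **Log traffic activity**" if that is the case.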
@@ -31,27 +31,27 @@ These settings will only apply to logs displayed in Zero Trust. Logpush data is #### Basic information -| Field | Description | -| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| **Query name** | Name of the domain that was queried. | -| **Query ID** | UUID of the query assigned by Cloudflare. | +| Field | Description | +| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **Query name** | Name of the domain that was queried. | +| **Query ID** | UUID of the query assigned by Cloudflare. | | **Email** | Email address of the user who registered the WARP client where traffic originated from. If a non-identity on-ramp (such as a [proxy endpoint](/cloudflare-one/team-and-resources/devices/agentless/pac-files/)) or machine-level authentication (such as a [service token](/cloudflare-one/access-controls/service-credentials/service-tokens/)) was used, this value will be `non_identity@.cloudflareaccess.com`. | -| **Action** | The [Action](/cloudflare-one/traffic-policies/dns-policies/#actions) Gateway applied to the query (such as Allow or Block). | -| **Time** | Date and time of the DNS query. | -| **Resolver decision** | The reason why Gateway applied a particular **Action** to the request. 
Refer to the [list of resolver decisions](#resolver-decisions). | -| **Resolved IPs** | Resolved IP addresses in the response. | -| **CNAMEs** | `CNAME` records in the query. | +| **Action** | The [Action](/cloudflare-one/traffic-policies/dns-policies/#actions) Gateway applied to the query (such as Allow or Block). | +| **Time** | Date and time of the DNS query. | +| **Resolver decision** | The reason why Gateway applied a particular **Action** to the request. Refer to the [list of resolver decisions](#resolver-decisions). | +| **Resolved IPs** | Resolved IP addresses in the response. | +| **CNAMEs** | `CNAME` records in the query. | #### Configuration information -| Field | Description | -| ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | +| Field | Description | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | | **DNS location** | [User-configured location](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/) from where the DNS query was made. | -| **Policy name** | Name of the matched policy. | -| **Policy ID** | ID of the matched policy. | -| **Policy description** | Description of the matched policy. | -| **DoH subdomain** | DoH subdomain of the DNS location. | -| **Protocol** | Protocol that was used to make the DNS query (such as `https`). | +| **Policy name** | Name of the matched policy. | +| **Policy ID** | ID of the matched policy. | +| **Policy description** | Description of the matched policy. | +| **DoH subdomain** | DoH subdomain of the DNS location. | +| **Protocol** | Protocol that was used to make the DNS query (such as `https`). | #### Identities 
@@ -143,12 +143,12 @@ Gateway can log failed connections in [network session logs](/logs/logpush/logpu #### Matched policies -| Field | Description | -| ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | +| Field | Description | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | | **DNS location** | [User-configured location](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/) from where the DNS query was made. | -| **Policy name** | Name of the matched policy. | -| **Policy ID** | ID of the policy enforcing the decision Gateway made. | -| **Policy description** | Description of the matched policy. | +| **Policy name** | Name of the matched policy. | +| **Policy ID** | ID of the policy enforcing the decision Gateway made. | +| **Policy description** | Description of the matched policy. | #### Identities 
@@ -163,25 +163,25 @@ Gateway can log failed connections in [network session logs](/logs/logpush/logpu #### Network query details -| Field | Description | -| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | -| **Source IP** | IP address of the user sending the packet. | -| **Source port** | Source port number for the packet. | -| **Source country** | Country code for the packet source. | -| **Source IP continent** | Continent code of the source IP address. | -| **Source IP country** | Country code of the source IP address. | -| **Destination IP** | IP address of the packet's target. | -| **Destination port** | Destination port number for the packet. | -| **Destination IP continent** | Continent code of the IP address for the packet's destination. | -| **Destination IP country** | Country code of the IP address for the packet's destination. | -| **Transport protocol** | Protocol over which the packet was sent. | -| **Detected Protocol** | The detected [network protocol](/cloudflare-one/traffic-policies/network-policies/protocol-detection/). | -| **SNI** | Host whose Server Name Indication (SNI) header Gateway will filter traffic against. | +| Field | Description | +| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **Source IP** | IP address of the user sending the packet. | +| **Source port** | Source port number for the packet. | +| **Source country** | Country code for the packet source. | +| **Source IP continent** | Continent code of the source IP address. | +| **Source IP country** | Country code of the source IP address. | +| **Destination IP** | IP address of the packet's target. | +| **Destination port** | Destination port number for the packet. 
| +| **Destination IP continent** | Continent code of the IP address for the packet's destination. | +| **Destination IP country** | Country code of the IP address for the packet's destination. | +| **Transport protocol** | Protocol over which the packet was sent. | +| **Detected Protocol** | The detected [network protocol](/cloudflare-one/traffic-policies/network-policies/protocol-detection/). | +| **SNI** | Host whose Server Name Indication (SNI) header Gateway will filter traffic against. | | **Virtual Network** | [Virtual network](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) that the client is connected to. | -| **Category details** | Category or categories associated with the packet. | -| **Proxy endpoint** | [PAC file proxy endpoint](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) Gateway forwarded traffic to, if applicable. | -| **Application ID** | ID of the application that matched the domain. | -| **Application name** | Name of the application that matched the domain. | +| **Category details** | Category or categories associated with the packet. | +| **Proxy endpoint** | [PAC file proxy endpoint](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) Gateway forwarded traffic to, if applicable. | +| **Application ID** | ID of the application that matched the domain. | +| **Application name** | Name of the application that matched the domain. | ## HTTP logs 
@@ -205,20 +205,20 @@ When an HTTP request results in an error, Gateway logs the first 512 bytes of th | **Source internal IP** | Private IP address assigned by the user's local network. | | **User agent** | User agent header sent in the request by the originating device. | | **Policy details** | Policy corresponding to the decision Gateway made based on the traffic criteria of the request. | -| **DLP profiles** | Name of the matched [DLP profile](/cloudflare-one/data-loss-prevention/dlp-profiles/). | +| **DLP profiles** | Name of the matched [DLP profile](/cloudflare-one/data-loss-prevention/dlp-profiles/). | | **DLP profile entries** | Name of the matched entry within the DLP profile. | | **Uploaded/downloaded file** | Information about the file transferred in the request found by [enhanced file detection](#enhanced-file-detection). Details include:
  • File name
  • File type
  • File size
  • File hash (for Allowed requests only)
  • Content type
  • Direction (Upload/Download)
  • Action (Block/Allow)
| #### Matched policies -| Field | Description | -| ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | +| Field | Description | +| ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | | **DNS location** | [User-configured location](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/) from where the DNS query was made. | -| **Policy name** | Name of the matched policy. | -| **Policy ID** | ID of the matched policy. | -| **Policy description** | Description of the matched policy. | -| **Matched category ID** | ID of the category matched in the policy. | -| **Matched category name** | Name of the category matched in the policy. | +| **Policy name** | Name of the matched policy. | +| **Policy ID** | ID of the matched policy. | +| **Policy description** | Description of the matched policy. | +| **Matched category ID** | ID of the category matched in the policy. | +| **Matched category name** | Name of the category matched in the policy. | #### Identities 
@@ -233,29 +233,29 @@ When an HTTP request results in an error, Gateway logs the first 512 bytes of th #### HTTP query details -| Field | Description | -| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | -| **HTTP Version** | HTTP version of the origin that Gateway connected to on behalf of the user. | -| **HTTP Method** | HTTP method used for the request (such as `GET` or `POST`). | -| **HTTP Status Code** | [HTTP status code](/support/troubleshooting/http-status-codes/) returned in the response. | -| **URL** | Full URL of the HTTP request. | -| **Referer** | Referer request header containing the address of the page making the request. | -| **Source IP** | Public source IP address of the HTTP request. | -| **Source Port** | Port that was used to make the HTTP request. | -| **Source IP continent** | Continent code of the HTTP request. | -| **Source IP country** | Country code of the HTTP request. | -| **Destination IP** | Public IP address of the destination requested. | -| **Destination Port** | Port of the destination requested. | -| **Destination IP continent** | Continent code of the destination requested. | -| **Destination IP country** | Country code of the destination requested. | -| **Blocked file reason** | Reason why the file was blocked if a file transfer occurred or was attempted. | -| **Category details** | Detailed information on the category the blocked file belongs to. | -| **Application ID** | ID of the application that matched the domain. | -| **Application name** | Name of the application that matched the domain. | -| **Categories** | [Content categories](/cloudflare-one/traffic-policies/domain-categories/) that the domain belongs to. | -| **Proxy endpoint** | [PAC file proxy endpoint](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) Gateway forwarded traffic to, if applicable. 
| +| Field | Description | +| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **HTTP Version** | HTTP version of the origin that Gateway connected to on behalf of the user. | +| **HTTP Method** | HTTP method used for the request (such as `GET` or `POST`). | +| **HTTP Status Code** | [HTTP status code](/support/troubleshooting/http-status-codes/) returned in the response. | +| **URL** | Full URL of the HTTP request. | +| **Referer** | Referer request header containing the address of the page making the request. | +| **Source IP** | Public source IP address of the HTTP request. | +| **Source Port** | Port that was used to make the HTTP request. | +| **Source IP continent** | Continent code of the HTTP request. | +| **Source IP country** | Country code of the HTTP request. | +| **Destination IP** | Public IP address of the destination requested. | +| **Destination Port** | Port of the destination requested. | +| **Destination IP continent** | Continent code of the destination requested. | +| **Destination IP country** | Country code of the destination requested. | +| **Blocked file reason** | Reason why the file was blocked if a file transfer occurred or was attempted. | +| **Category details** | Detailed information on the category the blocked file belongs to. | +| **Application ID** | ID of the application that matched the domain. | +| **Application name** | Name of the application that matched the domain. | +| **Categories** | [Content categories](/cloudflare-one/traffic-policies/domain-categories/) that the domain belongs to. | +| **Proxy endpoint** | [PAC file proxy endpoint](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) Gateway forwarded traffic to, if applicable. 
| | **Virtual Network** | [Virtual network](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) that the client is connected to. | -| **Sandbox scanned** | Status of the [file quarantine](/cloudflare-one/traffic-policies/http-policies/file-sandboxing/). | +| **Sandbox scanned** | Status of the [file quarantine](/cloudflare-one/traffic-policies/http-policies/file-sandboxing/). | #### File detection details @@ -275,9 +275,9 @@ Enhanced file detection is an optional feature to extract more file information To turn on enhanced file detection: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Network**. -2. In **Firewall**, turn on **TLS decryption**. -3. In **Gateway Logging**, turn on **Enable enhanced file detection**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Traffic settings**. +2. In **Proxy and inspection settings**, turn on **Inspect HTTPS requests with TLS decryption**. +3. In **Policy settings**, turn on **Allow enhanced file detection**. ### Isolate requests diff --git a/src/content/docs/cloudflare-one/insights/logs/logpush.mdx b/src/content/docs/cloudflare-one/insights/logs/logpush.mdx index 384765f392a128a..51ee0bfbe2ed94f 100644 --- a/src/content/docs/cloudflare-one/insights/logs/logpush.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/logpush.mdx 
@@ -16,13 +16,13 @@ With Cloudflare's [Logpush](/logs/logpush/) service, you can configure the autom ## Export Zero Trust logs with Logpush :::caution[Dashboard limitation] -Zero Trust does not support configuring [Cloudflare R2](/logs/logpush/logpush-job/enable-destinations/r2/) as a Logpush destination in the dashboard. To use R2 as a destination for Zero Trust logs, configure your Logpush jobs [with the API](/logs/logpush/logpush-job/enable-destinations/r2/#manage-via-api). +Cloudflare One does not support configuring [Cloudflare R2](/logs/logpush/logpush-job/enable-destinations/r2/) as a Logpush destination in the dashboard. To use R2 as a destination for Zero Trust logs, configure your Logpush jobs [with the API](/logs/logpush/logpush-job/enable-destinations/r2/#manage-via-api). ::: To configure Logpush for Zero Trust logs: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Logs** > **Logpush**. -2. If this is your first Logpush job, select **Add a Logpush job**. Otherwise, select **Go to logpush configurations**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Insights** > **Logs**. +2. Select **Manage Logpush**. 3. In Logpush, select **Create a Logpush job**. 4. Choose a [Logpush destination](/logs/logpush/logpush-job/enable-destinations/). 5. Follow the service-specific instructions to configure and validate your destination. 
@@ -39,22 +39,22 @@ For more information on supported destinations, refer to [Enable destinations](/ Refer to [Logpush datasets](/logs/logpush/logpush-job/datasets/) for a list of all available fields. -| Dataset | Description | -| ---------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Access Requests](/logs/logpush/logpush-job/datasets/account/access_requests/) | HTTP requests to sites protected by Cloudflare Access | -| [Audit Logs](/logs/logpush/logpush-job/datasets/account/audit_logs/) | Authentication events through Cloudflare Access | -| [Browser Isolation User Actions](/logs/logpush/logpush-job/datasets/account/biso_user_actions/) | Data transfer actions performed by a user in the remote browser | -| [CASB Findings](/logs/logpush/logpush-job/datasets/account/casb_findings/) | Security issues detected by Cloudflare CASB | -| [Device Posture Results](/logs/logpush/logpush-job/datasets/account/device_posture_results/) | Device posture status from the WARP client | -| [DEX Application Tests](/logs/logpush/logpush-job/datasets/account/dex_application_tests/) | Device application synthetic test results from the WARP client | -| [DEX Device State Events](/logs/logpush/logpush-job/datasets/account/dex_device_state_events/) | Device event data like connectivity, CPU usage, and Disk I/O from the WARP client | -| [Gateway DNS](/logs/logpush/logpush-job/datasets/account/gateway_dns/) | DNS queries inspected by Cloudflare Gateway | -| [Gateway HTTP](/logs/logpush/logpush-job/datasets/account/gateway_http/) | HTTP requests inspected by Cloudflare Gateway | -| [Gateway Network](/logs/logpush/logpush-job/datasets/account/gateway_network/) | Network packets inspected by Cloudflare Gateway | -| [SSH Logs](/logs/logpush/logpush-job/datasets/account/ssh_logs/) | SSH 
command logs for [Access for Infrastructure targets](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) | -| [WARP Config Changes](/logs/logpush/logpush-job/datasets/account/warp_config_changes/) | Event logs that are generated whenever a WARP device changes [profiles](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) | -| [WARP Toggle Events](/logs/logpush/logpush-job/datasets/account/warp_toggle_changes/) | Event logs that are generated whenever a WARP device toggles WARP on or off | -| [Zero Trust Network Session Logs](/logs/logpush/logpush-job/datasets/account/zero_trust_network_sessions/) | Network session logs for traffic proxied by Cloudflare Gateway | +| Dataset | Description | +| ---------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [Access Requests](/logs/logpush/logpush-job/datasets/account/access_requests/) | HTTP requests to sites protected by Cloudflare Access | +| [Audit Logs](/logs/logpush/logpush-job/datasets/account/audit_logs/) | Authentication events through Cloudflare Access | +| [Browser Isolation User Actions](/logs/logpush/logpush-job/datasets/account/biso_user_actions/) | Data transfer actions performed by a user in the remote browser | +| [CASB Findings](/logs/logpush/logpush-job/datasets/account/casb_findings/) | Security issues detected by Cloudflare CASB | +| [Device Posture Results](/logs/logpush/logpush-job/datasets/account/device_posture_results/) | Device posture status from the WARP client | +| [DEX Application Tests](/logs/logpush/logpush-job/datasets/account/dex_application_tests/) | Device application synthetic test results from the WARP client | +| [DEX Device State Events](/logs/logpush/logpush-job/datasets/account/dex_device_state_events/) | 
Device event data like connectivity, CPU usage, and Disk I/O from the WARP client | +| [Gateway DNS](/logs/logpush/logpush-job/datasets/account/gateway_dns/) | DNS queries inspected by Cloudflare Gateway | +| [Gateway HTTP](/logs/logpush/logpush-job/datasets/account/gateway_http/) | HTTP requests inspected by Cloudflare Gateway | +| [Gateway Network](/logs/logpush/logpush-job/datasets/account/gateway_network/) | Network packets inspected by Cloudflare Gateway | +| [SSH Logs](/logs/logpush/logpush-job/datasets/account/ssh_logs/) | SSH command logs for [Access for Infrastructure targets](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) | +| [WARP Config Changes](/logs/logpush/logpush-job/datasets/account/warp_config_changes/) | Event logs that are generated whenever a WARP device changes [profiles](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) | +| [WARP Toggle Events](/logs/logpush/logpush-job/datasets/account/warp_toggle_changes/) | Event logs that are generated whenever a WARP device toggles WARP on or off | +| [Zero Trust Network Session Logs](/logs/logpush/logpush-job/datasets/account/zero_trust_network_sessions/) | Network session logs for traffic proxied by Cloudflare Gateway | ## Parse DNS logs diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks.mdx index 0306bd749398ff4..094e3b990a6f9f4 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks.mdx @@ -10,8 +10,8 @@ import { Details, Render, Tabs, TabItem } from "~/components";
| [WARP modes](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | -| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------- | -|
  • Gateway with WARP
  • Secure Web Gateway without DNS filtering
| All plans | +| ---------------------------------------------------------------------------------------- | ------------------------------------------------------------- | +|
  • Gateway with WARP
  • Secure Web Gateway without DNS filtering
| All plans | | System | Availability | | -------- | ------------ | @@ -50,13 +50,12 @@ The following example demonstrates how to add two overlapping IP routes to Cloud To route overlapping IPs over virtual networks: 1. First, create two unique virtual networks: - 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**. - 2. Find the **Virtual networks** setting and select **Manage**. - 3. Select **Create virtual network**. - 4. Name your virtual network `staging-vnet` and select **Save**. - 5. Repeat Steps 1a-1d to create another virtual network called `production-vnet`. + 1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Routes**. + 2. In **Virtual networks**, select **Create virtual network**. + 3. Name your virtual network `staging-vnet` and select **Save**. + 4. Repeat Steps 1a-1d to create another virtual network called `production-vnet`. 2. Next, create a Cloudflare Tunnel for each private network: - 1. Go to **Networks** > **Tunnels**. + 1. Go to **Networks** > **Connectors** > **Cloudflare Tunnels**. 2. Select **Create a tunnel**. 3. Name your tunnel `Staging tunnel` and select **Save tunnel**. 4. Install the connector within your staging environment. 
@@ -69,65 +68,66 @@ The following example demonstrates how to add two overlapping IP routes to Cloud - - To route overlapping IPs over virtual networks: - 1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): - - `Cloudflare Tunnel Write` - - 2. Create two unique virtual networks: - ```tf - resource "cloudflare_zero_trust_tunnel_cloudflared_virtual_network" "staging_vnet" { - account_id = var.cloudflare_account_id - name = "staging-vnet" - comment = "Staging virtual network" - is_default = false - } - - resource "cloudflare_zero_trust_tunnel_cloudflared_virtual_network" "production_vnet" { - account_id = var.cloudflare_account_id - name = "production-vnet" - comment = "Production virtual network" - is_default = false - } - ``` - - 3. Create a Cloudflare Tunnel for each private network: - ```tf - resource "cloudflare_zero_trust_tunnel_cloudflared" "staging_tunnel" { - account_id = var.cloudflare_account_id - name = "Staging tunnel" - config_src = "cloudflare" - } - - resource "cloudflare_zero_trust_tunnel_cloudflared" "production_tunnel" { - account_id = var.cloudflare_account_id - name = "Production tunnel" - config_src = "cloudflare" - } - ``` - - 4. Route `10.128.0.1/32` through `Staging tunnel` and assign it to `staging-vnet`. Route `10.128.0.1/32` through `Production tunnel` and assign it to `production-vnet`. 
- - ```tf - resource "cloudflare_zero_trust_tunnel_cloudflared_route" "staging_tunnel_route" { - account_id = var.cloudflare_account_id - tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.staging_tunnel.id - network = "10.128.0.1/32" - comment = "Staging tunnel route" - virtual_network_id = cloudflare_zero_trust_tunnel_cloudflared_virtual_network.staging_vnet.id - } - - resource "cloudflare_zero_trust_tunnel_cloudflared_route" "production_tunnel_route" { - account_id = var.cloudflare_account_id - tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.production_tunnel.id - network = "10.128.0.1/32" - comment = "Production tunnel route" - virtual_network_id = cloudflare_zero_trust_tunnel_cloudflared_virtual_network.production_vnet.id - } - ``` - 5. [Get the token](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/remote-tunnel-permissions/#get-the-tunnel-token) for each tunnel. - - 6. Using the tunnel tokens, run `Staging tunnel` in your staging environment and run `Production tunnel` in your production environment. Refer to [Install and run the tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api/#4-install-and-run-the-tunnel). + + To route overlapping IPs over virtual networks: + 1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): + - `Cloudflare Tunnel Write` + + 2. Create two unique virtual networks: + ```tf + resource "cloudflare_zero_trust_tunnel_cloudflared_virtual_network" "staging_vnet" { + account_id = var.cloudflare_account_id + name = "staging-vnet" + comment = "Staging virtual network" + is_default = false + } + + resource "cloudflare_zero_trust_tunnel_cloudflared_virtual_network" "production_vnet" { + account_id = var.cloudflare_account_id + name = "production-vnet" + comment = "Production virtual network" + is_default = false + } + ``` + + 3. 
Create a Cloudflare Tunnel for each private network: + ```tf + resource "cloudflare_zero_trust_tunnel_cloudflared" "staging_tunnel" { + account_id = var.cloudflare_account_id + name = "Staging tunnel" + config_src = "cloudflare" + } + + resource "cloudflare_zero_trust_tunnel_cloudflared" "production_tunnel" { + account_id = var.cloudflare_account_id + name = "Production tunnel" + config_src = "cloudflare" + } + ``` + + 4. Route `10.128.0.1/32` through `Staging tunnel` and assign it to `staging-vnet`. Route `10.128.0.1/32` through `Production tunnel` and assign it to `production-vnet`. + + ```tf + resource "cloudflare_zero_trust_tunnel_cloudflared_route" "staging_tunnel_route" { + account_id = var.cloudflare_account_id + tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.staging_tunnel.id + network = "10.128.0.1/32" + comment = "Staging tunnel route" + virtual_network_id = cloudflare_zero_trust_tunnel_cloudflared_virtual_network.staging_vnet.id + } + + resource "cloudflare_zero_trust_tunnel_cloudflared_route" "production_tunnel_route" { + account_id = var.cloudflare_account_id + tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.production_tunnel.id + network = "10.128.0.1/32" + comment = "Production tunnel route" + virtual_network_id = cloudflare_zero_trust_tunnel_cloudflared_virtual_network.production_vnet.id + } + ``` + 5. [Get the token](/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/remote-tunnel-permissions/#get-the-tunnel-token) for each tunnel. + + 6. Using the tunnel tokens, run `Staging tunnel` in your staging environment and run `Production tunnel` in your production environment. Refer to [Install and run the tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api/#4-install-and-run-the-tunnel). + 
@@ -225,13 +225,13 @@ The following example demonstrates how to add two overlapping IP routes to Cloud To delete a virtual network: - 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels** and ensure that no IP routes are assigned to the virtual network you are trying to delete. If your virtual network is in use, delete the route or reassign it to a different virtual network. + 1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Connectors** > **Cloudflare Tunnels** and ensure that no IP routes are assigned to the virtual network you are trying to delete. If your virtual network is in use, delete the route or reassign it to a different virtual network. - 2. Next, go to **Settings** > **WARP Client**. + 2. Next, go to **Networks** > **Routes**. - 3. Find the **Virtual networks** setting and select **Manage**. + 3. In **Virtual networks**, find your virtual network. - 4. Select the three-dot menu for your virtual network and select **Delete**. + 4. Select the three-dot menu and choose **Delete**. You can optionally delete the tunnel associated with your virtual network. diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx index d5e4d57f471c988..7098f7021b39658 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx 
@@ -92,13 +92,12 @@ There are a few different possible root causes behind the `websocket: bad handsh - WebSockets are not [enabled](/network/websockets/#enable-websockets). - Your Cloudflare account has Universal SSL enabled but your SSL/TLS encryption mode is set to **Off (not secure)**. To resolve: - 1. On the Cloudflare dashboard for your zone, go to **SSL/TLS** > **Overview**. 2. Ensure that your SSL/TLS encryption mode is set to either **Flexible**, **Full** or **Full (strict)**. - Your requests are blocked by [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/). To resolve, make sure you set **Definitely automated** to _Allow_ in the bot fight mode settings. -- Your SSH or RDP Access application has the [Binding Cookie](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#binding-cookie) enabled. To disable the cookie, go to **Access** > **Applications** and edit the application settings. +- Your SSH or RDP Access application has the [Binding Cookie](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#binding-cookie) enabled. To disable the cookie, go to **Access controls** > **Applications** and edit the application settings. - One or more [Workers routes](/workers/configuration/routing/routes/) are overlapping with the tunnel hostname, and the Workers do not properly handle the traffic. To resolve, you could either exclude your tunnel from the Worker route by not defining a route that includes the tunnel's hostname or update your Worker to only handle specific paths and forward all other requests to the origin, for example, by using `return fetch(req)`. 
@@ -156,7 +155,6 @@ Proxied traffic through Cloudflare Tunnel is buffered by default unless the orig This error occurs when you try to add a CIDR route that falls within Cloudflare WARP's CGNAT IP range. The `100.96.0.0/12` range, which covers addresses from `100.96.0.1` to `100.111.255.254`, is reserved for internal WARP routing and cannot be added as a Cloudflare Tunnel route. To connect your private network, you will need to change its IP/CIDR so that it does not overlap with `100.96.0.0/12`. - ## Troubleshooting [Troubleshooting](/cloudflare-one/faq/troubleshooting/) - Browse other Cloudflare One-related troubleshooting errors and solutions. diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx index 2d2d2c4e1edb8a1..f21f8c7a486ccfd 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx @@ -129,10 +129,8 @@ To turn off SSH command logging, delete your uploaded public key: -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Traffic policies** > **Traffic settings** > **SSH log encryption public key**. - +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Traffic policies** > **Traffic settings** > **SSH log encryption public key**. 2. Select **Remove**. - 3. Select **Remove key** to confirm. Cloudflare will stop logging SSH commands to your targets, as well as any commands subject to [Gateway Audit SSH](/cloudflare-one/traffic-policies/network-policies/ssh-logging/) policies. @@ -475,4 +473,8 @@ By completing all four troubleshooting steps, you should have resolved any conne ### 5. Get help - + 
diff --git a/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx index 608b78451fec247..83b3e7038946ee4 100644 --- a/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx +++ b/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx @@ -32,7 +32,7 @@ Our Network Vector Rendering (NVR) technology allows us to deliver a secure remo ### Brave -Brave’s WebRTC IP Handling Policy can impact how Cloudflare RBI loads and functions. If the WebRTC IP Handling Policy is configured to **Disable Non-Proxied UDP**, RBI may fail to load correctly. +Brave's WebRTC IP Handling Policy can impact how Cloudflare RBI loads and functions. If the WebRTC IP Handling Policy is configured to **Disable Non-Proxied UDP**, RBI may fail to load correctly. To ensure RBI loads correctly, go to `brave://settings/privacy` in your Brave browser window, find **WebRTC IP Handling Policy**, and change the setting from **Disable Non-Proxied UDP** to one of the following: diff --git a/src/content/docs/cloudflare-one/reusable-components/custom-pages/app-launcher-customization.mdx b/src/content/docs/cloudflare-one/reusable-components/custom-pages/app-launcher-customization.mdx index 42856884904c012..da627af8783506d 100644 --- a/src/content/docs/cloudflare-one/reusable-components/custom-pages/app-launcher-customization.mdx +++ b/src/content/docs/cloudflare-one/reusable-components/custom-pages/app-launcher-customization.mdx 
@@ -16,8 +16,8 @@ You can display your own branding, messages, and links to users when they open t To customize the App Launcher appearance: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Custom Pages**. -2. Find the **Customize App Launcher** setting and select **Customize**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Reusable components** > **Custom pages**. +2. Find the **App Launcher customization** setting and select **Manage**. 3. Give the App Launcher the look and feel of your organization by adding: - Your organization's name - A logo diff --git a/src/content/docs/cloudflare-one/reusable-components/custom-pages/gateway-block-page.mdx b/src/content/docs/cloudflare-one/reusable-components/custom-pages/gateway-block-page.mdx index 99a05d43181ba60..bca8ff841df8f05 100644 --- a/src/content/docs/cloudflare-one/reusable-components/custom-pages/gateway-block-page.mdx +++ b/src/content/docs/cloudflare-one/reusable-components/custom-pages/gateway-block-page.mdx @@ -93,7 +93,8 @@ To turn on the block page or override your global block page setting for an indi file="gateway/add-block-page" product="cloudflare-one" params={{ - firewallPolicyPath: "**Gateway** > **Firewall policies** > **DNS**", + firewallPolicyPath: + "**Traffic policies** > **Firewall policies** > **DNS**", blockBehaviorAction: "turn on", }} /> @@ -105,7 +106,8 @@ To turn on the block page or override your global block page setting for an indi file="gateway/add-block-page" product="cloudflare-one" params={{ - firewallPolicyPath: "**Gateway** > **Firewall policies** > **HTTP**", + firewallPolicyPath: + "**Traffic policies** > **Firewall policies** > **HTTP**", blockBehaviorAction: "go to", }} /> 
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx index c16bcbaeffc4424..d79ed0250a30210 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment.mdx @@ -12,8 +12,8 @@ import { Details, Render } from "~/components";
| [WARP modes](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | -| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------- | -| All modes | All plans | +| ---------------------------------------------------------------------------------------- | ------------------------------------------------------------- | +| All modes | All plans | | System | Availability | Minimum WARP version | | ------------------- | ------------ | -------------------- | @@ -49,6 +49,7 @@ To configure WARP to install a root certificate on your organization's devices: WARP will now download any [certificates set to **Available**](/cloudflare-one/team-and-resources/devices/user-side-certificates/#activate-a-root-certificate). After download, WARP will add the certificates to the device's system certificate store in `installed_certs/.pem` and append the contents to the `installed_cert.pem` file. If you have any scripts using `installed_cert.pem`, Cloudflare recommends you set them to use the individual files in the `installed_certs/` directory instead. `installed_certs.pem` will be deprecated by 2025-06-31. :::note + ::: 
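Review bot: in the automated-deployment.mdx hunk at -49,6, the context paragraph just above the `:::note` names the combined bundle two ways (`installed_cert.pem` twice, then `installed_certs.pem`) and gives a deprecation date of 2025-06-31, which is not a calendar date because June has 30 days. Since this hunk already touches the block, settle on one filename and a valid date in the same change. Readers are told to repoint scripts that consume this trust bundle, so the path and cutoff need to be unambiguous.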
@@ -121,6 +122,6 @@ The WARP client will also place the certificate in `/var/lib/cloudflare-warp/ins ## Uninstall the certificate -If the certificate was installed by the WARP client, it is automatically removed when you turn on another certificate for inspection in Zero Trust, turn off **Install CA to system certificate store**, or [uninstall WARP](/cloudflare-one/team-and-resources/devices/warp/remove-warp/). WARP does not remove certificates that were installed manually (for example, certificates added to third-party applications). +If the certificate was installed by the WARP client, it is automatically removed when you turn on another certificate for inspection in Cloudflare One, turn off **Install CA to system certificate store**, or [uninstall WARP](/cloudflare-one/team-and-resources/devices/warp/remove-warp/). WARP does not remove certificates that were installed manually (for example, certificates added to third-party applications). To manually remove the certificate, refer to the instructions supplied by your operating system or the third-party application. diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx index 1687c52fc6e453f..af7b63e48f3cde5 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx 
@@ -34,12 +34,11 @@ To generate a new Cloudflare root certificate for your Zero Trust organization: -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Settings** > **Certificates and downloads**. -2. Select **View**. -3. In Cloudflare certificates, select **Manage**. -4. Select **Generate certificate**. -5. Choose a duration of time before the certificate expires. Cloudflare recommends expiration after five years. Alternatively, choose _Custom_ and enter a custom amount in days. -6. Select **Generate certificate**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Traffic settings**. +2. Select **Certificates**. +3. Select **Generate certificate**. +4. Choose a duration of time before the certificate expires. Cloudflare recommends expiration after five years. Alternatively, choose _Custom_ and enter a custom amount in days. +5. Select **Generate certificate**. @@ -69,11 +68,10 @@ To activate your root certificate: -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Settings** > **Certificates and downloads**. -2. Select **View**. -3. In Cloudflare certificates, select **Manage**. -4. Select the certificate you want to activate. -5. Select **Activate**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Traffic settings**. +2. Select **Certificates**. +3. Select the certificate you want to activate. +4. Select **Activate**. 
@@ -94,11 +92,10 @@ Once you deploy and install your certificate, you can turn it on for use in insp -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Settings** > **Certificates and downloads**. -2. Select **View**. -3. In Cloudflare certificates, select **Manage**. -4. Select the certificate you want to turn on. -5. In **Basic information**, select **Confirm and turn on certificate**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Traffic settings**. +2. Select **Certificates**. +3. Select the certificate you want to turn on. +4. In **Basic information**, select **Confirm and turn on certificate**. diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment.mdx index 58af6bf4f721cd1..7c138e8d27ac0cc 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment.mdx 
@@ -18,20 +18,19 @@ If your device does not support [certificate installation via WARP](/cloudflare- Zero Trust will only inspect traffic using installed certificates set to [**Available** and **In-Use**](/cloudflare-one/team-and-resources/devices/user-side-certificates/#activate-a-root-certificate). -## Download the Cloudflare root certificate +## Download a Cloudflare root certificate :::note[Download limitation] -You can only download Cloudflare-generated certificates from the Zero Trust dashboard or with WARP. +You can only download Cloudflare-generated certificates from the Cloudflare One dashboard or with WARP. ::: First, [generate](/cloudflare-one/team-and-resources/devices/user-side-certificates/#generate-a-cloudflare-root-certificate) and download a Cloudflare certificate. The certificate is available in both `.pem` and `.crt` file format. Certain applications require the certificate to be in a specific file type, so ensure you download the most appropriate file for your use case. -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Settings** > **Certificates and downloads**. -2. Select **View**. -3. In **Cloudflare certificates**, select **Manage**. -4. Select the certificate you want to download. -5. Select **More actions**. - - Depending on which format you want, choose **Download .pem** and/or **Download .crt**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Traffic settings**. +2. Select **Certificates**. +3. Select the certificate you want to download. +4. Select **More actions**. +5. Depending on which format you want, choose **Download .pem** and/or **Download .crt**. Alternatively, you can download and install a certificate [using WARP](/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment/#install-a-certificate-using-warp). WARP will add the certificates to the device's system certificate store in `installed_certs/.pem`. 
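Review bot: renaming the heading from "Download the Cloudflare root certificate" to "Download a Cloudflare root certificate" changes the anchor generated for that section, so any existing link to `#download-the-cloudflare-root-certificate` will stop resolving. Search the docs for the old anchor and update those links in this change, or keep the original heading. The step renumbering itself reads correctly, with the format choice promoted from a sub-bullet to step 5.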
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/local-domains.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/local-domains.mdx index 945c860e969e7a9..90bd742996d8261 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/local-domains.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/local-domains.mdx @@ -41,7 +41,7 @@ Local Domain Fallback configuration only impacts where DNS requests get resolved To view the fallback domains applied to a device, you can: -- In [Zero Trust](https://one.dash.cloudflare.com/), go to **My Team** > **Devices** > find the target device and the **Last active device profile** > follow the [steps above](#view-domains). +- In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Team & Resources** > **Devices** > find the target device and the **Last active device profile** > follow the [steps above](#view-domains). - (Desktop only) Run `warp-cli settings` in the terminal of the target device and review the [fallback domains](/cloudflare-one/team-and-resources/devices/warp/troubleshooting/troubleshooting-guide/#fallback-domains) section of the output. - (Desktop only) Collect [WARP diagnostic logs](/cloudflare-one/team-and-resources/devices/warp/troubleshooting/warp-logs/) for the device and review the [fallback domain](/cloudflare-one/team-and-resources/devices/warp/troubleshooting/troubleshooting-guide/#fallback-domains) section in `warp_settings.txt`. diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions.mdx index 666d977748300d2..9188efca736fab1 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions.mdx 
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions.mdx @@ -59,7 +59,7 @@ If the user has an active browser session with the IdP, WARP will use the existi ## Limitations -- **Only one user per device** — If a device is already registered with User A, User B will not be able to log in on that device through the re-authentication flow. To switch the device registration to a different user, User A must first log out from Zero Trust (if [Allow device to leave organization](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#allow-device-to-leave-organization) is enabled), or an admin can revoke the registration from **My Team** > **Devices**. User B can then properly [enroll](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/). +- **Only one user per device** — If a device is already registered with User A, User B will not be able to log in on that device through the re-authentication flow. To switch the device registration to a different user, User A must first log out from Zero Trust (if [Allow device to leave organization](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#allow-device-to-leave-organization) is enabled), or an admin can revoke the registration from **Team & Resources** > **Devices**. User B can then properly [enroll](/cloudflare-one/team-and-resources/devices/warp/deployment/manual-deployment/). - **Active connections are not terminated** — Active sessions such as SSH and RDP will remain connected beyond the timeout limit. - **Binding Cookie is not supported** - WARP authentication will not work for Access applications that have the [Binding Cookie](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#binding-cookie) enabled. 
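Review bot: the changed bullet in warp-sessions.mdx updates the navigation path to **Team & Resources** > **Devices** but still reads "User A must first log out from Zero Trust", while the agent-migration page in this same patch rewrites the equivalent phrase to "logged out of Cloudflare One". Pick one name for the session a user logs out of and apply it in both files. In the context lines, the third bullet ("Binding Cookie is not supported") uses a plain hyphen after the bold label where the first two bullets use a dash; align it while editing this list.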
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/device-enrollment.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/device-enrollment.mdx index 468fe8ebf36403a..57ef97c482ee229 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/device-enrollment.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/device-enrollment.mdx @@ -25,7 +25,7 @@ To enroll devices using a service token: -You can verify which devices have enrolled by going to **My Team** > **Devices**. Devices that enrolled using a service token (or any other Service Auth policy) will have the **Email** field show as `non_identity@.cloudflareaccess.com`. +You can verify which devices have enrolled by going to **Team & Resources** > **Devices**. Devices that enrolled using a service token (or any other Service Auth policy) will have the **Email** field show as `non_identity@.cloudflareaccess.com`. ### Check for mTLS certificate diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/partners/intune.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/partners/intune.mdx index 05ce611acb0d708..c31997ed253d665 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/partners/intune.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/partners/intune.mdx 
@@ -146,11 +146,11 @@ You must deploy a [user-side certificate](/cloudflare-one/team-and-resources/dev 6. In the [Microsoft Intune admin center](https://intune.microsoft.com), go to **Devices** > select **macOS**. - ![Intune admin console where you select macOS before creating a policy](~/assets/images/cloudflare-one/connections/intune/devices-macos.png) + ![Intune admin console where you select macOS before creating a policy](~/assets/images/cloudflare-one/connections/intune/devices-macos.png) 7. Under **Manage devices**, select **Configuration**. - ![Intune admin console where you will create a new policy](~/assets/images/cloudflare-one/connections/intune/manage-devices-configuration.png) + ![Intune admin console where you will create a new policy](~/assets/images/cloudflare-one/connections/intune/manage-devices-configuration.png) 8. Select **Create** > **New Policy**. @@ -189,11 +189,10 @@ Before deploying WARP, you need to allow its system extensions. 8. Enable **Allowed System Extensions**. 9. Select **Edit instance** and add: + - Bundle Identifier: `com.cloudflare.1dot1dot1dot1dot1.macos` + - Team Identifier: `68BUP38M2J` - - Bundle Identifier: `com.cloudflare.1dot1dot1dot1dot1.macos` - - Team Identifier: `68BUP38M2J` - - ![Intune admin console where you enter team identifier and bundle identifier](~/assets/images/cloudflare-one/connections/intune/intune-bundle-team-identifier.png) + ![Intune admin console where you enter team identifier and bundle identifier](~/assets/images/cloudflare-one/connections/intune/intune-bundle-team-identifier.png) 10. Select **Save**. 
@@ -209,69 +208,72 @@ This step allows WARP to install without user interaction. By completing this st 1. Open a text editor and paste in the following `.mobileconfig` template: - ```xml - - - - - PayloadDisplayName - Cloudflare WARP - PayloadIdentifier - cloudflare_warp - PayloadOrganization - Cloudflare, Ltd. - PayloadRemovalDisallowed - - PayloadType - Configuration - PayloadScope - System - PayloadUUID - YOUR_PAYLOAD_UUID_HERE - PayloadVersion - 1 - PayloadContent - - - organization - YOUR_TEAM_NAME_HERE - auto_connect - 120 - onboarding - - PayloadDisplayName - Warp Configuration - PayloadIdentifier - com.cloudflare.warp.YOUR_PAYLOAD_UUID_HERE - PayloadOrganization - Cloudflare Ltd. - PayloadType - com.cloudflare.warp - PayloadUUID - YOUR_PAYLOAD_UUID_HERE - PayloadVersion - 1 - - - - - ``` + ```xml + + + + + PayloadDisplayName + Cloudflare WARP + PayloadIdentifier + cloudflare_warp + PayloadOrganization + Cloudflare, Ltd. + PayloadRemovalDisallowed + + PayloadType + Configuration + PayloadScope + System + PayloadUUID + YOUR_PAYLOAD_UUID_HERE + PayloadVersion + 1 + PayloadContent + + + organization + YOUR_TEAM_NAME_HERE + auto_connect + 120 + onboarding + + PayloadDisplayName + Warp Configuration + PayloadIdentifier + com.cloudflare.warp.YOUR_PAYLOAD_UUID_HERE + PayloadOrganization + Cloudflare Ltd. + PayloadType + com.cloudflare.warp + PayloadUUID + YOUR_PAYLOAD_UUID_HERE + PayloadVersion + 1 + + + + + ``` + 2. Open your macOS Terminal and run `uuidgen`. This will generate a value for `PayloadUUID`. Use this value to replace the default value (`YOUR_PAYLOAD_UUID_HERE`) used in the template (three locations total). 3. Update your organization's string (`YOUR_TEAM_NAME_HERE`) with your [team name](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name). 4. Modify the file with your desired [deployment parameters](/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/parameters/). 
- ```xml - - - organization - YOUR_TEAM_NAME_HERE - // add desired deployment parameters here - ``` - - :::tip[Best practice] - Start by deploying the template in its default, minimal form. This helps you verify a successful deployment before adding custom parameters. - ::: + + ```xml + + + organization + YOUR_TEAM_NAME_HERE + // add desired deployment parameters here + ``` + + :::tip[Best practice] + Start by deploying the template in its default, minimal form. This helps you verify a successful deployment before adding custom parameters. + ::: + 5. In the [Microsoft Intune admin center](https://intune.microsoft.com), go to **Devices** > **macOS**. 6. Under **Manage devices**, select **Configuration**. 
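Review bot: in the step 4 snippet, the placeholder line `// add desired deployment parameters here` sits inside an `xml` fence, and `//` is not XML comment syntax, so anyone who pastes the snippet as written ends up with stray text inside the profile. The block is being re-indented here anyway, so switch that line to an XML comment in the same change. The full template in step 1 also spells the PayloadOrganization value two ways ("Cloudflare, Ltd." and "Cloudflare Ltd."); use one spelling.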
@@ -301,32 +303,24 @@ Complete Step 4 at least one hour after steps 1, 2, and 3 so clients have enough ::: 1. Log in to [Cloudflare One](https://one.dash.cloudflare.com/). - -2. Go to **Settings** > **Certificates and downloads**, and select **View**. - -3. Under **Download the WARP client**, find macOS, and select **Download release**. - - You will be taken to the WARP documentation on [stable releases for macOS](/cloudflare-one/team-and-resources/devices/warp/download-warp/#macos) and download a `.pkg` file. - - :::note[Repeat this step to update WARP when a new release is available] - Every time WARP releases a new version, you must repeat this process and get a new `.pkg` file for the new WARP version. - ::: - -4. Log in to the [Microsoft Intune admin center](https://intune.microsoft.com), and go to **Apps** > **macOS**. - -5. Select **Create**. - -6. For **App type**, select _macOS app (PKG)_. - -7. In **App information**, select the `.pkg` file you downloaded and input required details. Enter `Cloudflare` as the Publisher. - -8. In **Requirements**, refer to the OS versions listed in [stable releases for macOS](/cloudflare-one/team-and-resources/devices/warp/download-warp/#macos) and find what matches for you. - -9. In **Detection rules**, note that the WARP package will have filled in the App bundle ID and App version. - -10. In **Assignments**, select an option (for example, **Add all devices** or **Add all users**) that is valid for your scope. Select **Next**. - -11. Review your configuration in **Review + create** and select **Create**. +2. Go to **Settings**. +3. In **Downloads**, select **View**. +4. Under **Download the WARP client**, find macOS, and select **Download release**. + + You will be taken to the WARP documentation on [stable releases for macOS](/cloudflare-one/team-and-resources/devices/warp/download-warp/#macos) and download a `.pkg` file. 
+ + :::note[Repeat this step to update WARP when a new release is available] + Every time WARP releases a new version, you must repeat this process and get a new `.pkg` file for the new WARP version. + ::: + +5. Log in to the [Microsoft Intune admin center](https://intune.microsoft.com), and go to **Apps** > **macOS**. +6. Select **Create**. +7. For **App type**, select _macOS app (PKG)_. +8. In **App information**, select the `.pkg` file you downloaded and input required details. Enter `Cloudflare` as the Publisher. +9. In **Requirements**, refer to the OS versions listed in [stable releases for macOS](/cloudflare-one/team-and-resources/devices/warp/download-warp/#macos) and find what matches for you. +10. In **Detection rules**, note that the WARP package will have filled in the App bundle ID and App version. +11. In **Assignments**, select an option (for example, **Add all devices** or **Add all users**) that is valid for your scope. Select **Next**. +12. Review your configuration in **Review + create** and select **Create**. By completing this step, you deliver the WARP client to targeted macOS devices, either automatically (assignment scope set as **Required**) or on-demand (assignment scope as **Available**) through your company portal. diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/windows-prelogin.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/windows-prelogin.mdx index 54620a1ba6b2af0..4c04ebfa118874a 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/windows-prelogin.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/windows-prelogin.mdx @@ -9,7 +9,7 @@ import { Details, Render } from "~/components";
-| [WARP modes](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | +| [WARP modes](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | | --------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | |
  • Gateway with WARP
  • Gateway with DoH
  • Secure Web Gateway without DNS filtering
  • Proxy mode
| All plans | @@ -96,9 +96,9 @@ To enable the Windows pre-login feature, an MDM file in the following format mus ``` -WARP will apply the pre-login configuration when no other WARP registration exists and the user has not yet logged into Windows. When the pre-login configuration is in effect, the device will appear on **My Team** > **Devices** with the email `non_identity@.cloudflareaccess.com`. +WARP will apply the pre-login configuration when no other WARP registration exists and the user has not yet logged into Windows. When the pre-login configuration is in effect, the device will appear on **Team & Resources** > **Devices** with the email `non_identity@.cloudflareaccess.com`. -After the user logs into Windows, WARP will automatically switch to the default MDM configuration and prompt the user to authenticate with the IdP. Once authenticated, WARP registers and connects with the user identity. The **My Team** > **Devices** page will now show a new device associated with the user's email. +After the user logs into Windows, WARP will automatically switch to the default MDM configuration and prompt the user to authenticate with the IdP. Once authenticated, WARP registers and connects with the user identity. The **Team & Resources** > **Devices** page will now show a new device associated with the user's email. If [multi-user mode](/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/windows-multiuser/) is turned off, this user registration will be used for any subsequent connections, including before the next Windows user login. Deleting the user registration would cause WARP to switch back to the pre-login configuration as soon as the user logs out of Windows. diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/download-warp/cloudflare-one-agent-migration.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/download-warp/cloudflare-one-agent-migration.mdx index 9f0d9e1ab540337..f0d24d03ea52542 100644 
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/download-warp/cloudflare-one-agent-migration.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/download-warp/cloudflare-one-agent-migration.mdx @@ -3,10 +3,9 @@ pcx_content_type: how-to title: Migrate 1.1.1.1 app sidebar: order: 12 - --- -import { TabItem, Tabs } from "~/components" +import { TabItem, Tabs } from "~/components"; Users can connect to Cloudflare Zero Trust services through an agent that runs on their device. Cloudflare previously bundled that functionality into the [WARP client](/warp-client/), an application that also provides privacy-focused DNS and VPN services for consumers (known as 1.1.1.1 w/ WARP). Supporting both enterprise and consumer functionality in the same application allowed us to build Zero Trust upon the same foundation used by millions of consumers across the globe, but has limited the pace at which changes could be released. As a result, we are launching a dedicated Cloudflare One Agent that replaces the WARP client for Zero Trust deployments. 
@@ -31,13 +30,12 @@ If you downloaded and installed the 1.1.1.1 app manually, here are the recommend 1. Update the **1.1.1.1** app to version 6.29 or above. The update ensures that 1.1.1.1 can [co-exist](#what-to-do-with-the-old-app) with the new Cloudflare One Agent app. 2. If you have enabled [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), ensure that you have a [Do Not Inspect policy](/cloudflare-one/traffic-policies/initial-setup/http/) in place for the following applications: - - * *Google Services (Do Not Inspect)* - * *Google Play Store (Do Not Inspect)* - * *Google (Do Not Inspect)* - * *Google Drive (Do Not Inspect)* - * *Google Chat (Do Not Inspect)* - * *Google Meet (Do Not Inspect)* + - _Google Services (Do Not Inspect)_ + - _Google Play Store (Do Not Inspect)_ + - _Google (Do Not Inspect)_ + - _Google Drive (Do Not Inspect)_ + - _Google Chat (Do Not Inspect)_ + - _Google Meet (Do Not Inspect)_ This prevents certificate pinning issues when performing the Android migration. @@ -51,7 +49,7 @@ If you downloaded and installed the 1.1.1.1 app manually, here are the recommend -If you enrolled the Cloudflare One Agent in the same Zero Trust organization as 1.1.1.1, you will be automatically logged out of Zero Trust on 1.1.1.1. The 1.1.1.1 app will revert to consumer mode, and the **Login with Cloudflare Zero Trust** button on the old app will redirect to the new app. +If you enrolled the Cloudflare One Agent in the same Zero Trust organization as 1.1.1.1, you will be automatically logged out of Cloudflare One on 1.1.1.1. The 1.1.1.1 app will revert to consumer mode, and the **Login with Cloudflare Zero Trust** button on the old app will redirect to the new app. If you enrolled the Cloudflare One Agent in a different Zero Trust organization, you will remain logged into your other Zero Trust organization on 1.1.1.1. 
@@ -103,4 +101,4 @@ Once users have enrolled, the migration process is complete. The 1.1.1.1 app wil ### Verify migration -To check whether a user has migrated, go to **My Team** > **Devices**. A device enrolled through the Cloudflare One Agent will appear as a new device with a new device ID. Their old 1.1.1.1 registration will remain as an inactive device. +To check whether a user has migrated, go to **Team & Resources** > **Devices**. A device enrolled through the Cloudflare One Agent will appear as a new device with a new device ID. Their old 1.1.1.1 registration will remain as an inactive device. diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/troubleshooting/client-errors.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/troubleshooting/client-errors.mdx index e5b41424d3333f4..818eedd906bd82d 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/troubleshooting/client-errors.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/troubleshooting/client-errors.mdx @@ -3,10 +3,9 @@ pcx_content_type: reference title: Client errors sidebar: order: 2 - --- -import { Details, Render } from "~/components" +import { Details, Render } from "~/components"; This page lists the error codes that can appear in the WARP client GUI. If you do not see your error below, refer to [common issues](/cloudflare-one/team-and-resources/devices/warp/troubleshooting/common-issues/) or [contact Cloudflare Support](/support/contacting-cloudflare-support/). 
@@ -18,32 +17,32 @@ This page lists the error codes that can appear in the WARP client GUI. If you d -## CF\_CAPTIVE\_PORTAL\_TIMED\_OUT +## CF_CAPTIVE_PORTAL_TIMED_OUT ### Symptoms -* Unable to login to a captive portal network -* No Internet connectivity +- Unable to login to a captive portal network +- No Internet connectivity ### Cause [Captive portal detection](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#captive-portal-detection) is turned on and one of the following issues occurred: -* The user did not complete the captive portal login process within the time limit set by WARP. -* The captive portal redirected the user to a flow that is not yet supported by the captive portal detection feature. +- The user did not complete the captive portal login process within the time limit set by WARP. +- The captive portal redirected the user to a flow that is not yet supported by the captive portal detection feature. ### Resolution 1. Increase the [captive portal timeout](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#captive-portal-detection) to allow users more time to login. 2. If this does not resolve the issue, allow users to manually [turn off WARP](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#lock-warp-switch). We recommend setting an [auto connect](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#auto-connect) value so that the client turns itself back on after a few minutes. -## CF\_CONNECTIVITY\_FAILURE\_UNKNOWN +## CF_CONNECTIVITY_FAILURE_UNKNOWN ### Symptoms -* Unable to connect WARP -* No Internet connectivity -* User may be behind a captive portal +- Unable to connect WARP +- No Internet connectivity +- User may be behind a captive portal ### Cause 
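Review bot: the touched bullet "Unable to login to a captive portal network" and the Resolution step "allow users more time to login" use "login" as a verb, while other pages in this patch write "log in to [Cloudflare One]"; change both to "log in" while these lines are being edited. For the headings that lose their backslash escapes (`CF_CAPTIVE_PORTAL_TIMED_OUT`, `CF_CONNECTIVITY_FAILURE_UNKNOWN`), confirm in the preview build that the underscores render literally and that the section anchors are unchanged, since these error codes are likely link targets.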
@@ -54,13 +53,13 @@ The initial [connectivity check](/cloudflare-one/team-and-resources/devices/warp 1. Retrieve [WARP debug logs](/cloudflare-one/team-and-resources/devices/warp/troubleshooting/warp-logs/) for the device. 2. Follow the troubleshooting steps in [Unable to connect WARP](/cloudflare-one/team-and-resources/devices/warp/troubleshooting/common-issues/#unable-to-connect-warp). -## CF\_DNS\_LOOKUP\_FAILURE +## CF_DNS_LOOKUP_FAILURE ### Symptoms -* Unable to connect WARP -* Unable to browse the Internet -* `nslookup` and `dig` commands fail on the device +- Unable to connect WARP +- Unable to browse the Internet +- `nslookup` and `dig` commands fail on the device ### Cause @@ -73,11 +72,11 @@ WARP was unable to resolve hostnames via its [local DNS proxy](/cloudflare-one/t 3. Ensure that no third-party tools are interfering with WARP for control of DNS. 4. Ensure that no third-party tools are [performing TLS decryption](/cloudflare-one/team-and-resources/devices/warp/troubleshooting/common-issues/#a-third-party-security-product-is-interfering-with-gateway) on traffic to the [WARP IP addresses](/cloudflare-one/team-and-resources/devices/warp/deployment/firewall/). -## CF\_DNS\_PROXY\_FAILURE +## CF_DNS_PROXY_FAILURE ### Symptoms -* Unable to connect WARP in a [mode that enables DNS filtering](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/). +- Unable to connect WARP in a [mode that enables DNS filtering](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/). ### Cause @@ -89,31 +88,29 @@ On macOS, you may see `mDNSResponder` instead of the specific application name - 1. Remove or disable DNS interception in the third-party process. -
Below is a non-exhaustive list of third-party software that are known to cause `mDNSResponder` to bind to port `53`. Rather than try to stop `mDNSResponder`, you should either configure the third-party software so that they no longer use port `53`, or temporarily disable them before connecting to WARP. -* **Docker**: [Turn off kernel networking for UDP](https://github.com/docker/for-mac/issues/7008#issuecomment-1746653802) in Docker. -* **Internet Sharing feature**: To disable Internet Sharing: +- **Docker**: [Turn off kernel networking for UDP](https://github.com/docker/for-mac/issues/7008#issuecomment-1746653802) in Docker. +- **Internet Sharing feature**: To disable Internet Sharing: 1. On macOS, go to **System Settings** > **General** > **Sharing**. 2. Turn off **Internet Sharing**. -* **Certain VM software (such as VMware Workstation or Parallels)**: The presence of VM software does not guarantee that it is the offending program, since compatibility with WARP is highly dependent on the VM's configuration. To work around the issue, connect to WARP before running any VMs: +- **Certain VM software (such as VMware Workstation or Parallels)**: The presence of VM software does not guarantee that it is the offending program, since compatibility with WARP is highly dependent on the VM's configuration. To work around the issue, connect to WARP before running any VMs: 1. Stop/quit all VMs. 2. Connect to WARP. 3. Start the VMs again. -
2. Alternatively, switch WARP to [Secure Web Gateway without DNS filtering](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering) mode. -## CF\_FAILED\_READ\_SYSTEM\_DNS\_CONFIG +## CF_FAILED_READ_SYSTEM_DNS_CONFIG ### Symptoms -* Unable to connect WARP -* Unable to browse the Internet +- Unable to connect WARP +- Unable to browse the Internet ### Cause @@ -125,11 +122,11 @@ On macOS and Linux, validate that `/etc/resolv.conf` is [formatted correctly](ht On Windows, validate that the registry entry `HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\SearchList` contains only valid search domains. Examples of invalid entries include IP addresses and domains that start with a period (such as `.local`). -## CF\_FAILED\_TO\_SET\_MTLS +## CF_FAILED_TO_SET_MTLS ### Symptoms -* Unable to connect WARP +- Unable to connect WARP ### Cause @@ -140,11 +137,11 @@ The device failed to present a [valid mTLS certificate](/cloudflare-one/team-and 1. Ensure that there are no admin restrictions on certificate installation. 2. Re-install the client certificate on the device. -## CF\_HAPPY\_EYEBALLS\_MITM\_FAILURE +## CF_HAPPY_EYEBALLS_MITM_FAILURE ### Symptoms -* Unable to connect WARP +- Unable to connect WARP ### Cause 
@@ -154,15 +151,15 @@ A router, firewall, antivirus software, or other third-party security product is 1. Configure the third-party security product to allow the [WARP ingress IPs and ports](/cloudflare-one/team-and-resources/devices/warp/deployment/firewall/#warp-ingress-ip). 2. Ensure that your Internet router is working properly and try rebooting the router. -3. Check that the device is not revoked by going to **My team** > **Devices**. +3. Check that the device is not revoked by going to **Team & Resources** > **Devices**. -## CF\_HOST\_UNREACHABLE\_CHECK +## CF_HOST_UNREACHABLE_CHECK ### Symptoms -* Unable to connect WARP -* No Internet connectivity -* User may be behind a captive portal +- Unable to connect WARP +- No Internet connectivity +- User may be behind a captive portal ### Cause @@ -173,12 +170,12 @@ The [connectivity check](/cloudflare-one/team-and-resources/devices/warp/deploym 1. Check for the presence of third-party HTTP filtering software (AV, DLP, or firewall) that could be intercepting traffic to the [WARP IPs](/cloudflare-one/team-and-resources/devices/warp/deployment/firewall). 2. In the third-party software, bypass inspection for all IP traffic going through WARP. To find out what traffic routes through the WARP tunnel, refer to [Split Tunnels](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/). -## CF\_INSUFFICIENT\_DISK +## CF_INSUFFICIENT_DISK ### Symptoms -* Unable to connect WARP -* OS warns that the disk is full +- Unable to connect WARP +- OS warns that the disk is full ### Cause 
@@ -190,12 +187,12 @@ The hard drive is full or has incorrect permissions for WARP to write data. 2. Check for disk permissions that may prevent WARP from using disk space. 3. Empty trash or remove large files. -## CF\_INSUFFICIENT\_FILE\_DESCRIPTORS +## CF_INSUFFICIENT_FILE_DESCRIPTORS ### Symptoms -* Unable to connect WARP -* Unable to open files on the device +- Unable to connect WARP +- Unable to open files on the device ### Cause @@ -205,12 +202,12 @@ The device does not have sufficient file descriptors to create network sockets o Increase the file descriptor limit in your system settings. -## CF\_INSUFFICIENT\_MEMORY +## CF_INSUFFICIENT_MEMORY ### Symptoms -* Unable to connect WARP -* Device is very slow +- Unable to connect WARP +- Device is very slow ### Cause @@ -221,11 +218,11 @@ The device does not have enough memory to run WARP. 1. Ensure that your device meets the [minimum memory requirements](/cloudflare-one/team-and-resources/devices/warp/download-warp/) for WARP. 2. List all running processes to check memory usage. -## CF\_LOCAL\_POLICY\_FILE\_FAILED\_TO\_PARSE +## CF_LOCAL_POLICY_FILE_FAILED_TO_PARSE ### Symptoms -* Unable to connect WARP +- Unable to connect WARP ### Cause @@ -237,12 +234,12 @@ The WARP client was deployed on the device using an invalid MDM configuration fi 2. Locate the MDM configuration file on your device. 3. Ensure that the file is formatted correctly and only contains [accepted arguments](/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/parameters/). -## CF\_NO\_NETWORK +## CF_NO_NETWORK ### Symptoms -* Unable to connect WARP -* No Internet connectivity +- Unable to connect WARP +- No Internet connectivity ### Cause 
@@ -255,18 +252,18 @@ The device is not connected to a Wi-Fi network or LAN that has connectivity to t 3. Check that your device is retrieving a valid IP address. 4. If this does not resolve the error, try rebooting your device or running your system's network diagnostics tool. -## CF\_REGISTRATION\_MISSING +## CF_REGISTRATION_MISSING ### Symptoms -* Unable to connect WARP +- Unable to connect WARP ### Cause The device is not authenticated to an [organization](/cloudflare-one/setup/#create-a-zero-trust-organization) because: -* The device was revoked in Zero Trust. -* The registration was corrupted or deleted for an unknown reason. +- The device was revoked in Zero Trust. +- The registration was corrupted or deleted for an unknown reason. ### Resolution @@ -277,7 +274,7 @@ The device is not authenticated to an [organization](/cloudflare-one/setup/#crea 5. If this does not resolve the error, select **Logout from Cloudflare Zero Trust** and then log back in. Logging out is only possible if [Allow device to leave organization](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#allow-device-to-leave-organization) is enabled for your device. 6. If the issue persists, contact your administrator for assistance. -### CF\_REGISTRATION\_MISSING (Revoked) +### CF_REGISTRATION_MISSING (Revoked) #### Cause @@ -287,11 +284,11 @@ Your device was unenrolled from your company's [organization](/cloudflare-one/se Contact your company or team administrator for assistance. -## CF\_TLS\_INTERCEPTION\_BLOCKING\_DOH +## CF_TLS_INTERCEPTION_BLOCKING_DOH ### Symptoms -* DNS requests fail to resolve when WARP is turned on. +- DNS requests fail to resolve when WARP is turned on. ### Cause 
@@ -301,11 +298,11 @@ A third-party application or service is intercepting DNS over HTTPS traffic from Configure the third-party application to exempt the [WARP DoH IPs](/cloudflare-one/team-and-resources/devices/warp/deployment/firewall/#doh-ip). -## CF\_TLS\_INTERCEPTION\_CHECK +## CF_TLS_INTERCEPTION_CHECK ### Symptoms -* Unable to connect WARP +- Unable to connect WARP ### Cause @@ -319,7 +316,7 @@ In the third-party security product, disable HTTPS inspection and TLS decryption ### Symptoms -* Unable to connect WARP +- Unable to connect WARP ### Cause @@ -327,4 +324,4 @@ The account administrator has disconnected WARP for all devices registered to th ### Resolution -The account administrator must turn the [Global WARP override](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#global-warp-override) feature off. \ No newline at end of file +The account administrator must turn the [Global WARP override](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#global-warp-override) feature off. diff --git a/src/content/docs/cloudflare-one/traffic-policies/application-app-types.mdx b/src/content/docs/cloudflare-one/traffic-policies/application-app-types.mdx index e484d91033b2947..e2699da3d17937a 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/application-app-types.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/application-app-types.mdx 
@@ -120,7 +120,7 @@ To turn on the Microsoft 365 integration: 1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Traffic settings** > **Policy settings**. 2. In **Bypass decryption of Microsoft 365 traffic**, select **Create policy**. -3. To verify the policy was created, select **View policy**. Alternatively, go to **Gateway** > **Firewall policies** > **HTTP**. A policy named Microsoft 365 Auto Generated will be enabled in your list. +3. To verify the policy was created, select **View policy**. Alternatively, go to **Traffic policies** > **HTTP policies**. A policy named Microsoft 365 Auto Generated will be enabled in your list. All future Microsoft 365 traffic will bypass Gateway logging and filtering. To disable this behavior, turn off or delete the policy. diff --git a/src/content/docs/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips.mdx b/src/content/docs/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips.mdx index e7423636b084be6..1abf9c23aa0f377 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips.mdx @@ -20,7 +20,7 @@ An account can have any number of additional dedicated egress IPs. To request ad To start routing traffic through dedicated egress IPs: 1. Contact your account team to obtain a dedicated egress IP. -2. In [Zero Trust](https://one.dash.cloudflare.com), go to **Traffic policies** > **Traffic settings**. +2. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Traffic policies** > **Traffic settings**. 3. Turn on **Allow Secure Web Gateway to proxy traffic**. 4. Select **TCP**. 5. (Optional) Select **UDP**. This will allow HTTP/3 traffic to egress with your dedicated IPs. 
@@ -53,10 +53,10 @@ For more information, refer to [Cloudflare BYOIP](/byoip/) or contact your accou If you do not have your own authority-provided IPv4 and IPv6 addresses, you can use dedicated egress IPs with a Cloudflare IP address. diff --git a/src/content/docs/cloudflare-one/traffic-policies/http-policies/file-sandboxing.mdx b/src/content/docs/cloudflare-one/traffic-policies/http-policies/file-sandboxing.mdx index fc8d9bf2c319d4a..fc460fe7f86fa09 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/http-policies/file-sandboxing.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/http-policies/file-sandboxing.mdx @@ -49,8 +49,8 @@ flowchart TD To begin quarantining downloaded files, turn on file sandboxing: -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Traffic policies** > **Traffic settings**. -2. Turn on **File sandboxing**. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Traffic policies** > **Traffic settings**. +2. In **Policy settings**, turn on **Open previously unseen files in a sandbox environment**. 3. (Optional) To block requests containing [non-scannable files](#non-scannable-files), select **Block requests for files that cannot be scanned**. You can now create [Quarantine HTTP policies](/cloudflare-one/traffic-policies/http-policies/#quarantine) to determine what files to scan in the sandbox. diff --git a/src/content/docs/cloudflare-one/traffic-policies/initial-setup/dns.mdx b/src/content/docs/cloudflare-one/traffic-policies/initial-setup/dns.mdx index dfed0180c7ff166..d8b94e628decb3d 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/initial-setup/dns.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/initial-setup/dns.mdx 
@@ -46,7 +46,7 @@ To filter DNS requests from a location such as an office or data center: Gateway identifies locations differently depending on the DNS query protocol: -- **IPv4 queries** match to the source IP address. Under **Gateway** > **DNS locations**, ensure that the **Source IPv4 Address** parameter is correct for the location you want to apply policies to. +- **IPv4 queries** match to the source IP address. Under **Networks** > **Resolvers & Proxies** > **DNS locations**, ensure that the **Source IPv4 Address** parameter is correct for the location you want to apply policies to. - **IPv6, DOT, or DOH queries** match to the unique DNS forwarding address assigned to the DNS location. Ensure that your DNS resolver is configured for the location you want to apply policies to. ::: diff --git a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/add-rules.mdx b/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/add-rules.mdx index a17e52888f6b199..ba35a829fe3ddb0 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/add-rules.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/add-rules.mdx @@ -3,7 +3,6 @@ title: Add rules pcx_content_type: how-to sidebar: order: 3 - --- import { DashButton } from "~/components"; 
@@ -45,14 +44,12 @@ Below, you can find examples of how to use the API to perform certain actions. :::caution[Warning] - The examples on this page all use the `https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets` endpoint. This endpoint is intended to create rules from scratch and **might overwrite existing rules**. If you have a ruleset already deployed, consider using the `https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{ruleset_id}/rules` endpoint instead. Refer to [Add rule to ruleset](/ruleset-engine/rulesets-api/add-rule/) and [Create an account ruleset](/api/resources/rulesets/methods/create/) for more information. - ::: ### Skip action @@ -111,10 +108,10 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \ Magic Firewall supports [using lists in expressions](/waf/tools/lists/use-in-expressions/) for the `ip.src` and `ip.dst` fields. The supported lists are: -* `$cf.anonymizer` - Anonymizer proxies -* `$cf.botnetcc` - Botnet command and control channel -* `$cf.malware` - Sources of malware -* `$` - The name of an account-level IP list +- `$cf.anonymizer` - Anonymizer proxies +- `$cf.botnetcc` - Botnet command and control channel +- `$cf.malware` - Sources of malware +- `$` - The name of an account-level IP list ```bash curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \ @@ -137,4 +134,4 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets \ ## Next steps -Refer to [Form expressions](/cloudflare-one/traffic-policies/packet-filtering/form-expressions/) for more information on how to write rule expressions. \ No newline at end of file +Refer to [Form expressions](/cloudflare-one/traffic-policies/packet-filtering/form-expressions/) for more information on how to write rule expressions. 
diff --git a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/best-practices/extended-ruleset.mdx b/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/best-practices/extended-ruleset.mdx index 84d5fca78ae5cb7..c756bd578dc1889 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/best-practices/extended-ruleset.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/best-practices/extended-ruleset.mdx @@ -63,7 +63,7 @@ Rule 10 in the example ruleset below is acting as a catch-all to block all traff **Action**: Allow **Rule ID**: 10 -**Description**: Otherwise deny all traffic to IP’s in `$endpoints` list +**Description**: Otherwise deny all traffic to IP's in `$endpoints` list **Match**: `ip.dst in $endpoints` **Action**: Block @@ -145,4 +145,4 @@ Restrict the source based on whether the server is expecting traffic from the ge - `IP Destination Address { non-web server } and TCP dst port in \ — Permit` - `IP Destination Address { non-web server } and UDP dst port in \ — Permit` -- `IP Destination Address { web server } — Block` \ No newline at end of file +- `IP Destination Address { web server } — Block` diff --git a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/enable-managed-rulesets.mdx b/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/enable-managed-rulesets.mdx index a5eb86a40f0114d..4c2627aaea5b550 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/enable-managed-rulesets.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/packet-filtering/enable-managed-rulesets.mdx 
@@ -17,9 +17,9 @@ To enable or disable a rule, you can specify which properties should be overridd You have multiple options for enabling rules: -* Select an individual rule and enable it. -* Enable multiple rules by enabling by category in the `magic-transit-phase`. -* Enable an entire ruleset. +- Select an individual rule and enable it. +- Enable multiple rules by enabling by category in the `magic-transit-phase`. +- Enable an entire ruleset. ## API @@ -27,13 +27,13 @@ You have multiple options for enabling rules: To create a managed ruleset, you must first build a request with the following: -* `managed_ruleset_id`: The ID of the Managed phase Managed kind ruleset that contains the rule you want to enable. -* `managed_rule_id`: The ID of the rule you want to enable. +- `managed_ruleset_id`: The ID of the Managed phase Managed kind ruleset that contains the rule you want to enable. +- `managed_rule_id`: The ID of the rule you want to enable. Additionally, you need the properties you want to override. The properties you can override include: -* `enabled`: This value can be set to `true` or `false`. When set to `true`, the rule matches packets and applies the rule's default action if the action is not overridden. When set to `false`, the rule is disabled and does not match any packets. -* `action`: The value can be set to `log` so the rule only produces logs instead of applying the rule's default action. +- `enabled`: This value can be set to `true` or `false`. When set to `true`, the rule matches packets and applies the rule's default action if the action is not overridden. When set to `false`, the rule is disabled and does not match any packets. +- `action`: The value can be set to `log` so the rule only produces logs instead of applying the rule's default action. The `enabled` and `action` properties for a rule are set in the Managed phase Managed kind ruleset. All rules in the Managed phase are currently disabled by default. 
@@ -133,29 +133,29 @@ https://api.cloudflare.com/client/v4/accounts/{account_id}{account_id}/rulesets/ To delete a ruleset, refer to [Delete a rule in a ruleset](/ruleset-engine/rulesets-api/delete-rule/). -## Cloudflare dashboard +## Cloudflare One dashboard ### Enable rules You can also use the dashboard to enable managed rulesets: -1. In the [Cloudflare One](https://one.dash.cloudflare.com) dashboard, go to **Traffic policies** > **Firewall policies**. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Traffic policies** > **Firewall policies**. 2. Select **Packet filtering** and go to **Managed**. This is where the dashboard lists all your managed rules. 3. To enable a rule, turn **Status** on. -## Edit rules +### Edit rules To edit a rule: -1. In the [Cloudflare One](https://one.dash.cloudflare.com) dashboard, go to **Traffic policies** > **Firewall policies**. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Traffic policies** > **Firewall policies**. 2. Select **Packet filtering** and go to **Managed**. This is where the dashboard lists all your managed rules. 3. Select the three dots > **Edit**. 4. Make the necessary changes, then select **Save**. -## View rules +### View rules To view basic information about your rules: -1. In the [Cloudflare One](https://one.dash.cloudflare.com) dashboard, go to **Traffic policies** > **Firewall policies**. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Traffic policies** > **Firewall policies**. 2. Select **Packet filtering** and go to **Managed**. This is where the dashboard lists all your managed rules. -3. Locate your managed rule, select the three dots > **View**. \ No newline at end of file +3. Locate your managed rule, select the three dots > **View**. diff --git a/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx b/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx index a2c15434dfba0af..9787e246c7ac976 100644 
--- a/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx +++ b/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx @@ -406,7 +406,7 @@ The Worker is now behind an addressable public hostname. Make sure to turn off b To secure the AI agent wrapper to ensure that only trusted users can access it: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Applications**. 2. Select **Add an application**. 3. Choose **Self-hosted**. 4. Enter a name for your AI agent wrapper application. @@ -421,16 +421,15 @@ Now your AI wrapper can only be accessed by your users that successfully match y You can now block access to all unauthorized public AI agents with a Gateway [HTTP policy](/cloudflare-one/traffic-policies/http-policies/). -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. -2. Select **HTTP**. -3. Select **Add a policy**. -4. Add the following policy: +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Firewall policies** > **HTTP**. +2. Select **Add a policy**. +3. Add the following policy: | Selector | Operator | Value | Action | | ------------------ | -------- | ------------------------- | ------ | | Content Categories | in | _Artificial Intelligence_ | Block | -5. Select **Create policy**. +4. Select **Create policy**. This ensures that public AI agents are not accessible using a managed endpoint. 
@@ -444,7 +443,7 @@ Now that you have full control over access to your AI agent wrapper, you can enf You can use [Data Loss Prevention (DLP)](/cloudflare-one/data-loss-prevention/) to prevent your users from sending sensitive data to the AI agent. -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Data loss prevention** > **DLP profiles**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Data loss prevention** > **Profiles**. 2. Ensure that the [DLP profiles](/cloudflare-one/data-loss-prevention/dlp-profiles/) you want to enforce are properly configured. 3. Add an HTTP policy to enforce the DLP profile for the hostname for your wrapper. For example: @@ -463,7 +462,7 @@ Because you published your wrapper as a self-hosted Access application, you can -3. Go to **Access** > **Policies**. +3. Go to **Access controls** > **Policies**. 4. Select **Add a policy**. 5. Set the **Action** to _Allow_. 6. In **Add rules**, add identity rules to define who the application should be isolated for. @@ -471,7 +470,7 @@ Because you published your wrapper as a self-hosted Access application, you can Once the Access policy has been created, you can attach it to your wrapper. -1. Go to **Access** > **Applications**. +1. Go to **Access controls** > **Applications**. 2. Choose your wrapper application, then select **Configure**. 3. In **Policies**, select **Select existing policies**. 4. Choose the Access policy you previously created. diff --git a/src/content/docs/cloudflare-one/tutorials/clientless-access-private-dns.mdx b/src/content/docs/cloudflare-one/tutorials/clientless-access-private-dns.mdx index f6c01e6adf0e028..27c03fc3f9ed452 100644 --- a/src/content/docs/cloudflare-one/tutorials/clientless-access-private-dns.mdx +++ b/src/content/docs/cloudflare-one/tutorials/clientless-access-private-dns.mdx 
@@ -54,7 +54,7 @@ To test, open a browser and go to `https://.cloudflareaccess.com/brow ## Create a Gateway resolver policy -1. Go to **Gateway** > **Resolver policies**. +1. Go to **Traffic policies** > **Resolver policies**. 2. Select **Add a policy**. @@ -78,7 +78,7 @@ To test, open a browser and go to `https://.cloudflareaccess.com/brow ## Create a Gateway network policy (recommended) -1. Go to **Gateway** > **Firewall policies** > **Network**. +1. Go to **Traffic policies** > **Firewall policies** > **Network**. 2. Add a [network policy](/cloudflare-one/traffic-policies/network-policies/) that targets the private IP address of your application. You can optionally include any ports or protocols relevant for application access. For example, diff --git a/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx b/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx index b8fda28eeaa4bf2..433869a7fc890f4 100644 --- a/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx +++ b/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx 
@@ -58,16 +58,18 @@ Once the base IdP integration is tested and working, grant permission for Cloudf To import your Conditional Access policies into Cloudflare Access: -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**. -2. Find your Microsoft Entra ID integration and select **Edit**. -3. Enable **Azure AD Policy Sync**. -4. Select **Save**. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Access controls** > **Access settings**. +2. In **Manage your App Launcher**, select **Manage**. +3. Choose **Login methods**. +4. Find your Microsoft Entra ID integration and select **Edit**. +5. Enable **Azure AD Policy Sync**. +6. Select **Save**. ## Create an Access application To enforce your Conditional Access policies on a Cloudflare Access application: -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Access controls** > **Applications**. 2. Select **Add an application**. diff --git a/src/content/docs/cloudflare-one/tutorials/entra-id-risky-users.mdx b/src/content/docs/cloudflare-one/tutorials/entra-id-risky-users.mdx index fd83698f6bc0209..0e1b98e6aca108e 100644 --- a/src/content/docs/cloudflare-one/tutorials/entra-id-risky-users.mdx +++ b/src/content/docs/cloudflare-one/tutorials/entra-id-risky-users.mdx @@ -32,7 +32,7 @@ Refer to [our IdP setup instructions](/cloudflare-one/integrations/identity-prov :::note -- When you configure the IdP in Zero Trust, be sure to select **Enable group membership change reauthentication**. +- When you configure the IdP in Cloudflare One, be sure to select **Enable group membership change reauthentication**. - Save the **Application (client) ID**, **Directory (tenant) ID**, and **Client secret** as you will need them again in a later step. ::: 
@@ -151,7 +151,7 @@ Cloudflare Access will now synchronize changes in group membership with Entra ID Finally, create a [Gateway HTTP policy](/cloudflare-one/traffic-policies/http-policies/) to isolate traffic for risky user groups. -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Gateway** > **Firewall policies** > **HTTP**. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Traffic policies** > **Firewall policies** > **HTTP**. 2. Select **Add a policy**. diff --git a/src/content/docs/cloudflare-one/tutorials/integrate-microsoft-mcas-teams.mdx b/src/content/docs/cloudflare-one/tutorials/integrate-microsoft-mcas-teams.mdx index 267d5378d60d3c6..8751f0b50950d53 100644 --- a/src/content/docs/cloudflare-one/tutorials/integrate-microsoft-mcas-teams.mdx +++ b/src/content/docs/cloudflare-one/tutorials/integrate-microsoft-mcas-teams.mdx @@ -19,7 +19,7 @@ Microsoft provides an MCAS API endpoint to allow queries to see which applicatio ## Basic configuration In your Microsoft account, you first need to create an API token and URL endpoint to use to query the URLs blocked by MCAS. -Follow the guide for [Managing API tokens for Microsoft Cloud App Security](https://docs.microsoft.com/en-us/cloud-app-security/api-authentication) to generate a new API token and a custom API URL for the API endpoint. +Follow the guide for [Managing API tokens for Microsoft Cloud App Security](https://learn.microsoft.com/defender-cloud-apps/api-authentication) to generate a new API token and a custom API URL for the API endpoint. ## Using the API to query banned applications 
@@ -61,11 +61,11 @@ If you would like to get a list of all of the MCAS allowed applications, you can curl -v "https:///api/discovery_block_scripts/?format=120&type=allowed" -H "Authorization: Token " ``` -## Adding a hostname list in Zero Trust +## Adding a hostname list in Cloudflare One -1. In Zero Trust, go to **My Team** > **Lists** -2. Select **Upload CSV**. Even though the hostname list is not really in CSV format, it will work with no issues. -3. Add a name for the list, specify "Hostnames" as the list type, and give it a description. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Reusable components** > **Lists** +2. Select **Upload CSV**. Even though the hostname list is not in CSV format, it will work with no issues. +3. Add a name for the list, specify _Hostnames_ as the list type, and give it a description. 4. Drag and drop your MCAS output file created via the API call, or you can select **Select a file**. 5. Select **Create**. You will see the list of hostnames that have been added to the list. 6. Save the list. @@ -74,7 +74,7 @@ Your list is now ready to be referenced by Gateway HTTP policies. ## Creating an HTTP policy -1. Go to **Gateway** > **Firewall policies**. Select **HTTP**. +1. Go to **Traffic policies** > **Traffic policies** > **HTTP**. 2. Select **Add a policy**. 3. Create the following policy. diff --git a/src/content/docs/cloudflare-one/tutorials/kubectl.mdx b/src/content/docs/cloudflare-one/tutorials/kubectl.mdx index 39d5ad141db1376..fd82fdd802d2aae 100644 --- a/src/content/docs/cloudflare-one/tutorials/kubectl.mdx +++ b/src/content/docs/cloudflare-one/tutorials/kubectl.mdx 
@@ -28,9 +28,9 @@ You can connect to machines over `kubectl` using Cloudflare's Zero Trust platfor --- -## Create a Zero Trust policy +## Create an Access policy -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Access controls** > **Applications**. 2. Select **Add an application**. 3. Select **Self-hosted**. 4. Enter a name for your Access application. diff --git a/src/content/docs/cloudflare-one/tutorials/m365-dedicated-egress-ips.mdx b/src/content/docs/cloudflare-one/tutorials/m365-dedicated-egress-ips.mdx index 9a5d0cc2e2cfdde..3f9548310d7d15d 100644 --- a/src/content/docs/cloudflare-one/tutorials/m365-dedicated-egress-ips.mdx +++ b/src/content/docs/cloudflare-one/tutorials/m365-dedicated-egress-ips.mdx @@ -27,7 +27,7 @@ Make sure you have: ## Create an egress policy in Cloudflare Gateway -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Egress policies**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Egress policies**. 2. Select **Add a policy**. diff --git a/src/content/docs/cloudflare-one/tutorials/mongodb-tunnel.mdx b/src/content/docs/cloudflare-one/tutorials/mongodb-tunnel.mdx index 4deeeab9d36de8c..740da619ae1f627 100644 --- a/src/content/docs/cloudflare-one/tutorials/mongodb-tunnel.mdx +++ b/src/content/docs/cloudflare-one/tutorials/mongodb-tunnel.mdx 
@@ -31,7 +31,7 @@ In this tutorial, a client running `cloudflared` connects over SSH to a MongoDB You can build a rule in Cloudflare Access to control who can connect to your MongoDB deployment. Cloudflare Access rules are built around a hostname; even though this deployment will be accessible over SSH, the resource will be represented in Cloudflare as a hostname. For example, if you have the website `app.com` in your Cloudflare account, you can build a rule to secure `mongodb.app.com`. -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Applications**. 2. Select **Add an application**. diff --git a/src/content/docs/cloudflare-one/tutorials/mysql-network-policy.mdx b/src/content/docs/cloudflare-one/tutorials/mysql-network-policy.mdx index 31792128b0bf564..566923d2227a20b 100644 --- a/src/content/docs/cloudflare-one/tutorials/mysql-network-policy.mdx +++ b/src/content/docs/cloudflare-one/tutorials/mysql-network-policy.mdx @@ -40,7 +40,7 @@ The application and (optional) DNS server are now connected to Cloudflare. ## Create a Gateway network policy -1. Go to **Gateway** > **Firewall policies** > **Network**. +1. Go to **Traffic policies** > **Network policies**. 2. Add a [network policy](/cloudflare-one/traffic-policies/network-policies/) that targets the private IP address and the port of the MySQL database (port 3306 by default). The following example allows access to the database to the users that enrolled into WARP using an `@example.com` email address. The network policies can also take into consideration [device posture checks](/cloudflare-one/reusable-components/posture-checks/). | Selector | Operator | Value | Logic | Action | 
@@ -57,7 +57,7 @@ Allowed WARP users can now connect to the MySQL server at `10.128.0.175` using t To allow users to access the MySQL database using an internal hostname instead of the private IP address, configure a Gateway resolver policy. -1. Go to **Gateway** > **Resolver policies**. +1. Go to **Traffic policies** > **Resolver policies**. 2. Select **Add a policy**. diff --git a/src/content/docs/cloudflare-one/tutorials/okta-u2f.mdx b/src/content/docs/cloudflare-one/tutorials/okta-u2f.mdx index b46f2321f13de5d..23aa9a4139a1e5a 100644 --- a/src/content/docs/cloudflare-one/tutorials/okta-u2f.mdx +++ b/src/content/docs/cloudflare-one/tutorials/okta-u2f.mdx @@ -43,7 +43,10 @@ An Okta administrator in your organization must first [enable U2F support](https You can begin building U2F policies by testing your Okta integration. -In [Zero Trust](https://one.dash.cloudflare.com/), go to the **Settings** > **Authentication**. Next, choose the row for Okta and select **Test**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to the **Access controls** > **Access settings**. +2. In **Manage your App Launcher**, select **Manage**. +3. Choose **Login methods**. +4. Choose the row for Okta and select **Test**. Cloudflare Access will prompt you to login with your Okta account. For the purposes of the test, use a second factor option like an app-based code. Okta will return `amr` values to Cloudflare Access - these are standard indicators of multifactor methods shared between identity control systems. diff --git a/src/content/docs/cloudflare-one/tutorials/r2-logs.mdx b/src/content/docs/cloudflare-one/tutorials/r2-logs.mdx index 96594f6ccfef4eb..c04029b174f7e4e 100644 --- a/src/content/docs/cloudflare-one/tutorials/r2-logs.mdx +++ b/src/content/docs/cloudflare-one/tutorials/r2-logs.mdx 
@@ -43,7 +43,7 @@ This tutorial covers how to build a [Cloudflare R2 bucket](/r2/buckets/) to stor ## Connect a Zero Trust Logpush job -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Logs** > **Logpush**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Insights** > **Logs**. Select **Manage Logpush**. 2. Select **Connect a service**. 3. Choose which data sets and fields you want to send to your bucket. Select **Next**. 4. Select **S3 Compatible**. diff --git a/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx b/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx index 80a9b59898fd339..40bf3c432cb44ae 100644 --- a/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx +++ b/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx @@ -96,7 +96,7 @@ A bucket website endpoint will be available at `http://.s3-web ### 4. Add a published application to the Cloudflare Tunnel -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels** +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Connectors** > **Cloudflare Tunnels**. 2. Select your Tunnel, then select **Configure**. 3. Go to **Published applications**, then select **Add a public hostname**. 4. Enter a subdomain your organization will use to access the S3 bucket. For example, `s3-bucket..com`. @@ -108,7 +108,7 @@ Your Cloudflare Tunnel will terminate at the AWS VPC using your public hostname. ### 5. Restrict S3 access with an Access policy -1. Go to **Access** > **Applications**. +1. Go to **Access controls** > **Applications**. 2. Select **Add an application**. 3. Select **Self-hosted**. 4. Enter a name for the application. 
@@ -186,7 +186,7 @@ A bucket website endpoint will be available at `http://.s3-web ### 3. Setup a dedicated egress IP policy -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Egress policies**. Select **Add a policy**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Egress policies**. Select **Add a policy**. 2. Create a policy that specifies which proxied traffic Gateway should assign a [dedicated egress IP](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/) to. For more information, refer to [Egress policies](/cloudflare-one/traffic-policies/egress-policies/). 3. In **Select an egress IP**, choose _Use dedicated Cloudflare egress IPs_. Select the dedicated egress IP defined in your bucket policy. 4. Select **Create policy**. diff --git a/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx b/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx index 29c360336856a42..bd8f81ccbeab962 100644 --- a/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx +++ b/src/content/docs/cloudflare-one/tutorials/user-selectable-egress-ips.mdx 
@@ -37,12 +37,11 @@ First, create [virtual networks](/cloudflare-one/networks/connectors/cloudflare- -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**. -2. In **Network locations**, go to **Virtual networks** and select **Manage**. -3. Select **Create virtual network**. -4. Name your virtual network. We recommend using a name related to the location of the corresponding dedicated egress IP. For example, if your users will egress from the Americas, you can name the virtual network `vnet-AMER`. -5. Select **Save**. -6. Repeat Steps 3-5 for each dedicated egress IP you want users to switch between. For example, you can create another virtual network called `vnet-EMEA` for egress from Europe, the Middle East, and Africa. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Routes**. +2. In **Virtual networks**, select **Create virtual network**. +3. Name your virtual network. We recommend using a name related to the location of the corresponding dedicated egress IP. For example, if your users will egress from the Americas, you can name the virtual network `vnet-AMER`. +4. Select **Save**. +5. Repeat Steps 2-4 for each dedicated egress IP you want users to switch between. For example, you can create another virtual network called `vnet-EMEA` for egress from Europe, the Middle East, and Africa. @@ -72,7 +71,7 @@ After creating your virtual networks, route your private network CIDRs over each -1. Go to **Networks** > **Tunnels**. +1. Go to **Networks** > **Connectors** > **Cloudflare Tunnels**. 2. Select your tunnel routing `10.0.0.0/8`, then select **Configure**. 3. Go to **Private Networks**. Select the `10.0.0.0/8` route. 4. In **Additional settings**, choose your first virtual network. For example, `vnet-AMER`. 
@@ -132,7 +131,7 @@ Next, assign your dedicated egress IPs to each virtual network using Gateway egr -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Egress policies**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Egress policies**. 2. Select **Add a policy**. diff --git a/src/content/docs/cloudflare-one/tutorials/vnc-client-in-browser.mdx b/src/content/docs/cloudflare-one/tutorials/vnc-client-in-browser.mdx index 99d799151124921..0f1ee360fd411da 100644 --- a/src/content/docs/cloudflare-one/tutorials/vnc-client-in-browser.mdx +++ b/src/content/docs/cloudflare-one/tutorials/vnc-client-in-browser.mdx @@ -141,11 +141,11 @@ At this point, you have a VNC server ready to test with browser-based VNC. We re At this point you have a running VNC server and a Cloudflare Tunnel on your machine ready to accept inbound VNC requests. -## Create a Zero Trust VNC application +## Create a Cloudflare Access VNC application -The last step is to create a Zero Trust application to run your VNC server in the Browser. +The last step is to create a Cloudflare Access application to run your VNC server in the Browser. -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Access controls** > **Applications**. 2. Select **Add an application**. diff --git a/src/content/docs/cloudflare-one/tutorials/warp-on-headless-linux.mdx b/src/content/docs/cloudflare-one/tutorials/warp-on-headless-linux.mdx index d3cd13004cb28cd..b5474ac28bdc4c2 100644 --- a/src/content/docs/cloudflare-one/tutorials/warp-on-headless-linux.mdx +++ b/src/content/docs/cloudflare-one/tutorials/warp-on-headless-linux.mdx 
@@ -34,7 +34,7 @@ Device enrollment permissions determine the users and devices that can register To allow devices to enroll using a service token: -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Team & Resources** > **Devices**. Select the **Management** tab. 2. In **Device enrollment permissions**, select **Manage**. 3. In the **Policies** tab, select **Create new policy**. A new tab will open with the policy creation page. 4. For **Action**, select _Service Auth_. @@ -120,4 +120,4 @@ To install WARP using the example script: sudo ./install_warp.sh ``` -WARP is now deployed with the configuration parameters stored in `/var/lib/cloudflare-warp/mdm.xml`. Assuming [`auto_connect`](/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/parameters/#auto_connect) is configured, WARP will automatically connect to your Zero Trust organization. Once connected, the device will appear in [Zero Trust](https://one.dash.cloudflare.com) under **My Team** > **Devices** with the email `non_identity@.cloudflareaccess.com`. +WARP is now deployed with the configuration parameters stored in `/var/lib/cloudflare-warp/mdm.xml`. Assuming [`auto_connect`](/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/parameters/#auto_connect) is configured, WARP will automatically connect to your Zero Trust organization. Once connected, the device will appear in [Cloudflare One](https://one.dash.cloudflare.com) under **Team & Resources** > **Devices** with the email `non_identity@.cloudflareaccess.com`. diff --git a/src/content/docs/dns/internal-dns/get-started.mdx b/src/content/docs/dns/internal-dns/get-started.mdx index c2cc2a2c53272e0..78e7d10ed7f9d64 100644 --- a/src/content/docs/dns/internal-dns/get-started.mdx +++ b/src/content/docs/dns/internal-dns/get-started.mdx 
@@ -138,11 +138,11 @@ Besides selecting an internal DNS view when setting up your resolver policies, y -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Resolver policies**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Firewall policies** > **Resolver policies**. 2. Select **Add a policy** and enter a name and description. -3. Create an expression for the traffic you wish to route. For guidance about selectors, operators, and values, refer to [Gateway](/cloudflare-one/traffic-policies/resolver-policies/#selectors). +3. Create an expression for the traffic you wish to route. For guidance about selectors, operators, and values, refer to [Gateway resolver policies](/cloudflare-one/traffic-policies/resolver-policies/#selectors). 4. Select **Use Internal DNS**. Choose the view that queries matching the expression should be sent to. -5. (Optional) Adjust the option to **fallback through public DNS** according to your use case. +5. (Optional) Adjust the option to **Fallback through public DNS** according to your use case. - Off: Gateway DNS resolver returns the response as-is to the client. - On: In case the response from the internal zone is REFUSED, NXDOMAIN, or a response with a CNAME type, Gateway DNS resolver sends the query to Cloudflare 1.1.1.1 public resolver and tries to resolve the query via public DNS. diff --git a/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx b/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx index 7058c18ad77984f..cf6bedcf4c036e0 100644 --- a/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx +++ b/src/content/docs/hyperdrive/configuration/connect-to-private-database.mdx 
@@ -88,7 +88,7 @@ The service token will be used to restrict requests to the tunnel, and is needed -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Service auth** > **Service Tokens**. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Access controls** > **Service credentials** > **Service Tokens**. 2. Select **Create Service Token**. @@ -111,7 +111,7 @@ The service token will be used to restrict requests to the tunnel, and is needed [Cloudflare Access](/cloudflare-one/access-controls/policies/) will be used to verify that requests to the tunnel originate from Hyperdrive using the service token created above. -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Access controls** > **Applications**. 2. Select **Add an application**. diff --git a/src/content/docs/learning-paths/clientless-access/terraform/publish-apps-with-terraform.mdx b/src/content/docs/learning-paths/clientless-access/terraform/publish-apps-with-terraform.mdx index 12498387cbada88..1a1e488aef38763 100644 --- a/src/content/docs/learning-paths/clientless-access/terraform/publish-apps-with-terraform.mdx +++ b/src/content/docs/learning-paths/clientless-access/terraform/publish-apps-with-terraform.mdx @@ -27,7 +27,7 @@ Create a `.tf` file and copy-paste the following example. Fill in your API token
-1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Connectors** > **Cloudflare Tunnels**. 2. Select the tunnel name. 3. Copy the **Tunnel ID**. @@ -147,7 +147,7 @@ resource "cloudflare_access_policy" "example_policy" { -Users can now access the private application by going to the public URL and authenticating with Cloudflare Access. You can view your new tunnel route, Access application, and Access policy in [Zero Trust](https://one.dash.cloudflare.com). The new DNS record is shown in the [Cloudflare dashboard](https://dash.cloudflare.com). +Users can now access the private application by going to the public URL and authenticating with Cloudflare Access. You can view your new tunnel route, Access application, and Access policy in [Cloudflare One](https://one.dash.cloudflare.com). The new DNS record is shown in the [Cloudflare dashboard](https://dash.cloudflare.com). :::note diff --git a/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-block-pages.mdx b/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-block-pages.mdx index 711fc9fe2dd67ff..a15a6739c89ee7b 100644 --- a/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-block-pages.mdx +++ b/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-block-pages.mdx @@ -15,7 +15,8 @@ For DNS policies, you will need to enable the block page on a per-policy basis. file="gateway/add-block-page" product="cloudflare-one" params={{ - firewallPolicyPath: "**Gateway** > **Firewall policies** > **DNS**", + firewallPolicyPath: + "**Traffic policies** > **Firewall policies** > **DNS**", blockBehaviorAction: "turn on", }} /> 
diff --git a/src/content/docs/learning-paths/holistic-ai-security/build-security-policies/set-policy-approval.mdx b/src/content/docs/learning-paths/holistic-ai-security/build-security-policies/set-policy-approval.mdx index 1171209e7e8d50f..fc52ccd066bef66 100644 --- a/src/content/docs/learning-paths/holistic-ai-security/build-security-policies/set-policy-approval.mdx +++ b/src/content/docs/learning-paths/holistic-ai-security/build-security-policies/set-policy-approval.mdx @@ -10,7 +10,7 @@ If you use specific AI tools within your organization, you may want to create po ## Create a Gateway policy for monitoring and evaluating all AI tool usage -1. In [**Zero Trust**](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. 2. In the **HTTP** tab, select **Add a policy**. 3. Name the policy. 4. Under **Traffic**, build a logical expression that defines the traffic you want to allow for AI at your organization. @@ -34,7 +34,7 @@ Cloudflare Workers are an easy method to stand up custom user coaching pages. Th ## Redirect users towards approved AI tools -1. In [**Zero Trust**](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Firewall policies**. 2. In the **HTTP** tab, select **Add a policy**. 3. Name the policy. 4. Under **Traffic**, build a logical expression that defines the traffic you want to allow for AI at your organization. 
@@ -59,7 +59,7 @@ For more information, refer to [Configure policy block behavior](/cloudflare-one You can build policies that enable Prompt Capture for AI applications in specific, complex scenarios. This gives you the flexibility to apply advanced functionality to certain applications, tool types, or user groups, such as contractors or new employees, especially if they pose a higher risk for using unsanctioned applications due to lack of awareness or training. -1. In [**Zero Trust**](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Firewall policies**. 2. In the **HTTP** tab, select **Add a policy**. 3. Name the policy. 4. Under **Traffic**, build a logical expression that defines the traffic you want to allow for AI at your organization. @@ -83,7 +83,7 @@ If your organization uses [ChatGPT Business](https://chatgpt.com/business/), you To create this policy, you will add a custom HTTP header to your Gateway policy. This header, `Chatgpt-Allowed-Workspace-Id`, ensures that only requests with your organization's unique workspace ID are permitted. -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Gateway** > **Firewall policies**. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Traffic policies** > **Firewall policies**. 2. In the **HTTP** tab, select **Add a policy**. 3. Name the policy. 4. Under **Traffic**, build a logical expression that defines the traffic you want to allow. diff --git a/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx b/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx index 90fe0b45b0e7412..4491d071708390a 100644 --- a/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx +++ b/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx 
@@ -41,10 +41,10 @@ For DNS policies, you will need to enable the block page on a per-policy basis. file="gateway/add-block-page" product="cloudflare-one" params={{ - firewallPolicyPath: "**Gateway** > **Firewall policies** > **DNS**", + firewallPolicyPath: + "**Traffic policies** > **Firewall policies** > **DNS**", blockBehaviorAction: "turn on", - }} - + }} /> diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx index d5a27c73d10cdb2..a4e422acf510800 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx @@ -17,7 +17,7 @@ To create a new DNS policy: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Firewall policies**. 2. In the **DNS** tab, select **Add a policy**. 3. Name the policy. 4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block. diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/egress-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/egress-policies.mdx index 2f9c750232873e4..2a349d9b6520b0a 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/egress-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-egress-policies/egress-policies.mdx 
@@ -16,7 +16,7 @@ Egress policies allow you to determine whether your organization's traffic egres To create a new egress policy: -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Egress policies**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Gateway** > **Egress policies**. 2. Select **Add a policy**. diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/browser-isolation.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/browser-isolation.mdx index 13f12d2d540690c..e545ff9d1346dd7 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/browser-isolation.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/browser-isolation.mdx @@ -25,7 +25,7 @@ You can control potential risk and shape user behavior without applying heavy-ha -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Firewall policies**. 2. In the **HTTP** tab, select **Add a policy**. diff --git a/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx b/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx index ac9df3279cb0874..aa45c58aa557c54 100644 --- a/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx +++ b/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx 
@@ -77,7 +77,7 @@ To create a pool using the dashboard, refer to the [Create a pool](/load-balanci - All endpoints with private IPs must have a [virtual network (VNET)](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/tunnel-virtual-networks/) specified. If you did not select a VNET when adding a Cloudflare Tunnel route, the endpoint will be assigned to the `default` VNET. - A pool cannot have multiple endpoints with the same IP address, even when using different virtual networks. You can assign endpoints with overlapping IPs to different pools, as shown in the [example diagram](#_top). -::: + ::: @@ -117,8 +117,8 @@ The following example adds a Cloudflare Tunnel endpoint to an existing Load Bala 2. Select **Create a Load Balancer**. 3. Select **Private Load Balancer**. 4. On the next step you can choose to associate this load balancer with either: - - A Cloudflare-assigned IP from the `100.112.0.0/16` range - - A custom `/32` IP in an [RFC 1918 range](https://datatracker.ietf.org/doc/html/rfc1918) + - A Cloudflare-assigned IP from the `100.112.0.0/16` range + - A custom `/32` IP in an [RFC 1918 range](https://datatracker.ietf.org/doc/html/rfc1918) 5. Add a descriptive name to identify your load balancer. 6. Proceed through the setup. 
@@ -128,14 +128,14 @@ After completing the setup, you will be redirected to the Load Balancing dashboa In order for WARP clients to connect to your load balancer, the load balancer's IP address must route through the WARP tunnel in your [Split Tunnel settings](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/). -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**. -2. Under **Device settings**, find the [device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) you would like to modify and select **Edit**. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Team & Resources** > **Device profiles**. +2. Find the [device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) you would like to modify and select **Edit**. 3. Under **Split Tunnels**, check whether your [Split Tunnels mode](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode) is set to **Exclude** or **Include**. 4. Select **Manage**. Depending on the mode: - **Exclude mode**: Delete the IP range that contains your load balancer IP. For example, if your load balancer has a Cloudflare-assigned CGNAT IP, delete `100.64.0.0/10`. We recommend [adding back the IPs](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-warp) that are not being used by your load balancer. :::note Some IPs in the `100.64.0.0/10` range may be reserved for other Zero Trust services such as Gateway initial resolved IPs or WARP CGNAT IPs. These IPs should remain deleted from the Exclude list. - ::: + ::: - **Include mode**: Add your load balancer IP. WARP traffic can now reach your private load balancer. For example, if your load balancer points to a web application, you can test by running `curl ` from the WARP device. 
This traffic will be distributed over Cloudflare Tunnel to your private endpoints according to your configured steering method. @@ -144,8 +144,8 @@ WARP traffic can now reach your private load balancer. For example, if your load If you want your load balancer and its endpoints to be transparently accessible to users via a hostname, you can create a Gateway DNS [Override policy](/cloudflare-one/traffic-policies/dns-policies/#override) that maps the hostname to the load balancer's IP address. This ensures that traffic destined for the hostname resolves to the correct IP. -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Gateway** > **Firewall policies**> **DNS**. -2. Select **Add DNS policy**. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Traffic policies** > **Firewall policies**> **DNS**. +2. Select **Add a policy**. 3. In **Traffic**, create an expression where the **Selector** equals `Host`, the **Operator** equals `is`, and **Value** is the hostname you wish to associate with your load balancer. For example, | Selector | Operator | Value | diff --git a/src/content/docs/security-center/indicator-feeds.mdx b/src/content/docs/security-center/indicator-feeds.mdx index 1bd1c68c6c0b50b..be24b917fe61cf3 100644 --- a/src/content/docs/security-center/indicator-feeds.mdx +++ b/src/content/docs/security-center/indicator-feeds.mdx 
@@ -132,7 +132,7 @@ Providers can create and manage a Custom Indicator Feed with the [Custom Indicat Once an account is granted access to a feed, it will be available to match traffic as a [selector in Gateway DNS policies](/cloudflare-one/traffic-policies/dns-policies/#indicator-feeds). -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. Select **DNS**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Firewall policies**. Select **DNS**. 2. To create a new DNS policy, select **Add a policy**. 3. Name your policy. 4. In **Traffic**, add a condition with the **Indicator Feeds** selector. If your account has been granted access to a Custom Indicator Feed, Gateway will list the feed in **Value**. For example, you can block sites that appear in a feed: diff --git a/src/content/partials/cloudflare-one/access/block-page.mdx b/src/content/partials/cloudflare-one/access/block-page.mdx index 248ac753b4aa950..451aad660bb3db1 100644 --- a/src/content/partials/cloudflare-one/access/block-page.mdx +++ b/src/content/partials/cloudflare-one/access/block-page.mdx @@ -31,7 +31,7 @@ Only available on Pay-as-you-go and Enterprise plans. To create a custom block page for Access: -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Reusable components** > **Custom Pages**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Reusable components** > **Custom pages**. 2. Find the **Access Custom Pages** setting and select **Manage**. diff --git a/src/content/partials/cloudflare-one/access/login-page.mdx b/src/content/partials/cloudflare-one/access/login-page.mdx index 7ff9f79d06b17b0..08bbebc719cbe99 100644 --- a/src/content/partials/cloudflare-one/access/login-page.mdx +++ b/src/content/partials/cloudflare-one/access/login-page.mdx @@ -1,6 +1,5 @@ --- {} - --- To change the appearance of your login page: 
@@ -10,11 +9,10 @@ To change the appearance of your login page: 2. Find the **Access login page** setting and select **Manage**. 3. Give the login page the look and feel of your organization by adding: - - * Your organization's name - * A logo - * A custom header and footer - * A preferred background color + - Your organization's name + - A logo + - A custom header and footer + - A preferred background color Any changes you make will be reflected in real time in the **Preview** card. diff --git a/src/content/partials/cloudflare-one/access/okta-zt-steps.mdx b/src/content/partials/cloudflare-one/access/okta-zt-steps.mdx index 920528585f499f5..3a4c76a6a09fb32 100644 --- a/src/content/partials/cloudflare-one/access/okta-zt-steps.mdx +++ b/src/content/partials/cloudflare-one/access/okta-zt-steps.mdx @@ -2,7 +2,7 @@ {} --- -import {} from "~/components" +import {} from "~/components"; 11. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Integrations** > **Identity providers**. 
@@ -14,11 +14,11 @@ import {} from "~/components" - **Client secret**: Enter your Okta client secret. - **Okta account URL**: Enter your [Okta domain](https://developer.okta.com/docs/guides/find-your-domain/main/), for example `https://my-company.okta.com`. -14. (Optional) Create an Okta API token and enter it in Zero Trust (the token can be read-only). This will prevent your Okta groups from failing if you have more than 100 groups. +14. (Optional) Create an Okta API token and enter it in [Cloudflare One](https://one.dash.cloudflare.com/) (the token can be read-only). This will prevent your Okta groups from failing if you have more than 100 groups. 15. (Optional) To configure [custom OIDC claims](/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims): 1. In Okta, create a [custom authorization server](https://developer.okta.com/docs/guides/customize-authz-server/main/) and ensure that the `groups` scope is enabled. - 2. In Zero Trust, enter the **Authorization Server ID** obtained from Okta. + 2. In [Cloudflare One](https://one.dash.cloudflare.com/), enter the **Authorization Server ID** obtained from Okta. 3. Under **Optional configurations**, enter the claims that you wish to add to your users' identity. 16. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts. diff --git a/src/content/partials/cloudflare-one/dex/pcaps-download.mdx b/src/content/partials/cloudflare-one/dex/pcaps-download.mdx index 1dc1b862e6683be..d12598c747619ed 100644 --- a/src/content/partials/cloudflare-one/dex/pcaps-download.mdx +++ b/src/content/partials/cloudflare-one/dex/pcaps-download.mdx 
@@ -2,7 +2,7 @@ {} --- -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DEX** > **Remote captures**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **DEX** > **Remote captures**. 2. Find a successful capture. 3. Select the three-dot menu and select **Download**. diff --git a/src/content/partials/cloudflare-one/gateway/add-block-page.mdx b/src/content/partials/cloudflare-one/gateway/add-block-page.mdx index c46e948134e5405..3b4555375dcf57d 100644 --- a/src/content/partials/cloudflare-one/gateway/add-block-page.mdx +++ b/src/content/partials/cloudflare-one/gateway/add-block-page.mdx @@ -6,7 +6,7 @@ params: import { Markdown } from "~/components"; -1. In [Zero Trust](https://one.dash.cloudflare.com), go to . +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to . 2. Select **Add a policy** to create a new policy, or choose the policy you want to customize and select **Edit**. You can only edit the block page for policies with a Block action. 3. Under **Configure policy settings**, {props.blockBehaviorAction} **Modify Gateway block behavior**. 4. Choose your block behavior: diff --git a/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx b/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx index f932182e5a816a9..14767ee105fa542 100644 --- a/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx +++ b/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx 
@@ -222,7 +222,7 @@ Therefore, the user is able to connect to `https://test.example.com`. ## Precedence calculations -When arranging policies in Zero Trust, Gateway automatically calculates the precedence for rearranged policies. +When arranging policies in [Cloudflare One](https://one.dash.cloudflare.com/), Gateway automatically calculates the precedence for rearranged policies. When using the API to create a policy, unless the precedence is explicitly defined in the policy, Gateway will assign precedence to policies starting at `1000`. Every time a new policy is added to the bottom of the order, Gateway will calculate the current highest precedence in the account and add a random integer between 1 and 100 to `1000` so that it now claims the maximum precedence in the account. To manually update a policy's precedence, use the [Update a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/update/) endpoint. You can set a policy's precedence to any value that is not already in use. diff --git a/src/content/partials/cloudflare-one/gateway/verify-connectivity.mdx b/src/content/partials/cloudflare-one/gateway/verify-connectivity.mdx index f574b845015cabe..ef193ea801332d6 100644 --- a/src/content/partials/cloudflare-one/gateway/verify-connectivity.mdx +++ b/src/content/partials/cloudflare-one/gateway/verify-connectivity.mdx 
@@ -1,12 +1,11 @@ --- inputParameters: GatewayLogType;;trafficTypePlural - --- -import { Markdown } from "~/components" +import { Markdown } from "~/components"; 1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Traffic policies** > **Traffic settings**. 2. Under **Log traffic activity**, enable activity logging for all {props.one} logs. 3. On your device, open a browser and go to any website. -4. In Cloudflare One, go to **Insights** > **Logs** > **Gateway** > **{props.one}**. +4. In Cloudflare One, go to **Insights** > **Logs** > **{props.one}**. 5. Make sure {props.one} {props.two} from your device appear. diff --git a/src/content/partials/cloudflare-one/posture/add-service-provider.mdx b/src/content/partials/cloudflare-one/posture/add-service-provider.mdx index 9c4d69d30475ab4..e9f9057f81cb520 100644 --- a/src/content/partials/cloudflare-one/posture/add-service-provider.mdx +++ b/src/content/partials/cloudflare-one/posture/add-service-provider.mdx @@ -3,9 +3,9 @@ params: - provider --- -import { Markdown } from "~/components" +import { Markdown } from "~/components"; -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**. -2. Scroll down to **Third-party service provider integrations** and select **Add new**. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Integrations** > **Service providers**. +2. Select **Add new**. 3. Select **{props.provider}**. -4. Enter any name for the provider. This name will be used throughout the dashboard to reference this connection. \ No newline at end of file +4. Enter any name for the provider. This name will be used throughout the dashboard to reference this connection. diff --git a/src/content/partials/cloudflare-one/warp/add-split-tunnels-route.mdx b/src/content/partials/cloudflare-one/warp/add-split-tunnels-route.mdx index 78a7780865aaf4f..8a394e1e1951afb 100644 --- a/src/content/partials/cloudflare-one/warp/add-split-tunnels-route.mdx 
+++ b/src/content/partials/cloudflare-one/warp/add-split-tunnels-route.mdx 
@@ -7,144 +7,147 @@ import SubtractIPCalculator from "~/components/SubtractIPCalculator.tsx"; -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**. -2. Under **Device settings**, locate the [device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) you would like to modify and select **Configure**. -3. Under **Split Tunnels**, check whether your [Split Tunnels mode](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode) is set to **Exclude** or **Include**. -4. Select **Manage**. -5. You can exclude or include routes based on either their IP address or domain. When possible we recommend adding an IP address instead of a domain. To learn about the consequences of adding a domain, refer to [Domain-based Split Tunnels](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#domain-based-split-tunnels). +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Devices** > **Device profiles**. +2. Locate the [device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) you would like to modify and select **Configure**. +3. Under **Split Tunnels**, check whether your [Split Tunnels mode](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode) is set to **Exclude** or **Include**. +4. Select **Manage**. +5. You can exclude or include routes based on either their IP address or domain. When possible we recommend adding an IP address instead of a domain. To learn about the consequences of adding a domain, refer to [Domain-based Split Tunnels](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#domain-based-split-tunnels). - + - To add an IP address to Split Tunnels: + To add an IP address to Split Tunnels: - 1. Select _IP Address_. - 2. 
Enter the IP address or CIDR you want to exclude or include. - 3. Select **Save destination**. + 1. Select _IP Address_. + 2. Enter the IP address or CIDR you want to exclude or include. + 3. Select **Save destination**. - Traffic to this IP address is now excluded or included from the WARP tunnel. + Traffic to this IP address is now excluded or included from the WARP tunnel. + + :::note - :::note If you would like to exclude a specific IP range from a larger IP range, you can use this calculator: - - ::: - - + + ::: + + - To add a domain to Split Tunnels: + To add a domain to Split Tunnels: - 1. Select _Domain_. - 2. Enter a [valid domain](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#valid-domains) to exclude or include. - 3. Select **Save destination**. - 4. (Optional) If your domain does not have a public DNS record, create a [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/local-domains/) entry to allow a private DNS server to handle domain resolution. + 1. Select _Domain_. + 2. Enter a [valid domain](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#valid-domains) to exclude or include. + 3. Select **Save destination**. + 4. (Optional) If your domain does not have a public DNS record, create a [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/local-domains/) entry to allow a private DNS server to handle domain resolution. - When a user goes to the domain, the domain gets resolved according to your Local Domain Fallback configuration (either by Gateway or by your private DNS server). WARP Split Tunnels will then dynamically include or exclude the IP address returned in the DNS lookup. + When a user goes to the domain, the domain gets resolved according to your Local Domain Fallback configuration (either by Gateway or by your private DNS server). 
WARP Split Tunnels will then dynamically include or exclude the IP address returned in the DNS lookup. - + 1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): - - `Zero Trust Write` + - `Zero Trust Write` 2. Choose a [`cloudflare_zero_trust_device_default_profile`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_device_default_profile) or [`cloudflare_zero_trust_device_custom_profile`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_device_custom_profile) resource to modify, or [create a new device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/#create-a-new-profile). 3. (Optional) Create a list of split tunnel routes that you can reuse across multiple device profiles. For example, you can declare a local value in the same module as your device profiles: - ```tf title="split-tunnels.local.tf" - locals { - global_exclude_list = [ - # Default Split Tunnel entries recommended by Cloudflare - { - address = "ff05::/16" - }, - { - address = "ff04::/16" - }, - { - address = "ff03::/16" - }, - { - address = "ff02::/16" - }, - { - address = "ff01::/16" - }, - { - address = "fe80::/10" - description = "IPv6 Link Local" - }, - { - address = "fd00::/8" - }, - { - address = "255.255.255.255/32" - description = "DHCP Broadcast" - }, - { - address = "240.0.0.0/4" - }, - { - address = "224.0.0.0/24" - }, - { - address = "192.168.0.0/16" - }, - { - address = "192.0.0.0/24" - }, - { - address = "172.16.0.0/12" - }, - { - address = "169.254.0.0/16" - description = "DHCP Unspecified" - }, - { - address = "100.64.0.0/10" - }, - { - address = "10.0.0.0/8" - } - ] - } - ``` + ```tf title="split-tunnels.local.tf" + locals { + global_exclude_list = [ + # Default Split Tunnel entries recommended by Cloudflare + { + address = "ff05::/16" + }, + { + 
address = "ff04::/16" + }, + { + address = "ff03::/16" + }, + { + address = "ff02::/16" + }, + { + address = "ff01::/16" + }, + { + address = "fe80::/10" + description = "IPv6 Link Local" + }, + { + address = "fd00::/8" + }, + { + address = "255.255.255.255/32" + description = "DHCP Broadcast" + }, + { + address = "240.0.0.0/4" + }, + { + address = "224.0.0.0/24" + }, + { + address = "192.168.0.0/16" + }, + { + address = "192.0.0.0/24" + }, + { + address = "172.16.0.0/12" + }, + { + address = "169.254.0.0/16" + description = "DHCP Unspecified" + }, + { + address = "100.64.0.0/10" + }, + { + address = "10.0.0.0/8" + } + ] + } + ``` + 4. In the device profile, exclude or include routes based on either their IP address or domain: - ```tf title="device-profiles.tf" - resource "cloudflare_zero_trust_device_custom_profile" "example" { - account_id = var.cloudflare_account_id - name = "Example custom profile with split tunnels" - enabled = true - precedence = 101 - service_mode_v2 = {mode = "warp"} - match = "identity.email == \"test@cloudflare.com\"" - - exclude = concat( - # Global entries - local.global_exclude_list, - - # Profile-specific entries - [ - { - address = "192.0.2.0/24" - description = "Example IP to exclude from WARP" - }, - { - host = "example.com" - description = "Example domain to exclude from WARP" - } - ] - ) - } - ``` - When possible we recommend adding an IP address instead of a domain. To learn about the consequences of adding a domain, refer to [Domain-based Split Tunnels](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#domain-based-split-tunnels). 
+ ```tf title="device-profiles.tf" + resource "cloudflare_zero_trust_device_custom_profile" "example" { + account_id = var.cloudflare_account_id + name = "Example custom profile with split tunnels" + enabled = true + precedence = 101 + service_mode_v2 = {mode = "warp"} + match = "identity.email == \"test@cloudflare.com\"" + + exclude = concat( + # Global entries + local.global_exclude_list, + + # Profile-specific entries + [ + { + address = "192.0.2.0/24" + description = "Example IP to exclude from WARP" + }, + { + host = "example.com" + description = "Example domain to exclude from WARP" + } + ] + ) + } + ``` + + When possible we recommend adding an IP address instead of a domain. To learn about the consequences of adding a domain, refer to [Domain-based Split Tunnels](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#domain-based-split-tunnels). diff --git a/src/content/partials/cloudflare-one/warp/change-split-tunnels-mode.mdx b/src/content/partials/cloudflare-one/warp/change-split-tunnels-mode.mdx index 22b4a63dfb5a1ca..8359d5176eadad9 100644 --- a/src/content/partials/cloudflare-one/warp/change-split-tunnels-mode.mdx +++ b/src/content/partials/cloudflare-one/warp/change-split-tunnels-mode.mdx 
@@ -2,12 +2,12 @@ {} --- -import { Tabs, TabItem } from '~/components'; +import { Tabs, TabItem } from "~/components"; -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**. -2. Under **Device settings**, locate the [device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) you would like to modify and select **Configure**. +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Devices** > **Device profiles**. +2. Locate the [device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) you would like to modify and select **Configure**. 3. Scroll down to **Split Tunnels**. 4. (Optional) To view your existing Split Tunnel configuration, select **Manage**. You will see a list of the IPs and domains Cloudflare Zero Trust excludes or includes, depending on the mode you have selected. We recommend making a copy of your Split Tunnel entries, as they will revert to the default upon switching modes. 5. Under **Split Tunnels**, choose a mode: 
@@ -16,52 +16,52 @@ import { Tabs, TabItem } from '~/components'; -1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): - - `Zero Trust Write` +1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): + - `Zero Trust Write` -2. Choose a [`cloudflare_zero_trust_device_default_profile`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_device_default_profile) or [`cloudflare_zero_trust_device_custom_profile`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_device_custom_profile) resource to modify, or [create a new device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/#create-a-new-profile). +2. Choose a [`cloudflare_zero_trust_device_default_profile`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_device_default_profile) or [`cloudflare_zero_trust_device_custom_profile`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_device_custom_profile) resource to modify, or [create a new device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/#create-a-new-profile). -3. In your device profile, configure either the `exclude` or `include` argument. You cannot set both `exclude` and `include` in a given device profile. +3. In your device profile, configure either the `exclude` or `include` argument. You cannot set both `exclude` and `include` in a given device profile. - a. To manage Split Tunnel routes in **Exclude** mode, use the `exclude` argument: + a. 
To manage Split Tunnel routes in **Exclude** mode, use the `exclude` argument: - ```tf - resource "cloudflare_zero_trust_device_custom_profile" "exclude_example" { - account_id = var.cloudflare_account_id - name = "Custom profile in Split Tunnels Exclude mode" - enabled = true - precedence = 101 - service_mode_v2 = {mode = "warp"} - match = "identity.email == \"test@cloudflare.com\"" + ```tf + resource "cloudflare_zero_trust_device_custom_profile" "exclude_example" { + account_id = var.cloudflare_account_id + name = "Custom profile in Split Tunnels Exclude mode" + enabled = true + precedence = 101 + service_mode_v2 = {mode = "warp"} + match = "identity.email == \"test@cloudflare.com\"" - exclude = [{ - address = "10.0.0.0/8" - description = "Example route to exclude from WARP tunnel" - }] - } - ``` + exclude = [{ + address = "10.0.0.0/8" + description = "Example route to exclude from WARP tunnel" + }] + } + ``` - In this example, all traffic will be sent to Cloudflare Gateway except for traffic destined to `10.0.0.0/8`. To exclude the default IPs and domains recommended by Cloudflare, refer to [Add a route](#add-a-route). + In this example, all traffic will be sent to Cloudflare Gateway except for traffic destined to `10.0.0.0/8`. To exclude the default IPs and domains recommended by Cloudflare, refer to [Add a route](#add-a-route). - b. To manage Split Tunnel routes in **Include** mode, use the `include` argument: + b. 
To manage Split Tunnel routes in **Include** mode, use the `include` argument: - ```tf - resource "cloudflare_zero_trust_device_custom_profile" "include_example" { - account_id = var.cloudflare_account_id - name = "Custom profile in Split Tunnels Include mode" - enabled = true - precedence = 101 - service_mode_v2 = {mode = "warp"} - match = "identity.email == \"test@cloudflare.com\"" + ```tf + resource "cloudflare_zero_trust_device_custom_profile" "include_example" { + account_id = var.cloudflare_account_id + name = "Custom profile in Split Tunnels Include mode" + enabled = true + precedence = 101 + service_mode_v2 = {mode = "warp"} + match = "identity.email == \"test@cloudflare.com\"" - include = [{ - address = "10.0.0.0/8" - description = "Example route to include in WARP tunnel" - }] - } - ``` + include = [{ + address = "10.0.0.0/8" + description = "Example route to include in WARP tunnel" + }] + } + ``` - In this example, only traffic destined to `10.0.0.0/8` will be sent to Cloudflare Gateway. + In this example, only traffic destined to `10.0.0.0/8` will be sent to Cloudflare Gateway. diff --git a/src/content/partials/cloudflare-one/warp/device-enrollment.mdx b/src/content/partials/cloudflare-one/warp/device-enrollment.mdx index 8aac443c13fbb1f..8f1025c123f07af 100644 --- a/src/content/partials/cloudflare-one/warp/device-enrollment.mdx +++ b/src/content/partials/cloudflare-one/warp/device-enrollment.mdx 
@@ -6,15 +6,15 @@ import { Tabs, TabItem } from "~/components"; -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**. -2. In **Device enrollment permissions**, select **Manage**. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Devices** > **Device profiles** > **Management**. +2. In **Device enrollment** > **Device enrollment permissions**, select **Manage**. 3. In the **Policies** tab, configure one or more [Access policies](/cloudflare-one/access-controls/policies/) to define who can join their device. For example, you could allow all users with a company email address: - | Rule type | Selector | Value | - | --------- | ---------| ------ | - | Include | Emails ending in | `@company.com` | -:::note + | Rule type | Selector | Value | + | --------- | ---------------- | -------------- | + | Include | Emails ending in | `@company.com` | +:::note Device posture checks are not supported in device enrollment policies. WARP can only perform posture checks after the device is enrolled. ::: @@ -68,4 +68,4 @@ Device posture checks are not supported in device enrollment policies. WARP can ``` - + diff --git a/src/content/partials/cloudflare-one/warp/edit-profile-settings.mdx b/src/content/partials/cloudflare-one/warp/edit-profile-settings.mdx index 3c139b3b7b1738e..2adf1e6e33c2a8e 100644 --- a/src/content/partials/cloudflare-one/warp/edit-profile-settings.mdx +++ b/src/content/partials/cloudflare-one/warp/edit-profile-settings.mdx 
@@ -4,8 +4,8 @@ import { Render } from "~/components"; -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**. -2. In the **Profile settings** card, find the profile you want to update and select **Configure**. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Devices** > **Device profiles**. +2. Locate the [device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) you would like to update and select **Configure**. 3. Use [selectors](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/#selectors) to add or adjust match rules, and modify [WARP settings](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-settings/#device-settings) for this profile as needed. :::note diff --git a/src/content/partials/cloudflare-one/warp/view-local-domains.mdx b/src/content/partials/cloudflare-one/warp/view-local-domains.mdx index 260ebb65e0af084..430725d5193b720 100644 --- a/src/content/partials/cloudflare-one/warp/view-local-domains.mdx +++ b/src/content/partials/cloudflare-one/warp/view-local-domains.mdx @@ -1,10 +1,7 @@ --- {} - --- -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**. - -2. Under **Device settings**, locate the [device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) you would like to view or modify and select **Configure**. - -3. Scroll down to **Local Domain Fallback** and select **Manage**. \ No newline at end of file +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Devices** > **Device profiles**. +2. Locate the [device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/) you would like to view or modify and select **Configure**. +3. Scroll down to **Local Domain Fallback** and select **Manage**. 
diff --git a/src/content/partials/learning-paths/zero-trust/create-zero-trust-org.mdx b/src/content/partials/learning-paths/zero-trust/create-zero-trust-org.mdx index 2d2c8b44b7fb15f..755d7b2f869d5de 100644 --- a/src/content/partials/learning-paths/zero-trust/create-zero-trust-org.mdx +++ b/src/content/partials/learning-paths/zero-trust/create-zero-trust-org.mdx @@ -33,7 +33,7 @@ To add Zero Trust to your Terraform configuration: } ``` - Replace ` **Custom Pages**. + Replace ` **Team name and domain**. You can now update Zero Trust organization settings using Terraform.
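Review bot: In `access/block-page.mdx`, step 1 now reads **Reusable components** > **Custom pages**, but the unchanged step 2 directly below it still says "Find the **Access Custom Pages** setting". If the dashboard label moved to sentence case, step 2 should be updated in the same hunk; if the setting name really is title case, say so in the PR description so the mismatch is not read as a missed rename.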
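Review bot: In `access/okta-zt-steps.mdx` (hunk `@@ -14,11 +14,11 @@`), the rewritten step 14 keeps "(the token can be read-only)", which reads as optional. Since the line is being touched anyway, consider wording it as a recommendation, for example "use a read-only token", so readers default to least privilege for a credential that is stored in the dashboard. In the same hunk, the context line for step 16 expands PKCE as "Proof of Key Exchange"; the term defined in RFC 7636 is "Proof Key for Code Exchange", and this is a good place to correct it.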
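Review bot: In `gateway/order-of-enforcement.mdx`, the paragraph touched by this hunk still has an ambiguous sentence in the unchanged context: Gateway "will calculate the current highest precedence in the account and add a random integer between 1 and 100 to `1000`". It is unclear whether the random integer is added to the current highest precedence or to the literal `1000`. Anyone setting precedence through the API depends on this, so please clarify which value is the base while editing this section.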
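Review bot: In `gateway/verify-connectivity.mdx`, step 4 drops the **Gateway** segment, so the path now ends at `**{props.one}**` directly under **Logs**. The front matter declares that parameter as `GatewayLogType`, so the rendered step is only correct if every page that includes this partial passes a value that matches the new menu label exactly. Please check each caller, or list the values passed in the PR description, because a mismatch sends the reader looking for a log view that does not exist when they try to verify that logging is working.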
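Review bot: In `warp/add-split-tunnels-route.mdx`, the `@@ -7,144 +7,147 @@` hunk mixes two real content changes (the navigation path in step 1 and the removal of "Under **Device settings**" in step 2) with a re-indent of both Terraform blocks, which makes it hard to confirm that `global_exclude_list` is unchanged. The 16 entries look identical on both sides, but please either split the formatting into its own commit or state in the PR that the Terraform blocks are whitespace-only. This list decides which traffic bypasses the WARP tunnel (it includes `10.0.0.0/8`, `172.16.0.0/12` and `192.168.0.0/16`), so an accidental edit here would matter.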
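Review bot: In `warp/change-split-tunnels-mode.mdx` (hunk `@@ -16,52 +16,52 @@`), both `exclude_example` and `include_example` carry `precedence = 101` and the same `match = "identity.email == \"test@cloudflare.com\""`. A reader who copies both resources into one module ends up with two custom profiles competing for the same user at the same precedence. Since the blocks are being re-indented anyway, give the second example a different precedence and match expression, or add a sentence saying the two examples are alternatives. Also, in the first hunk of this file, step 4 (unchanged context) still says "Cloudflare Zero Trust excludes or includes"; is that an intentional product reference or a missed rename?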