diff --git a/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx b/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx
index 6105768e0e1005b..70f425d91a13019 100644
--- a/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx
+++ b/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx
@@ -5,7 +5,7 @@ sidebar:
order: 5
---
-import { Render } from "~/components";
+import { Render, Tabs, TabItem } from "~/components";
With Cloudflare Zero Trust, you can deliver actionable feedback to users when they are blocked by a Gateway policy. Custom block messages can reduce user confusion and decrease your IT ticket load.
@@ -35,6 +35,8 @@ The Gateway custom block page is a different concept from [Access custom block p
For DNS policies, you will need to enable the block page on a per-policy basis.
+
+
+
+
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+ - `Zero Trust Write`
+
+2. Choose a DNS policy with a Block action.
+
+3. In the policy's [`rule_settings`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_gateway_policy), turn on `block_page_enabled`. If you have configured a [custom Gateway block page](/cloudflare-one/policies/gateway/block-page/#customize-the-block-page), you can optionally show an additional `block_reason` when traffic is blocked by this policy.
+
+ ```tf
+ resource "cloudflare_zero_trust_gateway_policy" "dns_block_security_categories" {
+ name = "Block DNS Security Categories"
+ enabled = true
+ account_id = var.cloudflare_account_id
+ description = "Managed by Terraform - Generic security policy based on Cloudflare Threat Intelligence categories."
+ precedence = 101
+ action = "block"
+ filters = ["dns"]
+ /* Categories being enabled here:
+ - 80: "Command and Control & Botnet"
+ - 83: "Cryptomining"
+ - 117: "Malware"
+ - 131: "Phishing"
+ - 153: "Spyware"
+ - 175: "DNS Tunneling"
+ - 176: "DGA Domains"
+ - 178: "Brand Embedding"
+ */
+ traffic = "any(dns.security_category[*] in {80 83 117 131 153 175 176 178})"
+ identity = ""
+
+ rule_settings = {
+ block_page_enabled = true
+ block_reason = "This domain has been flagged as a potential security risk." // Adds an additional message to the custom block page. Requires enabling custom block page in cloudflare_zero_trust_gateway_settings.
+ }
+ }
+ ```
+
+
+
### Customize the block page
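Review bot: `identity = ""` near the end of the policy block is left unexplained, while the other policy examples in this change either set a real selector or omit the argument entirely, so a reader cannot tell whether the empty string is meaningful or a leftover. If an empty identity expression means the policy applies regardless of user identity (confirm against the provider docs), say so inline: `identity = "" // empty expression: the policy applies regardless of user identity`, or drop the line to match the catch-all example. The trailing comment on the `block_reason` line is also long enough to push the attribute off screen; placing it on its own line above the attribute reads better.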
diff --git a/src/content/docs/learning-paths/replace-vpn/build-policies/create-policy.mdx b/src/content/docs/learning-paths/replace-vpn/build-policies/create-policy.mdx
index f07eaecfcd88ede..95d37e862f9caa2 100644
--- a/src/content/docs/learning-paths/replace-vpn/build-policies/create-policy.mdx
+++ b/src/content/docs/learning-paths/replace-vpn/build-policies/create-policy.mdx
@@ -77,7 +77,25 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
}'
```
-
+
+
+
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "dns_allow_wiki_domains" {
+ name = "Company Wiki DNS policy"
+ enabled = true
+ account_id = var.cloudflare_account_id
+ description = "Managed by Terraform - Allow employees to access company wiki domains."
+ precedence = 102
+ action = "allow"
+ filters = ["dns"]
+ traffic = "any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.wiki_domains.id})"
+ identity = "identity.email matches \".*@example.com\""
+}
+```
+
+
+
## Example network policy
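Review bot: The `traffic` expression builds the list reference as `${"$"}${cloudflare_zero_trust_list.wiki_domains.id}` and nothing tells the reader why the literal `$` is spelled as a nested interpolation; the same construction appears in the network policy, catch-all policy and WARP session hunks of this change. A short comment stops readers from "simplifying" it to `$${...}`, which HCL treats as an escape for a literal `${` and so would never interpolate the ID: `# "${"$"}" emits the literal "$" that Gateway list references require; "$${" would be read as an escape`. Separately, the selector `identity.email matches \".*@example.com\"` is unanchored and leaves the `.` unescaped, so if `matches` performs a substring regex match it also accepts addresses whose domain merely begins with `example.com`; `.*@example\\.com$` is the safer form — confirm the operator's anchoring semantics before changing it.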
@@ -135,7 +153,25 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
}'
```
-
+
+
+
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "network_allow_wiki_IPs" {
+ name = "Company Wiki Network policy"
+ enabled = true
+ account_id = var.cloudflare_account_id
+ description = "Managed by Terraform - Allow employees to access company wiki IPs."
+ precedence = 103
+ action = "allow"
+ filters = ["l4"]
+ traffic = "net.dst.ip in ${"$"}${cloudflare_zero_trust_list.wiki_IPs.id}"
+ identity = "identity.email matches \".*@example.com\""
+}
+```
+
+
+
### Catch-all policy
@@ -197,7 +233,24 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
}'
```
-
+
+
+
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "network_catch_all" {
+ name = "Catch-all block policy"
+ enabled = true
+ account_id = var.cloudflare_account_id
+ description = "Managed by Terraform - Block access to private network."
+ precedence = 14002
+ action = "block"
+ filters = ["l4"]
+ traffic = "net.dst.ip in ${"$"}${cloudflare_zero_trust_list.private_IPs.id} or any(net.sni.domains[*] in ${"$"}${cloudflare_zero_trust_list.private_domains.id})"
+}
+```
+
+
+
Network policies are evaluated in [top-down order](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence), so if a user does not match an explicitly defined policy for an application, they will be blocked.
To learn how multiple policies interact, refer to [Order of enforcement](/cloudflare-one/policies/gateway/order-of-enforcement/).
diff --git a/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx b/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx
index 902431b8c30818d..0ce7d8282954673 100644
--- a/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx
+++ b/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx
@@ -2,10 +2,14 @@
{}
---
+import { Tabs, TabItem } from "~/components";
+
You can customize the Cloudflare-hosted block page by making global changes that Gateway will display every time a user reaches your block page. Customizations will apply regardless of the type of policy (DNS or HTTP) that blocks the traffic.
To customize your block page:
+
+
1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Custom Pages**.
2. Under **Account Gateway block page**, select **Customize**.
3. Choose **Custom Gateway block page**. Gateway will display a preview of your custom block page. Available customizations include:
@@ -17,4 +21,35 @@ To customize your block page:
- Background color
4. Select **Save**.
+
+
+
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+ - `Zero Trust Write`
+
+2. In [`cloudflare_zero_trust_gateway_settings`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_gateway_settings), configure the `block_page` argument with your customizations:
+
+ ```tf
+ resource "cloudflare_zero_trust_gateway_settings" "team_name" {
+ account_id = var.cloudflare_account_id
+ settings = {
+ block_page = {
+ enabled = true //do not use the default Gateway block page
+ mode = "customized_block_page" //use a custom block page
+ name = "Cloudflare"
+ logo_path = "https://logos.com/a.png"
+ header_text = "--header--"
+ footer_text = "--footer--"
+ mailto_address = "admin@example.com"
+ mailto_subject = "Blocked Request"
+ background_color = "#ffffff"
+ suppress_footer = false
+ }
+ }
+ }
+ ```
+
+
+
Gateway will now display a custom Gateway block page when your users visit a blocked website.
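Review bot: `logo_path = "https://logos.com/a.png"` points readers at a real, unrelated domain, while the rest of the example already uses the reserved `example.com` for the mailto address; a copied-and-applied configuration would fetch its block-page logo from whoever controls that host. Use a documentation domain consistently: `logo_path = "https://example.com/logo.png"`. As a style point, the two inline comments (`//do not use the default Gateway block page`, `//use a custom block page`) have no space after `//`, unlike the comments elsewhere in this change.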
diff --git a/src/content/partials/cloudflare-one/gateway/lists.mdx b/src/content/partials/cloudflare-one/gateway/lists.mdx
index 7e7308196ff8db9..308ca26f469a8c7 100644
--- a/src/content/partials/cloudflare-one/gateway/lists.mdx
+++ b/src/content/partials/cloudflare-one/gateway/lists.mdx
@@ -25,12 +25,42 @@ When you format a CSV file for upload:
To upload the list to Zero Trust:
+
+
1. In [Zero Trust](https://one.dash.cloudflare.com), go to **My Team** > **Lists**.
2. Select **Upload CSV**.
3. Next, specify a **List name**, enter an optional description, and choose a **List type**.
4. Drag and drop a file into the **CSV file** window, or select a file.
5. Select **Create**.
+
+
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+ - `Zero Trust Write`
+
+2. Decode the contents of the CSV file and store it as a local value:
+
+ ```tf
+ locals {
+ ip_list = csvdecode(file("${path.module}/list-test.csv"))
+ }
+ ```
+3. Create a list using the [`cloudflare_zero_trust_list`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_list) resource:
+
+ ```tf
+ resource "cloudflare_zero_trust_list" "ips_from_csv" {
+ account_id = var.cloudflare_account_id
+ name = "IPs imported from CSV"
+ description = "Managed by Terraform"
+ type = "IP"
+ items = local.ip_list
+ }
+ ```
+
+
+
+
You can now use this list in the policy builder by choosing the _in list_ operator.
## Create a list manually
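Review bot: Step 2 passes `csvdecode(...)` straight into `items` without saying what column names the CSV must have; `csvdecode` keys each row by the header line, so the decoded objects only match the `items` schema shown later in this file (`value`, optional `description`) when the header uses exactly those names. Either state that in step 2 (`The CSV header row must name its columns value and, optionally, description so that each decoded row matches the list item schema.`) or map the columns explicitly in the `locals` block. The CSV formatting rules referenced at the top of the hunk are outside it, so I cannot confirm whether they already require that header.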
@@ -59,6 +89,51 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/lists \
}'
```
-
+
+
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+ - `Zero Trust Write`
+
+2. Create a list using the [`cloudflare_zero_trust_list`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_list) resource.
+
+ Example list of IPs:
+ ```tf
+ resource "cloudflare_zero_trust_list" "wiki_IPs" {
+ account_id = var.cloudflare_account_id
+ name = "Company Wiki IP addresses"
+ description = "Managed by Terraform"
+ type = "IP"
+ items = [
+ {
+ description = "Example IP address range"
+ value = "192.0.2.0/24",
+ },
+ {
+ value = "198.51.100.0/24"
+ }
+ ]
+ }
+ ```
+
+ Example list of domains:
+ ```tf
+ resource "cloudflare_zero_trust_list" "wiki_domains" {
+ account_id = var.cloudflare_account_id
+ name = "Company Wiki Domains"
+ description = "Managed by Terraform"
+ type = "DOMAIN"
+ items = [
+ {
+ value = "wiki.example.com"
+ },
+ {
+ value = "wiki2.example.com"
+ }]
+ }
+ ```
+
+
+
You can now use this list in the policy builder by choosing the _in list_ operator.
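Review bot: The two `items` blocks are formatted inconsistently: the IP example uses trailing commas after `"192.0.2.0/24"` and after the first `}`, while the domain example has none and closes with `}]` on one line. Both are valid HCL, but copy-paste readers will wonder whether the difference matters; running both snippets through `terraform fmt` (each object on its own lines, `]` on its own line, no trailing commas) makes them read as one style. Only the first IP item carries a `description`, which is fine but worth a one-line mention in step 2 that it is optional.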
diff --git a/src/content/partials/cloudflare-one/warp/warp-sessions-gateway.mdx b/src/content/partials/cloudflare-one/warp/warp-sessions-gateway.mdx
index c2cef4781b1b690..417fcc8e11b8b26 100644
--- a/src/content/partials/cloudflare-one/warp/warp-sessions-gateway.mdx
+++ b/src/content/partials/cloudflare-one/warp/warp-sessions-gateway.mdx
@@ -3,16 +3,53 @@
---
+import { TabItem, Tabs } from "~/components";
+
You can enforce WARP session timeouts on any Gateway Network and HTTP policy that has an Allow action. If you do not specify a session timeout, the WARP session will be unlimited by default.
Session timeouts have no impact on Gateway DNS policies. DNS policies remain active even when a user needs to re-authenticate.
To configure a session timeout for a Gateway policy:
+
+
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to either **Gateway** > **Firewall Policies**. Choose either **Network** or **HTTP**.
2. Add a policy and select the *Allow* action. Alternatively, choose any existing *Allow* policy.
3. Under **Step 4 - Configure policy settings**, select **Edit** next to **Enforce WARP client session duration**.
4. Enter a session expiration time in `1h30m0s` format and save.
5. Save the policy.
+
+
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+ - `Zero Trust Write`
+
+2. Choose a Network (`l4`) or HTTP (`http`) policy with an Allow action.
+
+3. In the policy's [`rule_settings`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_gateway_policy), use the `check_session` argument to enable and configure a session timeout:
+
+ ```tf
+ resource "cloudflare_zero_trust_gateway_policy" "network_allow_wiki_IPs" {
+ name = "Company Wiki Network policy"
+ enabled = true
+ account_id = var.cloudflare_account_id
+ description = "Managed by Terraform - Allow employees to access company wiki IPs."
+ precedence = 103
+ action = "allow"
+ filters = ["l4"]
+ traffic = "net.dst.ip in ${"$"}${cloudflare_zero_trust_list.wiki_IPs.id}"
+ identity = "identity.email matches \".*@example.com\""
+
+ rule_settings = {
+ check_session = {
+ enforce = true
+ duration = "1h30m0s"
+ }
+ }
+ }
+ ```
+
+
+
Session checks are now enabled for the application protected by this policy. Users can continue to reach applications outside of the policy definition.
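Review bot: The example reuses the resource address `cloudflare_zero_trust_gateway_policy.network_allow_wiki_IPs`, with the same name and precedence 103, that the create-policy page in this same change defines; readers following the learning path who paste both into one module will get a duplicate-resource error from Terraform rather than a session-timeout addition. Either say explicitly that this block replaces the earlier one (`This is the network policy from the previous step with check_session added; update that resource rather than adding a second one.`) or give the example a distinct name. The `duration` value matches the `1h30m0s` format given in step 4 of the dashboard instructions above, which keeps the two tabs consistent.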