From bfe134c86698d9bc644eb8094997c9649785933c Mon Sep 17 00:00:00 2001
From: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com>
Date: Thu, 26 Sep 2024 15:31:58 +0100
Subject: [PATCH] [MWAN] WARP Connector breakout traffic (#17138)
* added warp encapsulation partial
* added new warp info to pages
* reworked explainer
* refined text
* refined text
---
.../breakout-traffic.mdx | 4 ++++
.../docs/magic-wan/zero-trust/warp.mdx | 22 +++++++++++--------
.../app-aware-policies/warp-traffic.mdx | 11 ++++++++++
3 files changed, 28 insertions(+), 9 deletions(-)
create mode 100644 src/content/partials/magic-wan/connector/app-aware-policies/warp-traffic.mdx
diff --git a/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/breakout-traffic.mdx b/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/breakout-traffic.mdx
index cac2ac3bcace10..765c4ce00fc88d 100644
--- a/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/breakout-traffic.mdx
+++ b/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/breakout-traffic.mdx
@@ -179,3 +179,7 @@ Take note of the `"id"` value for the application that want to delete.
```
+
+## WARP traffic
+
+
\ No newline at end of file
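Review bot: the `## WARP traffic` heading appended to breakout-traffic.mdx has no body, so readers land on an empty section. The text for it appears to be the new `src/content/partials/magic-wan/connector/app-aware-policies/warp-traffic.mdx` partial created later in this patch, which nothing in the patch renders; include it under the heading (presumably via the docs repo's `Render` partial component) rather than leaving two blank `+` lines. The `\ No newline at end of file` marker also shows the added heading block drops the file's trailing newline; add one back.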
diff --git a/src/content/docs/magic-wan/zero-trust/warp.mdx b/src/content/docs/magic-wan/zero-trust/warp.mdx
index 5feaa6e733a15d..16de397e0d386b 100644
--- a/src/content/docs/magic-wan/zero-trust/warp.mdx
+++ b/src/content/docs/magic-wan/zero-trust/warp.mdx
@@ -55,6 +55,18 @@ You must log out and log back in with at least one WARP device to ensure the con
+## Double encapsulation
+
+When a WARP user goes to a location (like an office) with a Magic WAN tunnel already set up, WARP traffic is doubly encapsulated — first by WARP and then by Magic WAN. This is unnecessary, since each on-ramp method provides full Zero Trust protection.
+
+Since WARP traffic is already protected on its own, Cloudflare recommends that you set up Magic WAN to exclude WARP traffic, sending it to the Internet through regular connections.
+
+To learn which IP addresses and UDP ports you should exclude to accomplish this, refer to [WARP ingress IP](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip).
+
+### WARP and Magic WAN Connector
+
+
+
## Test WARP integration
Before testing, be sure to [configure domain fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/#add-a-domain) for the server or service in WARP settings. This is needed because by default Cloudflare Zero Trust excludes common top level domains used for local resolution from being sent to Gateway for processing.
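Review bot: `### WARP and Magic WAN Connector` is added with nothing beneath it, which reads as a missing include rather than an intentional stub; the matching content is the `warp-traffic.mdx` partial added at the end of this patch, so render it here or drop the heading until the content lands. Two smaller points in the same hunk: the moved Double encapsulation text still promises "which IP addresses and UDP ports you should exclude" but now links only to WARP ingress IP (the removed version's second link pointed at the same `#warp-ingress-ip` anchor, so dropping it is fine, but the sentence should then mention only what the link covers); and the hyphen in "doubly encapsulated - first" was changed to an em dash, which is a style choice worth keeping consistent with the rest of the page.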
@@ -71,12 +83,4 @@ nslookup
This DNS lookup should return a valid IP address associated with the server or service you are testing for.
-Next, test with a browser that you can connect to a service on the WAN by opening a webpage that is only accessible on the WAN. The server can be the same server used in the DNS lookup or another server in the WAN. Connecting using an IP address instead of a domain name should work.
-
-## Double encapsulation
-
-When a WARP user goes to a location (like an office) with a Magic WAN tunnel already set up, WARP traffic is doubly encapsulated - first by WARP and then by Magic WAN. This is unnecessary, since each on-ramp method provides full Zero Trust protection.
-
-Since WARP traffic is already protected on its own, Cloudflare recommends that you set up Magic WAN to exclude WARP traffic, sending it to the Internet through regular connections.
-
-To learn which IP addresses and UDP ports you should exclude to accomplish this, refer to [WARP ingress IP](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip) and [WARP UDP ports](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#warp-ingress-ip).
+Next, test with a browser that you can connect to a service on the WAN by opening a webpage that is only accessible on the WAN. The server can be the same server used in the DNS lookup or another server in the WAN. Connecting using an IP address instead of a domain name should work.
\ No newline at end of file
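Review bot: the restored `+Next, test with a browser ...` line loses the trailing newline that the `-` line it replaces had (`\ No newline at end of file`); keep the newline so the file ends cleanly. Removing the old Double encapsulation block here is consistent with its re-insertion before `## Test WARP integration`, and dropping the `[WARP UDP ports]` link is correct since its anchor duplicated `#warp-ingress-ip`.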
diff --git a/src/content/partials/magic-wan/connector/app-aware-policies/warp-traffic.mdx b/src/content/partials/magic-wan/connector/app-aware-policies/warp-traffic.mdx
new file mode 100644
index 00000000000000..0f7c01902904c1
--- /dev/null
+++ b/src/content/partials/magic-wan/connector/app-aware-policies/warp-traffic.mdx
@@ -0,0 +1,11 @@
+---
+{}
+---
+
+If you have Magic WAN Connector and WARP clients deployed in your premises, Magic WAN Connector automatically routes WARP traffic to the Internet rather than Magic WAN IPsec tunnels. This prevents traffic from being encapsulated twice.
+
+You may need to configure your firewall to allow this new traffic. Make sure to allow the following IPs and ports:
+
+- **Destination IPs**: `162.159.193.0/24`, `162.159.197.0/24`
+- **Destination ports**: `443`, `500`, `1701`, `2408`, `4443`, `4500`, `8095`, `844`
+Refer to [WARP with firewall](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/) for more information on this topic.
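Review bot: the last port in the `**Destination ports**` bullet is `844`, which looks like a truncated value next to `8095` and `4443`; verify it against the linked WARP with firewall page before merging. The bullet also gives no protocol (TCP versus UDP) for the ports, which a firewall administrator needs to write the rule. Formatting: `Refer to [WARP with firewall](...)` follows the last bullet without a blank line, so Markdown renders it as a lazy continuation of that list item; insert a blank line before it. Finally, this partial is created but not rendered by any other hunk in the patch, so the empty headings added in breakout-traffic.mdx and warp.mdx will ship without it.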