Add HTTP API example

cloudflare · Dec 13, 2024 · e0ad3cd · e0ad3cd
1 parent 4f9de6a
commit e0ad3cd
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 5 deletions.
diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx
@@ -38,14 +38,16 @@ To create a new DNS policy:
    --header "X-Auth-Key: <API_KEY>" \
    --data '{
    "name": "Block security risks",
-   "description": "Block all default Cloudflare security categories",
+   "description": "Block all default Cloudflare DNS security categories",
    "precedence": 0,
    "enabled": true,
    "action": "block",
    "filters": [
    	"dns"
    ],
    "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})"
+   "identity": "",
+   "device_posture": ""
    }'
    ```
 

diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx
@@ -2,15 +2,17 @@
 {}
 ---
 
-import { Render } from "~/components";
+import { Render, Tabs, TabItem } from "~/components";
 
 To create a new HTTP policy:
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
 2. In the **HTTP** tab, select **Add a policy**.
 3. Name the policy.
 4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
-5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have enabled TLS inspection, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:
+5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have enabled TLS decryption, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:
 
    <Render
    	file="gateway/policies/do-not-inspect-applications"
@@ -26,4 +28,59 @@ To create a new HTTP policy:
 
 6. Select **Create policy**.
 
+</TabItem>
+
+<TabItem label="API">
+
+1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
+
+   | Type    | Item       | Permission |
+   | ------- | ---------- | ---------- |
+   | Account | Zero Trust | Edit       |
+
+2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/setup/find-account-and-zone-ids/), email address, and API token.
+3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/operations/zero-trust-gateway-rules-create-zero-trust-gateway-rule) endpoint. For example, if you have enabled TLS decryption, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:
+
+   ```bash title="curl API example"
+   curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
+   --header "X-Auth-Email: <EMAIL>" \
+   --header "X-Auth-Key: <API_KEY>" \
+   --data '{
+   "name": "Do not inspect applications",
+   "description": "Bypass TLS decryption for unsupported applications",
+   "precedence": 0,
+   "enabled": true,
+   "action": "off",
+   "filters": [
+   	"http"
+   ],
+   "traffic": "any(app.type.ids[*] in {16})",
+   "identity": "",
+   "device_posture": ""
+   }'
+   ```
+
+   Cloudflare also recommends adding a policy to block [known threats](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence:
+
+   ```bash title="curl API example"
+   curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
+   --header "X-Auth-Email: <EMAIL>" \
+   --header "X-Auth-Key: <API_KEY>" \
+   --data '{
+   "name": "Block security categories",
+   "description": "Block all default Cloudflare HTTP security categories",
+   "precedence": 0,
+   "enabled": true,
+   "action": "block",
+   "filters": [
+   	"http"
+   ],
+   "traffic": "any(http.request.uri.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
+   "identity": "",
+   "device_posture": ""
+   }'
+   ```
+
+</TabItem> </Tabs>
+
 For more information, refer to [HTTP policies](/cloudflare-one/policies/gateway/http-policies/).
diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx
@@ -4,10 +4,10 @@
 
 import { Render, Tabs, TabItem } from "~/components";
 
-<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
-
 To create a new network policy:
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
 2. In the **Network** tab, select **Add a policy**.
 3. Name the policy.
@@ -46,6 +46,7 @@ To create a new network policy:
    	"l4"
    ],
    "traffic": "any(net.sni.domains[*] == \"internalapp.com\")",
+   "identity": "",
    "device_posture": "not(any(device_posture.checks.passed[*] in {\"<LIST_UUID>\"}))"
    }'
    ```