diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx
index d64fbee1905192..f80db42ff06490 100644
--- a/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx
+++ b/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx
@@ -2,10 +2,12 @@
{}
---
-import { Render } from "~/components";
+import { Render, Tabs, TabItem } from "~/components";
To create a new DNS policy:
+
+
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
2. In the **DNS** tab, select **Add a policy**.
3. Name the policy.
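Review bot: `Tabs` and `TabItem` are added to the import on `+import { Render, Tabs, TabItem } from "~/components";`, but the only other additions in this hunk are the two blank `+` lines after "To create a new DNS policy:", so nothing visible uses them. If the `<Tabs>`/`<TabItem>` wrappers were meant to sit on those lines, they are missing from the patch and the Dashboard steps that follow will not be rendered inside a tab.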
@@ -17,4 +19,38 @@ To create a new DNS policy:
/>
6. Select **Create policy**.
+
+
+
+
+1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
+
+ | Type | Item | Permission |
+ | ------- | ---------- | ---------- |
+ | Account | Zero Trust | Edit |
+
+2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/setup/find-account-and-zone-ids/), email address, and API token.
+3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/operations/zero-trust-gateway-rules-create-zero-trust-gateway-rule) endpoint. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories):
+
+ ```bash title="curl API example"
+ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
+ --header "X-Auth-Email: " \
+ --header "X-Auth-Key: " \
+ --data '{
+ "name": "Block security risks",
+ "description": "Block all default Cloudflare DNS security categories",
+ "precedence": 0,
+ "enabled": true,
+ "action": "block",
+ "filters": [
+ "dns"
+ ],
+ "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})"
+ "identity": "",
+ "device_posture": ""
+ }'
+ ```
+
+
+
For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
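Review bot: the JSON body in the curl example is invalid: the line `"traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})"` has no trailing comma before `"identity": ""`, so the request is rejected with a parse error before any rule is created; add the comma. Separately, step 1 has the reader create a scoped API token with `Account | Zero Trust | Edit`, but the request authenticates with `X-Auth-Email`/`X-Auth-Key`, which carry the global API key (full account rights, not scopable); an API token is sent as `Authorization: Bearer <token>`, which is also what the least-privilege permission table is setting up. The empty header values should carry visible placeholders so readers do not copy an empty header verbatim.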
diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx
index d146717bc39f97..9344149cc6f411 100644
--- a/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx
+++ b/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx
@@ -2,15 +2,17 @@
{}
---
-import { Render } from "~/components";
+import { Render, Tabs, TabItem } from "~/components";
To create a new HTTP policy:
+
+
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
2. In the **HTTP** tab, select **Add a policy**.
3. Name the policy.
4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
-5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have enabled TLS inspection, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:
+5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have enabled TLS decryption, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:
+
+
+
+1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
+
+ | Type | Item | Permission |
+ | ------- | ---------- | ---------- |
+ | Account | Zero Trust | Edit |
+
+2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/setup/find-account-and-zone-ids/), email address, and API token.
+3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/operations/zero-trust-gateway-rules-create-zero-trust-gateway-rule) endpoint. For example, if you have enabled TLS decryption, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:
+
+ ```bash title="curl API example"
+ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
+ --header "X-Auth-Email: " \
+ --header "X-Auth-Key: " \
+ --data '{
+ "name": "Do not inspect applications",
+ "description": "Bypass TLS decryption for unsupported applications",
+ "precedence": 0,
+ "enabled": true,
+ "action": "off",
+ "filters": [
+ "http"
+ ],
+ "traffic": "any(app.type.ids[*] in {16})",
+ "identity": "",
+ "device_posture": ""
+ }'
+ ```
+
+ Cloudflare also recommends adding a policy to block [known threats](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence:
+
+ ```bash title="curl API example"
+ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
+ --header "X-Auth-Email: " \
+ --header "X-Auth-Key: " \
+ --data '{
+ "name": "Block security categories",
+ "description": "Block all default Cloudflare HTTP security categories",
+ "precedence": 0,
+ "enabled": true,
+ "action": "block",
+ "filters": [
+ "http"
+ ],
+ "traffic": "any(http.request.uri.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
+ "identity": "",
+ "device_posture": ""
+ }'
+ ```
+
+
+
For more information, refer to [HTTP policies](/cloudflare-one/policies/gateway/http-policies/).
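Review bot: both curl examples authenticate with `X-Auth-Email`/`X-Auth-Key` while step 1 asks the reader to create a scoped API token; a token goes in `Authorization: Bearer <token>`, and the global key those headers carry sidesteps the `Account | Zero Trust | Edit` scoping the table describes. Two smaller points: the explanatory sentence in step 3 of the API list repeats step 5 of the dashboard list word for word, and `"traffic": "any(app.type.ids[*] in {16})"` uses a bare application-type ID with nothing saying what `16` refers to or where the reader can look the ID up, so the example is not reproducible from the text alone.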
diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx
index 93e7cd9acb26c1..1d00da8dc3f43f 100644
--- a/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx
+++ b/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx
@@ -2,10 +2,12 @@
{}
---
-import { Render } from "~/components";
+import { Render, Tabs, TabItem } from "~/components";
To create a new network policy:
+
+
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
2. In the **Network** tab, select **Add a policy**.
3. Name the policy.
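Review bot: as in the DNS partial, `Tabs` and `TabItem` are imported but the added lines after "To create a new network policy:" are blank, so the import is unused in the visible change; check that the tab wrappers were not dropped from the patch.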
@@ -17,4 +19,38 @@ To create a new network policy:
/>
6. Select **Create policy**.
+
+
+
+
+1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
+
+ | Type | Item | Permission |
+ | ------- | ---------- | ---------- |
+ | Account | Zero Trust | Edit |
+
+2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/setup/find-account-and-zone-ids/), email address, and API token.
+3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/operations/zero-trust-gateway-rules-create-zero-trust-gateway-rule) endpoint. For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device:
+
+ ```bash title="curl API example"
+ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
+ --header "X-Auth-Email: " \
+ --header "X-Auth-Key: " \
+ --data '{
+ "name": "Enforce device posture",
+ "description": "Ensure only devices in Zero Trust organization can connect to application",
+ "precedence": 0,
+ "enabled": true,
+ "action": "block",
+ "filters": [
+ "l4"
+ ],
+ "traffic": "any(net.sni.domains[*] == \"internalapp.com\")",
+ "identity": "",
+ "device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))"
+ }'
+ ```
+
+
+
For more information, refer to [network policies](/cloudflare-one/policies/gateway/network-policies/).
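Review bot: the `device_posture` expression `"not(any(device_posture.checks.passed[*] in {\"\"}))"` has an empty string where the device-serial-number posture check ID belongs. Copied as written, `any(... in {""})` is never true, so `not(...)` is always true and the `block` action applies to every connection to `internalapp.com`, company devices included, which is the opposite of what the step describes. Use an obvious placeholder such as `{\"<posture_check_id>\"}` and say where the ID is found, the way the dashboard table does with _Device serial numbers_; `internalapp.com` likewise deserves a note that it stands in for the reader's own application domain. The `X-Auth-Email`/`X-Auth-Key` versus API-token mismatch noted on the DNS partial applies to this example too.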
diff --git a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx
index a3d85e1112d6c7..acab3b57200def 100644
--- a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx
+++ b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx
@@ -2,9 +2,9 @@
{}
---
-In the following example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device:
+For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device:
| Selector | Operator | Value | Logic | Action |
| ---------------------------- | -------- | ----------------------- | ----- | ------ |
-| Passed Device Posture Checks | not in | _Device serial numbers_ | And | Block |
-| SNI Domain | is | `internalapp.com` | | |
+| SNI Domain | is | `internalapp.com` | And | Block |
+| Passed Device Posture Checks | not in | _Device serial numbers_ | | |