[Gateway] DNS API procedure #18724

Draft: wants to merge 4 commits into base: production
Expand Up @@ -2,10 +2,12 @@
{}
---

import { Render } from "~/components";
import { Render, Tabs, TabItem } from "~/components";

To create a new DNS policy:

<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
2. In the **DNS** tab, select **Add a policy**.
3. Name the policy.
Expand All @@ -17,4 +19,38 @@ To create a new DNS policy:
/>
6. Select **Create policy**.

</TabItem>

<TabItem label="API">

1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:

| Type | Item | Permission |
| ------- | ---------- | ---------- |
| Account | Zero Trust | Edit |

2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/setup/find-account-and-zone-ids/), email address, and API token.
3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/operations/zero-trust-gateway-rules-create-zero-trust-gateway-rule) endpoint. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories):

```bash title="curl API example"
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--data '{
"name": "Block security risks",
"description": "Block all default Cloudflare DNS security categories",
"precedence": 0,
"enabled": true,
"action": "block",
"filters": [
"dns"
],
"traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})"
"identity": "",
"device_posture": ""
}'
```

</TabItem> </Tabs>

For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
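Review bot: the JSON body in the curl example is malformed: the `"traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})"` line has no trailing comma before `"identity": ""`, so the API would reject the request with a parse error; add the comma, as the sibling HTTP and network examples already do. Separately, step 1 has the reader create an API token, but the request authenticates with `X-Auth-Email` / `X-Auth-Key`, which are the Global API Key headers; an API token is sent as `Authorization: Bearer <API_TOKEN>`, so either switch the headers or change step 1 to match, and consider showing the environment variables from step 2 in the request so that step is not a dead end.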
Expand Up @@ -2,15 +2,17 @@
{}
---

import { Render } from "~/components";
import { Render, Tabs, TabItem } from "~/components";

To create a new HTTP policy:

<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
2. In the **HTTP** tab, select **Add a policy**.
3. Name the policy.
4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have enabled TLS inspection, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:
5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have enabled TLS decryption, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:

<Render
file="gateway/policies/do-not-inspect-applications"
Expand All @@ -26,4 +28,59 @@ To create a new HTTP policy:

6. Select **Create policy**.

</TabItem>

<TabItem label="API">

1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:

| Type | Item | Permission |
| ------- | ---------- | ---------- |
| Account | Zero Trust | Edit |

2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/setup/find-account-and-zone-ids/), email address, and API token.
3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/operations/zero-trust-gateway-rules-create-zero-trust-gateway-rule) endpoint. For example, if you have enabled TLS decryption, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:

```bash title="curl API example"
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--data '{
"name": "Do not inspect applications",
"description": "Bypass TLS decryption for unsupported applications",
"precedence": 0,
"enabled": true,
"action": "off",
"filters": [
"http"
],
"traffic": "any(app.type.ids[*] in {16})",
"identity": "",
"device_posture": ""
}'
```

Cloudflare also recommends adding a policy to block [known threats](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence:
Suggested change
Cloudflare also recommends adding a policy to block [known threats](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence:
Cloudflare also recommends adding a policy to block [known threats](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence:

Issues:

  • Style Guide - (Terms-error) Use 'Cloudflare' instead of 'cloudflare'.

Fix Explanation:

Corrected the capitalization of 'cloudflare' to 'Cloudflare' as per the style guide recommendation. This is a simple capitalization fix and does not involve any code references or URLs.


```bash title="curl API example"
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--data '{
"name": "Block security categories",
"description": "Block all default Cloudflare HTTP security categories",
"precedence": 0,
"enabled": true,
"action": "block",
"filters": [
"http"
],
"traffic": "any(http.request.uri.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
"identity": "",
"device_posture": ""
}'
```

</TabItem> </Tabs>

For more information, refer to [HTTP policies](/cloudflare-one/policies/gateway/http-policies/).
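Review bot: both policies in this tab are created with `"precedence": 0`, which leaves the evaluation order between the Do Not Inspect rule and the block rule undefined from the reader's point of view; give them distinct precedence values and say which should run first, since the block rule matches on `http.request.uri.security_category`, which is only available for requests that are actually decrypted. The Do Not Inspect example also matches `any(app.type.ids[*] in {16})` with no explanation of what application type ID 16 refers to; a short parenthetical or a link to where that ID comes from would make the example reproducible. As in the DNS tab, the requests use `X-Auth-Email` / `X-Auth-Key` (Global API Key headers) although step 1 creates an API token, which is sent as `Authorization: Bearer <API_TOKEN>`.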
Expand Up @@ -2,10 +2,12 @@
{}
---

import { Render } from "~/components";
import { Render, Tabs, TabItem } from "~/components";

To create a new network policy:

<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
2. In the **Network** tab, select **Add a policy**.
3. Name the policy.
Expand All @@ -17,4 +19,38 @@ To create a new network policy:
/>
6. Select **Create policy**.

</TabItem>

<TabItem label="API">

1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:

| Type | Item | Permission |
| ------- | ---------- | ---------- |
| Account | Zero Trust | Edit |

2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/setup/find-account-and-zone-ids/), email address, and API token.
3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/operations/zero-trust-gateway-rules-create-zero-trust-gateway-rule) endpoint. For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device:

```bash title="curl API example"
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--data '{
"name": "Enforce device posture",
"description": "Ensure only devices in Zero Trust organization can connect to application",
"precedence": 0,
"enabled": true,
"action": "block",
"filters": [
"l4"
],
"traffic": "any(net.sni.domains[*] == \"internalapp.com\")",
"identity": "",
"device_posture": "not(any(device_posture.checks.passed[*] in {\"<LIST_UUID>\"}))"
}'
```

</TabItem> </Tabs>

For more information, refer to [network policies](/cloudflare-one/policies/gateway/network-policies/).
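Review bot: the `device_posture` expression in the example relies on a `<LIST_UUID>` placeholder, but nothing in step 3 tells the reader which object's UUID goes there (the device serial number list itself, or the posture check built from it) or where to retrieve it; one sentence after the `device serial numbers` link would close that gap. The header mismatch from the other tabs applies here too: step 1 creates an API token, while the curl sends `X-Auth-Email` / `X-Auth-Key`, the Global API Key headers, rather than `Authorization: Bearer <API_TOKEN>`.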
Expand Up @@ -2,9 +2,9 @@
{}
---

In the following example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device:
For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device:

| Selector | Operator | Value | Logic | Action |
| ---------------------------- | -------- | ----------------------- | ----- | ------ |
| Passed Device Posture Checks | not in | _Device serial numbers_ | And | Block |
| SNI Domain | is | `internalapp.com` | | |
| SNI Domain | is | `internalapp.com` | And | Block |
| Passed Device Posture Checks | not in | _Device serial numbers_ | | |