[Gateway] DNS common policy API examples #18903

Open
wants to merge 10 commits into
base: production
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ head:
content: Common HTTP policies
---

import { Render } from "~/components";
import { Render, Tabs, TabItem } from "~/components";

The following policies are commonly used to secure HTTP traffic.

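Review bot: `Tabs` and `TabItem` are added to the import on the changed line, but nothing in the hunks shown for this file uses them; if no tabbed block is added further down the page, the import is dead and should be left as `import { Render } from "~/components";` so a lint pass for unused imports does not flag it later.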
Expand Down Expand Up @@ -36,9 +36,22 @@ Block a section of a site without blocking the entire site. For example, you can

<Render file="gateway/policies/content-categories" />

<Render file="gateway/policies/block-applications" />
## Block unauthorized applications

<Render file="gateway/policies/policies-optional" />
<Render file="gateway/policies/block-applications" product="cloudflare-one" />

| Selector | Operator | Value | Action |
| ----------- | -------- | ------------------------- | ------ |
| Application | in | _Artificial Intelligence_ | Block |

## Check user identity

<Render file="gateway/policies/check-user-identity" />

| Selector | Operator | Value | Logic | Action |
| ---------------- | -------- | ------------- | ----- | ------ |
| Application | in | _Salesforce_ | And | Block |
| User Group Names | in | _Contractors_ | | |

## Skip inspection for groups of applications

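Review bot: the `product="cloudflare-one"` prop is passed to `<Render file="gateway/policies/block-applications" product="cloudflare-one" />` but not to `<Render file="gateway/policies/check-user-identity" />` a few lines below, although both partials are rendered from the same product docs; either both Render calls need the prop or neither does, so please make them consistent. It is also worth confirming that dropping `<Render file="gateway/policies/policies-optional" />` is intentional, since this PR deletes two files and the page loses that note without a replacement in this hunk.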
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,15 +8,28 @@ head:
content: Common network policies
---

import { Render } from "~/components";
import { Render, Tabs, TabItem } from "~/components";

The following policies are commonly used to secure network traffic.

Refer to the [network policies page](/cloudflare-one/policies/gateway/network-policies/) for a comprehensive list of other selectors, operators, and actions.

<Render file="gateway/policies/block-applications" />
## Block unauthorized applications

<Render file="gateway/policies/policies-optional" />
<Render file="gateway/policies/block-applications" product="cloudflare-one" />

| Selector | Operator | Value | Action |
| ----------- | -------- | ------------------------- | ------ |
| Application | in | _Artificial Intelligence_ | Block |

## Check user identity

<Render file="gateway/policies/check-user-identity" />

| Selector | Operator | Value | Logic | Action |
| ---------------- | -------- | ------------- | ----- | ------ |
| Application | in | _Salesforce_ | And | Block |
| User Group Names | in | _Contractors_ | | |

## Enforce device posture

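Review bot: the two tables added here (Application in _Artificial Intelligence_, Block; Application in _Salesforce_ And User Group Names in _Contractors_, Block) are byte-for-byte copies of the tables added to the HTTP policies page in this same PR. The sentences around them already come from the `block-applications` and `check-user-identity` partials, so the tables belong in those partials as well; otherwise the two pages will drift the next time one example is edited. If the duplication is deliberate because HTTP and network policies expose different selectors, one sentence saying so would justify keeping the copies.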
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ To create a new DNS policy:
--header "Content-Type: application/json" \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{
"name": "Block security risks",
"name": "Block security threats",
"description": "Block all default Cloudflare DNS security categories",
"precedence": 0,
"enabled": true,
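Review bot: the policy name changes from "Block security risks" to "Block security threats", but the Security Categories table partial touched later in this PR still reads _All security risks_ and the `description` on the next line says "Block all default Cloudflare DNS security categories"; the three labels should use one term so a reader can match this API example to the dashboard policy they are told to create.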
Expand All @@ -47,7 +47,6 @@ To create a new DNS policy:
],
"traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
"identity": "",
"device_posture": ""
}'
```

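Review bot: this hunk removes one line from the JSON body (`-47,7 +47,6`). If the removed line is `"device_posture": ""`, then `"identity": "",` becomes the last property and its trailing comma makes the body invalid JSON, so the API will reject the curl call; either drop the comma from `"identity": ""` or remove both empty fields together. If `"identity": "",` is the line removed instead, the body stays valid. The rendered diff does not show which, so please check that the final body parses (for example by piping it through `jq`) before merging.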
Expand Down
Original file line number Diff line number Diff line change
@@ -1,19 +1,11 @@
---
{}

---

import { GlossaryTooltip } from "~/components"

## Block unauthorized applications

To minimize the risk of <GlossaryTooltip term="shadow IT" link="https://www.cloudflare.com/learning/access-management/what-is-shadow-it/">shadow IT</GlossaryTooltip>, some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks AI assistants:

| Selector | Operator | Value | Action |
| ----------- | -------- | ----------------------------------------------- | ------ |
| Application | in | *Microsoft Copilot*, *ChatGPT*, *Google Gemini* | Block |
import { GlossaryTooltip, Tabs, TabItem } from "~/components";

:::note

After seven days, view your [shadow IT analytics](/cloudflare-one/insights/analytics/access/) and block additional applications based on what your users are accessing.
After seven days, view your [shadow IT analytics](/cloudflare-one/insights/analytics/access/) and block additional applications based on what your users are accessing.
:::

To minimize the risk of <GlossaryTooltip term="shadow IT" link="https://www.cloudflare.com/learning/access-management/what-is-shadow-it/">shadow IT</GlossaryTooltip>, some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks known AI tools:
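Review bot: the introductory sentence now ends with a colon (`... blocks known AI tools:`) while the example table has been moved out of this partial, so every page that renders it must place a table immediately after the `<Render>` or the sentence dangles; either end it with a period or keep the table in the partial. The `:::note` block also now sits above that sentence instead of after the example, so readers are told to "block additional applications" before they have seen the first policy; moving the note below the paragraph restores the original order. `Tabs` and `TabItem` are imported but not used anywhere in this file.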
Original file line number Diff line number Diff line change
@@ -1,8 +1,7 @@
---
{}

---

| Selector | Operator | Value | Action |
| ------------------- | -------- | -------------------- | ------ |
| Security Categories | in | *All security risks* | Block |
| Security Categories | in | _All security risks_ | Block |
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
{}
---

Configure access on a per user or group basis by adding [identity-based conditions](/cloudflare-one/policies/gateway/identity-selectors/) to your policies.

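Review bot: the new partial is a single sentence that never introduces the example table the consuming pages place right after it; a lead-in such as "For example, the following policy blocks Salesforce for users in the Contractors group:" would tie the table to the text the way the `block-applications` partial does, and it would also make clear that the second table row is a second condition of the same policy rather than a separate rule.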
This file was deleted.

This file was deleted.
