[Gateway] Get started with API policies (#18724)
maxvp authored Dec 17, 2024
1 parent c0cd39b commit 9f89da0
Showing 4 changed files with 166 additions and 7 deletions.
Expand Up @@ -2,10 +2,12 @@
{}
---

import { Render } from "~/components";
import { Render, Tabs, TabItem } from "~/components";

To create a new DNS policy:

<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
2. In the **DNS** tab, select **Add a policy**.
3. Name the policy.
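Review bot: The Dashboard tab is opened on the same line as `<Tabs syncKey="dashPlusAPI">` while the API tab later in this file gets `<TabItem label="API">` on a line of its own; put `<Tabs syncKey="dashPlusAPI">` and `<TabItem label="Dashboard">` on separate lines so the two tab boundaries are formatted the same way and easy to find when the page is edited again. The widened import (`Render, Tabs, TabItem`) covers everything the new markup uses.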
Expand All @@ -17,4 +19,48 @@ To create a new DNS policy:
/>
6. Select **Create policy**.

</TabItem>

<TabItem label="API">

1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:

| Type | Item | Permission |
| ------- | ---------- | ---------- |
| Account | Zero Trust | Edit |

2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/setup/find-account-and-zone-ids/) and API token.
3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories):

```sh title="curl API DNS policy example"
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
--header "Content-Type: application/json" \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{
"name": "Block security risks",
"description": "Block all default Cloudflare DNS security categories",
"precedence": 0,
"enabled": true,
"action": "block",
"filters": [
"dns"
],
"traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
"identity": "",
"device_posture": ""
}'
```

```sh output
{
"success": true,
"errors": [],
"messages": []
}
```

The API will respond with a summary of the policy and the result of your request.

</TabItem> </Tabs>

For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
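Review bot: The closing sentence "The API will respond with a summary of the policy and the result of your request." is not matched by the `sh output` block above it, which shows only `success`, `errors` and `messages` and no `result` object; either trim the sentence to what the sample shows or extend the sample so a reader can see what to verify after the call. Two smaller points in the same hunk: the `traffic` expression hardcodes the category ids `{68 178 80 83 176 175 117 131 134 151 153}` with no pointer to where those ids are defined, so a reader has no way to check that the list is still the complete set of security categories, and step 1's token table grants `Account / Zero Trust / Edit`, which is the right permission for creating rules, but the step should also say to scope the token's account resource to the single account being configured rather than all accounts.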
Expand Up @@ -2,15 +2,17 @@
{}
---

import { Render } from "~/components";
import { Render, Tabs, TabItem } from "~/components";

To create a new HTTP policy:

<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
2. In the **HTTP** tab, select **Add a policy**.
3. Name the policy.
4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have enabled TLS inspection, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:
5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have configured TLS decryption, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:

<Render
file="gateway/policies/do-not-inspect-applications"
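Review bot: The wording change in step 5 from "enabled TLS inspection" to "configured TLS decryption" is correct and matches the linked page, but the same hunk opens the Dashboard tab on the same line as `<Tabs syncKey="dashPlusAPI">` while the API tab later in this file is on its own line; split the two opening tags for consistency with `<TabItem label="API">`.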
Expand All @@ -26,4 +28,69 @@ To create a new HTTP policy:

6. Select **Create policy**.

</TabItem>

<TabItem label="API">

1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:

| Type | Item | Permission |
| ------- | ---------- | ---------- |
| Account | Zero Trust | Edit |

2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/setup/find-account-and-zone-ids/) and API token.
3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, if you have configured TLS decryption, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:

```sh title="curl API HTTP policy example"
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
--header "Content-Type: application/json" \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{
"name": "Do not inspect applications",
"description": "Bypass TLS decryption for unsupported applications",
"precedence": 0,
"enabled": true,
"action": "off",
"filters": [
"http"
],
"traffic": "any(app.type.ids[*] in {16})",
"identity": "",
"device_posture": ""
}'
```

```sh output
{
"success": true,
"errors": [],
"messages": []
}
```

The API will respond with a summary of the policy and the result of your request.

Cloudflare also recommends adding a policy to block [known threats](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence:

```bash title="Block known risks HTTP policy"
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
--header "Content-Type: application/json" \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{
"name": "Block known risks",
"description": "Block all default Cloudflare HTTP security categories",
"precedence": 0,
"enabled": true,
"action": "block",
"filters": [
"http"
],
"traffic": "any(http.request.uri.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
"identity": "",
"device_posture": ""
}'
```

</TabItem> </Tabs>

For more information, refer to [HTTP policies](/cloudflare-one/policies/gateway/http-policies/).
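Review bot: Both HTTP examples in this hunk are created with `"precedence": 0`, one with `"action": "off"` (bypass inspection for app type `16`) and one with `"action": "block"`, and the text says nothing about how the two are ordered relative to each other; because which one matches first decides whether traffic to those applications is ever evaluated against the block policy, give the block policy a distinct precedence value or state the evaluation order explicitly. Also in this hunk: the second example is fenced `bash title=` while every other example in the change uses `sh title=`, it lacks the `sh output` block the first example has, and `{16}` is an opaque id; say which application type it denotes (the step text only mentions "some Google products") or link the reference that lists the ids.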
Expand Up @@ -2,10 +2,12 @@
{}
---

import { Render } from "~/components";
import { Render, Tabs, TabItem } from "~/components";

To create a new network policy:

<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
2. In the **Network** tab, select **Add a policy**.
3. Name the policy.
Expand All @@ -17,4 +19,48 @@ To create a new network policy:
/>
6. Select **Create policy**.

</TabItem>

<TabItem label="API">

1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:

| Type | Item | Permission |
| ------- | ---------- | ---------- |
| Account | Zero Trust | Edit |

2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/setup/find-account-and-zone-ids/) and API token.
3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device:

```sh title="curl API network policy example"
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
--header "Content-Type: application/json" \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{
"name": "Enforce device posture",
"description": "Ensure only devices in Zero Trust organization can connect to application",
"precedence": 0,
"enabled": true,
"action": "block",
"filters": [
"l4"
],
"traffic": "any(net.sni.domains[*] == \"internalapp.com\")",
"identity": "",
"device_posture": "not(any(device_posture.checks.passed[*] in {\"<LIST_UUID>\"}))"
}'
```

```sh output
{
"success": true,
"errors": [],
"messages": []
}
```

The API will respond with a summary of the policy and the result of your request.

</TabItem> </Tabs>

For more information, refer to [network policies](/cloudflare-one/policies/gateway/network-policies/).
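Review bot: The `device_posture` expression `not(any(device_posture.checks.passed[*] in {"<LIST_UUID>"}))` uses a placeholder with no instruction on where the value comes from; step 3 should say that it is the id of the device serial number list named in the intro sentence and how to look it up, since the example cannot be reproduced without it. The `description` ("Ensure only devices in Zero Trust organization can connect to application") also overstates what the rule checks: it blocks connections to `internalapp.com` from devices whose passed posture checks do not include that one list, i.e. the serial-number check, not organization membership; align it with the step text. The same mismatch as in the DNS file applies between "a summary of the policy and the result of your request" and an output block that shows only `success`, `errors` and `messages`.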
Expand Up @@ -2,9 +2,9 @@
{}
---

In the following example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device:
For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device:

| Selector | Operator | Value | Logic | Action |
| ---------------------------- | -------- | ----------------------- | ----- | ------ |
| Passed Device Posture Checks | not in | _Device serial numbers_ | And | Block |
| SNI Domain | is | `internalapp.com` | | |
| SNI Domain | is | `internalapp.com` | And | Block |
| Passed Device Posture Checks | not in | _Device serial numbers_ | | |

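Review bot: The value column shows `_Device serial numbers_` while the API example in this commit refers to the same list as `<LIST_UUID>`; a short clause tying the two together (the UUID is the id of this list) would keep the Dashboard and API tabs in step. The row reorder itself is fine: `SNI Domain` first with `And` / `Block` and `Passed Device Posture Checks` second matches the API example's split into `traffic` and `device_posture`, and "For example" reads correctly now that this partial is rendered inside a numbered step.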