From 9f89da03f33366f75dfc8bdb2d513ce97aaeab00 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 17 Dec 2024 16:25:18 -0600 Subject: [PATCH] [Gateway] Get started with API policies (#18724) --- .../gateway/get-started/create-dns-policy.mdx | 48 ++++++++++++- .../get-started/create-http-policy.mdx | 71 ++++++++++++++++++- .../get-started/create-network-policy.mdx | 48 ++++++++++++- .../policies/enforce-device-posture.mdx | 6 +- 4 files changed, 166 insertions(+), 7 deletions(-) diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx index d64fbee1905192..b76957ec17cf54 100644 --- a/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx +++ b/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx @@ -2,10 +2,12 @@ {} --- -import { Render } from "~/components"; +import { Render, Tabs, TabItem } from "~/components"; To create a new DNS policy: + + 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. 2. In the **DNS** tab, select **Add a policy**. 3. Name the policy. 
@@ -17,4 +19,48 @@ To create a new DNS policy: /> 6. Select **Create policy**. + + + + +1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: + + | Type | Item | Permission | + | ------- | ---------- | ---------- | + | Account | Zero Trust | Edit | + +2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/setup/find-account-and-zone-ids/) and API token. +3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories): + + ```sh title="curl API DNS policy example" + curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + --header "Content-Type: application/json" \ + --header "Authorization: Bearer " \ + --data '{ + "name": "Block security risks", + "description": "Block all default Cloudflare DNS security categories", + "precedence": 0, + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", + "identity": "", + "device_posture": "" + }' + ``` + + ```sh output + { + "success": true, + "errors": [], + "messages": [] + } + ``` + + The API will respond with a summary of the policy and the result of your request. + + + For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx index d146717bc39f97..a4dbb08eccca75 100644 --- a/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx +++ b/src/content/partials/cloudflare-one/gateway/get-started/create-http-policy.mdx 
@@ -2,15 +2,17 @@ {} --- -import { Render } from "~/components"; +import { Render, Tabs, TabItem } from "~/components"; To create a new HTTP policy: + + 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. 2. In the **HTTP** tab, select **Add a policy**. 3. Name the policy. 4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block. -5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have enabled TLS inspection, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications: +5. Choose an **Action** to take when traffic matches the logical expression. For example, if you have configured TLS decryption, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications: + + + +1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: + + | Type | Item | Permission | + | ------- | ---------- | ---------- | + | Account | Zero Trust | Edit | + +2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/setup/find-account-and-zone-ids/) and API token. +3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, if you have configured TLS decryption, some applications that use [embedded certificates](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations) may not support HTTP inspection, such as some Google products. 
You can create a policy to bypass inspection for these applications: + + ```sh title="curl API HTTP policy example" + curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + --header "Content-Type: application/json" \ + --header "Authorization: Bearer " \ + --data '{ + "name": "Do not inspect applications", + "description": "Bypass TLS decryption for unsupported applications", + "precedence": 0, + "enabled": true, + "action": "off", + "filters": [ + "http" + ], + "traffic": "any(app.type.ids[*] in {16})", + "identity": "", + "device_posture": "" + }' + ``` + + ```sh output + { + "success": true, + "errors": [], + "messages": [] + } + ``` + + The API will respond with a summary of the policy and the result of your request. + + Cloudflare also recommends adding a policy to block [known threats](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence: + + ```bash title="Block known risks HTTP policy" + curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + --header "Content-Type: application/json" \ + --header "Authorization: Bearer " \ + --data '{ + "name": "Block known risks", + "description": "Block all default Cloudflare HTTP security categories", + "precedence": 0, + "enabled": true, + "action": "block", + "filters": [ + "http" + ], + "traffic": "any(http.request.uri.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", + "identity": "", + "device_posture": "" + }' + ``` + + + For more information, refer to [HTTP policies](/cloudflare-one/policies/gateway/http-policies/). diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx index 93e7cd9acb26c1..fd12c0e93ec03f 100644 --- a/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx 
+++ b/src/content/partials/cloudflare-one/gateway/get-started/create-network-policy.mdx @@ -2,10 +2,12 @@ {} --- -import { Render } from "~/components"; +import { Render, Tabs, TabItem } from "~/components"; To create a new network policy: + + 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. 2. In the **Network** tab, select **Add a policy**. 3. Name the policy. 
@@ -17,4 +19,48 @@ To create a new network policy: /> 6. Select **Create policy**. + + + + +1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: + + | Type | Item | Permission | + | ------- | ---------- | ---------- | + | Account | Zero Trust | Edit | + +2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/setup/find-account-and-zone-ids/) and API token. +3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device: + + ```sh title="curl API network policy example" + curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + --header "Content-Type: application/json" \ + --header "Authorization: Bearer " \ + --data '{ + "name": "Enforce device posture", + "description": "Ensure only devices in Zero Trust organization can connect to application", + "precedence": 0, + "enabled": true, + "action": "block", + "filters": [ + "l4" + ], + "traffic": "any(net.sni.domains[*] == \"internalapp.com\")", + "identity": "", + "device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))" + }' + ``` + + ```sh output + { + "success": true, + "errors": [], + "messages": [] + } + ``` + + The API will respond with a summary of the policy and the result of your request. + + + For more information, refer to [network policies](/cloudflare-one/policies/gateway/network-policies/). diff --git a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx index a3d85e1112d6c7..acab3b57200def 100644 
--- a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx @@ -2,9 +2,9 @@ {} --- -In the following example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device: +For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device: | Selector | Operator | Value | Logic | Action | | ---------------------------- | -------- | ----------------------- | ----- | ------ | -| Passed Device Posture Checks | not in | _Device serial numbers_ | And | Block | -| SNI Domain | is | `internalapp.com` | | | +| SNI Domain | is | `internalapp.com` | And | Block | +| Passed Device Posture Checks | not in | _Device serial numbers_ | | |
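Review bot: In the create-dns-policy.mdx hunk that adds the API tab, the curl example's `--header "Authorization: Bearer "` has no token value after `Bearer`, and the URL keeps the literal `{account_id}` even though step 2 tells the reader to set environment variables for the account ID and token; reference those variables in the command (for example `--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"` and `/accounts/$ACCOUNT_ID/gateway/rules`, variable names assumed here) or show an explicit, labelled placeholder so the rendered command is never copied with an empty bearer token. Two smaller points in the same hunk: the `sh output` block shows only `success`, `errors` and `messages`, but the sentence after it says the API responds with a summary of the policy, so either add the `result` object from a real response (with IDs replaced by placeholders) or reword the sentence to match what is shown; and the `traffic` expression hardcodes the IDs `68 178 80 83 176 175 117 131 134 151 153` with no indication of which security categories they are, so a short note naming them, or pointing at the linked category table, would let readers verify the set and keep it current.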
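Review bot: In the create-http-policy.mdx hunk, the two curl blocks use different fence tags (`sh title="curl API HTTP policy example"` versus `bash title="Block known risks HTTP policy"`); pick one so the HTTP partial matches the DNS and network partials. The first example's `"traffic": "any(app.type.ids[*] in {16})"` matches on an unexplained numeric application type; state what type ID 16 covers (the prose only says "some Google products") so readers do not copy an overly broad rule, since traffic matched by this `"action": "off"` policy is exempted from HTTP inspection and every downstream HTTP policy. The second block also has no `output` block, unlike every other example in the patch, and both blocks repeat the empty `Bearer ` header and the `{account_id}` literal noted for the DNS partial.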
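Review bot: In the create-network-policy.mdx hunk, `"device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))"` compares against a set containing only an empty string; no device passes a posture check with an empty ID, so `any(...)` is always false, `not(...)` is always true, and the policy as written blocks every connection to `internalapp.com` instead of only connections from devices that fail the serial-number check. Replace the empty string with a clearly labelled placeholder for the serial-number posture check ID and say where in the dashboard or API that ID is found. The order of the two conditions here (SNI in `traffic`, posture check in `device_posture`) now matches the reordered table in the enforce-device-posture.mdx hunk, which reads well; the empty `Bearer ` header and `{account_id}` literal are the same as in the other partials.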