[Gateway] Block page and TLS decryption cert limitations (#18977)

cloudflare · Jan 2, 2025 · a845405 · a845405
1 parent b4f4666
commit a845405
Show file tree

Hide file tree

Showing 15 changed files with 83 additions and 46 deletions.
diff --git a/...ocs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx b/...ocs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx
@@ -4,7 +4,7 @@ title: User-side certificates
 sidebar:
   order: 2
 banner:
-  content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must <a href="#generate-a-cloudflare-root-certificate">generate a new certificate</a> and activate it for your Zero Trust organization to avoid inspection errors.
+  content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must <a href="/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate">generate a new certificate</a> and activate it for your Zero Trust organization to avoid inspection errors.
 ---
 
 Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/), and [Browser Isolation](/cloudflare-one/policies/browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare.
@@ -60,4 +60,4 @@ Once you deploy and install your certificate, you can turn it on for use in insp
 3. Select the certificate you want to turn on.
 4. In **Basic information**, select **Confirm and turn on certificate**.
 
-You can set multiple certificates to **Available**, but you can only turn on one certificate for use in inspection at a time. Setting a certificate as **In-Use** will set any other turned on certificates as **Active** and prevent them from being used for inspection until turned on again.
+You can set multiple certificates to **Available**, but you can only turn on one certificate for use in inspection at a time. Setting a certificate as **In-Use** will set any other turned on certificates as **Available** and prevent them from being used for inspection until turned on again.
diff --git a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx
@@ -3,6 +3,8 @@ pcx_content_type: how-to
 title: Block page
 sidebar:
   order: 11
+banner:
+  content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must <a href="/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate">generate a new certificate</a> and activate it for your Zero Trust organization to avoid inspection errors.
 ---
 
 import { Render } from "~/components";
@@ -25,21 +27,18 @@ In order to display the block page as the URL of the blocked domain, your device
 
 ## Turn on the block page
 
-For all HTTP Block policies, Gateway automatically displays a generic Cloudflare block page. For DNS Block policies, you will need to enable the block page on a per-policy basis.
+For all HTTP Block policies, Gateway automatically displays a generic Cloudflare block page. For DNS Block policies, you will need to turn on the block page on a per-policy basis.
 
 To turn on the block page and specify a custom block message:
 
 <Render
 	file="gateway/add-block-page"
 	params={{
-		one: "Gateway > Firewall Policies > DNS or Gateway > Firewall Policies > HTTP",
+		firewallPolicyPath:
+			"**Gateway** > **Firewall policies** > **DNS** or **Gateway** > **Firewall policies** > **HTTP**",
 	}}
 />
 
-## Troubleshoot the block page
-
-If your users receive a security risk warning in their browser when visiting a blocked page, check that you have correctly [installed a Cloudflare certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/) on their devices.
-
 ## Customize the block page
 
 <Render file="gateway/customize-block-page" />
@@ -52,12 +51,20 @@ If your users receive a security risk warning in their browser when visiting a b
 
 You can add a Mailto link to your custom block page, which allows users to directly email you about the blocked site. When users select **Contact your Administrator** on your block page, an email template opens with the email address and subject line you configure, as well as the following diagnostic information:
 
-| Field        | Description                                                                                                                                                                             |
-| ------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Site URL     | The URL of the blocked page.                                                                                                                                                            |
-| Rule ID      | The ID of the Gateway policy that blocked the page.                                                                                                                                     |
-| Source IP    | The public source IP of the user device.                                                                                                                                                |
-| Account ID   | The Cloudflare account associated with the block policy.                                                                                                                                |
+| Field        | Description                                                                                                                                                                                                                 |
+| ------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Site URL     | The URL of the blocked page.                                                                                                                                                                                                |
+| Rule ID      | The ID of the Gateway policy that blocked the page.                                                                                                                                                                         |
+| Source IP    | The public source IP of the user device.                                                                                                                                                                                    |
+| Account ID   | The Cloudflare account associated with the block policy.                                                                                                                                                                    |
 | User ID      | The ID of the user who visited the page. Currently, User IDs are not surfaced in the dashboard and can only be viewed by calling the [API](/api/resources/zero_trust/subresources/access/subresources/users/methods/list/). |
-| Device ID    | The ID of the device that visited the page. This is generated by the WARP client.                                                                                                       |
-| Block Reason | Your policy-specific block message.                                                                                                                                                     |
+| Device ID    | The ID of the device that visited the page. This is generated by the WARP client.                                                                                                                                           |
+| Block Reason | Your policy-specific block message.                                                                                                                                                                                         |
+
+## Limitations
+
+If your users receive a security risk warning in their browser when visiting a blocked page, check that you have correctly [installed a Cloudflare certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/) on their devices.
+
+If an HTTP request that matches a block policy does not arrive at the same Cloudflare data center as its DNS query, Gateway will display the default block page instead of your custom block page.
+
+If the HTTP request comes from a different IP address than the DNS request, Gateway may not display the rule ID, custom message, or other fields on the block page. This can happen when a recursive DNS resolver's source IP address differs from the user device's IP address.
diff --git a/...ntent/docs/cloudflare-one/policies/gateway/http-policies/antivirus-scanning.mdx b/...ntent/docs/cloudflare-one/policies/gateway/http-policies/antivirus-scanning.mdx
@@ -3,6 +3,8 @@ pcx_content_type: concept
 title: AV scanning
 sidebar:
   order: 5
+banner:
+  content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must <a href="/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate">generate a new certificate</a> and activate it for your Zero Trust organization to avoid inspection errors.
 ---
 
 import { Render, Details } from "~/components";

diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx
@@ -6,6 +6,8 @@ sidebar:
 head:
   - tag: title
     content: Common HTTP policies
+banner:
+  content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must <a href="/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate">generate a new certificate</a> and activate it for your Zero Trust organization to avoid inspection errors.
 ---
 
 import { Render, Tabs, TabItem } from "~/components";

diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx
@@ -3,6 +3,8 @@ pcx_content_type: concept
 title: File sandboxing
 sidebar:
   order: 6
+banner:
+  content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must <a href="/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate">generate a new certificate</a> and activate it for your Zero Trust organization to avoid inspection errors.
 ---
 
 import { Render, Details } from "~/components";

diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/http3.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/http3.mdx
@@ -3,6 +3,8 @@ pcx_content_type: concept
 title: HTTP/3 inspection
 sidebar:
   order: 3
+banner:
+  content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must <a href="/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate">generate a new certificate</a> and activate it for your Zero Trust organization to avoid inspection errors.
 ---
 
 import { Details } from "~/components";

diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx
@@ -3,6 +3,8 @@ pcx_content_type: configuration
 title: HTTP policies
 sidebar:
   order: 4
+banner:
+  content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must <a href="/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate">generate a new certificate</a> and activate it for your Zero Trust organization to avoid inspection errors.
 ---
 
 import { Details, InlineBadge, Render } from "~/components";

diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tenant-control.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tenant-control.mdx
@@ -3,6 +3,8 @@ pcx_content_type: how-to
 title: Tenant control
 sidebar:
   order: 4
+banner:
+  content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must <a href="/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate">generate a new certificate</a> and activate it for your Zero Trust organization to avoid inspection errors.
 ---
 
 With Gateway tenant control, you can allow your users access to corporate SaaS applications while blocking access to personal applications. This helps prevent the loss of sensitive or confidential data from a corporate network.

diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx
@@ -3,6 +3,8 @@ pcx_content_type: concept
 title: TLS decryption
 sidebar:
   order: 2
+banner:
+  content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must <a href="/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate">generate a new certificate</a> and activate it for your Zero Trust organization to avoid inspection errors.
 ---
 
 import {
@@ -21,7 +23,13 @@ Cloudflare prevents interference by decrypting, inspecting, and re-encrypting HT
 
 Cloudflare supports connections from users to Gateway over TLS 1.1, 1.2, and 1.3.
 
-## Enable TLS decryption
+## Turn on TLS decryption
+
+:::note[Prerequisite]
+Before you turn on TLS decryption, ensure you have installed either a [Cloudflare-generated certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/) or [custom certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/) on your users' devices.
+:::
+
+To turn on TLS decryption:
 
 <Render file="gateway/enable-tls-decryption" product="cloudflare-one" />
 

diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/websocket.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/websocket.mdx
@@ -3,11 +3,12 @@ pcx_content_type: how-to
 title: WebSocket traffic
 sidebar:
   order: 7
-
+banner:
+  content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must <a href="/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate">generate a new certificate</a> and activate it for your Zero Trust organization to avoid inspection errors.
 ---
 
 Gateway does not inspect or log [WebSocket](https://datatracker.ietf.org/doc/html/rfc6455) traffic. Instead, Gateway will only log the HTTP details used to make the WebSocket connection, as well as [network session information](/logs/reference/log-fields/account/zero_trust_network_sessions/). To filter your WebSocket traffic, create a policy with the `101` HTTP response code.
 
-| Selector      | Operator | Value                    | Action |
-| ------------- | -------- | ------------------------ | ------ |
-| HTTP Response | is       | 101 SWITCHING\_PROTOCOLS | Allow  |
+| Selector      | Operator | Value                   | Action |
+| ------------- | -------- | ----------------------- | ------ |
+| HTTP Response | is       | 101 SWITCHING_PROTOCOLS | Allow  |
diff --git a/...ontent/docs/learning-paths/cybersafe/gateway-onboarding/gateway-block-pages.mdx b/...ontent/docs/learning-paths/cybersafe/gateway-onboarding/gateway-block-pages.mdx
@@ -3,16 +3,21 @@ title: Block pages
 pcx_content_type: learning-unit
 sidebar:
   order: 7
-
 ---
 
-import { Render } from "~/components"
+import { Render } from "~/components";
 
 ## Enable the block page for DNS policies
 
 For DNS policies, you will need to enable the block page on a per-policy basis.
 
-<Render file="gateway/add-block-page" product="cloudflare-one" params={{ one: "Gateway > Firewall Policies > DNS" }} />
+<Render
+	file="gateway/add-block-page"
+	product="cloudflare-one"
+	params={{
+		firewallPolicyPath: "**Gateway** > **Firewall policies** > **DNS**",
+	}}
+/>
 
 ## Customize the block page