From a845405aaafa92994986fdb32ba44b7fd739c56a Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 2 Jan 2025 15:13:06 -0600 Subject: [PATCH] [Gateway] Block page and TLS decryption cert limitations (#18977) --- .../user-side-certificates/index.mdx | 4 +-- .../policies/gateway/block-page.mdx | 35 +++++++++++-------- .../http-policies/antivirus-scanning.mdx | 2 ++ .../gateway/http-policies/common-policies.mdx | 2 ++ .../gateway/http-policies/file-sandboxing.mdx | 2 ++ .../policies/gateway/http-policies/http3.mdx | 2 ++ .../policies/gateway/http-policies/index.mdx | 2 ++ .../gateway/http-policies/tenant-control.mdx | 2 ++ .../gateway/http-policies/tls-decryption.mdx | 10 +++++- .../gateway/http-policies/websocket.mdx | 9 ++--- .../gateway-block-pages.mdx | 11 ++++-- .../replace-vpn/build-policies/block-page.mdx | 33 +++++++++-------- .../cloudflare-one/gateway/add-block-page.mdx | 10 +++--- .../gateway/customize-block-page.mdx | 2 +- .../gateway/enable-tls-decryption.mdx | 3 +- 15 files changed, 83 insertions(+), 46 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx index 65c1e0dd3f7749b..88a19567666b248 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx 
@@ -4,7 +4,7 @@ title: User-side certificates sidebar: order: 2 banner: - content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. + content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. --- Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/), and [Browser Isolation](/cloudflare-one/policies/browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare. 
@@ -60,4 +60,4 @@ Once you deploy and install your certificate, you can turn it on for use in insp 3. Select the certificate you want to turn on. 4. In **Basic information**, select **Confirm and turn on certificate**. -You can set multiple certificates to **Available**, but you can only turn on one certificate for use in inspection at a time. Setting a certificate as **In-Use** will set any other turned on certificates as **Active** and prevent them from being used for inspection until turned on again. +You can set multiple certificates to **Available**, but you can only turn on one certificate for use in inspection at a time. Setting a certificate as **In-Use** will set any other turned on certificates as **Available** and prevent them from being used for inspection until turned on again. diff --git a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx index 3f46a3380f34ddb..d807c1c686b6ae7 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx @@ -3,6 +3,8 @@ pcx_content_type: how-to title: Block page sidebar: order: 11 +banner: + content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. --- import { Render } from "~/components"; 
@@ -25,21 +27,18 @@ In order to display the block page as the URL of the blocked domain, your device ## Turn on the block page -For all HTTP Block policies, Gateway automatically displays a generic Cloudflare block page. For DNS Block policies, you will need to enable the block page on a per-policy basis. +For all HTTP Block policies, Gateway automatically displays a generic Cloudflare block page. For DNS Block policies, you will need to turn on the block page on a per-policy basis. To turn on the block page and specify a custom block message: Firewall Policies > DNS or Gateway > Firewall Policies > HTTP", + firewallPolicyPath: + "**Gateway** > **Firewall policies** > **DNS** or **Gateway** > **Firewall policies** > **HTTP**", }} /> -## Troubleshoot the block page - -If your users receive a security risk warning in their browser when visiting a blocked page, check that you have correctly [installed a Cloudflare certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/) on their devices. - ## Customize the block page 
@@ -52,12 +51,20 @@ If your users receive a security risk warning in their browser when visiting a b You can add a Mailto link to your custom block page, which allows users to directly email you about the blocked site. When users select **Contact your Administrator** on your block page, an email template opens with the email address and subject line you configure, as well as the following diagnostic information: -| Field | Description | -| ------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Site URL | The URL of the blocked page. | -| Rule ID | The ID of the Gateway policy that blocked the page. | -| Source IP | The public source IP of the user device. | -| Account ID | The Cloudflare account associated with the block policy. | +| Field | Description | +| ------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Site URL | The URL of the blocked page. | +| Rule ID | The ID of the Gateway policy that blocked the page. | +| Source IP | The public source IP of the user device. | +| Account ID | The Cloudflare account associated with the block policy. | | User ID | The ID of the user who visited the page. Currently, User IDs are not surfaced in the dashboard and can only be viewed by calling the [API](/api/resources/zero_trust/subresources/access/subresources/users/methods/list/). | -| Device ID | The ID of the device that visited the page. This is generated by the WARP client. | -| Block Reason | Your policy-specific block message. | +| Device ID | The ID of the device that visited the page. This is generated by the WARP client. | +| Block Reason | Your policy-specific block message. 
| + +## Limitations + +If your users receive a security risk warning in their browser when visiting a blocked page, check that you have correctly [installed a Cloudflare certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/) on their devices. + +If an HTTP request that matches a block policy does not arrive at the same Cloudflare data center as its DNS query, Gateway will display the default block page instead of your custom block page. + +If the HTTP request comes from a different IP address than the DNS request, Gateway may not display the rule ID, custom message, or other fields on the block page. This can happen when a recursive DNS resolver's source IP address differs from the user device's IP address. diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/antivirus-scanning.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/antivirus-scanning.mdx index 60ad78fef086d4f..bf0972ed9336fca 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/antivirus-scanning.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/antivirus-scanning.mdx @@ -3,6 +3,8 @@ pcx_content_type: concept title: AV scanning sidebar: order: 5 +banner: + content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. --- import { Render, Details } from "~/components"; diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index 167fd22e9e9c027..6ef333cdca71440 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx 
@@ -6,6 +6,8 @@ sidebar: head: - tag: title content: Common HTTP policies +banner: + content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. --- import { Render, Tabs, TabItem } from "~/components"; diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx index 53d62923820cb2d..2d77ebd503c1b10 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx @@ -3,6 +3,8 @@ pcx_content_type: concept title: File sandboxing sidebar: order: 6 +banner: + content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. --- import { Render, Details } from "~/components"; diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/http3.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/http3.mdx index ac001f1b980d90e..c6c56ae22f51fa4 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/http3.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/http3.mdx @@ -3,6 +3,8 @@ pcx_content_type: concept title: HTTP/3 inspection sidebar: order: 3 +banner: + content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. --- import { Details } from "~/components"; 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx index 0b51b5e4115a045..cdf56445d57752c 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx @@ -3,6 +3,8 @@ pcx_content_type: configuration title: HTTP policies sidebar: order: 4 +banner: + content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. --- import { Details, InlineBadge, Render } from "~/components"; diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tenant-control.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tenant-control.mdx index 07c8170bc888a92..7cdc8100fde09b7 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tenant-control.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tenant-control.mdx @@ -3,6 +3,8 @@ pcx_content_type: how-to title: Tenant control sidebar: order: 4 +banner: + content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. --- With Gateway tenant control, you can allow your users access to corporate SaaS applications while blocking access to personal applications. This helps prevent the loss of sensitive or confidential data from a corporate network. 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx index 6c10475abdcd193..99024250c9deaaa 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx @@ -3,6 +3,8 @@ pcx_content_type: concept title: TLS decryption sidebar: order: 2 +banner: + content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. --- import { @@ -21,7 +23,13 @@ Cloudflare prevents interference by decrypting, inspecting, and re-encrypting HT Cloudflare supports connections from users to Gateway over TLS 1.1, 1.2, and 1.3. -## Enable TLS decryption +## Turn on TLS decryption + +:::note[Prerequisite] +Before you turn on TLS decryption, ensure you have installed either a [Cloudflare-generated certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/) or [custom certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/) on your users' devices. +::: + +To turn on TLS decryption: diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/websocket.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/websocket.mdx index f371cdfafb8a70d..e22f6d1a06e72fe 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/websocket.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/websocket.mdx 
@@ -3,11 +3,12 @@ pcx_content_type: how-to title: WebSocket traffic sidebar: order: 7 - +banner: + content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. --- Gateway does not inspect or log [WebSocket](https://datatracker.ietf.org/doc/html/rfc6455) traffic. Instead, Gateway will only log the HTTP details used to make the WebSocket connection, as well as [network session information](/logs/reference/log-fields/account/zero_trust_network_sessions/). To filter your WebSocket traffic, create a policy with the `101` HTTP response code. -| Selector | Operator | Value | Action | -| ------------- | -------- | ------------------------ | ------ | -| HTTP Response | is | 101 SWITCHING\_PROTOCOLS | Allow | +| Selector | Operator | Value | Action | +| ------------- | -------- | ----------------------- | ------ | +| HTTP Response | is | 101 SWITCHING_PROTOCOLS | Allow | diff --git a/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-block-pages.mdx b/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-block-pages.mdx index 04246984fd2a239..8c3cdb9229956f6 100644 --- a/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-block-pages.mdx +++ b/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-block-pages.mdx @@ -3,16 +3,21 @@ title: Block pages pcx_content_type: learning-unit sidebar: order: 7 - --- -import { Render } from "~/components" +import { Render } from "~/components"; ## Enable the block page for DNS policies For DNS policies, you will need to enable the block page on a per-policy basis. - Firewall Policies > DNS" }} /> + **Firewall policies** > **DNS**", + }} +/> ## Customize the block page 
diff --git a/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx b/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx index 30a3145ce48171c..fd32374b97a2a6b 100644 --- a/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx +++ b/src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx @@ -3,17 +3,16 @@ title: Gateway block page pcx_content_type: overview sidebar: order: 5 - --- -import { Render } from "~/components" +import { Render } from "~/components"; With Cloudflare Zero Trust, you can deliver actionable feedback to users when they are blocked by a Gateway policy. Custom block messages can reduce user confusion and decrease your IT ticket load. There are two different ways to surface block messages: -* [Custom block page](#custom-block-page) -* [WARP client block notifications](#warp-client-block-notifications) +- [Custom block page](#custom-block-page) +- [WARP client block notifications](#warp-client-block-notifications) ## Custom block page 
@@ -21,23 +20,29 @@ You can display a custom block page in the browser when users are blocked by a G The custom block page has a few drawbacks: -* To display the block page, you must install a [user-side certificate](/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption/#configure-user-side-certificates) on the end user device. -* You cannot customize the block message for individual DNS policies. -* The block page does not appear when users are blocked by a Gateway network policy. -* The custom block page only displays when the user loads a site in a browser. If, for instance, the user is allowed to visit a site but not allowed to upload a file, the file upload would fail silently and the user would not get a block page. +- To display the block page, you must install a [user-side certificate](/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption/#configure-user-side-certificates) on the end user device. +- You cannot customize the block message for individual DNS policies. +- The block page does not appear when users are blocked by a Gateway network policy. +- The custom block page only displays when the user loads a site in a browser. If, for instance, the user is allowed to visit a site but not allowed to upload a file, the file upload would fail silently and the user would not get a block page. To work around these limitations, we recommend using [WARP client block notifications](#warp-client-block-notifications). :::note -The Gateway custom block page is a different concept from [Access custom block pages](/cloudflare-one/applications/block-page/), which are used in conjunction with Cloudflare Access policies. +The Gateway custom block page is a different concept from [Access custom block pages](/cloudflare-one/applications/block-page/), which are used in conjunction with Cloudflare Access policies. 
::: ### Enable the block page for DNS policies For DNS policies, you will need to enable the block page on a per-policy basis. - Firewall Policies > DNS" }} /> + **Firewall policies** > **DNS**", + }} +/> ### Customize the block page 
@@ -47,13 +52,13 @@ For DNS policies, you will need to enable the block page on a per-policy basis. :::note -Only available on Enterprise plans. +Only available on Enterprise plans. ::: -For more granular user feedback, you can enable WARP client block notifications on any Gateway DNS or Network *Block* policy. Blocked users will receive an operating system notification from the WARP client with a custom message you set. +For more granular user feedback, you can enable WARP client block notifications on any Gateway DNS or Network _Block_ policy. Blocked users will receive an operating system notification from the WARP client with a custom message you set. Client notifications provide additional functionality over the [custom block page](#custom-block-page): -* Client notifications work with network policies, which means you can surface feedback for all partial actions on user traffic including blocking a specific port, file upload, or protocol. +- Client notifications work with network policies, which means you can surface feedback for all partial actions on user traffic including blocking a specific port, file upload, or protocol. -* Client notifications allow you to direct users to a unique link per individual policy. For example, you could link users to your organization's acceptable use policy, data protection policy, or any existing IT troubleshooting infrastructure. If no infrastructure for this exists within your organization, you can quickly deploy an HTML site on [Cloudflare Pages](/pages/), put the site behind a [Cloudflare Access policy](/cloudflare-one/policies/access/), and provide dynamic feedback based on the identity and device posture values found in the user's [Access JWT](/cloudflare-one/identity/authorization-cookie/application-token/). +- Client notifications allow you to direct users to a unique link per individual policy. 
For example, you could link users to your organization's acceptable use policy, data protection policy, or any existing IT troubleshooting infrastructure. If no infrastructure for this exists within your organization, you can quickly deploy an HTML site on [Cloudflare Pages](/pages/), put the site behind a [Cloudflare Access policy](/cloudflare-one/policies/access/), and provide dynamic feedback based on the identity and device posture values found in the user's [Access JWT](/cloudflare-one/identity/authorization-cookie/application-token/). diff --git a/src/content/partials/cloudflare-one/gateway/add-block-page.mdx b/src/content/partials/cloudflare-one/gateway/add-block-page.mdx index 917e0c212883b38..d79eed131196332 100644 --- a/src/content/partials/cloudflare-one/gateway/add-block-page.mdx +++ b/src/content/partials/cloudflare-one/gateway/add-block-page.mdx @@ -1,13 +1,13 @@ --- -inputParameters: firewallPolicyPath - +params: + - firewallPolicyPath --- -import { Markdown } from "~/components" +import { Markdown } from "~/components"; -1. In [Zero Trust](https://one.dash.cloudflare.com), go to {props.one}. +1. In [Zero Trust](https://one.dash.cloudflare.com), go to . 2. Find the policy you want to customize and select **Edit**. You can only edit the block page for policies with a Block action. -3. Under **Configure policy settings**, go to **Display block page**. Choose *Show a custom message*. +3. Under **Configure policy settings**, go to **Display block page**. Choose _Show a custom message_. 4. In **Custom message**, enter a block message to show users. 5. Select **Save policy**. diff --git a/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx b/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx index a9e74eec96a0bb4..19b16fd1b0c7cfb 100644 --- a/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx +++ b/src/content/partials/cloudflare-one/gateway/customize-block-page.mdx 
@@ -8,7 +8,7 @@ To apply customizations to your block page: 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Custom Pages**. -2. Under **Block page**, enable the custom block page feature. +2. Under **Block page**, turn on **Use the customized block page over Cloudflare's default**. 3. Select **Customize**. Available global customizations include: diff --git a/src/content/partials/cloudflare-one/gateway/enable-tls-decryption.mdx b/src/content/partials/cloudflare-one/gateway/enable-tls-decryption.mdx index 2921eb256336a57..5082be539d8992e 100644 --- a/src/content/partials/cloudflare-one/gateway/enable-tls-decryption.mdx +++ b/src/content/partials/cloudflare-one/gateway/enable-tls-decryption.mdx @@ -1,7 +1,6 @@ --- {} - --- 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Network**. -2. Turn on **TLS decryption**. +2. In **Firewall**, turn on **TLS decryption**.
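Review bot: The same banner string is added verbatim to nine files in this patch (`block-page.mdx`, `antivirus-scanning.mdx`, `common-policies.mdx`, `file-sandboxing.mdx`, `http3.mdx`, `http-policies/index.mdx`, `tenant-control.mdx`, `tls-decryption.mdx`, `websocket.mdx`) on top of the existing copy in `user-side-certificates/index.mdx`; with a hard date of 2025-02-02 in each copy, the ten instances will have to be edited or removed together when the certificate rotation passes, so consider sourcing the banner text from one shared partial or component so the copies cannot drift.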
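Review bot: In the `block-page.mdx` hunk at `@@ -25,21 +27,18 @@`, removing the `## Troubleshoot the block page` heading drops the `#troubleshoot-the-block-page` anchor without a replacement, and the same applies to the rename `## Enable TLS decryption` to `## Turn on TLS decryption` in `tls-decryption.mdx` (`#enable-tls-decryption` no longer resolves); check for inbound links to both fragments, and note the learning-path link `/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption/#configure-user-side-certificates` in this same patch for reference, since it points at a page whose slug still uses "enable".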
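Review bot: In the new `## Limitations` section of `block-page.mdx` (hunk `@@ -52,12 +51,20 @@`), the first paragraph is a troubleshooting instruction ("check that you have correctly installed a Cloudflare certificate"), not a limitation; stating the dependency first and the symptom second would fit the heading, for example "The block page requires a Cloudflare certificate on the device; without it, users receive a security risk warning in their browser instead of the block page," keeping the existing link to the manual deployment instructions. It would also help to say which outcome the third paragraph produces: the second paragraph says the default block page is shown when the data centers differ, while the third says Gateway "may not display the rule ID, custom message, or other fields," and a reader cannot tell whether that is the default page again or a partially populated custom page.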
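Review bot: In the `add-block-page.mdx` partial hunk (`@@ -1,13 +1,13 @@`), the new step 1 reads `1. In [Zero Trust](https://one.dash.cloudflare.com), go to .` with nothing between "go to" and the period, and although the hunk switches to `params: - firewallPolicyPath` and keeps the `Markdown` import, no use of that import or of `props.firewallPolicyPath` is visible in the added lines; confirm the rendering component is actually present in the committed file, since a missing component would leave every caller of this partial (block-page.mdx and both learning-path pages) with an empty navigation path in step 1.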
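Review bot: In the `tls-decryption.mdx` hunk at `@@ -21,7 +23,13 @@`, the new `:::note[Prerequisite]` correctly calls out that a certificate must be on user devices before TLS decryption is turned on, but it does not say what happens when it is not; a one-line pointer to the consequence that this same patch documents in `block-page.mdx` ("users receive a security risk warning in their browser") would make the prerequisite concrete, and the text should also be explicit that only the certificate currently turned on for inspection is trusted by Gateway, which is the point of the `Active` to `Available` correction in the `user-side-certificates/index.mdx` hunk.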
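Review bot: In the first hunk of `user-side-certificates/index.mdx` (`@@ -4,7 +4,7 @@`), the removed and added `content:` lines are identical as rendered here, so this is presumably a trailing-whitespace or line-ending change; if it is only that, it is fine, but it is worth confirming it is not an unintended edit, because the banner is the one copy that already existed before this patch.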
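Review bot: In the `websocket.mdx` hunk (`@@ -3,11 +3,12 @@`), replacing `101 SWITCHING\_PROTOCOLS` with `101 SWITCHING_PROTOCOLS` inside the table is safe under CommonMark because an underscore between two word characters does not open emphasis, but since this repo's content is MDX, verify the rendered page once, and consider wrapping the value in backticks as `` `101 SWITCHING_PROTOCOLS` `` so the literal selector value is unambiguous regardless of the markdown flavour.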