diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx index 3a1d5437decba7..b822d87d1d2640 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx 
@@ -54,101 +54,28 @@ To get the UUIDs of your lists, use the [List Zero Trust lists](/api/resources/z Block [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence. - - - - - - -```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ ---data '{ - "name": "Block security threats", - "description": "Block all default Cloudflare DNS security categories", - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", - "identity": "" -}' -``` - - - ## Block content categories The categories included in this policy are not always a security threat, but blocking them can help minimize the risk that your organization is exposed to. For more information, refer to [domain categories](/cloudflare-one/policies/gateway/domain-categories/). 
- - -| Selector | Operator | Value | Action | -| ------------------ | -------- | --------------------------------------------------------- | ------ | -| Content Categories | in | _Questionable Content_, _Security Risks_, _Miscellaneous_ | Block | - - - - - -```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ ---data '{ - "name": "Block content categories", - "description": "Block common content categories that may pose a risk", - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "any(dns.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161})", - "identity": "" -}' -``` - - + ## Block unauthorized applications - - -| Selector | Operator | Value | Action | -| ----------- | -------- | ------------------------- | ------ | -| Application | in | _Artificial Intelligence_ | Block | - - - - - -```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ ---data '{ - "name": "Block unauthorized applications", - "description": "Block access to unauthorized AI applications", - "enabled": true, - "action": "block", - "filters": [ - "dns" - ], - "traffic": "any(app.type.ids[*] in {25})", - "identity": "" -}' -``` - - + ## Block banned countries diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index 14ee2c097db031..80b2c161bcb151 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx 
@@ -92,69 +92,19 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ Block content categories which go against your organization's acceptable use policy. - - -| Selector | Operator | Value | Action | -| ------------------ | -------- | -------------------------- | ------ | -| Content Categories | in | _Adult Themes_, _Gambling_ | Block | - - - - - -```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ ---data '{ - "name": "Block content categories", - "description": "Block access to unauthorized adult and gambling applications", - "enabled": true, - "action": "block", - "filters": [ - "http" - ], - "traffic": "any(http.request.uri.content_category[*] in {2 67 125 133 99})", - "identity": "", - "device_posture": "" -}' -``` - - + ## Block unauthorized applications - - -| Selector | Operator | Value | Action | -| ----------- | -------- | ------------------------- | ------ | -| Application | in | _Artificial Intelligence_ | Block | - - - - - -```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ ---data '{ - "name": "Block unauthorized applications", - "description": "Block access to unauthorized AI applications", - "enabled": true, - "action": "block", - "filters": [ - "http" - ], - "traffic": "any(app.type.ids[*] in {25})", - "identity": "", - "device_posture": "" -}' -``` - - + ## Check user identity diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx index 2438f96edb5e39..8bd8dbace18aa6 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx 
@@ -85,7 +85,7 @@ The Allow action allows outbound traffic to reach destinations you specify withi | Selector | Operator | Value | Action | | ------------------ | -------- | ----------- | ------ | -| Content Categories | in | `Education` | Allow | +| Content Categories | in | _Education_ | Allow | #### Untrusted certificates diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx index ea81857179db3a..0a59858c0af0b4 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx 
@@ -87,35 +87,10 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ Require devices to have certain software installed or other configuration attributes. For instructions on enabling a device posture check, refer to the [device posture section](/cloudflare-one/identity/devices/). For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device: - - - - - - - - -```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ ---header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ ---data '{ - "name": "Enforce device posture", - "description": "Limit access to an internal application to approved organization devices", - "enabled": true, - "action": "block", - "filters": [ - "l4" - ], - "traffic": "any(net.sni.domains[*] == \"example.com\")", - "identity": "", - "device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))" -}' -``` - -To get the UUIDs of your device posture checks, use the [List device posture rules](/api/resources/zero_trust/subresources/devices/subresources/posture/methods/list/) endpoint. - - + ## Enforce session duration diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx index f260f15fbe18bb..6643d886d3ca26 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx 
@@ -3,17 +3,66 @@ title: Create an allowlist or blocklist pcx_content_type: learning-unit sidebar: order: 2 - --- +import { Tabs, TabItem } from "~/components"; + In the context of DNS filtering, a blocklist is a list of known harmful domains or IP addresses. An allowlist is a list of allowed domains or IP addresses, such as the domains of essential corporate applications. Gateway supports creating [lists](/cloudflare-one/policies/gateway/lists/) of URLs, hostnames, or other entries to use in your policies. ## Example list policy + + + + The following DNS policy will allow access to all approved corporate domains included in a list called **Corporate Domains**. | Selector | Operator | Value | Action | | -------- | -------- | ------------------- | ------ | -| Domain | in list | *Corporate Domains* | Allow | +| Domain | in list | _Corporate Domains_ | Allow | + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + --header 'Content-Type: application/json' \ + --header "Authorization: Bearer " \ + --data '{ + "name": "All-DNS-CorporateDomain-AllowList", + "description": "Allow access to the corporate domains defined under the Corporate Domains list", + "precedence": 1, + "enabled": true, + "action": "allow", + "filters": [ + "dns" + ], + "traffic": "any(dns.domains[*] in $)" +}' +``` + + + + + +To create a new DNS policy using **Terraform** to allow access to all approved corporate domains included in a list called **Corporate Domains**. + +```tf +resource "cloudflare_zero_trust_gateway_policy" "allow_corporate_domain_access" { + account_id = var.account_id + name = "All-DNS-CorporateDomain-AllowList" + description = "Allow access to the corporate domains defined under the Corporate Domains list" + precedence = 1 + enabled = false + action = "allow" + filters = ["dns"] + traffic = "any(dns.domains[*] in $)" +} +``` + + + + 
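Review bot: the Terraform example in this create-list.mdx hunk sets `enabled = false`, while the cURL example for the same policy sets `"enabled": true` and the text says the policy "will allow access"; a reader who applies the Terraform as written gets a policy that does nothing, so either change it to `enabled = true` or state explicitly that the rule is created disabled. Also, the Terraform lead-in `To create a new DNS policy using **Terraform** to allow access to all approved corporate domains included in a list called **Corporate Domains**.` is a sentence fragment with no main clause; rephrase along the lines of "To create the same policy with Terraform, allowing access to the domains in the **Corporate Domains** list:".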
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx index 984d2120868d74..2ddfdf3ece0791 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx 
@@ -5,10 +5,81 @@ sidebar: order: 1 --- -import { Render } from "~/components"; +import { Render, Tabs, TabItem } from "~/components"; DNS policies determine how Gateway should handle a DNS request. When a user sends a DNS request, Gateway matches the request against your filters and either allows the query to resolve, blocks the query, or responds to the query with a different IP. You can filter DNS traffic based on query or response parameters (such as domain, source IP, or geolocation). You can also filter by user identity if you connect your devices to Gateway with the [WARP client or Cloudflare One Agent](/learning-paths/secure-internet-traffic/connect-devices-networks/install-agent/). - +To create a new DNS policy: + + + + + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. +2. In the **DNS** tab, select **Add a policy**. +3. Name the policy. +4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block. +5. Choose an **Action** to take when traffic matches the logical expression. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories): + +6. Select **Create policy**. + +For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). 
+ + + + + +To create a new DNS policy using cURL: + +```sh +curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ + --header 'Content-Type: application/json' \ + --header "Authorization: Bearer " \ + --data '{ + "name": "All-DNS-SecurityCategories-Blocklist", + "description": "Block known security risks based on Cloudflare's threat intelligence", + "precedence": 0, + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", + "rule_settings": { + "block_page_enabled": true, + "block_reason": "This domain was blocked due to being classified as a security risk to your organization" + } + }' +``` + + + + + +To create a new DNS policy using **Terraform**: + +```tf +resource "cloudflare_zero_trust_gateway_policy" "security_risks_dns_policy" { + account_id = var.account_id + name = "All-DNS-SecurityCategories-Blocklist" + description = "Block known security risks based on Cloudflare's threat intelligence" + precedence = 0 + enabled = true + action = "block" + filters = ["dns"] + traffic = "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})" + rule_settings { + block_page_enabled = true + block_page_reason = "This domain was blocked due to being classified as a security risk to your organization" + } +} +``` + + + + diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx index 38a74a1629b71d..2d7395440321ef 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx 
@@ -3,121 +3,422 @@ title: Recommended DNS policies pcx_content_type: learning-unit sidebar: order: 3 - --- -import { Details, Render } from "~/components" +import { Render, Tabs, TabItem } from "~/components"; We recommend you add the following DNS policies to build an Internet and SaaS app security strategy for your organization. - -
+## All-DNS-Domain-Allowlist Allowlist any known domains and hostnames. With this policy, you ensure that your users can access your organization's domains even if the domains fall under a blocked category, such as **Newly Seen Domains** or **Login Screens**. -| Selector | Operator | Value | Logic | Action | -| -------- | -------- | --------------- | ----- | ------ | -| Domain | in list | *Known Domains* | Or | Allow | -| Host | in list | *Known Domains* | | | - + -
+ - -
+| Selector | Operator | Value | Logic | Action | +| -------- | -------- | --------------- | ----- | ------ | +| Domain | in list | _Known Domains_ | Or | Allow | +| Host | in list | _Known Domains_ | | | + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "All-DNS-Domain-Allowlist", + "description": "Allowlist any known domains and hostnames", + "precedence": 0, + "enabled": true, + "action": "allow", + "filters": [ + "dns" + ], + "traffic": "any(dns.domains[*] in $) or dns.fqdn in $" +}' +``` + + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "dns_whitelist_policy" { + account_id = var.account_id + name = "All-DNS-Domain-Allowlist" + description = "Allowlist any known domains and hostnames" + precedence = 0 + enabled = true + action = "allow" + filters = ["dns"] + traffic = "any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.domain_whitelist.id}) or dns.fqdn in ${"$"}${cloudflare_zero_trust_list.domain_whitelist.id}" +} +``` + + + + +## Quarantined-Users-DNS-Restricted-Access -| Selector | Operator | Value | Logic | Action | -| ---------------- | -------- | ------------------- | ----- | ------ | -| Domain | in list | *Known Domains* | Or | Block | -| Host | in list | *Known Domains* | And | | -| User Group Names | in | *Quarantined Users* | | | - - -
- - -
+ + + + +| Selector | Operator | Value | Logic | Action | +| ---------------- | ----------- | ----------------------------- | ----- | ------ | +| Domain | not in list | _Allowed Remediation Domains_ | Or | Block | +| Host | not in list | _Allowed Remediation Domains_ | And | | +| User Group Names | in | _Quarantined Users_ | | | + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "Quarantined-Users-DNS-Restricted-Access", + "description": "Restrict access for users included in an identity provider (IdP) user group for risky users", + "precedence": 10, + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "not(any(dns.domains[*] in $)) or not(any(dns.domains[*] in $))", + "identity": "any(identity.groups.name[*] in {\"Quarantined Users\"})" +}' +``` + + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users" { + account_id = var.account_id + name = "Quarantined-Users-DNS-Restricted-Access" + description = "Restrict access for users included in an identity provider (IdP) user group for risky users" + precedence = 10 + enabled = true + action = "block" + filters = ["dns"] + traffic = "not(any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.allowed_remediation_domains.id})) or not(any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.allowed_remediation_domains.id}))" + identity = "any(identity.groups.name[*] in {\"Quarantined Users\"})" +} +``` + + + + +## All-DNS-SecurityCategories-Blocklist - - - -
- + -
+## All-DNS-ContentCategories-Blocklist - + + -
- - -
+## All-DNS-Application-Blocklist + -
+## All-DNS-GeoCountryIP-Blocklist +Block websites hosted in countries categorized as high risk. The designation of such countries may result from your organization's users or through the implementation of regulations including [EAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries), [OFAC](https://orpa.princeton.edu/export-controls/sanctioned-countries), and [ITAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries). -
+ -Block websites hosted in countries categorized as high risk. The designation of such countries may result from your organization's users or through the implementation of regulations including [EAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries), [OFAC](https://orpa.princeton.edu/export-controls/sanctioned-countries), and [ITAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries). + | Selector | Operator | Value | Action | | ------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -| Resolved Country IP Geolocation | in | *Afghanistan*, *Belarus*, *Congo (Kinshasa)*, *Cuba*, *Iran*, *Iraq*, *Korea (North)*, *Myanmar*, *Russian Federation*, *Sudan*, *Syria*, *Ukraine*, *Zimbabwe* | Block | +| Resolved Country IP Geolocation | in | _Afghanistan_, _Belarus_, _Congo (Kinshasa)_, _Cuba_, _Iran_, _Iraq_, _Korea (North)_, _Myanmar_, _Russian Federation_, _Sudan_, _Syria_, _Ukraine_, _Zimbabwe_ | Block | + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "All-DNS-GeoCountryIP-Blocklist", + "description": "Block traffic hosted in countries categorized as high security risks", + "precedence": 50, + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.dst.geo.country[*] in {\"AF\" \"BY\" \"CD\" \"CU\" \"IR\" \"IQ\" \"KP\" \"MM\" \"RU\" \"SD\" \"SY\" \"UA\" \"ZW\"})" +}' +``` + + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "dns_geolocation_block_policy" { + account_id = var.account_id + name = "All-DNS-GeoCountryIP-Blocklist" + description = "Block traffic hosted in countries categorized as high security risks" + precedence = 50 + enabled = true + action 
= "block" + filters = ["dns"] + traffic = "any(dns.dst.geo.country[*] in {\"AF\" \"BY\" \"CD\" \"CU\" \"IR\" \"IQ\" \"KP\" \"MM\" \"RU\" \"SD\" \"SY\" \"UA\" \"ZW\"})" +} +``` + + + + +## All-DNS-DomainTopLevel-Blocklist +Block frequently misused top-level domains (TLDs) to reduce security risks, especially when there is no discernible advantage to be gained from allowing access. Similarly, restricting access to specific country-level TLDs may be necessary to comply with regulations such as [OFAC](https://orpa.princeton.edu/export-controls/sanctioned-countries) and [ITAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries). -
- + -
- -Block frequently misused top-level domains (TLDs) to reduce security risks, especially when there is no discernible advantage to be gained from allowing access. Similarly, restricting access to specific country-level TLDs may be necessary to comply with regulations such as [OFAC](https://orpa.princeton.edu/export-controls/sanctioned-countries) and [ITAR](https://www.tradecompliance.pitt.edu/embargoed-and-sanctioned-countries). + | Selector | Operator | Value | Action | | -------- | ------------- | -------------------------------------------------------------------------------------------------------- | ------ | | Domain | matches regex | `[.](cn\|ru)$ or [.](rest\|hair\|top\|live\|cfd\|boats\|beauty\|mom\|skin\|okinawa)$ or [.](zip\|mobi)$` | Block | + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "All-DNS-DomainTopLevel-Blocklist", + "description": "Block DNS queries of known risky TLDs", + "precedence": 60, + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.domains[*] matches \"[.](cn|ru)$ or [.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$ or [.](zip|mobi)$\")" +}' +``` + + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "dns_blacklist_policy" { + account_id = var.account_id + name = "All-DNS-DomainTopLevel-Blocklist" + description = "Block DNS queries of known risky TLDs" + precedence = 60 + enabled = true + action = "block" + filters = ["dns"] + traffic = "any(dns.domains[*] matches \"[.](cn|ru)$ or [.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$ or [.](zip|mobi)$\")" +} +``` + + + + +## All-DNS-DomainPhishing-Blocklist -
- +Block misused domains to protect your users against sophisticated phishing attacks, such as domains that specifically target your organization. For example, the following policy blocks specific keywords associated with an organization or its authentication services (such as `okta`, `2fa`, `cloudflare` and `sso`) while still allowing access to known domains. -
+ -Block misused domains to protect your users against sophisticated phishing attacks, such as domains that specifically target your organization. For example, the following policy blocks specific keywords associated with an organization or its authentication services (such as `okta`, `2fa`, `cloudflare` and `sso`) while still allowing access to known domains. + | Selector | Operator | Value | Logic | Action | | -------- | ------------- | ------------------------------------------- | ----- | ------ | -| Domain | not in list | *Known Domains* | And | Block | +| Domain | not in list | _Known Domains_ | And | Block | | Domain | matches regex | `.*okta.*\|.*cloudflare.*\|.*mfa.*\|.sso.*` | | | - -
- - -
+ + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "All-DNS-DomainPhishing-Blocklist", + "description": "Block misused domains used in phishing campaigns", + "precedence": 70, + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.domains[*] matches \".*okta.*|.*cloudflare.*|.*mfa.*|.sso.*\") and not(any(dns.domains[*] in $))" +}' +``` + + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "dns_phishing_domains_block" { + account_id = var.account_id + name = "All-DNS-DomainPhishing-Blocklist" + description = "Block misused domains used in phishing campaigns" + precedence = 70 + enabled = true + action = "block" + filters = ["dns"] + traffic = "any(dns.domains[*] matches \".*okta.*|.*cloudflare.*|.*mfa.*|.sso.*\") and not(any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.known_phishing_domains_list.id}))" +} +``` + + + + +## All-DNS-ResolvedIP-Blocklist Block specific IP addresses that are malicious or pose a threat to your organization. -| Selector | Operator | Value | Action | -| ----------- | -------- | -------------- | ------ | -| Resolved IP | in list | *IP Blocklist* | Block | - - -
- + -
+ - - - -
+| Selector | Operator | Value | Action | +| ----------- | -------- | -------------- | ------ | +| Resolved IP | in list | _IP Blocklist_ | Block | + +
+ + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "All-DNS-ResolvedIP-Blocklist", + "description": "Block specific IP addresses deemed to be a risk to the Organization", + "precedence": 80, + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.resolved_ips[*] in $)" +}' +``` + + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" { + account_id = var.account_id + name = "All-DNS-ResolvedIP-Blocklist" + description = "Block specific IP addresses deemed to be a risk to the Organization" + precedence = 80 + enabled = true + action = "block" + filters = ["dns"] + traffic = "any(dns.resolved_ips[*] in ${"$"}${cloudflare_zero_trust_list.ip_blocklist.id}" +} +``` + + + + +## All-DNS-DomainHost-Blocklist + + + + + + + +| Selector | Operator | Value | Logic | Action | +| -------- | ------------- | ------------------ | ----- | ------ | +| Domain | in list | _Domain Blocklist_ | Or | Block | +| Host | in list | _Host Blocklist_ | Or | | +| Host | matches regex | `.*example\.com` | | | + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN>" \ +--data '{ + "name": "All-DNS-DomainHost-Blocklist", + "description": "Block specific domains or hosts that are malicious or pose a threat to your organization.", + "precedence": 90, + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.domains[*] in $) and dns.fqdn in $ and dns.fqdn matches \".*example\\.com\"" +}' +``` + + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "block_dns_domain_host" { + account_id = var.account_id + name = "All-DNS-DomainHost-Blocklist" + description = "Block specific domains or 
hosts that are malicious or pose a threat to your organization." + precedence = 90 + enabled = true + action = "block" + filters = ["dns"] + traffic = "any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.domain_blocklist.id}) and dns.fqdn in ${"$"}${cloudflare_zero_trust_list.host_blocklist.id} and dns.fqdn matches \".*example\\.com\"" +} +``` + + + diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx index f82377bc71b8a7..46bdd5bc69507d 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/recommended-http-policies.mdx @@ -3,87 +3,79 @@ title: Recommended HTTP policies pcx_content_type: learning-unit sidebar: order: 5 - --- -import { Details, Render } from "~/components" +import { Render } from "~/components"; We recommend you add the following HTTP policies to build an Internet and SaaS app security strategy for your organization. - -
+## All-HTTP-Application-InspectBypass Bypass HTTP inspection for applications that use embedded certificates. This will help avoid any certificate pinning errors that may arise from an initial rollout. - - - -
+ - -
+## Android-HTTP-Application-InspectionBypass Bypass HTTPS inspection for Android applications (such as Google Drive) that use certificate pinning, which is incompatible with Gateway inspection. | Selector | Operator | Value | Logic | Action | | ---------------------------- | -------- | --------------------------------- | ----- | -------------- | -| Application | in | *Google Drive* | And | Do Not Inspect | -| Passed Device Posture Checks | in | *OS Version Android (OS version)* | | | - - -
+| Application | in | _Google Drive_ | And | Do Not Inspect | +| Passed Device Posture Checks | in | _OS Version Android (OS version)_ | | | - -
+## All-HTTP-Domain-Inspection-Bypass Bypass HTTP inspection for a custom list of domains identified as incompatible with TLS inspection. | Selector | Operator | Value | Logic | Action | | -------- | -------- | ------------------------ | ----- | -------------- | -| Domain | in list | *DomainInspectionBypass* | Or | Do Not Inspect | -| Domain | in list | *Known Domains* | | | - - -
- +| Domain | in list | _DomainInspectionBypass_ | Or | Do Not Inspect | +| Domain | in list | _Known Domains_ | | | -
+## All-HTTP-SecurityRisks-Blocklist | Selector | Operator | Value | Action | | -------------- | -------- | -------------------- | ------ | -| Security Risks | in | *All security risks* | Block | - - -
- +| Security Risks | in | _All security risks_ | Block | -
+## All-HTTP-ContentCategories-Blocklist - + + -
- - -
+## All-HTTP-DomainHost-Blocklist +| Selector | Operator | Value | Logic | Action | +| -------- | ------------- | ------------------ | ----- | ------ | +| Domain | in list | _Domain Blocklist_ | Or | Block | +| Host | in list | _Host Blocklist_ | Or | | +| Host | matches regex | `.*example\.com` | | | -
- - -
+## All-HTTP-Application-Blocklist + -
- - -
+## PrivilegedUsers-HTTP-Any-Isolate Isolate traffic for privileged users who regularly access critical systems or execute actions such as threat analysis and malware testing. @@ -91,33 +83,22 @@ Security teams often need to perform threat analysis or malware testing that cou | Selector | Operator | Value | Action | | ---------------- | -------- | ------------------ | ------- | -| User Group Names | in | *Privileged Users* | Isolate | - +| User Group Names | in | _Privileged Users_ | Isolate | -
- - -
+## Quarantined-Users-HTTP-Restricted-Access | Selector | Operator | Value | Logic | Action | | ---------------- | ----------- | ------------------------------- | ----- | ------ | -| Destination IP | not in list | *Quarantined-Users-IPAllowlist* | And | Block | -| User Group Names | in | *Quarantined Users* | | | - - -
+| Destination IP | not in list | _Quarantined-Users-IPAllowlist_ | And | Block | +| User Group Names | in | _Quarantined Users_ | | | - -
+## All-HTTP-Domain-Isolate Isolate high risk domains or create a custom list of known risky domains to avoid data exfiltration or malware infection. Ideally, your incident response teams can update the blocklist with an [API automation](/security-center/intel-apis/) to provide real-time threat protection. | Selector | Operator | Value | Logic | Action | | ------------------ | -------- | ---------------------------------- | ----- | ------- | -| Content Categories | in | *New Domain*, *Newly Seen Domains* | Or | Isolate | -| Domain | in list | *Domain Isolation* | | | - - -
+| Content Categories | in | _New Domain_, _Newly Seen Domains_ | Or | Isolate | +| Domain | in list | _Domain Isolation_ | | | diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx index 2c8d587b0d40ff..547f210fbc4504 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-network-policies/recommended-network-policies.mdx @@ -5,13 +5,13 @@ sidebar: order: 2 --- -import { Details, GlossaryTooltip, Render } from "~/components"; +import { GlossaryTooltip, Render } from "~/components"; We recommend you add the following network policies to build an Internet and SaaS app security strategy for your organization. For more information on building network policies, refer to [Network policies](/cloudflare-one/policies/gateway/network-policies/). -
+## Quarantined-Users-NET-Restricted-Access @@ -22,9 +22,7 @@ For more information on building network policies, refer to [Network policies](/ | Domain SNI | not in list | _Quarantined-Users-DomainAllowlist_ | And | | | User Group Names | in | _Quarantined Users_ | | | -
- -
+## Posture-Fail-NET-Restricted-Access Restrict access for devices where baseline posture checks have not passed. If posture checks are integrated with service providers such as Crowdstrike or Intune via the API, this policy dynamically blocks access for devices that do not meet predetermined security requirements. @@ -37,9 +35,7 @@ Restrict access for devices where baseline posture checks have not passed. If po You can add a number of WARP client device posture checks as needed, such as [Disk encryption](/cloudflare-one/identity/devices/warp-client-checks/disk-encryption/) and [Domain joined](/cloudflare-one/identity/devices/warp-client-checks/domain-joined/). For more information on device posture checks, refer to [Enforce device posture](/cloudflare-one/identity/devices/). -
- -
+## FinanceUsers-NET-HTTPS-FinanceServers (example) Allow HTTPS access for user groups. For example, the following policy gives finance users access to any known financial applications: @@ -48,9 +44,7 @@ Allow HTTPS access for user groups. For example, the following policy gives fina | Destination IP | in list | _Finance Servers_ | And | Allow | | User Group Names | in | _Finance Users_ | | | -
- -
+## All-NET-Internet-Blocklist Block traffic to destination IPs, SNIs, and domain SNIs that are malicious or pose a threat to your organization. @@ -66,9 +60,7 @@ Block traffic to destination IPs, +## All-NET-SSH-Internet-Allowlist Allow SSH traffic to specific endpoints on the Internet for specific users. You can create a similar policy for other non-web endpoints that required access. @@ -81,9 +73,7 @@ Optionally, you can include a selector to filter by source IP or IdP group. | Detected Protocol | is | _SSH_ | And | | | User Group Names | in | _SSH-Allowed-Users_ | | | -
- -
+## All-NET-NO-HTTP-HTTPS-Internet-Deny Block all non-web traffic towards the Internet. By using the **Detected Protocol** selector, you will ensure alternative ports for HTTP and HTTPS are allowed. @@ -92,9 +82,7 @@ Block all non-web traffic towards the Internet. By using the **Detected Protocol | Destination IP | not in list | _InternalNetwork_ | And | Block | | Detected Protocol | not in | _HTTP_, _HTTP2_ | | | -
- -
+## All-NET-InternalNetwork-ImplicitDeny Implicitly deny all of your internal IP ranges included in a list. We recommend you place this policy at the [bottom of your policy list](/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#order-of-precedence) to ensure you explicitly approve traffic defined in the above policies. @@ -102,4 +90,11 @@ Implicitly deny all of your internal IP ranges included in a list. We recommend | -------------- | -------- | ---------------------- | ------ | | Destination IP | in list | _Internal Network IPs_ | Block | -
+## All-NET-ApplicationAccess-Allow + +Only allow network traffic from known and approved devices. + + diff --git a/src/content/docs/pages/configuration/debugging-pages.mdx b/src/content/docs/pages/configuration/debugging-pages.mdx index d5ecaec0fccd71..afc86858ac2c0b 100644 --- a/src/content/docs/pages/configuration/debugging-pages.mdx +++ b/src/content/docs/pages/configuration/debugging-pages.mdx @@ -26,7 +26,7 @@ To fix this in GitHub: 1. Log in to your GitHub account. 2. Go to **Settings** from your user icon > find **Applications** under Integrations. 3. Find **Cloudflare Pages** > **Configure** > scroll down and select **Uninstall**. -4. Re-authorize your GitHub user/organisation on the Cloudflare dashboard. +4. Re-authorize your GitHub user/organization on the Cloudflare dashboard. To fix this in GitLab: @@ -70,10 +70,8 @@ Possible errors in this step could be caused by faulty setup in your Pages proje :::note - Make sure there are no emojis or special characters as part of your commit message in a Pages project that is integrated with GitHub or GitLab as it can potentially cause issues when building the project. - ::: ### Deploying to Cloudflare's global network diff --git a/src/content/partials/cloudflare-one/gateway/lists.mdx b/src/content/partials/cloudflare-one/gateway/lists.mdx index 675d41ae077b9d..610a30da0509c4 100644 --- a/src/content/partials/cloudflare-one/gateway/lists.mdx +++ b/src/content/partials/cloudflare-one/gateway/lists.mdx @@ -49,9 +49,8 @@ You can now use this list in the policy builder by choosing the _in list_ operat ```bash curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/lists \ ---header "X-Auth-Email: " \ ---header "X-Auth-Key: " \ --header "Content-Type: application/json" \ +--header "Authorization: Bearer " \ --data '{ "description": "Private application IPs", "items": [{"value": "10.226.0.177/32"},{"value": "10.226.1.177/32"}], 
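Review bot: the new `--header "Authorization: Bearer "` line in the lists.mdx hunk ships with an empty value, while the other curl examples in this patch (block-file-types.mdx and the new dash-plus-api partials) were switched to `--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"`; use the same variable form here so the example is copy-pasteable and consistent. Replacing the `X-Auth-Email`/`X-Auth-Key` global-key headers with a scoped API token is the right change, and the `$ACCOUNT_ID` form used elsewhere in the patch would suit the `{account_id}` placeholder here too.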
diff --git a/src/content/partials/cloudflare-one/gateway/policies/block-applications.mdx b/src/content/partials/cloudflare-one/gateway/policies/block-applications.mdx index 0ae917f3535c1c..44ca8d1db1a76d 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/block-applications.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/block-applications.mdx @@ -2,7 +2,7 @@ {} --- -import { GlossaryTooltip, Tabs, TabItem } from "~/components"; +import { GlossaryTooltip } from "~/components"; :::note After seven days, view your [shadow IT analytics](/cloudflare-one/insights/analytics/shadow-it-discovery/) and block additional applications based on what your users are accessing. diff --git a/src/content/partials/cloudflare-one/gateway/policies/block-cipa.mdx b/src/content/partials/cloudflare-one/gateway/policies/block-cipa.mdx index b83b301e0ad152..e4763c549421e6 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/block-cipa.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/block-cipa.mdx @@ -1,8 +1,7 @@ --- {} - --- | Selector | Operator | Value | Action | | ------------------ | -------- | ------------- | ------ | -| Content categories | in | `CIPA Filter` | Block | +| Content Categories | in | _CIPA Filter_ | Block | diff --git a/src/content/partials/cloudflare-one/gateway/policies/block-file-types.mdx b/src/content/partials/cloudflare-one/gateway/policies/block-file-types.mdx index 5fca4c2e41b791..872da260edc6f8 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/block-file-types.mdx +++ b/src/content/partials/cloudflare-one/gateway/policies/block-file-types.mdx 
@@ -18,9 +18,9 @@ Block the upload or download of files based on their type. ```bash -curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \ +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ --header "Content-Type: application/json" \ ---header "Authorization: Bearer " \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --data '{ "name": "Block file types", "description": "Block the upload or download of files based on their type", diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-applications.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-applications.mdx new file mode 100644 index 00000000000000..4ca90e736203a9 --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-applications.mdx @@ -0,0 +1,51 @@ +--- +{} +--- + +import { Tabs, TabItem } from "~/components"; + + + +| Selector | Operator | Value | Action | +| ----------- | -------- | ------------------------- | ------ | +| Application | in | _Artificial Intelligence_ | Block | + + + + +```bash +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN>" \ +--data '{ + "name": "All-DNS-Application-Blocklist", + "description": "Block access to unauthorized AI applications", + "precedence": 40, + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(app.type.ids[*] in {25})", + "identity": "" +}' +``` + + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "block_unauthorized_apps" { + account_id = var.account_id + name = "All-DNS-Application-Blocklist" + description = "Block access to unauthorized AI applications" + enabled = true + action = "block" + filters = ["dns"] + traffic = "any(app.type.ids[*] in {25})" + identity = "" +} +``` + + 
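Review bot: in the new dns/block-applications.mdx, the header `--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN>"` has a stray `>` after the variable, so the token sent to the API would be wrong and the request would fail authentication; drop the `>`. The curl body also sets `"precedence": 40` while the Terraform resource below it omits `precedence`, so the two tabs do not create the same policy; add `precedence = 40` to the HCL (the security-categories partial in this same patch carries `precedence = 20` in both tabs). The block-file-types.mdx hunk above it is fine.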
diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-content-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-content-categories.mdx new file mode 100644 index 00000000000000..550127c3806d34 --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-content-categories.mdx @@ -0,0 +1,50 @@ +--- +{} +--- + +import { Tabs, TabItem } from "~/components"; + + + +| Selector | Operator | Value | Action | +| ------------------ | -------- | --------------------------------------------------------- | ------ | +| Content Categories | in | _Questionable Content_, _Security Risks_, _Miscellaneous_ | Block | + + + + +```bash +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "All-DNS-ContentCategories-Blocklist", + "description": "Block common content categories that may pose a risk", + "precedence": 30, + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161})", + "identity": "" +}' +``` + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "block_content_categories" { + account_id = var.account_id + name = "All-DNS-ContentCategories-Blocklist" + description = "Block common content categories that may pose a risk" + enabled = true + action = "block" + filters = ["dns"] + traffic = "any(dns.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161})" + identity = "" +} +``` + + 
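Review bot: the curl tab sets `"precedence": 30` but the Terraform resource has no `precedence` argument, so the ordering the API example establishes is lost in the HCL variant; add `precedence = 30`. Minor: `identity = ""` is carried into this resource while the security-categories resource in the same patch omits it; pick one convention for empty identity expressions across the partials.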
diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-security-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-security-categories.mdx new file mode 100644 index 00000000000000..0a27fb3feea382 --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/dns/block-security-categories.mdx @@ -0,0 +1,51 @@ +--- +{} +--- + +import { Tabs, TabItem, Render } from "~/components"; + + + + + + + + +```bash +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "All-DNS-SecurityCategories-Blocklist", + "description": "Block security categories based on Cloudflare's threat intelligence", + "precedence": 20, + "enabled": true, + "action": "block", + "filters": [ + "dns" + ], + "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", + "identity": "" +}' +``` + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "block_security_threats" { + account_id = var.account_id + name = "All-DNS-SecurityCategories-Blocklist" + description = "Block security categories based on Cloudflare's threat intelligence" + precedence = 20 + enabled = true + action = "block" + filters = ["dns"] + traffic = "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})" +} +``` + + diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-applications.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-applications.mdx new file mode 100644 index 00000000000000..d24e0141de39f3 --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-applications.mdx 
@@ -0,0 +1,35 @@ +--- +{} +--- + +import { Tabs, TabItem } from "~/components"; + + + +| Selector | Operator | Value | Action | +| ----------- | -------- | ------------------------- | ------ | +| Application | in | _Artificial Intelligence_ | Block | + + + + +```bash +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "Block content categories", + "description": "Block access to unauthorized AI applications", + "enabled": true, + "action": "block", + "filters": [ + "http" + ], + "traffic": "any(app.type.ids[*] in {25})", + "identity": "", + "device_posture": "" +}' +``` + + + diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-content-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-content-categories.mdx new file mode 100644 index 00000000000000..14a795238d0326 --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/http/block-content-categories.mdx 
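Review bot: the curl body's `"name": "Block content categories"` is a copy-paste leftover in a partial whose traffic expression blocks AI applications (`any(app.type.ids[*] in {25})`), and it breaks the `All-<type>-...-Blocklist` naming the new DNS partials use; rename it to `All-HTTP-Application-Blocklist`. This is also the only new dash-plus-api partial without a Terraform tab; add one mirroring the DNS version with `filters = ["http"]` so the three formats stay in step.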
@@ -0,0 +1,50 @@ +--- +{} +--- + +import { Tabs, TabItem } from "~/components"; + + + +| Selector | Operator | Value | Action | +| ------------------ | -------- | ------------------------------------------------------------------------------------- | ------ | +| Content Categories | in | _Questionable Content_, _Security Risks_, _Miscellaneous_, _Adult Themes_, _Gambling_ | Block | + + + + +```bash +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \ +--header "Content-Type: application/json" \ +--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ +--data '{ + "name": "Block content categories", + "description": "Block access to unauthorized applications", + "enabled": true, + "action": "block", + "filters": [ + "http" + ], + "traffic": "any(http.request.uri.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161 2 67 125 133 99})", + "identity": "", + "device_posture": "" +}' +``` + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "block_unauthorized_apps" { + account_id = var.account_id + name = "All-HTTP-Application-Blocklist" + description = "Block access to unauthorized AI applications" + enabled = true + action = "block" + filters = ["dns"] + traffic = "any(app.type.ids[*] in {25})" + identity = "" +} +``` + + diff --git a/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx new file mode 100644 index 00000000000000..ee34601b650aec --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/policies/dash-plus-api/network/enforce-device-posture.mdx 
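Review bot: the Terraform tab in http/block-content-categories.mdx is the AI-application policy, not the content-categories one: `name = "All-HTTP-Application-Blocklist"`, `filters = ["dns"]` and `traffic = "any(app.type.ids[*] in {25})"` all disagree with the curl tab directly above it (`"filters": ["http"]`, `http.request.uri.content_category[*] in {...}`), so a reader applying the HCL gets a DNS policy that blocks AI apps instead of an HTTP content-category block. Replace it with a resource named along the lines of `All-HTTP-ContentCategories-Blocklist` using `filters = ["http"]` and the same `http.request.uri.content_category` expression as the curl body. The curl body's `"description": "Block access to unauthorized applications"` also describes the wrong policy.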
@@ -0,0 +1,58 @@ +--- +{} +--- + +import { Tabs, TabItem, Render } from "~/components"; + +In the following example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device: + + + + + + + + + +```sh +curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \ + --header "Content-Type: application/json" \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ + --data '{ + "name": "All-NET-ApplicationAccess-Allow", + "description": "Ensure access to the application comes from authorized WARP clients", + "precedence": 5000, + "enabled": false, + "action": "block", + "filters": [ + "l4" + ], + "traffic": "any(net.sni.domains[*] == \"internalapp.com\")", + "device_posture": "not(any(device_posture.checks.passed[*] in {\"\"}))" +}' +``` + +To get the UUIDs of your device posture checks, use the [List device posture rules](/api/resources/zero_trust/subresources/devices/subresources/posture/methods/list/) endpoint. + + + + +```tf +resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" { + account_id = var.account_id + name = "All-NET-ApplicationAccess-Allow" + description = "Ensure access to the application comes from authorized WARP clients" + precedence = 5000 + enabled = false + action = "block" + filters = ["l4"] + traffic = "any(net.sni.domains[*] == \"internalapp.com\")" + posture = "not(any(device_posture.checks.passed[*] in {\"${"$"}${cloudflare_zero_trust_list.allowed_devices_sn_list.id}\"}))" +} +``` + + + diff --git a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx index 202570afec22e7..dd827e6d97bc19 100644 --- a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx 
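Review bot: the Terraform tab interpolates a list ID (`cloudflare_zero_trust_list.allowed_devices_sn_list.id`) into `device_posture.checks.passed[*]`, but that field matches device posture check UUIDs, and the curl tab's own note says to fetch them from the List device posture rules endpoint; reference the serial-number posture rule, not the list, or the policy will never match. Further points in the same hunk: the HCL uses `posture = ...` while the curl body uses `"device_posture"`, so one of the two argument names is wrong and should be checked against the provider docs; the resource label `dns_resolvedip_blocklist_rule` is a leftover from another example; the curl posts to `/gateway/rules` while every other example in this patch uses `/gateway/rule`, so one form is wrong and both should be verified against the API reference; `${"$"}${...}` inside a fenced code block is likely emitted verbatim rather than evaluated, leaving the reader with invalid HCL, so check the rendered page; and both tabs ship with `"enabled": false`, which is reasonable for a dry run but should be stated in the prose since the policy enforces nothing until it is enabled.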
+++ b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx @@ -4,5 +4,5 @@ | Selector | Operator | Value | Logic | Action | | ---------------------------- | -------- | ----------------------- | ----- | ------ | -| SNI Domain | is | `example.com` | And | Block | -| Passed Device Posture Checks | not in | _Device serial numbers_ | | | +| Passed Device Posture Checks | not in | _Device serial numbers_ | And | Block | +| SNI Domain | is | `internalapp.com` | | | diff --git a/src/content/partials/learning-paths/zero-trust/blocklist-application.mdx b/src/content/partials/learning-paths/zero-trust/blocklist-application.mdx index 98640024e6b857..485694bcd2ad7c 100644 --- a/src/content/partials/learning-paths/zero-trust/blocklist-application.mdx +++ b/src/content/partials/learning-paths/zero-trust/blocklist-application.mdx @@ -1,12 +1,7 @@ --- {} - --- -import { GlossaryTooltip } from "~/components" - -Block unauthorized applications to limit your users' access to certain web-based tools and minimize the risk of shadow IT. For example, the following policy blocks popular AI chatbots. +import { GlossaryTooltip } from "~/components"; -| Selector | Operator | Value | Action | -| ----------- | -------- | ----------------------------------------------- | ------ | -| Application | in | *Microsoft Copilot*, *ChatGPT*, *Google Gemini* | Block | +Block unauthorized applications to limit your users' access to certain web-based tools and minimize the risk of shadow IT. For example, the following policy blocks known AI tools: diff --git a/src/content/partials/learning-paths/zero-trust/blocklist-domain-host.mdx b/src/content/partials/learning-paths/zero-trust/blocklist-domain-host.mdx index a3d5e0ba8335ff..6f45050582ad44 100644 --- a/src/content/partials/learning-paths/zero-trust/blocklist-domain-host.mdx +++ b/src/content/partials/learning-paths/zero-trust/blocklist-domain-host.mdx 
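Review bot: the SNI Domain value changes from `example.com`, a reserved documentation domain, to `internalapp.com`, which is a real registrable name; keep a reserved domain in the table (and in the matching partial's `net.sni.domains` expression) so readers do not copy a policy that targets someone else's host. Moving the posture row first is fine, but the value `_Device serial numbers_` is a posture check, not a list, and the wording should make that explicit to match the UUID note in the API tab.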
@@ -1,14 +1,6 @@ --- -inputParameters: blocklistPolicyType - +params: + - blocklistPolicyType --- -import { Markdown } from "~/components" - -Block specific domains or hosts that are malicious or pose a threat to your organization. Like **All-{props.one}-ResolvedIP-Blocklist**, this blocklist can be updated manually or via API automation. - -| Selector | Operator | Value | Logic | Action | -| -------- | ------------- | ------------------ | ----- | ------ | -| Domain | in list | *Domain Blocklist* | Or | Block | -| Host | in list | *Host Blocklist* | Or | | -| Host | matches regex | `.*example\.com` | | | +Block specific domains or hosts that are malicious or pose a threat to your organization. Like **All-{props.blocklistPolicyType}-ResolvedIP-Blocklist**, this blocklist can be updated manually or via API automation. diff --git a/src/content/partials/learning-paths/zero-trust/blocklist-content-categories.mdx b/src/content/partials/learning-paths/zero-trust/content-categories-description.mdx similarity index 55% rename from src/content/partials/learning-paths/zero-trust/blocklist-content-categories.mdx rename to src/content/partials/learning-paths/zero-trust/content-categories-description.mdx index c16cf0157551e2..6634f356d9ceb7 100644 --- a/src/content/partials/learning-paths/zero-trust/blocklist-content-categories.mdx +++ b/src/content/partials/learning-paths/zero-trust/content-categories-description.mdx 
@@ -1,14 +1,8 @@ --- -inputParameters: blocklistPolicyType;;blockedContentCategories - +params: + - policyType --- -import { Markdown } from "~/components" - -Entries in the [security risk content subcategory](/cloudflare-one/policies/gateway/domain-categories/#security-risk-subcategories), such as **New Domains**, do not always pose a security threat. We recommend you first create an Allow policy to track policy matching and identify any false positives. You can add false positives to your **Trusted Domains** list used in **All-{props.one}-Domain-Allowlist**. +Entries in the [security risk content subcategory](/cloudflare-one/policies/gateway/domain-categories/#security-risk-subcategories), such as **New Domains**, do not always pose a security threat. We recommend you first create an Allow policy to track policy matching and identify any false positives. You can add false positives to your **Trusted Domains** list used in **All-{props.policyType}-Domain-Allowlist**. After your test is complete, we recommend you change the action to Block to minimize risk to your organization. - -| Selector | Operator | Value | Action | -| ------------------ | -------- | ----- | ------ | -| Content Categories | in | {props.two} | Allow |