Create your first network policy
You can control network-level traffic by filtering requests by selectors such as IP addresses and ports. You can also integrate network policies with an identity provider to apply identity-based filtering.
To create a new network policy:

Dashboard

- In Zero Trust, go to Gateway > Firewall policies.
- In the Network tab, select Add a policy.
- Name the policy.
- Under Traffic, build a logical expression that defines the traffic you want to allow or block.
- Choose an Action to take when traffic matches the logical expression. In the following example, you can use a list of device serial numbers to ensure users can only access an application if they connect with the WARP client from a company device:

  | Selector                     | Operator | Value                 | Logic | Action |
  | ---------------------------- | -------- | --------------------- | ----- | ------ |
  | Passed Device Posture Checks | not in   | Device serial numbers | And   | Block  |
  | SNI Domain                   | is       | internalapp.com       |       |        |

  The same policy created through the API:

  ```sh
  curl --request POST \
    --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
    --header 'Content-Type: application/json' \
    --header "Authorization: Bearer <API TOKEN>" \
    --data '{
      "name": "All-NET-ApplicationAccess-Allow",
      "description": "Ensure access to the application comes from authorized WARP clients",
      "precedence": 5000,
      "enabled": false,
      "action": "block",
      "filters": ["l4"],
      "traffic": "any(net.sni.domains[*] == \"internalapp.com\")",
      "device_posture": "not(any(device_posture.checks.passed[*] in {\"<Device Serial Numbers List UUID>\"}))",
      "rule_settings": {
        "block_page_enabled": true,
        "block_reason": "This domain/IP was explicitly blocked by your network administrator. Please reach out to your helpdesk for assistance"
      }
    }'
  ```

  The same policy as a Terraform resource:

  ```hcl
  resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" {
    account_id  = var.account_id
    name        = "All-NET-ApplicationAccess-Allow"
    description = "Ensure access to the application comes from authorized WARP clients"
    precedence  = 5000
    enabled     = false
    action      = "block"
    filters     = ["l4"]
    traffic     = "any(net.sni.domains[*] == \"internalapp.com\")"
    posture     = "not(any(device_posture.checks.passed[*] in {\"${cloudflare_zero_trust_list.allowed_devices_sn_list.id}\"}))"
    rule_settings {
      block_page_enabled = true
      block_page_reason  = "This domain/IP was explicitly blocked by your network administrator. Please reach out to your helpdesk for assistance"
    }
  }
  ```

- Select Create policy.

API

- Create an API token with the following permissions:

  | Type    | Item       | Permission |
  | ------- | ---------- | ---------- |
  | Account | Zero Trust | Edit       |

- (Optional) Configure your API environment variables to include your account ID and API token.
- Send a POST request to the Create a Zero Trust Gateway rule endpoint. For example, you can use a list of device serial numbers to ensure users can only access an application if they connect with the WARP client from a company device:

  ```sh
  curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer <API_TOKEN>" \
    --data '{
      "name": "Enforce device posture",
      "description": "Ensure only devices in Zero Trust organization can connect to application",
      "precedence": 0,
      "enabled": true,
      "action": "block",
      "filters": ["l4"],
      "traffic": "any(net.sni.domains[*] == \"internalapp.com\")",
      "identity": "",
      "device_posture": "not(any(device_posture.checks.passed[*] in {\"<LIST_UUID>\"}))"
    }'
  ```

  ```json
  {
    "success": true,
    "errors": [],
    "messages": []
  }
  ```

  The API will respond with a summary of the policy and the result of your request.
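The steps above build the rule body and post it to the Gateway rules endpoint, but they give no way to check, before the policy is live, which connections the expression would actually block. The following Python script is an added example (not Cloudflare's code or part of this page) that assembles the same request body, prepares the POST request without sending it, and runs a small hand-written evaluator over constructed sample connections so you can see the posture condition at work: traffic to the SNI domain is blocked unless the device passed the serial-number posture check, and a disabled rule blocks nothing. The evaluator only understands the two expression shapes this page uses; it is an illustration of their semantics, not Gateway's real rule engine. The account ID, token and list UUID are placeholders.

```python
"""Build a Zero Trust Gateway network policy and sanity-check it locally.

Added example, not Cloudflare's own code. Assumes the request shape shown on
this page (POST /accounts/{account_id}/gateway/rules with a JSON body). The
evaluator below is a hand-written approximation of two Gateway expressions,
written for illustration only.
"""
import json
import re
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"

# The only two expression shapes this evaluator understands (taken from the page).
TRAFFIC_RE = re.compile(r'^any\(net\.sni\.domains\[\*\] == "([^"]+)"\)$')
POSTURE_RE = re.compile(
    r'^not\(any\(device_posture\.checks\.passed\[\*\] in \{"([^"]+)"\}\)\)$'
)


def build_rule(domain: str, list_uuid: str, name: str = "Enforce device posture") -> dict:
    """Return the JSON body for a block rule on TLS connections to `domain`
    that only fires when the device did NOT pass the serial-number check."""
    return {
        "name": name,
        "description": "Ensure only devices in Zero Trust organization can connect to application",
        "precedence": 0,
        "enabled": True,
        "action": "block",
        "filters": ["l4"],
        "traffic": f'any(net.sni.domains[*] == "{domain}")',
        "identity": "",
        "device_posture": f'not(any(device_posture.checks.passed[*] in {{"{list_uuid}"}}))',
    }


def build_request(account_id: str, api_token: str, rule: dict) -> urllib.request.Request:
    """Prepare (but do not send) the POST request the page's curl command makes."""
    return urllib.request.Request(
        f"{API_BASE}/accounts/{account_id}/gateway/rules",
        data=json.dumps(rule).encode(),
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {api_token}",
        },
        method="POST",
    )


def would_block(rule: dict, sni_domains: list, passed_checks: list) -> bool:
    """Return True if this block rule fires for a connection carrying the given
    SNI domains from a device that passed the given posture check IDs.

    A rule that is disabled, or whose action is not "block", never fires.
    """
    if rule["action"] != "block" or not rule["enabled"]:
        return False
    traffic = TRAFFIC_RE.match(rule["traffic"])
    posture = POSTURE_RE.match(rule["device_posture"])
    if traffic is None or posture is None:
        raise ValueError("evaluator only understands the expression shapes on this page")
    domain, list_uuid = traffic.group(1), posture.group(1)
    # any(net.sni.domains[*] == domain)
    traffic_hit = any(d == domain for d in sni_domains)
    # not(any(device_posture.checks.passed[*] in {list_uuid}))
    posture_hit = not any(c == list_uuid for c in passed_checks)
    return traffic_hit and posture_hit


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own list UUID and account.
    LIST_UUID = "00000000-0000-4000-8000-000000000001"
    rule = build_rule("internalapp.com", LIST_UUID)
    req = build_request("<ACCOUNT_ID>", "<API_TOKEN>", rule)
    print("Would POST to", req.full_url)
    print("Body:", json.dumps(rule, indent=2))
    for sni, checks in [
        (["internalapp.com"], []),            # unmanaged device -> blocked
        (["internalapp.com"], [LIST_UUID]),   # company device -> allowed
        (["example.com"], []),                # other traffic -> not matched
    ]:
        print(sni, checks, "->", "block" if would_block(rule, sni, checks) else "pass")
```

Run it as-is to see the evaluation table; to actually create the policy, pass the prepared request to `urllib.request.urlopen` with a real account ID and token, and check `success` in the JSON response as the page shows.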
For more information, refer to network policies.