Common policies
The following policies are commonly used to secure network traffic.
Refer to the network policies page for a comprehensive list of other selectors, operators, and actions.
To minimize the risk of shadow IT, some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks known AI tools:
| Selector | Operator | Value | Action | 
|---|---|---|---|
| Application | in | Artificial Intelligence | Block | 
```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --data '{
    "name": "Block unauthorized applications",
    "description": "Block access to unauthorized AI applications",
    "enabled": true,
    "action": "block",
    "filters": ["l4"],
    "traffic": "any(app.type.ids[*] in {25})",
    "identity": "",
    "device_posture": ""
  }'
```

Configure access on a per-user or per-group basis by adding identity-based conditions to your policies. For example, the following policy blocks members of the Contractors group from reaching Salesforce:
| Selector | Operator | Value | Logic | Action | 
|---|---|---|---|---|
| Application | in | Salesforce | And | Block | 
| User Group Names | in | Contractors | 
```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --data '{
    "name": "Check user identity",
    "description": "Block access to Salesforce by temporary employees and contractors",
    "enabled": true,
    "action": "block",
    "filters": ["l4"],
    "traffic": "any(app.ids[*] in {606})",
    "identity": "any(identity.groups.name[*] in {\"Contractors\"})",
    "device_posture": ""
  }'
```

Require devices to have certain software installed or other configuration attributes before they can reach a resource. For instructions on enabling a device posture check, refer to the device posture section. In the following example, a list of device serial numbers ensures users can only access an application if they connect with the WARP client from a company device:
| Selector | Operator | Value | Logic | Action | 
|---|---|---|---|---|
| SNI Domain | is | internalapp.com | And | Block | 
| Passed Device Posture Checks | not in | Device serial numbers | 
```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --data '{
    "name": "All-NET-ApplicationAccess-Allow",
    "description": "Ensure access to the application comes from authorized WARP clients",
    "precedence": 70,
    "enabled": false,
    "action": "block",
    "filters": ["l4"],
    "traffic": "any(net.sni.domains[*] == \"internalapp.com\")",
    "device_posture": "not(any(device_posture.checks.passed[*] in {\"<DEVICE_SERIAL_NUMBERS_LIST_UUID>\"}))"
  }'
```

To get the UUIDs of your device posture checks, use the List device posture rules endpoint. Note that this policy is created with `"enabled": false`, so it blocks nothing until you enable it; review the expression against your posture check list before turning it on.

The same policy in Terraform, assuming a `cloudflare_zero_trust_list` resource named `allowed_devices_sn_list` that holds the serial numbers:

```hcl
resource "cloudflare_zero_trust_gateway_policy" "all_net_applicationaccess_allow" {
  account_id     = var.cloudflare_account_id
  name           = "All-NET-ApplicationAccess-Allow"
  description    = "Ensure access to the application comes from authorized WARP clients"
  precedence     = 70
  enabled        = false
  action         = "block"
  filters        = ["l4"]
  traffic        = "any(net.sni.domains[*] == \"internalapp.com\")"
  device_posture = "not(any(device_posture.checks.passed[*] in {\"${cloudflare_zero_trust_list.allowed_devices_sn_list.id}\"}))"
}
```

To require users to re-authenticate after a certain amount of time has elapsed, configure WARP sessions.
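The posture example above leaves `<DEVICE_SERIAL_NUMBERS_LIST_UUID>` for you to paste in by hand. The following script, an added example rather than Cloudflare's own code, resolves that UUID by name from the List device posture rules endpoint and builds the request body from it. It assumes that endpoint is `GET /accounts/{account_id}/devices/posture` and returns a JSON object whose `result` list carries `id` and `name` per check, and that `ACCOUNT_ID` and `CLOUDFLARE_API_TOKEN` are set in the environment; the function names (`posture_rule_id`, `build_posture_policy`, `cf_request`) and the sample response are constructed for this example.

```python
"""Resolve a device posture check UUID by name and build the Gateway network
policy body from the example above (added example, not Cloudflare's code)."""
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"

# Constructed sample of a List device posture rules response (IDs are not real).
SAMPLE_POSTURE_RULES = {
    "success": True,
    "result": [
        {"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
         "name": "Device serial numbers", "type": "serial_number"},
        {"id": "0a2a3e8d-3b4c-4d5e-8f90-1234567890ab",
         "name": "Disk encrypted", "type": "disk_encryption"},
    ],
}


def posture_rule_id(listing, name):
    """Return the UUID of the posture check called `name`.

    Fails loudly on zero or several matches: a policy keyed on the wrong
    check silently opens or closes access.
    """
    ids = [r["id"] for r in listing.get("result", []) if r.get("name") == name]
    if len(ids) != 1:
        raise LookupError(f"expected one posture rule named {name!r}, found {len(ids)}")
    return ids[0]


def build_posture_policy(sni, posture_rule_uuid, precedence=70, enabled=False):
    """Body for POST /gateway/rules: block `sni` unless the device passed the check."""
    # Both values are interpolated into a filter expression; refuse quote characters.
    if '"' in sni or '"' in posture_rule_uuid:
        raise ValueError("quotes are not allowed in interpolated values")
    return {
        "name": "All-NET-ApplicationAccess-Allow",
        "description": "Ensure access to the application comes from authorized WARP clients",
        "precedence": precedence,
        "enabled": enabled,  # create disabled, review, then enable
        "action": "block",
        "filters": ["l4"],
        "traffic": f'any(net.sni.domains[*] == "{sni}")',
        "device_posture": f'not(any(device_posture.checks.passed[*] in {{"{posture_rule_uuid}"}}))',
    }


def cf_request(path, token, body=None):
    """Minimal authenticated Cloudflare API call: GET, or POST when a body is given."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{API}{path}", data=data,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST" if data else "GET",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def main():
    account, token = os.environ["ACCOUNT_ID"], os.environ["CLOUDFLARE_API_TOKEN"]
    listing = cf_request(f"/accounts/{account}/devices/posture", token)
    uuid = posture_rule_id(listing, "Device serial numbers")
    policy = build_posture_policy("internalapp.com", uuid)
    print(json.dumps(cf_request(f"/accounts/{account}/gateway/rules", token, policy), indent=2))


if __name__ == "__main__":
    main()
```

The policy is created disabled, matching the example; enable it from the dashboard or with a follow-up update once the expression has been checked.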
Restrict user access to only the specific sites or applications configured in your HTTP policies.
| Selector | Operator | Value | Logic | Action | 
|---|---|---|---|---|
| Detected Protocol | is | TLS | And | Allow | 
| Destination Port | in | 80,443 | 
```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --data '{
    "name": "Allow HTTP and HTTPS traffic",
    "description": "Restrict traffic to HTTP and HTTPS traffic",
    "enabled": true,
    "action": "allow",
    "filters": ["l4"],
    "traffic": "net.detected_protocol == \"tls\" and net.dst.port in {80 443}",
    "identity": "",
    "device_posture": ""
  }'
```

The second policy blocks everything the first did not allow:

| Selector | Operator | Value | Action | 
|---|---|---|---|
| Protocol | in | TCP, UDP | Block | 
```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --data '{
    "name": "Block all other traffic",
    "description": "Block all other traffic that is not HTTP or HTTPS",
    "enabled": true,
    "action": "block",
    "filters": ["l4"],
    "traffic": "net.protocol in {\"tcp\" \"udp\"}",
    "identity": "",
    "device_posture": ""
  }'
```

Gateway evaluates network policies in order and applies the first one that matches, so the allow policy must sit above the block policy. If the order is reversed, the block policy matches all TCP and UDP traffic first and the allow policy is never reached.

Restrict access to resources which you have connected through Cloudflare Tunnel.
The following example consists of two policies: the first allows specific users to reach your application, and the second blocks all other traffic.
| Selector | Operator | Value | Logic | Action | 
|---|---|---|---|---|
| Destination IP | in | 10.0.0.0/8 | And | Allow | 
| User Email | matches regex | .*@example.com | 
```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --data '{
    "name": "Allow company employees",
    "description": "Allow any users with an organization email to reach the application",
    "enabled": true,
    "action": "allow",
    "filters": ["l4"],
    "traffic": "net.dst.ip in {10.0.0.0/8}",
    "identity": "identity.email matches \".*@example.com\"",
    "device_posture": ""
  }'
```

In the User Email condition, `.` matches any character and the pattern is not anchored, so `.*@example.com` also matches addresses such as `mallory@example-com.attacker.test` or `mallory@example.com.attacker.test`. Anchor the pattern and escape the dot (`^[^@]+@example\.com$`) to limit access to the intended domain.

The second policy blocks all other users, and must be ordered after the allow policy:

| Selector | Operator | Value | Action | 
|---|---|---|---|
| Destination IP | in | 10.0.0.0/8 | Block | 
```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --data '{
    "name": "Block everyone else",
    "description": "Block any other users from accessing the application",
    "enabled": true,
    "action": "block",
    "filters": ["l4"],
    "traffic": "net.dst.ip in {10.0.0.0/8}",
    "identity": "",
    "device_posture": ""
  }'
```

Override traffic directed toward a specific IP address and port with a different IP address and port.
| Selector | Operator | Value | Logic | Action | 
|---|---|---|---|---|
| Destination IP | in | 203.0.113.17 | And | Network Override | 
| Destination Port | is | 80 | 
| Override IP | Override Port | 
|---|---|
| 1.1.1.1 | 80 | 
```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --data '{
    "name": "Override example.com with 1.1.1.1",
    "description": "Override a site'\''s IP address with another IP",
    "enabled": true,
    "action": "l4_override",
    "filters": ["l4"],
    "traffic": "net.dst.ip in {203.0.113.17} and net.dst.port == 80",
    "identity": "",
    "device_posture": "",
    "rule_settings": {
      "l4override": {
        "ip": "1.1.1.1",
        "port": 80
      },
      "override_host": "",
      "override_ips": null
    }
  }'
```
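The HTTP-filtering and private-network examples above each pair an allow policy with a catch-all block, and the private-network one keys on an e-mail regex. The following script, an added example rather than Cloudflare's own code, builds such a pair with explicit precedence and lints an existing rule set for the two mistakes those pairs invite: a catch-all block ordered ahead of the allow it is meant to follow, and an identity regex that is unanchored or contains an unescaped dot. It assumes rule objects carry the fields used in the request bodies above plus an integer `precedence` with the lowest value evaluated first, as returned by `GET /accounts/{account_id}/gateway/rules`; the function names (`build_pair`, `lint`, `shadowed_allows`) and the sample rules and addresses are constructed for this example.

```python
"""Build an allow/block Gateway policy pair and lint a rule set for ordering
and regex mistakes (added example, not Cloudflare's code)."""
import json
import re

# Constructed sample: the two private-network policies from above, created in
# the wrong order, so the block (precedence 100) runs before the allow (200).
SAMPLE_RULES = [
    {"name": "Block everyone else", "action": "block", "precedence": 100,
     "traffic": "net.dst.ip in {10.0.0.0/8}", "identity": "", "device_posture": ""},
    {"name": "Allow company employees", "action": "allow", "precedence": 200,
     "traffic": "net.dst.ip in {10.0.0.0/8}",
     "identity": 'identity.email matches ".*@example.com"', "device_posture": ""},
]


def email_domain_regex(domain):
    """Anchored pattern for 'anyone at this domain': dot escaped, nothing after."""
    return rf"^[^@]+@{re.escape(domain)}$"


def regex_issues(pattern):
    """Flag an unanchored pattern, or a '.' that is neither escaped nor a wildcard."""
    issues = []
    if not pattern.startswith("^") or not pattern.endswith("$"):
        issues.append("not anchored")
    if re.search(r"(?<!\\)\.(?![*+?])", pattern):
        issues.append("unescaped '.'")
    return issues


def email_matches(pattern, address):
    """Unanchored search, so an unanchored pattern can hit a lookalike domain."""
    return re.search(pattern, address) is not None


def build_pair(cidr, email_domain, base=100):
    """Allow users at `email_domain` into `cidr`, then block everyone else.

    The allow gets the lower (earlier) precedence because the first match wins.
    """
    traffic = f"net.dst.ip in {{{cidr}}}"
    return [
        {"name": "Allow company employees", "action": "allow", "precedence": base,
         "enabled": True, "filters": ["l4"], "traffic": traffic,
         "identity": f'identity.email matches "{email_domain_regex(email_domain)}"',
         "device_posture": ""},
        {"name": "Block everyone else", "action": "block", "precedence": base + 10,
         "enabled": True, "filters": ["l4"], "traffic": traffic,
         "identity": "", "device_posture": ""},
    ]


def shadowed_allows(rules):
    """Names of allow rules that an unconditional block on the same traffic precedes."""
    out = []
    for allow in (r for r in rules if r["action"] == "allow"):
        for block in (r for r in rules if r["action"] == "block"):
            unconditional = not block.get("identity") and not block.get("device_posture")
            if (unconditional and block["traffic"] == allow["traffic"]
                    and block["precedence"] < allow["precedence"]):
                out.append(allow["name"])
    return out


def lint(rules):
    """Human-readable findings for a rule set."""
    findings = [f"allow rule {n!r} is unreachable: a catch-all block precedes it"
                for n in shadowed_allows(rules)]
    for r in rules:
        # Pull every quoted regex out of `... matches "..."` in the identity expression.
        for pat in re.findall(r'matches\s+"((?:[^"\\]|\\.)*)"', r.get("identity") or ""):
            for issue in regex_issues(pat):
                findings.append(f"rule {r['name']!r}: regex {pat!r} {issue}")
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_RULES):
        print("finding:", line)
    print(json.dumps(build_pair("10.0.0.0/8", "example.com"), indent=2))
```

Run `lint` over the `result` list of a `GET .../gateway/rules` response before and after changing policy order; the equality test on `traffic` is deliberately strict, so it catches the copy-paste pairs shown on this page rather than every possible overlap.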