HTTP filtering
Secure Web Gateway allows you to inspect HTTP traffic and control which websites users can visit.
To filter HTTP requests from a device:
- Install the Cloudflare root certificate on your device.
- Install the WARP client on your device.
- In the WARP client Settings, log in to your organization's Zero Trust instance.
- Enable the Gateway proxy for TCP. Optionally, you can enable the UDP proxy to inspect all port 443 UDP traffic.
- To inspect HTTPS traffic, enable TLS decryption.
- (Optional) To scan file uploads and downloads for malware, enable anti-virus scanning.
To verify your device is connected to Zero Trust:
- In Zero Trust ↗, go to Settings > Network.
- Under Gateway logging, enable activity logging for all HTTP logs.
- On your device, open a browser and go to any website.
- In Zero Trust, go to Logs > Gateway > HTTP.
- Make sure HTTP requests from your device appear.
To create a new HTTP policy:
-
In Zero Trust ↗, go to Gateway > Firewall policies.
-
In the HTTP tab, select Add a policy.
-
Name the policy.
-
Under Traffic, build a logical expression that defines the traffic you want to allow or block.
-
Choose an Action to take when traffic matches the logical expression. For example, if you have enabled TLS inspection, some applications that use embedded certificates may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:
Selector Operator Value Action Application in Do Not Inspect Do Not Inspect Cloudflare also recommends adding a policy to block known threats such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence:
Selector Operator Value Action Security Categories in All security risks Block -
Select Create policy.
For more information, refer to HTTP policies.
Refer to our list of common HTTP policies for other policies you may want to create.