[Gateway] Network policies content categories (#18436)

cloudflare · Nov 27, 2024 · b4d77e9 · b4d77e9
1 parent 1fe4e58
commit b4d77e9
Show file tree

Hide file tree

Showing 16 changed files with 93 additions and 81 deletions.
diff --git a/src/content/changelogs/gateway.yaml b/src/content/changelogs/gateway.yaml
@@ -6,9 +6,9 @@ productArea: Cloudflare One
 productAreaLink: /cloudflare-one/changelog/
 entries:
   - publish_date: "2024-11-20"
-    title: Category Filtering in the Network Policy Builder
-    description: |- 
-      Gateway users can now create Network Policies with Content Categories and Security Risks traffic selectors. This update simplifies malicious traffic blocking and streamlines network monitoring for improved security management.
+    title: Category filtering in the network policy builder
+    description: |-
+      Gateway users can now create network policies with the [Content Categories](/cloudflare-one/policies/gateway/network-policies/#content-categories) and [Security Risks](/cloudflare-one/policies/gateway/network-policies/#security-risks) traffic selectors. This update simplifies malicious traffic blocking and streamlines network monitoring for improved security management.
   - publish_date: "2024-10-17"
     title: Per-account Cloudflare root certificate
     description: |-

diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/signed_authn.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/signed_authn.mdx
@@ -33,8 +33,8 @@ To set up Signed AuthN requests:
 
    Cloudflare Access uses a certificate that includes the following 2 distinguished name fields:
 
-   - **Issuer Distinguished Name** – `CN=cloudflareaccess.com, C=US, ST=Texas, L=Austin, O=Cloudflare`
-   - **Subject Distinguished Name** – `CN=*.cloudflareaccess.com, C=US, ST=Texas, L=Austin, O=Cloudflare`
+   - **Issuer Distinguished Name** - `CN=cloudflareaccess.com, C=US, ST=Texas, L=Austin, O=Cloudflare`
+   - **Subject Distinguished Name** - `CN=*.cloudflareaccess.com, C=US, ST=Texas, L=Austin, O=Cloudflare`
 
    Most IdP configurations require 3 components to enforce AuthN signature verification:
 

diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx
@@ -286,7 +286,7 @@ Use this selector to match against the IP address of the authoritative nameserve
 
 ### Content Categories
 
-<Render file="gateway/selectors/content-categories" />
+<Render file="gateway/selectors/dns-content-categories" />
 
 <Render file="gateway/selectors/category-options" />
 
@@ -359,14 +359,14 @@ Use this selector to filter DNS responses by their `TXT` records.
 
 Use this selector to filter based on the continent that the query resolves to. Geolocation is determined from the IP address in the response. To specify a continent, enter its two-letter code into the **Value** field:
 
-- AF – Africa
-- AN – Antarctica
-- AS – Asia
-- EU – Europe
-- NA – North America
-- OC – Oceania
-- SA – South America
-- T1 – Tor network
+- AF - Africa
+- AN - Antarctica
+- AS - Asia
+- EU - Europe
+- NA - North America
+- OC - Oceania
+- SA - South America
+- T1 - Tor network
 
 | UI name                           | API example                     | Evaluation phase     |
 | --------------------------------- | ------------------------------- | -------------------- |

diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx
@@ -407,11 +407,10 @@ When using Terraform to create a policy with the [Do Not Inspect](#do-not-inspec
 
 ### Content Categories
 
-| UI name            | API example                                      |
-| ------------------ | ------------------------------------------------ |
-| Content Categories | `not(any(http.conn.content_category[*] in {1}))` |
-
-For more information, refer to our list of [content categories](/cloudflare-one/policies/gateway/domain-categories/#content-categories).
+<Render
+	file="gateway/selectors/net-http-content-categories"
+	params={{ APIendpoint: "http.conn.content_category" }}
+/>
 
 ### Destination Continent
 
@@ -566,11 +565,10 @@ Some hostnames (`example.com`) will invisibly redirect to the www subdomain (`ww
 
 ### Security Risks
 
-| UI name        | API example                                  |
-| -------------- | -------------------------------------------- |
-| Security Risks | `any(http.conn.security_category[*] in {1})` |
-
-For more information, refer to our list of [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories).
+<Render
+	file="gateway/selectors/security-risks"
+	params={{ APIendpoint: "http.conn.security_category" }}
+/>
 
 ### Source Continent
 

diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx
@@ -8,9 +8,7 @@ sidebar:
 import { Details, InlineBadge, Render } from "~/components";
 
 :::note
-
 To enable this feature, download and deploy the [WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on your devices.
-
 :::
 
 With Cloudflare Zero Trust, you can configure policies to control network-level traffic leaving your endpoints. Using network selectors like IP addresses and ports, your policies will control access to any network origin. Because Cloudflare Zero Trust [integrates with your identity provider](/cloudflare-one/identity/idp-integration/), it also gives you the ability to create identity-based network policies. This means you can now control access to non-HTTP resources on a per-user basis regardless of where they are or what device they access that resource from.
@@ -222,7 +220,7 @@ Policies with Network Override actions override traffic directed to, or coming f
 | -------------- | -------- | --------------- | ----- | ---------------- |
 | Destination IP | in       | `95.92.143.151` | And   | Network Override |
 | User Email     | in       | `*@example.com` | And   |                  |
-| Override IP    |          | 10.0.0.1        |       |                  |
+| Override IP    |          | `10.0.0.1`      |       |                  |
 
 ## Selectors
 
@@ -234,11 +232,10 @@ Gateway matches network traffic against the following selectors, or criteria.
 
 ### Content Categories
 
-| UI name            | API example                                      |
-| ------------------ | ------------------------------------------------ |
-| Content Categories | `not(any(net.fqdn.content_category[*] in {1}))` |
-
-For more information, refer to our list of [content categories](/cloudflare-one/policies/gateway/domain-categories/#content-categories).
+<Render
+	file="gateway/selectors/net-http-content-categories"
+	params={{ APIendpoint: "net.fqdn.content_category" }}
+/>
 
 ### Destination Continent
 
@@ -286,11 +283,10 @@ To enable Gateway filtering on TCP and UDP, go to **Settings** > **Network** > *
 
 ### Security Risks
 
-| UI name        | API example                                  |
-| -------------- | -------------------------------------------- |
-| Security Risks | `any(net.fqdn.security_category[*] in {1})` |
-
-For more information, refer to our list of [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories).
+<Render
+	file="gateway/selectors/security-risks"
+	params={{ APIendpoint: "net.fqdn.security_category" }}
+/>
 
 ### SNI
 

diff --git a/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx
@@ -83,7 +83,7 @@ For more information on creating a DNS policy, refer to [DNS policies](/cloudfla
 
 ### Content Categories
 
-<Render file="gateway/selectors/content-categories" />
+<Render file="gateway/selectors/dns-content-categories" />
 
 ### DNS Resolver IP
 

diff --git a/src/content/partials/cloudflare-one/access/app-launcher.mdx b/src/content/partials/cloudflare-one/access/app-launcher.mdx
@@ -1,15 +1,14 @@
 ---
 {}
-
 ---
 
-import { GlossaryTooltip } from "~/components"
+import { GlossaryTooltip } from "~/components";
 
 With the Access App Launcher, users can open all applications that they have access to from a single dashboard.
 
 The App Launcher is available at a <GlossaryTooltip term="team domain">team domain</GlossaryTooltip> unique to your Cloudflare Zero Trust account, for example `mycompany.cloudflareaccess.com`.
 
-Users log in using one of the identity providers configured for the account. Once Access authenticates the user, the App Launcher displays applications they are authorized to use, in the form of application tiles. Selecting an application tile launches the application’s hostname, sending the user to that tool as part of their SSO flow.
+Users log in using one of the identity providers configured for the account. Once Access authenticates the user, the App Launcher displays applications they are authorized to use, in the form of application tiles. Selecting an application tile launches the application's hostname, sending the user to that tool as part of their SSO flow.
 
 ![App Launcher portal](~/assets/images/cloudflare-one/applications/app-launcher.png)
 
@@ -43,7 +42,7 @@ To show an Access application in the App Launcher:
 
 :::note
 
-This toggle does not impact the user's ability to reach the application. Allowed users can always reach the application via a direct link, regardless of whether the toggle is enabled. Blocked users will never have access to the application. 
+This toggle does not impact the user's ability to reach the application. Allowed users can always reach the application via a direct link, regardless of whether the toggle is enabled. Blocked users will never have access to the application.
 :::
 
 4. Choose a domain to use for the App Launcher link.
@@ -52,14 +51,14 @@ This toggle does not impact the user's ability to reach the application. Allowed
 
 :::note
 
-If you are having issues specifying a custom logo, check that the image is served from an HTTPS endpoint. For example, `http://www.example.com/upload/logo.png` will not work. However, `https://www.example.com/upload/logo.png` will. 
+If you are having issues specifying a custom logo, check that the image is served from an HTTPS endpoint. For example, `http://www.example.com/upload/logo.png` will not work. However, `https://www.example.com/upload/logo.png` will.
 :::
 
 ## Customize App Launcher appearance
 
 :::note
 
-Only available on Pay-as-you-go and Enterprise plans. 
+Only available on Pay-as-you-go and Enterprise plans.
 :::
 
 You can display your own branding, messages, and links to users when they open the App Launcher.
@@ -69,24 +68,24 @@ To customize the App Launcher appearance:
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Custom Pages**.
 2. Find the **Customize App Launcher** setting and select **Customize**.
 3. Give the App Launcher the look and feel of your organization by adding:
-   * Your organization's name
-   * A logo
-   * A preferred background color for the header
-   * A preferred background color for the page
-   * A custom footer with links to your organization's help desk or other internal resources.
+   - Your organization's name
+   - A logo
+   - A preferred background color for the header
+   - A preferred background color for the page
+   - A custom footer with links to your organization's help desk or other internal resources.
 
 :::note
 
-We recommend lighter background colors because the font defaults to black. 
+We recommend lighter background colors because the font defaults to black.
 :::
 
 4. Next, customize the landing page that users will see when they login to the App Launcher. Available properties include:
 
-   * A custom title
-   * A custom subtitle
-   * An image
-   * A preferred color for the **Log in** button
-   * A preferred color for the **Log in** button text
+   - A custom title
+   - A custom subtitle
+   - An image
+   - A preferred color for the **Log in** button
+   - A preferred color for the **Log in** button text
 
    All of the properties configured in Step 3 will also apply to the landing page.
 

diff --git a/src/content/partials/cloudflare-one/gateway/policies/content-categories.mdx b/src/content/partials/cloudflare-one/gateway/policies/content-categories.mdx
@@ -1,11 +1,10 @@
 ---
 {}
-
 ---
 
 ## Block content categories
 
-Block content categories which go against your organization’s acceptable use policy.
+Block content categories which go against your organization's acceptable use policy.
 
 | Selector           | Operator | Value                  | Action |
 | ------------------ | -------- | ---------------------- | ------ |

diff --git a/src/content/partials/cloudflare-one/gateway/policies/recommended-dns-policies.mdx b/src/content/partials/cloudflare-one/gateway/policies/recommended-dns-policies.mdx
@@ -1,9 +1,8 @@
 ---
 {}
-
 ---
 
-import { Render } from "~/components"
+import { Render } from "~/components";
 
 ## Allow corporate domains
 
@@ -15,7 +14,7 @@ This policy allows users to access official corporate domains. By deploying the
 
 ## Block security threats
 
-Block [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare’s threat intelligence. <Render file="gateway/policies/block-security-categories" product="cloudflare-one" />
+Block [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence. <Render file="gateway/policies/block-security-categories" product="cloudflare-one" />
 
 ## Block content categories
 

diff --git a/src/content/partials/cloudflare-one/gateway/selectors/destination-continent.mdx b/src/content/partials/cloudflare-one/gateway/selectors/destination-continent.mdx
@@ -1,21 +1,22 @@
 ---
 inputParameters: param1
-
 ---
 
-import { Markdown } from "~/components"
+import { Markdown } from "~/components";
 
 The continent where the request is destined. Geolocation is determined from the target IP address. To specify a continent, enter its two-letter code into the **Value** field:
 
-* AF – Africa
-* AN – Antarctica
-* AS – Asia
-* EU – Europe
-* NA – North America
-* OC – Oceania
-* SA – South America
-* T1 – Tor network
+| Continent     | Code |
+| ------------- | ---- |
+| Africa        | `AF` |
+| Antarctica    | `AN` |
+| Asia          | `AS` |
+| Europe        | `EU` |
+| North America | `NA` |
+| Oceania       | `OC` |
+| South America | `SA` |
+| Tor network   | `T1` |
 
-| UI name                              | API example                |
-| ------------------------------------ | -------------------------- |
+| UI name                              | API example                                    |
+| ------------------------------------ | ---------------------------------------------- |
 | Destination Continent IP Geolocation | <code>{props.one}.geo.continent == "EU"</code> |
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/destination-port.mdx b/src/content/partials/cloudflare-one/gateway/selectors/destination-port.mdx
@@ -1,9 +1,8 @@
 ---
 {}
-
 ---
 
-The port number of the request’s target.
+The port number of the request's target.
 
 | UI name          | API example              |
 | ---------------- | ------------------------ |

diff --git a/.../gateway/selectors/content-categories.mdx → ...eway/selectors/dns-content-categories.mdx b/.../gateway/selectors/content-categories.mdx → ...eway/selectors/dns-content-categories.mdx
@@ -1,6 +1,5 @@
 ---
 {}
-
 ---
 
 Use this selector to filter domains belonging to specific [content categories](/cloudflare-one/policies/gateway/domain-categories/#content-categories).

diff --git a/...ntent/partials/cloudflare-one/gateway/selectors/net-http-content-categories.mdx b/...ntent/partials/cloudflare-one/gateway/selectors/net-http-content-categories.mdx
@@ -0,0 +1,12 @@
+---
+params:
+  - APIendpoint
+---
+
+import { Markdown } from "~/components";
+
+| UI name            | API example                                            |
+| ------------------ | ------------------------------------------------------ |
+| Content Categories | <code>not(any({props.APIendpoint}[*] in \{1\}))</code> |
+
+For more information, refer to the list of [content categories](/cloudflare-one/policies/gateway/domain-categories/#content-categories).
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/security-risks.mdx b/src/content/partials/cloudflare-one/gateway/selectors/security-risks.mdx
@@ -0,0 +1,12 @@
+---
+params:
+  - APIendpoint
+---
+
+import { Markdown } from "~/components";
+
+| UI name        | API example                                       |
+| -------------- | ------------------------------------------------- |
+| Security Risks | <code>any({props.APIendpoint}[*] in \{1\})</code> |
+
+For more information, refer to the list of [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories).
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/source-continent.mdx b/src/content/partials/cloudflare-one/gateway/selectors/source-continent.mdx
@@ -1,9 +1,8 @@
 ---
 inputParameters: param1
-
 ---
 
-import { Markdown } from "~/components"
+import { Markdown } from "~/components";
 
 Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a continent, enter its two-letter code into the **Value** field:
 
@@ -18,6 +17,6 @@ Geolocation is determined from the device's public IP address (typically assigne
 | South America | `SA` |
 | Tor network   | `T1` |
 
-| UI name                         | API example                           | Evaluation phase      |
-| ------------------------------- | ------------------------------------- | --------------------- |
+| UI name                         | API example                                               | Evaluation phase      |
+| ------------------------------- | --------------------------------------------------------- | --------------------- |
 | Source Continent IP Geolocation | <code>{props.one}.geo.continent == "North America"</code> | Before DNS resolution |
diff --git a/src/content/partials/cloudflare-one/tunnel/virtual-networks-intro.mdx b/src/content/partials/cloudflare-one/tunnel/virtual-networks-intro.mdx
@@ -1,6 +1,5 @@
 ---
 {}
-
 ---
 
-Virtual networks allow you to connect private networks that have overlapping IP ranges without creating conflicts for users or services. For example, an organization may want to expose two distinct virtual private cloud (VPC) networks which they consider to be “production” and “staging”. However, if the two private networks happened to receive the same RFC 1918 IP assignment, there may be two different resources with the same IP address. By creating two separate virtual networks, you can deterministically route traffic to duplicative private addresses like `10.128.0.1/32` staging and `10.128.0.1/32` production. These virtual networks will appear as user-selectable options within the WARP client GUI.
+Virtual networks allow you to connect private networks that have overlapping IP ranges without creating conflicts for users or services. For example, an organization may want to expose two distinct virtual private cloud (VPC) networks which they consider to be "production" and "staging". However, if the two private networks happened to receive the same RFC 1918 IP assignment, there may be two different resources with the same IP address. By creating two separate virtual networks, you can deterministically route traffic to duplicative private addresses like `10.128.0.1/32` staging and `10.128.0.1/32` production. These virtual networks will appear as user-selectable options within the WARP client GUI.
-Original file line number
+Diff line change
@@ -1,6 +1,5 @@
     ---
     {}
     ---
     Use this selector to filter domains belonging to specific [content categories](/cloudflare-one/policies/gateway/domain-categories/#content-categories).
@@ Expand Down @@