cloudflare · maxvp · Dec 30, 2024 · Dec 18, 2024 · Dec 18, 2024 · Dec 18, 2024
@@ -46,6 +46,8 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
 }'
 ```
 
+To get the UUIDs of your lists, use the [List Zero Trust lists](/api/resources/zero_trust/subresources/gateway/subresources/lists/methods/list/) endpoint.
+
 </TabItem> </Tabs>
 
 ## Block security threats

@@ -18,25 +18,105 @@ Refer to the [network policies page](/cloudflare-one/policies/gateway/network-po
 
 <Render file="gateway/policies/block-applications" product="cloudflare-one" />
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 | Selector    | Operator | Value                     | Action |
 | ----------- | -------- | ------------------------- | ------ |
 | Application | in       | _Artificial Intelligence_ | Block  |
 
+</TabItem>
+
+<TabItem label="API">
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer <API_TOKEN>" \
+--data '{
+  "name": "Block unauthorized applications",
+  "description": "Block access to unauthorized AI applications",
+  "enabled": true,
+  "action": "block",
+  "filters": [
+    "l4"
+  ],
+  "traffic": "any(app.type.ids[*] in {25})",
+  "identity": "",
+  "device_posture": ""
+}'
+```
+
+</TabItem> </Tabs>
+
 ## Check user identity
 
 <Render file="gateway/policies/check-user-identity" />
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 | Selector         | Operator | Value         | Logic | Action |
 | ---------------- | -------- | ------------- | ----- | ------ |
 | Application      | in       | _Salesforce_  | And   | Block  |
 | User Group Names | in       | _Contractors_ |       |        |
 
+</TabItem>
+
+<TabItem label="API">
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer <API_TOKEN>" \
+--data '{
+  "name": "Check user identity",
+  "description": "Block access to Salesforce by temporary employees and contractors",
+  "enabled": true,
+  "action": "block",
+  "filters": [
+    "l4"
+  ],
+  "traffic": "any(app.ids[*] in {606})",
+  "identity": "any(identity.groups.name[*] in {\"Contractors\"})",
+  "device_posture": ""
+}'
+```
+
+</TabItem> </Tabs>
+
 ## Enforce device posture
 
-Require devices to have certain software installed or other configuration attributes. For instructions on enabling a device posture check, refer to the [device posture section](/cloudflare-one/identity/devices/).
+Require devices to have certain software installed or other configuration attributes. For instructions on enabling a device posture check, refer to the [device posture section](/cloudflare-one/identity/devices/). For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device:
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
 
 <Render file="gateway/policies/enforce-device-posture" />
 
+</TabItem>
+
+<TabItem label="API">
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer <API_TOKEN>" \
+--data '{
+  "name": "Enforce device posture",
+  "description": "Limit access to an internal application to approved organization devices",
+  "enabled": true,
+  "action": "block",
+  "filters": [
+    "l4"
+  ],
+  "traffic": "any(net.sni.domains[*] == \"example.com\")",
+  "identity": "",
+  "device_posture": "not(any(device_posture.checks.passed[*] in {\"<POSTURE-CHECK-UUID>\"}))"
+}'
+```
+
+To get the UUIDs of your device posture checks, use the [List device posture rules](/api/resources/zero_trust/subresources/devices/subresources/posture/methods/list/) endpoint.
+
+</TabItem> </Tabs>
+
 ## Enforce session duration
 
 To require users to re-authenticate after a certain amount of time has elapsed, configure [WARP sessions](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/).
@@ -47,32 +127,136 @@ Restrict user access to only the specific sites or applications configured in yo
 
 ### 1. Allow HTTP and HTTPS traffic
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 | Selector          | Operator | Value       | Logic | Action |
 | ----------------- | -------- | ----------- | ----- | ------ |
 | Detected Protocol | is       | _TLS_       | And   | Allow  |
 | Destination Port  | in       | `80`, `443` |       |        |
 
+</TabItem>
+
+<TabItem label="API">
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer <API_TOKEN>" \
+--data '{
+  "name": "Allow HTTP and HTTPS traffic",
+  "description": "Restrict traffic to HTTP and HTTPS traffic",
+  "enabled": true,
+  "action": "allow",
+  "filters": [
+    "l4"
+  ],
+  "traffic": "net.detected_protocol == \"tls\" and net.dst.port in {80 443}",
+  "identity": "",
+  "device_posture": ""
+}'
+```
+
+</TabItem> </Tabs>
+
 ### 2. Block all other traffic
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 | Selector | Operator | Value        | Action |
 | -------- | -------- | ------------ | ------ |
-| Protocol | in       | _UDP_, _TCP_ | Block  |
+| Protocol | in       | _TCP_, _UDP_ | Block  |
+
+</TabItem>
+
+<TabItem label="API">
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer <API_TOKEN>" \
+--data '{
+  "name": "Block all other traffic",
+  "description": "Block all other traffic that is not HTTP or HTTPS",
+  "enabled": true,
+  "action": "block",
+  "filters": [
+    "l4"
+  ],
+  "traffic": "net.protocol in {\"tcp\" \"udp\"}",
+  "identity": "",
+  "device_posture": ""
+}'
+```
+
+</TabItem> </Tabs>
 
 ## Restrict access to private networks
 
 Restrict access to resources which you have connected through [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/).
 
-The following example consists of two policies: the first allows specific users to reach your application, and the second blocks all other traffic. Make sure that the Allow policy has higher priority (by positioning it towards the top of the list in the UI).
+The following example consists of two policies: the first allows specific users to reach your application, and the second blocks all other traffic.
 
 ### 1. Allow company employees
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 | Selector       | Operator      | Value            | Logic | Action |
 | -------------- | ------------- | ---------------- | ----- | ------ |
 | Destination IP | in            | `10.0.0.0/8`     | And   | Allow  |
 | User Email     | matches regex | `.*@example.com` |       |        |
 
+</TabItem>
+
+<TabItem label="API">
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer <API_TOKEN>" \
+--data '{
+  "name": "Allow company employees",
+  "description": "Allow any users with an organization email to reach the application",
+  "enabled": true,
+  "action": "allow",
+  "filters": [
+    "l4"
+  ],
+  "traffic": "net.dst.ip in {10.0.0.0/8}",
+  "identity": "identity.email matches \".*@example.com\"",
+  "device_posture": ""
+}'
+```
+
+</TabItem> </Tabs>
+
 ### 2. Block everyone else
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 | Selector       | Operator | Value        | Action |
 | -------------- | -------- | ------------ | ------ |
 | Destination IP | in       | `10.0.0.0/8` | Block  |
+
+</TabItem>
+
+<TabItem label="API">
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer <API_TOKEN>" \
+--data '{
+  "name": "Block everyone else",
+  "description": "Block any other users from accessing the application",
+  "enabled": true,
+  "action": "block",
+  "filters": [
+    "l4"
+  ],
+  "traffic": "net.dst.ip in {10.0.0.0/8}",
+  "identity": "",
+  "device_posture": ""
+}'
+```
+
+</TabItem> </Tabs>
@@ -12,11 +12,13 @@ To create a new network policy:
 2. In the **Network** tab, select **Add a policy**.
 3. Name the policy.
 4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
-5. Choose an **Action** to take when traffic matches the logical expression.
+5. Choose an **Action** to take when traffic matches the logical expression. For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device:
+
    <Render
    	file="gateway/policies/enforce-device-posture"
    	product="cloudflare-one"
    />
+
 6. Select **Create policy**.
 
 </TabItem>

@@ -2,9 +2,7 @@
 {}
 ---
 
-For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device:
-
 | Selector                     | Operator | Value                   | Logic | Action |
 | ---------------------------- | -------- | ----------------------- | ----- | ------ |
-| SNI Domain                   | is       | `internalapp.com`       | And   | Block  |
+| SNI Domain                   | is       | `example.com`           | And   | Block  |
 | Passed Device Posture Checks | not in   | _Device serial numbers_ |       |        |
-Original file line number
+Diff line change
@@ Expand Up @@
     }'
     ```
+    To get the UUIDs of your lists, use the [List Zero Trust lists](/api/resources/zero_trust/subresources/gateway/subresources/lists/methods/list/) endpoint.
     </TabItem> </Tabs>
     ## Block security threats
@@ Expand Down @@