Network filtering
Secure Web Gateway allows you to apply policies at the network level (Layers 3 and 4) to control which websites and non-HTTP applications users can access.
To filter network traffic from a device such as a laptop or phone:
- Install the WARP client on your device.
- In the WARP client Settings, log in to your organization’s Zero Trust instance.
- (Optional) If you want to display a custom block page, install the Cloudflare root certificate on your device .
- Enable the Gateway proxy for TCP. Optionally, you can enable the UDP proxy to inspect all port 443 UDP traffic.
To filter traffic from private networks, refer to the Cloudflare Tunnel guide.
- In Zero Trust ↗, go to Settings > Network.
- Under Gateway logging, enable activity logging for all Network logs.
- On your WARP-enabled device, open a browser and visit any website.
- Determine the Source IP for your device:
- Open the WARP client settings.
- Go to Preferences > General.
- Note the Public IP.
- In Zero Trust, go to Logs > Gateway > Network. Before building Network policies, make sure you see Network logs from the Source IP assigned to your device.
To create a new network policy, go to Gateway > Firewall Policies > Network in Zero Trust. Refer to our list of common network policies for policies you may want to create.