Network filtering
Secure Web Gateway allows you to apply policies at the network level (Layers 3 and 4) to control which websites and non-HTTP applications users can access.
To filter network traffic from a device such as a laptop or phone:
- Install the WARP client on your device.
- In the WARP client Settings, log in to your organization's Zero Trust instance.
- (Optional) If you want to display a custom block page, install the Cloudflare root certificate on your device.
- Enable the Gateway proxy for TCP. Optionally, you can enable the UDP proxy to inspect all port 443 UDP traffic.
To filter traffic from private networks, refer to the Cloudflare Tunnel guide.
To verify your device is connected to Zero Trust:
- In Zero Trust, go to Settings > Network.
- Under Gateway logging, enable activity logging for all Network logs.
- On your WARP-enabled device, open a browser and visit any website.
- Determine the Source IP for your device:
  - Open the WARP client settings.
  - Go to Preferences > General.
  - Note the Public IP.
- In Zero Trust, go to Logs > Gateway > Network. Before building Network policies, make sure you see Network logs from the Source IP assigned to your device.
To create a new network policy:

Using the dashboard:
- In Zero Trust, go to Gateway > Firewall policies.
- In the Network tab, select Add a policy.
- Name the policy.
- Under Traffic, build a logical expression that defines the traffic you want to allow or block.
- Choose an Action to take when traffic matches the logical expression. For example, you can use a list of device serial numbers to ensure users can only access an application if they connect with the WARP client from a company device:

  | Selector | Operator | Value | Logic | Action |
  |---|---|---|---|---|
  | SNI Domain | is | internalapp.com | And | Block |
  | Passed Device Posture Checks | not in | Device serial numbers | | |

- Select Create policy.

Using the API:
- Create an API token with the following permissions:

  | Type | Item | Permission |
  |---|---|---|
  | Account | Zero Trust | Edit |

- (Optional) Configure your API environment variables to include your account ID and API token.
- Send a POST request to the Create a Zero Trust Gateway rule endpoint. For example, you can use a list of device serial numbers to ensure users can only access an application if they connect with the WARP client from a company device:

  ```sh
  # curl API network policy example
  curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    --data '{
      "name": "Enforce device posture",
      "description": "Ensure only devices in Zero Trust organization can connect to application",
      "precedence": 0,
      "enabled": true,
      "action": "block",
      "filters": ["l4"],
      "traffic": "any(net.sni.domains[*] == \"internalapp.com\")",
      "identity": "",
      "device_posture": "not(any(device_posture.checks.passed[*] in {\"<LIST_UUID>\"}))"
    }'
  ```

  The API will respond with a summary of the policy and the result of your request:

  ```json
  {
    "success": true,
    "errors": [],
    "messages": []
  }
  ```
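The same API step as an added Python example (not code from the Cloudflare docs): it builds the rule body with the page's `traffic` and `device_posture` expressions from a domain and a posture-check list UUID, quoting the values so a domain or UUID cannot break the expression syntax, and treats a response with `"success": false` as a failure rather than assuming the policy was applied. The `opener` parameter is an assumption made so the request can be swapped out for a test double.

```python
import json
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"


def build_device_posture_rule(domain: str, list_uuid: str, precedence: int = 0) -> dict:
    """Return the L4 Gateway rule body from the page: block traffic whose SNI matches
    `domain` unless the device passed a posture check in the given list."""
    # Expression string literals are double-quoted; json.dumps quotes and escapes them
    # so a value containing quotes or backslashes cannot alter the expression.
    return {
        "name": "Enforce device posture",
        "description": "Ensure only devices in Zero Trust organization can connect to application",
        "precedence": precedence,
        "enabled": True,
        "action": "block",
        "filters": ["l4"],
        "traffic": f"any(net.sni.domains[*] == {json.dumps(domain)})",
        "identity": "",
        "device_posture": f"not(any(device_posture.checks.passed[*] in {{{json.dumps(list_uuid)}}}))",
    }


def create_gateway_rule(account_id: str, api_token: str, rule: dict,
                        opener=urllib.request.urlopen) -> dict:
    """POST the rule to the Create a Zero Trust Gateway rule endpoint.

    Raises if the API reports success == false, so a policy that was never
    created is not mistaken for an enforced one. `opener` is injectable for tests."""
    req = urllib.request.Request(
        f"{API_BASE}/accounts/{account_id}/gateway/rules",
        data=json.dumps(rule).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {api_token}"},
        method="POST",
    )
    with opener(req) as resp:
        body = json.load(resp)
    if not body.get("success"):
        raise RuntimeError(f"Gateway rule not created: {body.get('errors')}")
    return body.get("result", {})


if __name__ == "__main__":
    import os
    # <LIST_UUID> is the placeholder from the page; replace with your posture-check list ID.
    rule = build_device_posture_rule("internalapp.com", "<LIST_UUID>")
    print(json.dumps(rule, indent=2))
    if os.environ.get("ACCOUNT_ID") and os.environ.get("CLOUDFLARE_API_TOKEN"):
        print(create_gateway_rule(os.environ["ACCOUNT_ID"], os.environ["CLOUDFLARE_API_TOKEN"], rule))
```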
For more information, refer to network policies.
Refer to our list of common network policies for policies you may want to create.