Set up HTTP filtering
Secure Web Gateway allows you to inspect HTTP traffic and control which websites users can visit.
1. Connect to Gateway
To filter HTTP requests from a device:
- Install the Cloudflare root certificate on your device.
- Install the WARP client on your device.
- In the WARP client Settings, log in to your organization’s Zero Trust instance.
- Enable the Gateway proxy:
  - In Zero Trust, navigate to Settings > Network.
  - Enable Proxy for TCP.
  - (Optional) Enable Proxy for UDP. All port 443 UDP traffic will be inspected by Gateway.
- Enable TLS decryption.
2. Verify device connectivity
- In Zero Trust, navigate to Settings > Network.
- Under Gateway logging, enable activity logging for all HTTP logs.
- On your WARP-enabled device, open a browser and visit any website.
- In Zero Trust, navigate to Logs > Gateway > HTTP. Before building HTTP policies, make sure you see HTTP queries from the email associated with your device.
3. Add recommended policies
To create a new HTTP policy, navigate to Gateway > Firewall Policies > HTTP in Zero Trust. We recommend adding the following policies:
Bypass inspection for incompatible applications
Bypass HTTP inspection for applications which use embedded certificates. This will help avoid any certificate pinning errors that may arise from an initial rollout.
Selector | Operator | Value | Action |
---|---|---|---|
Application | in | Do Not Inspect | Do Not Inspect |
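To confirm from the device that TLS decryption applies where intended and that the bypass policy takes effect, you can compare the issuer of the certificate each host presents with the root certificate you installed. The following is an added example, not part of the original guide or of Cloudflare's tooling: `GATEWAY_ROOT_CN` is a placeholder, the host names and sample certificates are constructed, and it assumes inspected connections present a leaf certificate whose issuer common name equals the subject common name of the installed root.

```python
import socket
import ssl

# Assumption: placeholder value. Replace it with the subject CN of the
# root certificate you installed on the device in step 1.
GATEWAY_ROOT_CN = "EXAMPLE-GATEWAY-ROOT-CN"


def issuer_field(cert, field):
    """Return one issuer attribute from an ssl.getpeercert() dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None


def inspection_state(cert, root_cn=GATEWAY_ROOT_CN):
    """'inspected' if the issuer CN is the installed root's CN, else 'bypassed'."""
    return "inspected" if issuer_field(cert, "commonName") == root_cn else "bypassed"


def fetch_peer_cert(host, port=443, timeout=5):
    """Handshake with host and return the validated leaf certificate as a dict."""
    ctx = ssl.create_default_context()  # the installed root must be in this trust store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(certs_by_host, expect_bypassed=(), root_cn=GATEWAY_ROOT_CN):
    """Return {host: observed_state} for hosts that do not match the policy intent."""
    mismatches = {}
    for host, cert in certs_by_host.items():
        state = inspection_state(cert, root_cn)
        wanted = "bypassed" if host in expect_bypassed else "inspected"
        if state != wanted:
            mismatches[host] = state
    return mismatches


# Constructed sample certificates in the shape ssl.getpeercert() returns.
SAMPLE = {
    "inspected.example": {"issuer": ((("organizationName", "Example Org"),),
                                     (("commonName", GATEWAY_ROOT_CN),))},
    "pinned-app.example": {"issuer": ((("organizationName", "Example Public CA"),),
                                      (("commonName", "Example Public CA R1"),))},
}
```

On a live device, build the input with `{h: fetch_peer_cert(h) for h in hosts}`; a certificate verification error from `fetch_peer_cert` means the runtime's trust store does not contain the installed root.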
Block all security categories
Block known threats such as Command & Control, Botnet and Malware based on Cloudflare’s threat intelligence.
Selector | Operator | Value | Action |
---|---|---|---|
Security categories | in | All security risks | Block |
4. Add optional policies
Refer to our list of common HTTP policies for other policies you may want to create.