Set up network filtering
Secure Web Gateway allows you to apply policies at the network level (Layers 3 and 4) to control which websites and non-HTTP applications users can access.
1. Connect to Gateway
Connect devices
To filter network traffic from a device such as a laptop or phone:
- Install the WARP client on your device.
- In the WARP client Settings, log in to your organization’s Zero Trust instance.
- (Optional) If you want to display a custom block page, install the Cloudflare root certificate on your device .
- Enable the Gateway proxy:
- In Zero Trust, navigate to Settings > Network.
- Enable Proxy for TCP.
- (Optional) Enable Proxy for UDP. All port 443 UDP traffic will be inspected by Gateway.
Connect private networks
To filter traffic from private networks, refer to the Cloudflare Tunnel guide.
2. Verify device connectivity
- In Zero Trust, navigate to Settings > Network.
- Under Gateway logging, enable activity logging for all Network logs.
- On your WARP-enabled device, open a browser and visit any website.
- Determine the Source IP for your device:
- Open the WARP client settings.
- Navigate to Preferences > General.
- Note the Public IP.
- In Zero Trust, navigate to Logs > Gateway > Network. Before building Network policies, make sure you see Network logs from the Source IP assigned to your device.
3. Add policies
To create a new network policy, navigate to Gateway > Firewall Policies > Network in Zero Trust. Refer to our list of common network policies for policies you may want to create.