From 7776fb4ac36193d4d1042052eae0e47f8461acbe Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Mon, 14 Jul 2025 18:16:38 +0100 Subject: [PATCH 1/7] [CF1] firewall IPs clarification --- .../connect-devices/warp/deployment/firewall.mdx | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx index 844fa9f9990b6ca..3cb87fae71a9f82 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx @@ -15,6 +15,8 @@ The WARP client connects to Cloudflare via a standard HTTPS connection outside t +Although `zero-trust-client.cloudflareclient.com` may resolve to different IP addresses, this domain is hardcoded to the IPs listed above. + ## DoH IP :::note @@ -26,6 +28,8 @@ In [Gateway with DoH](/cloudflare-one/connections/connect-devices/warp/configure - IPv4 DoH Addresses: `162.159.36.1` and `162.159.46.1` - IPv6 DoH Addresses: `2606:4700:4700::1111` and `2606:4700:4700::1001` +Although `.cloudflare-gateway.com` may resolve to different IP addresses, this domain is hardcoded to the IPs listed above. + ### Android devices If you are deploying the Cloudflare One Agent on Android/ChromeOS, you must also add `cloudflare-dns.com` to your firewall exception list. On Android/ChromeOS devices, WARP uses `cloudflare-dns.com` to resolve domains on your [Split Tunnel list](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#domain-based-split-tunnels). 
@@ -89,6 +93,8 @@ The client connects to the following destinations to verify general Internet con - `162.159.197.3` - `2606:4700:102::3` +Although `engage.cloudflareclient.com` may resolve to different IP addresses, this domain is hardcoded to the IPs listed above. + ### Inside tunnel The WARP client connects to the following IPs to verify connectivity inside of the WARP tunnel: @@ -98,7 +104,9 @@ The WARP client connects to the following IPs to verify connectivity inside of t Because this check happens inside of the tunnel, you do not need to add these IPs to your firewall allowlist. However, since the requests go through Gateway, ensure that they are not blocked by a Gateway HTTP or Network policy. -Thought it may be visible in `warp-diag` and other logs, `connectivity.cloudflareclient.com` is used internally by WARP and should not be used in firewall policies. +Although `connectivity.cloudflareclient.com` may appear in `warp-diag` and other logs, it is used internally by WARP and should not be used in firewall policies. + +If your firewall allows traffic only by domain, you may need to explicitly allow `connectivity.cloudflareclient.com`. Be aware that this domain can resolve to different IP addresses. However, this domain is hardcoded to the IPs listed above. To avoid connectivity issues, ensure that `162.159.197.4` and `2606:4700:102::4` are permitted through your firewall. ## NEL reporting (optional) From f6ccb3e58cd54aeaa215acd7a5c4233260a85872 Mon Sep 17 00:00:00 2001 From: Kate Tungusova <70746074+deadlypants1973@users.noreply.github.com> Date: Tue, 15 Jul 2025 10:03:25 +0100 Subject: [PATCH 2/7] Apply suggestions from code review Co-authored-by: ranbel <101146722+ranbel@users.noreply.github.com> --- .../connect-devices/warp/deployment/firewall.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx index 3cb87fae71a9f82..66d36710e3cc2aa 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx @@ -15,7 +15,7 @@ The WARP client connects to Cloudflare via a standard HTTPS connection outside t -Although `zero-trust-client.cloudflareclient.com` may resolve to different IP addresses, this domain is hardcoded to the IPs listed above. +Although `zero-trust-client.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. ## DoH IP @@ -28,7 +28,7 @@ In [Gateway with DoH](/cloudflare-one/connections/connect-devices/warp/configure - IPv4 DoH Addresses: `162.159.36.1` and `162.159.46.1` - IPv6 DoH Addresses: `2606:4700:4700::1111` and `2606:4700:4700::1001` -Although `.cloudflare-gateway.com` may resolve to different IP addresses, this domain is hardcoded to the IPs listed above. +Although `.cloudflare-gateway.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. ### Android devices @@ -93,7 +93,7 @@ The client connects to the following destinations to verify general Internet con - `162.159.197.3` - `2606:4700:102::3` -Although `engage.cloudflareclient.com` may resolve to different IP addresses, this domain is hardcoded to the IPs listed above. +Although `engage.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. ### Inside tunnel From 765e26eb98023b433d44a2915e6c1daefe181bdb Mon Sep 17 00:00:00 2001 
From: Kate Tungusova <70746074+deadlypants1973@users.noreply.github.com> Date: Tue, 15 Jul 2025 10:07:20 +0100 Subject: [PATCH 3/7] Update src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx --- .../connections/connect-devices/warp/deployment/firewall.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx index 66d36710e3cc2aa..922487f35d64499 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx @@ -106,7 +106,7 @@ Because this check happens inside of the tunnel, you do not need to add these IP Although `connectivity.cloudflareclient.com` may appear in `warp-diag` and other logs, it is used internally by WARP and should not be used in firewall policies. -If your firewall allows traffic only by domain, you may need to explicitly allow `connectivity.cloudflareclient.com`. Be aware that this domain can resolve to different IP addresses. However, this domain is hardcoded to the IPs listed above. To avoid connectivity issues, ensure that `162.159.197.4` and `2606:4700:102::4` are permitted through your firewall. +If your firewall allows traffic only by domain, you may need to explicitly allow `connectivity.cloudflareclient.com`. Although `connectivity.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. ## NEL reporting (optional) From acd21ce5fedbc8000cd90f99de0e607dd5cbd5cb Mon Sep 17 00:00:00 2001 
From: Kate Tungusova <70746074+deadlypants1973@users.noreply.github.com> Date: Tue, 15 Jul 2025 10:09:42 +0100 Subject: [PATCH 4/7] Update src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx --- .../connections/connect-devices/warp/deployment/firewall.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx index 922487f35d64499..46096ac4d2a5545 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx @@ -106,7 +106,7 @@ Because this check happens inside of the tunnel, you do not need to add these IP Although `connectivity.cloudflareclient.com` may appear in `warp-diag` and other logs, it is used internally by WARP and should not be used in firewall policies. -If your firewall allows traffic only by domain, you may need to explicitly allow `connectivity.cloudflareclient.com`. Although `connectivity.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. +If your firewall allows traffic only by domain, you may need to explicitly allow `connectivity.cloudflareclient.com`. Even though `connectivity.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. ## NEL reporting (optional) From 167bd949791ff4a822b8e6b8ff5f4b12db2da22c Mon Sep 17 00:00:00 2001 
From: Kate Tungusova <70746074+deadlypants1973@users.noreply.github.com> Date: Tue, 15 Jul 2025 18:08:13 +0100 Subject: [PATCH 5/7] Apply suggestions from code review --- .../connect-devices/warp/deployment/firewall.mdx | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx index 46096ac4d2a5545..c7b8d4d7b056535 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx @@ -15,7 +15,7 @@ The WARP client connects to Cloudflare via a standard HTTPS connection outside t -Although `zero-trust-client.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. +If your firewall allows traffic only by domain, you may need to explicitly allow `zero-trust-client.cloudflareclient.com`. Even though `zero-trust-client.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. ## DoH IP 
@@ -28,7 +28,8 @@ In [Gateway with DoH](/cloudflare-one/connections/connect-devices/warp/configure - IPv4 DoH Addresses: `162.159.36.1` and `162.159.46.1` - IPv6 DoH Addresses: `2606:4700:4700::1111` and `2606:4700:4700::1001` -Although `.cloudflare-gateway.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. +If your firewall allows traffic only by domain, you may need to explicitly allow `.cloudflare-gateway.com`. Even though `.cloudflare-gateway.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. + ### Android devices @@ -93,7 +94,7 @@ The client connects to the following destinations to verify general Internet con - `162.159.197.3` - `2606:4700:102::3` -Although `engage.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. +If your firewall allows traffic only by domain, you may need to explicitly allow `engage.cloudflareclient.com`. Even though `engage.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. ### Inside tunnel 
@@ -104,8 +105,6 @@ The WARP client connects to the following IPs to verify connectivity inside of t Because this check happens inside of the tunnel, you do not need to add these IPs to your firewall allowlist. However, since the requests go through Gateway, ensure that they are not blocked by a Gateway HTTP or Network policy. -Although `connectivity.cloudflareclient.com` may appear in `warp-diag` and other logs, it is used internally by WARP and should not be used in firewall policies. - If your firewall allows traffic only by domain, you may need to explicitly allow `connectivity.cloudflareclient.com`. Even though `connectivity.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. ## NEL reporting (optional) From d627e80adb1a0de138881dc440c51d7aa1b4a1d3 Mon Sep 17 00:00:00 2001 From: Kate Tungusova <70746074+deadlypants1973@users.noreply.github.com> Date: Wed, 16 Jul 2025 10:06:29 +0100 Subject: [PATCH 6/7] Update src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx Co-authored-by: Max Phillips --- .../connections/connect-devices/warp/deployment/firewall.mdx | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx index c7b8d4d7b056535..db6e96ce52d477e 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx 
@@ -29,8 +29,6 @@ In [Gateway with DoH](/cloudflare-one/connections/connect-devices/warp/configure - IPv6 DoH Addresses: `2606:4700:4700::1111` and `2606:4700:4700::1001` If your firewall allows traffic only by domain, you may need to explicitly allow `.cloudflare-gateway.com`. Even though `.cloudflare-gateway.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. - - ### Android devices If you are deploying the Cloudflare One Agent on Android/ChromeOS, you must also add `cloudflare-dns.com` to your firewall exception list. On Android/ChromeOS devices, WARP uses `cloudflare-dns.com` to resolve domains on your [Split Tunnel list](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#domain-based-split-tunnels). From ad1dd2a9ccdc7c9e71a12f385df7f017a3ed76ed Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Wed, 16 Jul 2025 10:47:29 +0100 Subject: [PATCH 7/7] partial --- .../warp/deployment/firewall.mdx | 30 +++++++++++++++---- .../partials/cloudflare-one/warp/firewall.mdx | 6 ++++ 2 files changed, 31 insertions(+), 5 deletions(-) create mode 100644 src/content/partials/cloudflare-one/warp/firewall.mdx diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx index db6e96ce52d477e..6f4296a9a4c998e 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx 
@@ -15,7 +15,12 @@ The WARP client connects to Cloudflare via a standard HTTPS connection outside t -If your firewall allows traffic only by domain, you may need to explicitly allow `zero-trust-client.cloudflareclient.com`. Even though `zero-trust-client.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. + ## DoH IP @@ -28,7 +33,13 @@ In [Gateway with DoH](/cloudflare-one/connections/connect-devices/warp/configure - IPv4 DoH Addresses: `162.159.36.1` and `162.159.46.1` - IPv6 DoH Addresses: `2606:4700:4700::1111` and `2606:4700:4700::1001` -If your firewall allows traffic only by domain, you may need to explicitly allow `.cloudflare-gateway.com`. Even though `.cloudflare-gateway.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. +.cloudflare-gateway.com", + }} +/> + ### Android devices If you are deploying the Cloudflare One Agent on Android/ChromeOS, you must also add `cloudflare-dns.com` to your firewall exception list. On Android/ChromeOS devices, WARP uses `cloudflare-dns.com` to resolve domains on your [Split Tunnel list](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#domain-based-split-tunnels). @@ -92,7 +103,12 @@ The client connects to the following destinations to verify general Internet con - `162.159.197.3` - `2606:4700:102::3` -If your firewall allows traffic only by domain, you may need to explicitly allow `engage.cloudflareclient.com`. Even though `engage.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. + ### Inside tunnel 
@@ -103,7 +119,12 @@ The WARP client connects to the following IPs to verify connectivity inside of t Because this check happens inside of the tunnel, you do not need to add these IPs to your firewall allowlist. However, since the requests go through Gateway, ensure that they are not blocked by a Gateway HTTP or Network policy. -If your firewall allows traffic only by domain, you may need to explicitly allow `connectivity.cloudflareclient.com`. Even though `connectivity.cloudflareclient.com` may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall. + ## NEL reporting (optional) @@ -125,7 +146,6 @@ If your organization does not currently allow inbound/outbound communication ove - Windows: `C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe` - macOS: You must explicitly allow both the core networking daemon and GUI component as shown in the following instructions. - 1. Core networking daemon: `/Applications/Cloudflare WARP.app/Contents/Resources/CloudflareWARP` This binary does not have a Bundle ID and must be allowed via full path. diff --git a/src/content/partials/cloudflare-one/warp/firewall.mdx b/src/content/partials/cloudflare-one/warp/firewall.mdx new file mode 100644 index 000000000000000..f9f7d4c707ace93 --- /dev/null +++ b/src/content/partials/cloudflare-one/warp/firewall.mdx @@ -0,0 +1,6 @@ +--- +params: + - domain +--- + +If your firewall allows traffic only by domain, you may need to explicitly allow {props.domain}. Even though {props.domain} may resolve to different IP addresses, WARP overrides the resolved IPs with the IPs listed above. To avoid connectivity issues, ensure that the above IPs are permitted through your firewall.
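Review bot: `.cloudflare-gateway.com` in the DoH hunk of patch 1 (and again as the `domain` value `+.cloudflare-gateway.com",` in patch 7) is written with a bare leading dot and no subdomain, unlike the fully qualified `zero-trust-client.cloudflareclient.com`, `engage.cloudflareclient.com` and `connectivity.cloudflareclient.com` in the sibling hunks. If an account-specific or wildcard prefix was dropped, spell it out as a labelled placeholder, otherwise readers building domain-based firewall rules will copy a name that is not valid as written.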
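Review bot: The Inside tunnel hunk (patch 5, and the partial that replaces the same paragraph in patch 7) now contradicts its own retained context: the line above says "you do not need to add these IPs to your firewall allowlist", while the added paragraph ends with "ensure that the above IPs are permitted through your firewall" for the same `162.159.197.4` and `2606:4700:102::4` check. Patch 5 also deletes the sentence stating that `connectivity.cloudflareclient.com` "should not be used in firewall policies", so the section no longer explains when allowing it is needed. Either qualify the partial's closing sentence for this section or keep the removed caveat.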
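Review bot: In the new `src/content/partials/cloudflare-one/warp/firewall.mdx`, `{props.domain}` is interpolated as plain text, so the domains lose the inline code formatting that `zero-trust-client.cloudflareclient.com` and the others had in the paragraphs being replaced; wrap the interpolation in a code element so the rendered text matches the rest of the page. The partial's sentence "the IPs listed above" also depends on each call site sitting directly under an IP list, which is true for all four current uses but worth a comment in the partial so future callers keep that placement.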
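Review bot: The `@@ -125,7 +146,6 @@` hunk of patch 7 only deletes a blank line in the unrelated macOS firewall instructions (between "macOS: You must explicitly allow..." and "1. Core networking daemon:"); a whitespace-only change in a different section is better split out of a commit whose subject is "partial", or dropped. Separately, the four component invocations that replace the repeated paragraphs survive in this diff only as blank `+` lines plus the `+.cloudflare-gateway.com",` / `+}}` / `+/>` residue, so the diff as shown does not let a reviewer confirm that the component name and its `params` key match the partial's `params: - domain`; please check that in the rendered page.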