Nearly a year ago, we announced Cloudflare for Teams, Cloudflare’s platform for securing users, devices, and data. With Cloudflare for Teams, our global network becomes your team’s network, replacing on-premise appliances and security subscriptions with a single solution delivered closer to your users — wherever they work. Cloudflare for Teams centers around two core products: Cloudflare Access and Cloudflare Gateway.
Cloudflare Gateway protects employees from security threats on the Internet and enforces appropriate use policies. We built Gateway to help customers replace the pain of backhauling user traffic through centralized firewalls. With Gateway, users instead connect to one of Cloudflare’s data centers in 200 cities around the world where our network can apply consistent security policies for all of their Internet traffic.
In March 2020, we launched Gateway’s first feature, a secure DNS filtering solution. With Gateway’s DNS filtering, administrators can click a single button to block known threats, like sources of malware or phishing sites. Policies can also be used to block specific risky categories, like gambling or social media. When users request a filtered site, Gateway stops the DNS query from resolving and prevents the device from connecting to a malicious destination or hostname with blocked material.
More recently, we expanded Gateway’s security filtering with a cloud L7 firewall. The L7 firewall enables admins to apply security and content policies to HTTP traffic. For example, teams can stop files from being uploaded to certain applications or to build rules by URL.
The mundane task of managing firewall settings for cloud apps
Building those rules for a single hostname or URL takes just a few clicks, but applying these policies to entire “applications” can be tedious. We often think of popular applications, like Microsoft Office 365, as a single entity. But behind the scenes, those services rely on hundreds of hostnames and IP addresses that collectively enable the application. If your team wants to build a rule to always allow file uploads to Office 365, you would have to find and input every single destination in their changing list.
For example, Salesforce is more than just salesforce.com. As of today, Salesforce uses 11 unique apex domains (e.g., forceusercontent.com, or sfdcstatic.com), and this list continues to grow.
If an IT administrator wants to ensure that Salesforce functions properly on their network, they will need to make sure that all of Salesforce’s domains are in their allowlist. And, they’ll need to make sure that they update this list whenever Salesforce adds a new network endpoint.
Maintaining a firewall policy for just one application can create enough of a headache. Most organizations need to keep track of hundreds of cloud applications that they want to manage on their network. These allow lists might consist of thousands of hostnames and require hours of time spent on tedious review to make sure that they are up-to-date and comprehensive.
Adding to this complexity is the constantly evolving landscape of cloud applications. An IT administrator might need to limit access to all unapproved file sharing applications on company devices for compliance requirements. To achieve this, they will need to keep track of all file sharing services and all the hostnames associated with each file sharing service.
Gateway policies with Applications and App Types
We want to reduce the burden on IT administrators and streamline the way organizations manage their firewall policies for cloud applications. Starting today, you can skip that chore with Cloudflare Gateway.
Cloudflare does the work of researching and grouping these applications for you. Your team can use those collections to build single Gateway HTTP rules by both application (e.g., Salesforce, Microsoft Office 365) and app type (e.g., File Sharing, Social Media).
Applications consist of a collection of hostnames based on the cloud application they belong to. App Types consist of a collection of applications.
To create a policy using applications or app types, first navigate to the “Policies” tab of the Gateway section of the Teams dashboard. Then select the “HTTP” tab, and click the blue “Add a rule” button on the right hand side to navigate to the rule builder.
For example, let’s create a rule to block all Collaboration & Online Meeting tools except for Slack. In the “Selector” drop down menu, select the “Application” option, and in the “Operator” drop down menu just next to it, select the “in” option. In the “Value” field, start typing “Collaboration & Online Meetings” and you’ll see the rest of the app type auto-populate.
Once you click “Collaboration & Online Meetings”, the full set of apps will populate in the value field. To remove Slack, press the “x” on the right hand side of value “Slack.”
Lastly, navigate to the “Action” drop down at the bottom of the rule builder. Here, select “Block.” Don’t forget to save your rule by clicking the blue “Save” button on the top right hand side of the screen.
Now you’ve created your first Application rule! With one rule, you saved yourself having to bulk upload a list of several hundred hostnames to achieve the same result. You also won’t need to keep an eye on updates to network endpoints for those 20+ apps either — we’ll take care of intelligently updating that list for you.
Today, we support 223 applications across 17 app types. To view the full list of supported applications and their associated app types, check out the Gateway documentation. We’ll be making continuous updates to this list to support additional applications and app types, as well as provide additional controls and visibility into Shadow IT on your network.
Applications and app types are available in the Gateway rule builder today for all customers using the L7 firewall. The L7 firewall is available in Gateway standalone, Teams Standard, and Teams Enterprise plans. If you aren’t using Gateway yet, you can get started by signing up for a Gateway account and following the onboarding directions.