Gateway
FQDN Filtering For Gateway Egress Policies
Cloudflare One administrators can now control which egress IP is used based on a destination's fully qualified domain name (FDQN) within Gateway Egress policies.
- Host, Domain, Content Categories, and Application selectors are now available in the Gateway Egress policy builder in beta.
- During the beta period, you can use these selectors with traffic on-ramped to Gateway with the WARP client, proxy endpoints (commonly deployed with PAC files), or Cloudflare Browser Isolation.
- For WARP client support, additional configuration is required. For more information, refer to the WARP client configuration documentation.
 
This will help apply egress IPs to your users' traffic when an upstream application or network requires it, while the rest of their traffic can take the most performant egress path.
HTTP redirect and custom block page redirect
You can now use more flexible redirect capabilities in Cloudflare One with Gateway.
- A new Redirect action is available in the HTTP policy builder, allowing admins to redirect users to any URL when their request matches a policy. You can choose to preserve the original URL and query string, and optionally include policy context via query parameters.
- For Block actions, admins can now configure a custom URL to display when access is denied. This block page redirect is set at the account level and can be overridden in DNS or HTTP policies. Policy context can also be passed along in the URL.
Learn more in our documentation for HTTP Redirect and Block page redirect.
Secure DNS Locations Management User Role
We're excited to introduce the Cloudflare Zero Trust Secure DNS Locations Write role, designed to provide DNS filtering customers with granular control over third-party access when configuring their Protective DNS (PDNS) solutions.
Many DNS filtering customers rely on external service partners to manage their DNS location endpoints. This role allows you to grant access to external parties to administer DNS locations without overprovisioning their permissions.
Secure DNS Location Requirements:
- 
Mandate usage of Bring your own DNS resolver IP addresses ↗ if available on the account. 
- 
Require source network filtering for IPv4/IPv6/DoT endpoints; token authentication or source network filtering for the DoH endpoint. 
You can assign the new role via Cloudflare Dashboard (Manage Accounts > Members) or via API. For more information, refer to the Secure DNS Locations documentation ↗.
Block files that are password-protected, compressed, or otherwise unscannable.
Gateway HTTP policies can now block files that are password-protected, compressed, or otherwise unscannable.
These unscannable files are now matched with the Download and Upload File Types traffic selectors for HTTP policies:
- Password-protected Microsoft Office document
- Password-protected PDF
- Password-protected ZIP archive
- Unscannable ZIP archive
To get started inspecting and modifying behavior based on these and other rules, refer to HTTP filtering.
Upload/Download File Size selectors for HTTP policies
Gateway and DLP users can now create HTTP policies with the Download and Upload File Size (MiB) traffic selectors. This update allows users to block uploads or downloads based on file size.
The default global Cloudflare root certificate expired on 2025-02-02 at 16:05 UTC
If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. Refer to Troubleshooting for instructions and troubleshooting steps.
Bring your own resolver IP (BYOIP) for DNS locations
Enterprise users can now provide an IP address for a private DNS resolver to use with DNS locations. Gateway supports bringing your own IPv4 and IPv6 addresses.
Category filtering in the network policy builder
Gateway users can now create network policies with the Content Categories and Security Risks traffic selectors. This update simplifies malicious traffic blocking and streamlines network monitoring for improved security management.
Per-account Cloudflare root certificate
Gateway users can now generate unique root CAs for their Zero Trust account. Both generated certificate and custom certificate users must activate a root certificate to use it for inspection. Per-account certificates replace the default Cloudflare certificate, which is set to expire on 2025-02-02.
Time-based policy duration
Gateway now offers time-based DNS policy duration. With policy duration, you can configure a duration of time for a policy to turn on or set an exact date and time to turn a policy off.
Expanded Gateway log fields
Gateway now offers new fields in activity logs for DNS, network, and HTTP policies to provide greater insight into your users' traffic routed through Gateway.
File sandboxing
Gateway users on Enterprise plans can create HTTP policies with file sandboxing to quarantine previously unseen files downloaded by your users and scan them for malware.
UK NCSC indicator feed publicly available in Gateway
Gateway users on any plan can now use the PDNS threat intelligence feed provided by the UK National Cyber Security Centre (NCSC) in DNS policies.
Gateway DNS filter non-authenticated queries
Gateway users can now select which endpoints to use for a given DNS location. Available endpoints include IPv4, IPv6, DNS over HTTPS (DoH), and DNS over TLS (DoT). Users can protect each configured endpoint by specifying allowed source networks. Additionally, for the DoH endpoint, users can filter traffic based on source networks and/or authenticate user identity tokens.
Gateway DNS policy setting to ignore CNAME category matches
Gateway now offers the ability to selectively ignore CNAME domain categories in DNS policies via the Ignore CNAME domain categories setting in the policy builder and the ignore_cname_category_matches setting in the API.
Gateway file type control improvements
Gateway now offers a more extensive, categorized list of files to control uploads and downloads.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark