
Create a Zero Trust Gateway rule

POST
Creates a new Zero Trust Gateway rule.

Path parameters

identifier: string, Required

Request

This endpoint expects an object.
action
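enum, Required

The action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to true. Because absent expressions count as a match, a rule created without any expressions applies its action to all traffic the rule is evaluated against.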

name
stringRequired
The name of the rule.
description
stringOptional
The description of the rule.
device_posture
stringOptional
The wirefilter expression used for device posture check matching.
enabled
booleanOptional
True if the rule is enabled.
filters
list of enums, Optional
The protocol or layer to evaluate the traffic, identity, and device posture expressions.
Allowed values: http, dns, l4, egress
identity
stringOptional
The wirefilter expression used for identity matching.
precedence
integerOptional
Precedence sets the order of your rules. Lower values indicate higher precedence. At each processing phase, applicable rules are evaluated in ascending order of this value.
rule_settings
objectOptional
Additional settings that modify the rule's action.
schedule
objectOptional
The schedule for activating DNS policies. This does not apply to HTTP or network policies.
traffic
stringOptional
The wirefilter expression used for traffic matching.

Response

This endpoint returns an object
result
objectOptional
POST
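# Create a Zero Trust Gateway rule (POST .../gateway/rules).
#
# The API token is read from the environment instead of being typed into the
# command, so it does not end up in shell history. It is still visible in the
# process arguments while curl runs.
#
# The JSON body is single-quoted on purpose: the shell must not expand the
# `$01302951-...` token in "traffic" or touch the escaped quotes inside the
# wirefilter expressions.
#
# NOTE(review): the payload is sample data and is not internally consistent.
# Check these before reusing it:
#   - "action" is "on" while the name and description talk about blocking.
#   - dns_resolvers.ipv4[].ip carries an IPv6 prefix ("2001:DB8::/64").
#   - "time_zone" is written with a space; IANA zone names use an underscore
#     (America/New_York) -- confirm which form the API accepts.
#   - "untrusted_cert": {"action": "pass_through"} appears to let connections
#     with untrusted upstream certificates through -- confirm that is intended.
: "${CLOUDFLARE_API_TOKEN:?set CLOUDFLARE_API_TOKEN to an API token for this account}"

curl -X POST https://api.cloudflare.com/client/v4/accounts/699d98642c564d2e855e9661899b7252/gateway/rules \
  -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
  "action": "on",
  "name": "block bad websites",
  "description": "Block bad websites based on their host name.",
  "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
  "enabled": true,
  "filters": [
    "http"
  ],
  "identity": "any(identity.groups.name[*] in {\"finance\"})",
  "rule_settings": {
    "allow_child_bypass": false,
    "audit_ssh": {
      "command_logging": false
    },
    "biso_admin_controls": {
      "dcp": false,
      "dd": false,
      "dk": false,
      "dp": false,
      "du": false
    },
    "block_page_enabled": true,
    "block_reason": "This website is a security risk",
    "bypass_parent_rule": false,
    "check_session": {
      "duration": "300s",
      "enforce": true
    },
    "dns_resolvers": {
      "ipv4": [
        {
          "ip": "2001:DB8::/64",
          "port": 1,
          "route_through_private_network": true,
          "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
        }
      ],
      "ipv6": [
        {
          "ip": "2001:DB8::/64",
          "port": 1,
          "route_through_private_network": true,
          "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
        }
      ]
    },
    "egress": {
      "ipv4": "192.0.2.2",
      "ipv4_fallback": "192.0.2.3",
      "ipv6": "2001:DB8::/64"
    },
    "insecure_disable_dnssec_validation": false,
    "ip_categories": true,
    "ip_indicator_feeds": true,
    "l4override": {
      "ip": "1.1.1.1"
    },
    "notification_settings": {},
    "override_host": "example.com",
    "override_ips": [
      "1.1.1.1"
    ],
    "payload_log": {
      "enabled": true
    },
    "resolve_dns_through_cloudflare": true,
    "untrusted_cert": {
      "action": "pass_through"
    }
  },
  "schedule": {
    "fri": "08:00-12:30,13:30-17:00",
    "mon": "08:00-12:30,13:30-17:00",
    "sat": "08:00-12:30,13:30-17:00",
    "sun": "08:00-12:30,13:30-17:00",
    "thu": "08:00-12:30,13:30-17:00",
    "time_zone": "America/New York",
    "tue": "08:00-12:30,13:30-17:00",
    "wed": "08:00-12:30,13:30-17:00"
  },
  "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10"
}'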
200 Successful
1{
2 "result": {
3 "action": "on",
4 "created_at": "2014-01-01T05:20:00.12345Z",
5 "description": "Block bad websites based on their host name.",
6 "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
7 "enabled": true,
8 "filters": [
9 "http"
10 ],
11 "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
12 "identity": "any(identity.groups.name[*] in {\"finance\"})",
13 "name": "block bad websites",
14 "rule_settings": {
15 "allow_child_bypass": false,
16 "audit_ssh": {
17 "command_logging": false
18 },
19 "biso_admin_controls": {
20 "dcp": false,
21 "dd": false,
22 "dk": false,
23 "dp": false,
24 "du": false
25 },
26 "block_page_enabled": true,
27 "block_reason": "This website is a security risk",
28 "bypass_parent_rule": false,
29 "check_session": {
30 "duration": "300s",
31 "enforce": true
32 },
33 "dns_resolvers": {
34 "ipv4": [
35 {
36 "ip": "2001:DB8::/64",
37 "port": 1,
38 "route_through_private_network": true,
39 "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
40 }
41 ],
42 "ipv6": [
43 {
44 "ip": "2001:DB8::/64",
45 "port": 1,
46 "route_through_private_network": true,
47 "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
48 }
49 ]
50 },
51 "egress": {
52 "ipv4": "192.0.2.2",
53 "ipv4_fallback": "192.0.2.3",
54 "ipv6": "2001:DB8::/64"
55 },
56 "insecure_disable_dnssec_validation": false,
57 "ip_categories": true,
58 "ip_indicator_feeds": true,
59 "l4override": {
60 "ip": "1.1.1.1"
61 },
62 "notification_settings": {},
63 "override_host": "example.com",
64 "override_ips": [
65 "1.1.1.1"
66 ],
67 "payload_log": {
68 "enabled": true
69 },
70 "resolve_dns_through_cloudflare": true,
71 "untrusted_cert": {
72 "action": "pass_through"
73 }
74 },
75 "schedule": {
76 "fri": "08:00-12:30,13:30-17:00",
77 "mon": "08:00-12:30,13:30-17:00",
78 "sat": "08:00-12:30,13:30-17:00",
79 "sun": "08:00-12:30,13:30-17:00",
80 "thu": "08:00-12:30,13:30-17:00",
81 "time_zone": "America/New York",
82 "tue": "08:00-12:30,13:30-17:00",
83 "wed": "08:00-12:30,13:30-17:00"
84 },
85 "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
86 "updated_at": "2014-01-01T05:20:00.12345Z"
87 }
88}