Cloudflare changelogs | Cloudflare One

Access - SAML assertion encryption for identity providers

Wed, 03 Jun 2026 00:00:00 GMT

Cloudflare Access now supports SAML assertion encryption for identity provider integrations. When turned on, your identity provider encrypts SAML assertions using a Cloudflare-managed certificate before sending them through the user's browser. Only Access can decrypt these assertions, protecting sensitive identity data even after TLS termination.

Without encryption, SAML assertions are transmitted in plaintext and could be visible to browser extensions or client-side malware.

SAML encryption includes built-in certificate lifecycle management:

Automatic certificate generation: Access generates an encryption certificate when you turn on SAML encryption for an identity provider.
Certificate rotation: Rotate certificates without downtime. The previous certificate remains valid until expiration, giving you time to update your IdP.
PEM export: Copy the certificate in PEM format for manual upload to your IdP, or point your IdP to the SAML metadata endpoint for automatic retrieval.

To get started, refer to Encrypt SAML assertions.

Cloudflare WAN, Cloudflare One - Cisco IOS XE

Tue, 02 Jun 2026 00:00:00 GMT

The Cisco IOS XE third-party integration guide for Cloudflare WAN has been updated to include:

Post Quantum Cryptography (PQC)
Policy-Based Routing (PBR)
IP Service Level Agreement (IP SLA)

This link will take you directly to the updated Cisco IOS XE guide.

Cloudflare One Client - Cloudflare One Client for macOS (version 2026.5.1155.1)

Fri, 29 May 2026 00:55:38 GMT

A new Beta release for the macOS Cloudflare One Client is now available on the beta releases downloads page.

This release introduces the new Cloudflare One Client UI for macOS! You can expect a cleaner and more intuitive design as well as easier access to common actions and information. Here are some of the many things we have found our users appreciate:

Right click context menu to access the most common client actions quickly
Built-in captive portal login experience

Additional Changes and improvements

The client now applies DNS search suffixes configured in your device profile / network policy. Administrators can push a list of DNS search domains that the client appends to single-label queries, alongside any system-configured suffixes. See DNS search suffixes for details.
Administrators can now control which virtual networks (VNETs) are available to which users via WARP device profile settings in the Zero Trust dashboard. Previously, every VNET in the organization was visible to every device; you can now scope the VNET picker per profile so users only see the networks relevant to them. See VNET availability for details.
Added a local-file signal source for Emergency Disconnect. In addition to the existing HTTPS polling mechanism, administrators can now configure WARP to monitor for a file on disk; the presence of the file triggers an emergency disconnect even if both Cloudflare and your own infrastructure are unreachable. Either signal being asserted triggers disconnect; both must be cleared for normal operation to resume.
Added new warp-cli debug commands for interactive connection diagnosis. See Extra debug logging for details.
The local DNS proxy now supports DNSSEC passthrough. DNSSEC-signed responses are forwarded to the application intact (including DO/AD bits and RRSIG records), so applications that validate DNSSEC locally — including resolvers and the dig/drill tooling — work correctly through the client.
Added a new MDM format for organization-wide settings, including a cleaner way to configure the compliance environment (e.g. FedRAMP). The previous per-configuration approach still works, but the new format is now recommended. See the updated Cloudflare One MDM documentation for details.
Client Certificate device-posture checks now support template variables (e.g. ${serial_number}, ${device_uuid}) in the Subject Alternative Name field, matching what the documentation has always claimed. Previously only the Common Name field accepted variables, which broke posture rules that pinned identity to a SAN entry.
Fixed the in-client captive-portal browser rendering a blank "Success" page on some airline Wi-Fi networks (United inflight Wi-Fi was the reported case). The browser now reliably loads the airline's real portal page so users can complete sign-in from inside the client instead of having to open a separate browser.
Fixed an issue in proxy mode where hostnames containing underscores (e.g. ai_app.com) were rejected, breaking apps that depend on such hostnames (notably ChatGPT sandbox apps). The local proxy now accepts underscore-containing hostnames in CONNECT requests.

Known issues

Registration may hang at "Checking your organization configuration" due to IPC errors. A system reboot should resolve the error, allowing registration to proceed.
Split tunnel list configuration is not available in the new UI. Management of split tunnel entries is currently only possible via warp-cli tunnel ip and warp-cli tunnel host. UI support will be added in a future release.

Cloudflare One Client - Cloudflare One Client for Windows (version 2026.5.1155.1)

Fri, 29 May 2026 00:55:37 GMT

A new Beta release for the Windows Cloudflare One Client is now available on the beta releases downloads page.

This release introduces the new Cloudflare One Client UI for Windows! You can expect a cleaner and more intuitive design as well as easier access to common actions and information. Here are some of the many things we have found our users appreciate:

Right click context menu to access the most common client actions quickly
Built-in captive portal login experience

Additional Changes and improvements

The client now applies DNS search suffixes configured in your device profile / network policy. Administrators can push a list of DNS search domains that the client appends to single-label queries, alongside any system-configured suffixes. See DNS search suffixes for details.
Administrators can now control which virtual networks (VNETs) are available to which users via WARP device profile settings in the Zero Trust dashboard. Previously, every VNET in the organization was visible to every device; you can now scope the VNET picker per profile so users only see the networks relevant to them. See VNET availability for details.
Added mandatory authentication. When enabled via MDM, the Cloudflare One Client blocks all Internet traffic from the moment the machine boots until the user authenticates, closing the visibility gap on newly deployed devices and during re-authentication. See the announcement blog and documentation for details.
Added a local-file signal source for Emergency Disconnect. In addition to the existing HTTPS polling mechanism, administrators can now configure WARP to monitor for a file on disk; the presence of the file triggers an emergency disconnect even if both Cloudflare and your own infrastructure are unreachable. Either signal being asserted triggers disconnect; both must be cleared for normal operation to resume.
Added new warp-cli debug commands for interactive connection diagnosis. See Extra debug logging for details.
The local DNS proxy now supports DNSSEC passthrough. DNSSEC-signed responses are forwarded to the application intact (including DO/AD bits and RRSIG records), so applications that validate DNSSEC locally — including resolvers and the dig/drill tooling — work correctly through the client.
Added a new MDM format for organization-wide settings, including a cleaner way to configure the compliance environment (e.g. FedRAMP). The previous per-configuration approach still works, but the new format is now recommended. See the updated Cloudflare One MDM documentation for details.
Client Certificate device-posture checks now support template variables (e.g. ${serial_number}, ${device_uuid}) in the Subject Alternative Name field, matching what the documentation has always claimed. Previously only the Common Name field accepted variables, which broke posture rules that pinned identity to a SAN entry.
The UseWebView2 registry value (HKLM\SOFTWARE\Cloudflare\CloudflareWARP\UseWebView2 = y) is once again honored by the new GUI for authentication, so administrators who prefer the embedded WebView2 browser for sign-in can opt back in. This setting was effectively ignored in the previous release; the default browser was always used. This key is now also honored for re-authentications.
Fixed a crash in the authentication browser when navigating to a site that prompts for browser permissions (microphone, camera, notifications, etc.). The same fix had previously landed for the captive-portal browser; this extends it to the auth browser.
Fixed an issue in proxy mode where hostnames containing underscores (e.g. ai_app.com) were rejected, breaking apps that depend on such hostnames (notably ChatGPT sandbox apps). The local proxy now accepts underscore-containing hostnames in CONNECT requests.

Known issues

An error indicating that Microsoft Edge can't read and write to its data directory may be displayed during captive portal login; this error is benign and can be dismissed.
Registration may hang at "Checking your organization configuration" due to IPC errors. A system reboot should resolve the error, allowing registration to proceed.
Split tunnel list configuration is not available in the new UI. Management of Split Tunnel entries is currently only possible via warp-cli tunnel ip and warp-cli tunnel host. UI support will be added in a future release.
Windows ARM may prompt the user to close running applications while trying to install this version. Simply click “Ok” with the default highlighted option.
DNS resolution may be broken when the following conditions are all true:
- The client is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while the client is connected.
  To work around this issue, please reconnect the client by selecting "disconnect" and then "connect" in the client user interface.

Access - Tool and prompt aliases for MCP server portals

Thu, 28 May 2026 00:00:00 GMT

When you connect third-party MCP servers through MCP server portals, you have no control over how the server author named tools or wrote descriptions. Unclear names make it harder for AI agents to select the right tool and harder for users to understand what is available.

You can now rename tools and prompts and rewrite their descriptions directly on the portal, without modifying the upstream server. For example, a tool named super_cool_tool can become search_customer_records with a description tailored to your organization.

Modified tools display a Modified label in the tools list so administrators can see which tools have been customized at a glance.

Aliases override the metadata that MCP clients receive. You can set them at two levels:

Per portal: Applies only within a specific portal. Takes precedence over server-level aliases.
Per server: Applies across all portals that use the server.

You can reset an alias at any time to restore the original upstream name.

For more information, refer to Tool and prompt aliases.

Cloudflare Mesh, Cloudflare One - High availability replica management for Cloudflare Mesh

Thu, 28 May 2026 00:00:00 GMT

The Cloudflare Mesh dashboard now shows per-replica details for high availability nodes. You can see which replica is active, view each replica's Mesh IP and connection details, and manually trigger failover — all from the node detail page.

What's new

Replica tabs on the node detail page — switch between replicas to see each one's Mesh IP, edge data center, origin IP, platform, version, and uptime.
Active/passive badges identify which replica is currently routing traffic.
Manual failover — promote a passive replica to active with a single click. The previous active replica switches to standby.
HA badge in the overview table identifies nodes running multiple replicas.
Active replica IP shown in the overview table — the dashboard now resolves which replica is active and displays the correct Mesh IP.

Manual failover

To manually promote a passive replica:

In the Cloudflare dashboard, go to Networking > Mesh.
Select an HA-enabled node.
Select the passive replica tab.
Select Promote to active and confirm.

Traffic reroutes to the promoted replica immediately. Refer to High availability for details on failover behavior.

Cloudflare One, Gateway - Write regex using natural language in Cloudflare One

Wed, 27 May 2026 00:00:00 GMT

Cloudflare Gateway policy selectors which support regular expressions can now be authored in the dashboard using natural language. When building a policy with a regex-based selector (like matches regex), you can describe what you want to match in plain English and the Cloudflare Agent will generate and validate a corresponding regular expression.

To get started, select a regex-compatible selector in the Gateway policy builder and select the icon. You'll see an input field for natural language, such as "any URL starting with /api/v1" or ".com, .net, and .app hosts which contain gooogle in the host."

You can also use the tool to explain existing regular expressions. If a policy already contains a regex pattern, you can instantly generate a plain-language description.

A built-in feedback mechanism allows you to rate each interaction to help improve output quality over time.

For more information, refer to Cloudflare One firewall policies and expect to see the same functionality supported soon in Data loss prevention profiles.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Cloudflare Tunnel now runs connectivity pre-checks at startup

Wed, 27 May 2026 00:00:00 GMT

Starting with cloudflared version 2026.5.2, Cloudflare Tunnel automates the entire connectivity pre-checks workflow directly inside the binary. Previously, customers had to install dig and netcat and run those commands by hand to verify their environment. Now cloudflared does it natively at startup — and surfaces actionable remediation when something is blocked.

On every cloudflared tunnel run (and cloudflared tunnel diag), the binary now natively checks:

DNS resolution — region1.v2.argotunnel.com and region2.v2.argotunnel.com resolve to valid Cloudflare IPs.
Transport connectivity — outbound UDP (QUIC) and TCP (HTTP/2) on port 7844.
Management API — outbound TCP/443 to api.cloudflare.com for software updates.

Results are printed in a scannable CLI table with three states:

✅ Pass — the check succeeded.
⚠️ Warn — a non-blocking issue, for example the Management API is unreachable so automatic updates will not work, but the tunnel will still come up.
❌ Fail — a blocking issue, with a specific remediation hint (for example, Allow outbound UDP on port 7844).

If DNS is unresolvable, or both UDP and TCP fail on port 7844, cloudflared exits early with the failure rather than looping on opaque failed to dial errors.

Pre-checks now run automatically on every start, which also catches regressions like overnight firewall policy changes — no need to remember to rerun the troubleshooting guide.

To get the new behavior, upgrade cloudflared to version 2026.5.2 or later. For more details, refer to the Connectivity pre-checks documentation.

Cloudflare One Client - Cloudflare One Client for macOS (version 2026.4.1390.0)

Tue, 26 May 2026 22:26:01 GMT

A new GA release for the macOS Cloudflare One Client is now available on the stable releases downloads page.

Right click context menu to access the most common client actions quickly
Built-in captive portal login experience

Additional Changes and improvements

Added a new CLI command: warp-cli mdm refresh. This command executes an immediate refresh of the Mobile Device Management (MDM) configuration file.
Fixed a proxy mode connection stall issue.

Known issues

Registration may hang at "Checking your organization configuration" due to IPC errors. A system reboot should resolve the error, allowing registration to proceed.
Split tunnel list configuration is not available in the new UI. Management of split tunnel entries is currently only possible via warp-cli tunnel ip and warp-cli tunnel host. UI support will be added in a future release.

Cloudflare One Client - Cloudflare One Client for Windows (version 2026.4.1390.0)

Tue, 26 May 2026 22:26:00 GMT

A new GA release for the Windows Cloudflare One Client is now available on the stable releases downloads page.

Right click context menu to access the most common client actions quickly
Built-in captive portal login experience

Additional Changes and improvements

Added a new CLI command: warp-cli mdm refresh. This command executes an immediate refresh of the Mobile Device Management (MDM) configuration file.
Fixed a proxy mode connection stall issue.

Known issues

Registration authentication for devices via the integrated WebView2 browser is unavailable in this version as a temporary measure. As a result, the client will utilize the default browser on the device to complete the authentication process.
An error indicating that Microsoft Edge can't read and write to its data directory may be displayed during captive portal login; this error is benign and can be dismissed.
Registration may hang at "Checking your organization configuration" due to IPC errors. A system reboot should resolve the error, allowing registration to proceed.
Split tunnel list configuration is not available in the new UI. Management of Split Tunnel entries is currently only possible via warp-cli tunnel ip and warp-cli tunnel host. UI support will be added in a future release.
Windows ARM may prompt the user to close running applications while trying to install this version. Simply click “Ok” with the default highlighted option.
DNS resolution may be broken when the following conditions are all true:
- The client is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while the client is connected.
  To work around this issue, please reconnect the client by selecting "disconnect" and then "connect" in the client user interface.

Cloudflare One Client - Cloudflare One Client for Linux (version 2026.4.1390.0)

Tue, 26 May 2026 20:32:41 GMT

A new GA release for the Linux Cloudflare One Client is now available on the stable releases downloads page.

This release introduces the new Cloudflare One Client UI for Linux! You can expect a cleaner and more intuitive design as well as easier access to common actions and information. Here are some of the many things we have found our users appreciate:

Right click context menu to access the most common client actions quickly
Built-in captive portal login experience

Changes and improvements

Added a new CLI command: warp-cli mdm refresh. This command executes an immediate refresh of the Mobile Device Management (MDM) configuration file.
Official support for RHEL 9 has been added for Cloudflare Mesh nodes. To install the RHEL 9 package, the Extra Packages for Enterprise Linux (EPEL) repository must be active, as it contains dependencies required for the tray icon and captive portal webview.
Fixed a proxy mode connection stall issue.

Known issues

Registration may hang at "Checking your organization configuration" due to IPC errors. A system reboot should resolve the error, allowing registration to proceed.
Split tunnel list configuration is not available in the new UI. Management of split tunnel entries is currently only possible via warp-cli tunnel ip and warp-cli tunnel host. UI support will be added in a future release.

Cloudflare Fundamentals, Cloudflare One, Cloudflare Tunnel for SASE, Cloudflare Tunnel, Cloudflare Mesh - Granular permissions for Cloudflare Tunnel and Cloudflare Mesh

Thu, 21 May 2026 00:00:00 GMT

You can now scope Cloudflare permissions to individual Cloudflare Tunnel instances and Cloudflare Mesh nodes. Administrators can delegate access to specific Tunnels or Mesh nodes without granting account-wide control over private networking.

What is new

When you add a member or create a permission policy, the resource picker now lists Cloudflare Tunnel instances and Cloudflare Mesh nodes as scopable resource types. You can:

Grant a read-only role on a single Cloudflare Tunnel instance to a support operator for log streaming and diagnostics — without exposing other Tunnels or destructive actions.
Grant a write role on a specific Cloudflare Mesh node to an application team — without giving them access to the rest of your private network.
Scope a single policy to one or many Tunnels and Mesh nodes at once.

How it works

Granular permissions are a parallel layer to existing account-level roles — they do not replace them.

Existing account-level roles continue to work. A member with Cloudflare Access or Cloudflare Zero Trust retains write access to every Tunnel and Mesh node in the account. This ensures backward compatibility for existing automation and tokens.
Granular permissions are additive. For any API request on a specific Tunnel or Mesh node, access is granted if the principal has either the account-level role or a granular permission for that resource.
Resource enumeration is authorization-aware. Listing endpoints (GET /accounts/{id}/cfd_tunnel, GET /accounts/{id}/warp_connector) return only the resources the principal has at least read access to.

Get started

Configure granular permissions for Cloudflare Tunnel.
Configure granular permissions for Cloudflare Tunnel and Cloudflare Mesh in Cloudflare One.
Review the resource-scoped roles on the Cloudflare role reference.

Access - Cloudflare as identity provider and account membership selector

Tue, 19 May 2026 00:00:00 GMT

Cloudflare Access now supports using Cloudflare itself as an identity provider. If you publish an Access application and select Cloudflare as the login method, users can sign in with their existing Cloudflare account — no one-time PINs, no third-party IdP configuration, and no shared email inboxes. Authentication is backed by Cloudflare's own account security (including multi-factor authentication), making it both simpler to set up and more secure than OTP-based login for most use cases.

Cloudflare is now the default identity provider for all newly created Zero Trust accounts, replacing One-time PIN.

This also enables two new capabilities:

Cloudflare Account Member selector — A new policy selector that matches users based on their membership in a Cloudflare account. You can target the current account or specify a different account ID for cross-account access scenarios.
Restrict to account members — An identity provider configuration option that limits authentication to users who are members of your Cloudflare account.

To get started, add Cloudflare as an identity provider in your Zero Trust settings.

CASB - CASB adds support for Claude Compliance API

Tue, 19 May 2026 00:00:00 GMT

Cloudflare CASB now integrates with the Claude Compliance API. This enhancement gives security teams visibility into Claude usage patterns, admin activity, and compliance-relevant events across their organization.

The Claude Compliance API provides structured access to audit logs and administrative actions within Claude Enterprise and Claude Platform. Cloudflare CASB ingests this data to surface security findings that help organizations enhance their security posture and enforce AI governance.

Key capabilities

Starting today, security teams can scan for security findings across the following assets:

Public projects — Projects set to public visibility
Project attachment — Files and documents added to projects that violate DLP policies
Chat files — User-uploaded and provider-generated files that violate DLP policies
Chat messages — User prompts and provider responses that violate DLP policies
Artifacts — Provider-generated documents and files that violate DLP policies

Learn more

This integration is available to all Cloudflare One customers. New Cloudflare customers can sign up and start with their first two integrations for free. Existing customers can enable the integration directly in the dashboard. The integration begins scanning immediately and surfaces findings in the dashboard within minutes.

Cloudflare WAN, Magic Transit - Network Analytics support for Unified Routing

Mon, 18 May 2026 00:00:00 GMT

Network Analytics is now fully supported for accounts using Unified Routing mode. Traffic that traverses Unified Routing onramps and offramps is now visible in Network Analytics with the same dimensions and filters as traffic on the standard data plane.

This closes a parity gap for customers who had moved tunnels onto Unified Routing and lost visibility into their dataplane traffic in the Network Analytics dashboard. No configuration change is required — analytics data is collected automatically for all accounts with Unified Routing enabled.

For the remaining beta limitations, refer to Traffic steering beta limitations.

Cloudflare One, Access - Refreshed Access login page

Tue, 12 May 2026 00:00:00 GMT

The Access login page and one-time password (OTP) page now feature a refreshed design that improves visual consistency, user trust, and mobile responsiveness.

Before:

After:

The updated login experience includes:

Unified authentication card - All sign-in options (identity provider buttons, email input, OTP) now appear in a single card with consistent styling, replacing the previous multi-section layout.
Consistent button styling - Identity provider buttons use a uniform size and layout for easier scanning and selection.
Better mobile experience - Responsive layout improvements ensure the login page renders correctly on phones and tablets.
Dark mode support - The login page now supports dark mode.

Cloudflare WAN, Magic Transit, Cloudflare One - New accounts assigned a single IPv4 anycast address

Tue, 12 May 2026 00:00:00 GMT

New Magic Transit and Cloudflare WAN accounts are now assigned a single IPv4 anycast address by default.

Cloudflare handles failures on its network automatically by advertising your endpoint IP from multiple nodes across many globally distributed data centers. To handle failures on your network, configure two tunnels from separate routers.

To request additional anycast IP addresses for your account, contact your account team.

For tunnel configuration guidance, refer to Configure tunnel endpoints for Cloudflare WAN or Configure tunnel endpoints for Magic Transit.

Gateway - Create Gateway firewall policies with natural language

Tue, 12 May 2026 00:00:00 GMT

Cloudflare Gateway now supports natural language policy creation for DNS, HTTP, and Network firewall policies. Administrators can describe the outcome they want in plain language, and Cloudflare will generate a complete policy rule that populates the policy builder form.

To create a policy with natural language, select Create with AI on any Gateway firewall policy tab. Choose a policy type, describe what the policy should do, and a fully configured rule will appear in the policy builder for review. You can edit any field before saving, or re-generate with a different prompt.

The generated policy incorporates your account context - including lists, DLP profiles, applications, and device posture checks - so that references to your existing resources resolve automatically.

A built-in feedback mechanism allows you to rate each generated policy and provide optional comments, which Cloudflare uses to improve output quality over time.

For more information, refer to Gateway firewall policies.

Cloudflare One Client - Cloudflare One Client for Windows (version 2026.4.1350.0)

Mon, 11 May 2026 17:35:58 GMT

A new GA release for the Windows Cloudflare One Client is now available on the stable releases downloads page.

Right click context menu to access the most common client actions quickly
Built-in captive portal login experience

Additional Changes and improvements

Added a new CLI command: warp-cli mdm refresh. This command executes an immediate refresh of the Mobile Device Management (MDM) configuration file.

Known issues

Registration authentication for devices via the integrated WebView2 browser is unavailable in this version as a temporary measure. As a result, the client will utilize the default browser on the device to complete the authentication process.
An error indicating that Microsoft Edge can't read and write to its data directory may be displayed during captive portal login; this error is benign and can be dismissed.
Registration may hang at "Checking your organization configuration" due to IPC errors. A system reboot should resolve the error, allowing registration to proceed.
Split tunnel list configuration is not available in the new UI. Management of Split Tunnel entries is currently only possible via warp-cli tunnel ip and warp-cli tunnel host. UI support will be added in a future release.
Windows ARM may prompt the user to close running applications while trying to install this version. Simply click “Ok” with the default highlighted option.
DNS resolution may be broken when the following conditions are all true:
- The client is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while the client is connected.
  To work around this issue, please reconnect the client by selecting "disconnect" and then "connect" in the client user interface.

Cloudflare One Client - Cloudflare One Client for macOS (version 2026.4.1350.0)

Mon, 11 May 2026 17:35:57 GMT

A new GA release for the macOS Cloudflare One Client is now available on the stable releases downloads page.

Right click context menu to access the most common client actions quickly
Built-in captive portal login experience

Additional Changes and improvements

Added a new CLI command: warp-cli mdm refresh. This command executes an immediate refresh of the Mobile Device Management (MDM) configuration file.

Known issues

Registration may hang at "Checking your organization configuration" due to IPC errors. A system reboot should resolve the error, allowing registration to proceed.
Split tunnel list configuration is not available in the new UI. Management of split tunnel entries is currently only possible via warp-cli tunnel ip and warp-cli tunnel host. UI support will be added in a future release.

Cloudflare One Client - Cloudflare One Client for Linux (version 2026.4.1350.0)

Mon, 11 May 2026 15:17:54 GMT

A new GA release for the Linux Cloudflare One Client is now available on the stable releases downloads page.

Right click context menu to access the most common client actions quickly
Built-in captive portal login experience

Changes and improvements

Added a new CLI command: warp-cli mdm refresh. This command executes an immediate refresh of the Mobile Device Management (MDM) configuration file.
Official support for RHEL 9 has been added for Cloudflare Mesh nodes. To install the RHEL 9 package, the Extra Packages for Enterprise Linux (EPEL) repository must be active, as it contains dependencies required for the tray icon and captive portal webview.

Known issues

Registration may hang at "Checking your organization configuration" due to IPC errors. A system reboot should resolve the error, allowing registration to proceed.
Split tunnel list configuration is not available in the new UI. Management of split tunnel entries is currently only possible via warp-cli tunnel ip and warp-cli tunnel host. UI support will be added in a future release.

Cloudflare WAN, Magic Transit - NAT-T support for IKE on UDP port 500

Mon, 11 May 2026 00:00:00 GMT

Cloudflare IPsec now supports the standard NAT traversal (NAT-T) flow, where IKE begins on UDP port 500 and switches to UDP port 4500 after NAT is detected.

Previously, devices behind NAT had to be configured to initiate IKE on UDP port 4500 directly. Devices that started on UDP port 500 could not complete the IKE handshake when NAT was in the path. This required custom configuration on devices such as VeloCloud SD-WAN edges, Cisco IOS-XE routers, and Juniper SRX firewalls, and was not possible on every platform.

What changed:

Devices behind NAT can now initiate IKE on either UDP port 500 or UDP port 4500.
Devices that start IKE on UDP port 500 and switch to UDP port 4500 after NAT detection now complete the handshake successfully.
No configuration change is required on Cloudflare. The change is available for all IPsec tunnels on Cloudflare WAN and Magic Transit.

This change does not affect existing tunnels:

Tunnels using UDP port 500 with no NAT detected continue to operate as before.
Tunnels configured to start IKE on UDP port 4500 continue to operate as before.
NAT detection logic is unchanged.

For configuration details, refer to GRE and IPsec tunnels.

Cloudflare One Appliance, Cloudflare One, Cloudflare WAN - Custom DHCP options on Cloudflare One Appliance

Thu, 07 May 2026 00:00:00 GMT

When the Cloudflare One Appliance is acting as the DHCP server for a LAN, you can now configure custom DHCP options on the leases it issues. This unlocks workflows such as PXE / iPXE boot, VoIP phone provisioning, and vendor-specific client configuration.

Each option is defined by option_number, value, and one of four value types: text, integer, hex, or ip. Configurations are validated on the appliance before being applied — invalid configurations are rejected and the underlying error is returned to the API caller, so a bad option will not disrupt the live DHCP service.

For details, refer to DHCP server options.

Cloudflare One Appliance, Cloudflare One, Cloudflare WAN - Source-based breakout and prioritization on Cloudflare One Appliance

Thu, 07 May 2026 00:00:00 GMT

Breakout and traffic prioritization rules on the Cloudflare One Appliance can now match by source in addition to destination application. You can pin breakout or priority behavior to:

A source LAN interface — VLANs attached to that LAN are included automatically.
A source IP address, range, or CIDR block.

This is the natural way to break out a guest VLAN to the local Internet, or to prioritize traffic from a specific subnet, without enumerating destination applications.

For details, refer to Breakout traffic.

Cloudflare One Appliance, Cloudflare One, Cloudflare WAN - Self-serve provisioning of Cloudflare One Virtual Appliance via API

Thu, 07 May 2026 00:00:00 GMT

You can now create, rotate, and delete Cloudflare One Virtual Appliance instances and their license keys directly via the API and Terraform.

Create a virtual appliance and receive a license key: POST /accounts/{account_id}/magic/connectors with device.provision_license: true.
Rotate the license key for an existing virtual appliance: PATCH /accounts/{account_id}/magic/connectors/{connector_id} with provision_license: true. The previous key is immediately and irrevocably revoked.
Delete a virtual appliance to release the associated licensed device.

The license key is returned in the response only once, at create or rotate time. Copy and store it securely.

For details, refer to Configure a Cloudflare One Virtual Appliance.

Email security - Cloudy Summaries in PhishNet O365

Wed, 06 May 2026 18:15:13 GMT

PhishNet users can now access Cloudy summaries directly within the email investigation experience. When reviewing a message in PhishNet, users will see an AI-generated summary that provides additional context and key details about the email.

These summaries help users quickly understand the nature of a message without needing to manually parse through headers, body content, and detection signals. Cloudy surfaces the most relevant information so users can make faster, more informed decisions about suspicious emails.

These summaries are not trained on customer data. They are generated using the outputs of our existing detection models and analysis systems.

This feature is available for PhishNet with Office 365. Support for Gmail will be available by the end of the quarter.

Cloudflare One - IPv6 CIDR routes for Cloudflare Mesh

Wed, 06 May 2026 00:00:00 GMT

Cloudflare Mesh nodes now support IPv6 CIDR routes. You can advertise both IPv4 and IPv6 subnets through your Mesh nodes, making IPv6-only or dual-stack private networks reachable from any enrolled device.

To add an IPv6 route, follow the same steps as adding an IPv4 route — enter the IPv6 CIDR (for example, fd00::/64) when configuring the route in the dashboard or via the API.

Cloudflare One, Cloudflare WAN - Post-quantum IPsec interoperability with third-party devices

Thu, 30 Apr 2026 00:00:00 GMT

Cloudflare IPsec now supports post-quantum key agreement with compatible third-party devices. Cisco and Fortinet are the first third-party vendors validated to interoperate with Cloudflare IPsec using ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism).

Post-quantum IPsec uses RFC 9370 and draft-ietf-ipsecme-ikev2-mlkem to negotiate hybrid key agreement during the IKEv2 IKE_INTERMEDIATE phase. This combines classical Diffie-Hellman (Group 20) with ML-KEM-768 or ML-KEM-1024 to protect against harvest-now, decrypt-later attacks.

Key details:

Compatible with Cisco 8000 Series Secure Routers with IOS XR Release 26.1.1 and Fortinet FortiOS 7.6.6 and later.
Uses ML-KEM-768 or ML-KEM-1024 as an additional Key Exchange to DH Group 20.
Follows RFC 9370 and draft-ietf-ipsecme-ikev2-mlkem standards.
No additional licensing required.

Post-quantum IPsec with third-party devices is now generally available with confirmed interoperability for the platforms listed above. Cloudflare intends to support interoperability with more vendors as they build out support for draft-ietf-ipsecme-ikev2-mlkem. Contact your account team to discuss support for additional vendors.

For supported key exchange methods and the list of validated platforms, refer to GRE and IPsec tunnels.

Data Loss Prevention - Classify sensitive content with Data Classification

Thu, 30 Apr 2026 00:00:00 GMT

Cloudflare DLP now includes Data Classification, which lets administrators organize and label sensitive content using labels, templates, and reusable data classes.

With Data Classification, administrators can define labels such as sensitivity schemas and levels, and data tag groups and tags. Administrators can also build from Cloudflare-managed templates and create reusable data classes that combine detection entries, other data classes, sensitivity levels, and data tags.

You can then use those classifications in custom DLP profiles to identify the severity of sensitive content, understand where it exists, and apply that logic consistently across DLP profiles.

For more information, refer to Data Classification.

Data Loss Prevention - New predefined detection entries are available

Thu, 30 Apr 2026 00:00:00 GMT

Cloudflare DLP now includes new predefined detection entries.

The expanded catalog includes detections for specific credential types, webhooks, addresses, tax identifiers, national IDs, financial data, and crypto wallets.

Examples include GitHub PAT, OpenAI API Key, Slack Webhook, Discord Webhook, US Physical Address, and Bitcoin Wallet.

For the full list, refer to Predefined detection entries.

Digital Experience Monitoring - Digital experience tests to authenticated resources and enhanced configuration

Wed, 29 Apr 2026 00:00:00 GMT

Digital experience tests now support testing applications protected by Cloudflare Access or third-party authentication. All authentication secrets are managed via Cloudflare Secret Store.

Digital experience tests also have enhanced configuration options including:

New HTTP methods (DELETE, PATCH, POST, PUT)
Secret Store headers, custom plain text headers, and custom request bodies
Advanced settings: follow redirects, response bodies, response headers, and allow untrusted certificates

Gateway - Gateway Authorization Proxy and hosted PAC files are now generally available

Wed, 29 Apr 2026 00:00:00 GMT

The Gateway Authorization Proxy and hosted PAC files are now generally available for all plan types.

Authorization proxy endpoints add an identity-aware option alongside the existing source IP proxy endpoints, using Cloudflare Access authentication to verify who a user is before applying Gateway filtering — without installing the Cloudflare One Client. Cloudflare-hosted PAC files let you create and distribute PAC files directly from Cloudflare One on Cloudflare's global network.

These features are ideal for environments where deploying a device client is not an option, such as virtual desktops (VDI) or compliance-restricted endpoints.

To get started, refer to the proxy endpoints documentation.

Digital Experience Monitoring - Internet outage notifications for devices

Tue, 28 Apr 2026 00:00:00 GMT

Digital Experience will display a dashboard notification when an Internet outage or traffic anomaly may impact a Cloudflare One Client device based on its geographic location or network connection.

This Internet outage and traffic anomaly data is pulled from Cloudflare Radar. All Internet outage and traffic anomaly observations can be viewed in the Radar Outage Center.

Digital Experience Monitoring - Cloudflare One Client speed tests

Tue, 28 Apr 2026 00:00:00 GMT

IT teams can now remotely run speed tests from the Cloudflare One Client to Cloudflare's network edge.

Each speed test includes the following metrics:

Internet speed: download and upload throughput
Latency: download, upload, unloaded latency, and jitter
Network quality score: video streaming, webchat/real-time communication (RTC)

In the Cloudflare dashboard, go to Zero Trust > Insights > Digital experience > Diagnostics and select Run diagnostics to use the feature today.

Data Loss Prevention - Create and manage DLP detection entries outside of profiles

Tue, 28 Apr 2026 00:00:00 GMT

You can now create, view, and manage DLP detection entries outside of profiles.

Detection entries are no longer hidden inside individual profiles. Administrators can manage detection entries directly from the Detection entries section and use them in custom DLP profiles.

For more information, refer to Configure detection entries.

Data Loss Prevention - Detect PII records with a new predefined DLP profile

Tue, 28 Apr 2026 00:00:00 GMT

Cloudflare DLP now includes a new predefined profile designed to detect PII records that contain multiple types of personal data: Personally Identifiable Information (PII) Record.

Most predefined and custom DLP profiles match when any enabled detection entry matches. The Personally Identifiable Information (PII) Record profile is different. It only matches when at least three unique detection entries are found in close proximity, which reduces false positives from standalone values that may not represent a real PII record.

Detection entries included in the profile:

AU Passport Number
American Express Card Number
Diners Club Card Number
US Driver's License Number
Email Address
Full Name
US Mailing Address
Mastercard Card Number
US Individual Tax Identification Number (ITIN)
US Passport Number
US Phone Number
Union Pay Card Number
United States SSN Numeric Detection
Visa Card Number

For more information, refer to predefined DLP profiles.

Gateway, Cloudflare One - Network Session Logs now available for all on-ramps

Fri, 24 Apr 2026 00:00:00 GMT

Zero Trust Network Session Logs are now generated for all traffic proxied through Cloudflare Gateway, regardless of on-ramp type. This includes traffic from proxy endpoints (PAC files) and Browser Isolation egress — on-ramps that previously did not generate session logs.

Customers who already consume the zero_trust_network_sessions dataset via Logpush or Log Explorer may see increased log volume if they use these on-ramps.

For field definitions, refer to Zero Trust Network Session Logs. For traffic analysis, refer to Network session analytics.

Access - AAGUID restrictions and AMR matching for Access independent MFA

Thu, 23 Apr 2026 00:00:00 GMT

Independent MFA in Cloudflare Access now supports two additional organization-level controls:

Restrict authenticators by AAGUID — Limit enrollment to a specific set of WebAuthn authenticators using their AAGUID. This is useful for organizations that require FIPS-validated security keys or company-issued hardware. AAGUIDs are managed through a new List type.
AMR matching — Skip the independent MFA prompt when the identity provider has already performed an equivalent MFA. Access reads the amr claim defined in RFC 8176 and matches supported values such as hwk, otp, and fpt to the authenticator types allowed on the application or policy. This prevents users from having to complete MFA twice when their identity provider already enforces it.

To get started, refer to Independent MFA.

Cloudflare Network Firewall, Magic Transit, Cloudflare WAN - Country rules supported in Unified Routing

Tue, 21 Apr 2026 12:00:00 GMT

Cloudflare Advanced Network Firewall Country rules are now supported for accounts using Unified Routing mode. This feature requires a Cloudflare Advanced Network Firewall subscription.

You can create firewall rules that match traffic based on source or destination country to enforce geographic access policies across your network.

This is the first of the Cloudflare Advanced Network Firewall features to become available in Unified Routing. Support for additional features - IP Lists, ASN Lists, Threat Intel Lists, IDS, Rate Limiting, SIP, and Managed Rulesets - is planned.

For the full list of current beta limitations, refer to Traffic steering beta limitations.

Cloudflare One, Gateway - Network session analytics dashboard

Mon, 20 Apr 2026 00:00:00 GMT

The new Network session analytics dashboard is now available in Cloudflare One. This dashboard provides visibility into your network traffic patterns, helping you understand how traffic flows through your Cloudflare One infrastructure.

What you can do with Network session analytics

Analyze geographic distribution: View a world map showing where your network traffic originates, with a list of top locations by session count.
Monitor key metrics: Track session count, total bytes transferred, and unique users.
Identify connection issues: Analyze connection close reasons to troubleshoot network problems.
Review protocol usage: See which network protocols (TCP, UDP, ICMP) are most used.

Dashboard features

Summary metrics: Session count, bytes total, and unique users
Traffic by location: World map visualization and location list with top traffic sources
Top protocols: Breakdown of TCP, UDP, ICMP, and ICMPv6 traffic
Connection close reasons: Insights into why sessions terminated (client closed, origin closed, timeouts, errors)

How to access

Log in to Cloudflare One.
Go to Zero Trust > Insights > Dashboards.
Select Network session analytics.

For more information, refer to the Network session analytics documentation.

Access - Homepage and sign-out for MCP server portals

Fri, 17 Apr 2026 00:00:00 GMT

MCP server portals display a homepage when users visit the portal domain in a browser.

The homepage shows:

The portal name and organization branding
The MCP endpoint URL with a copy button
Per-client connection instructions for Claude Desktop, Workers AI Playground, OpenCode, Windsurf, and other MCP clients

Authenticated users see their email address and a Sign out button. Selecting Sign out revokes all portal-level OAuth grants, deletes upstream server OAuth states, and redirects through Cloudflare Access logout. A confirmation page shows a summary of the revoked sessions.

For more information, refer to MCP server portals.

Access - Independent MFA for Access applications

Wed, 15 Apr 2026 00:00:00 GMT

Cloudflare Access now supports independent multi-factor authentication (MFA), allowing you to enforce MFA requirements without relying on your identity provider (IdP). With per-application and per-policy configuration, you can enforce stricter authentication methods like hardware security keys on sensitive applications without requiring them across your entire organization. This reduces the risk of MFA fatigue for your broader user population while adding additional security where it matters most.

This feature also addresses common gaps in IdP-based MFA, such as inconsistent MFA policies across different identity providers or the need for additional security layers beyond what the IdP provides.

Independent MFA supports the following authenticator types:

Authenticator application — Time-based one-time passwords (TOTP) using apps like Google Authenticator, Microsoft Authenticator, or Authy.
Security key — Hardware security keys such as YubiKeys.
Biometrics — Built-in device authenticators including Apple Touch ID, Apple Face ID, and Windows Hello.

Configuration levels

You can configure MFA requirements at three levels:

Level	Description
Organization	Enforce MFA by default for all applications in your account.
Application	Require or turn off MFA for a specific application.
Policy	Require or turn off MFA for users who match a specific policy.

Settings at lower levels (policy) override settings at higher levels (organization), giving you granular control over MFA enforcement.

User enrollment

Users enroll their authenticators through the App Launcher. To help with onboarding, administrators can share a direct enrollment link: <your-team-name>.cloudflareaccess.com/AddMfaDevice.

To get started with Independent MFA, refer to Independent MFA.

Cloudflare One - New, streamlined creation experience for Access Applications and Gateway Policies

Wed, 15 Apr 2026 00:00:00 GMT

The Cloudflare One dashboard now features redesigned builders for two core workflows: creating Gateway policies and configuring self-hosted Access applications.

Gateway rule builder

The Gateway rule builder now features a redesigned user experience, bringing it in line with the Access policy builder experience. Improvements include:

Streamlined UX with clearer states and improved user interactions
Wirefilter editing for viewing and editing Gateway rules directly from wirefilter expressions
Preview state to review the impact of your policy in a simple graphic

For more information, refer to Traffic policies.

Access application builder for self-hosted apps

The self-hosted Access application builder now offers a simplified creation workflow with fewer steps from setup to save. Improvements include:

New application selection experience that makes choosing the right application type before you begin easier.
Streamlined creation flow with fewer clicks to build and save an application
Inline policy creation for building Access policies directly within the application creation flow
Preview state to understand how your policies enforce user access before saving

For more information, refer to self-hosted applications.

Digital Experience Monitoring - Last seen timestamp for Cloudflare One Client devices is more consistent

Wed, 15 Apr 2026 00:00:00 GMT

The last seen timestamp for Cloudflare One Client devices is now more consistent across the dashboard. IT teams will see more consistent information about the most recent client event between a device and Cloudflare's network.

Data Loss Prevention - DLP account-level settings

Tue, 14 Apr 2026 12:00:00 GMT

Account-level DLP settings are now available in Cloudflare One. You can now configure advanced DLP settings at the account level, including OCR, AI context analysis, and payload masking. This provides consistent enforcement across all DLP profiles and simplifies configuration management.

Key changes:

Consistent enforcement: Settings configured at the account level apply to all DLP profiles
Simplified migration: Settings enabled on any profile are automatically migrated to account level
Deprecation notice: Profile-level advanced settings will be deprecated in a future release

Migration details:

During the migration period, if a setting is enabled on any profile, it will automatically be enabled at the account level. This means profiles that previously had a setting disabled may now have it enabled if another profile in the account had it enabled.

Settings are evaluated using OR logic - a setting is enabled if it is turned on at either the account level or the profile level. However, profile-level settings cannot be enabled when the account-level setting is off.

For more details, refer to the DLP settings documentation.

Cloudflare One - Introducing Cloudflare Mesh

Tue, 14 Apr 2026 00:00:00 GMT

Cloudflare Mesh is now available (blog post). Mesh connects your services and devices with post-quantum encrypted networking, allowing you to route traffic privately between servers, laptops, and phones over TCP, UDP, and ICMP.

What Cloudflare Mesh does

Assigns a private Mesh IP to every enrolled device and node.
Enables any participant to reach any other participant by IP — including client-to-client, without deploying any infrastructure.
Supports CIDR routes for subnet routing through Mesh nodes.
Supports high availability with active-passive replicas for nodes with routes.
All traffic flows through Cloudflare, so Gateway network policies, device posture checks, and access rules apply to every connection.

What changed

WARP Connector is now Cloudflare Mesh. Existing WARP Connectors are now called mesh nodes. All existing deployments continue to work — no migration required.
Peer-to-peer connectivity is now called Mesh connectivity and is part of the Cloudflare Mesh documentation.
Mesh node limit increased from 10 to 50 per account.
New dashboard experience at Networking > Mesh with an interactive network map, node management, route configuration, diagnostics, and a setup wizard.

Get started

Refer to the Cloudflare Mesh documentation to set up your first Mesh network.

Data Loss Prevention - Detect Cloudflare API tokens with DLP

Tue, 14 Apr 2026 00:00:00 GMT

The Credentials and Secrets DLP profile now includes three new predefined entries for detecting Cloudflare API credentials:

Entry name	Token prefix	Detects
Cloudflare User API Key	`cfk_`	User-scoped API keys
Cloudflare User API Token	`cfut_`	User-scoped API tokens
Cloudflare Account Owned API Token	`cfat_`	Account-scoped API tokens

These detections target the new Cloudflare API credential format, which uses a structured prefix and a CRC32 checksum suffix. The identifiable prefix makes it possible to detect leaked credentials with high confidence and low false positive rates — no surrounding context such as Authorization: Bearer headers is required.

Credentials generated before this format change will not be matched by these entries.

How to enable Cloudflare API token detections

In the Cloudflare dashboard, go to Zero Trust > DLP > DLP Profiles.
Select the Credentials and Secrets profile.
Turn on one or more of the new Cloudflare API token entries.
Use the profile in a Gateway HTTP policy to log or block traffic containing these credentials.

Example policy:

Selector	Operator	Value	Action
DLP Profile	in	Credentials and Secrets	Block

You can also enable individual entries to scope detection to specific credential types — for example, enabling Account Owned API Token detection without enabling User API Key detection.

For more information, refer to predefined DLP profiles.

Gateway, Data Loss Prevention - Configure how sensitive data appears in DLP payload logs

Tue, 14 Apr 2026 00:00:00 GMT

You can now configure how sensitive data matches are displayed in your DLP payload match logs — giving your incident response team the context they need to validate alerts without compromising your security posture.

To get started, go to the Cloudflare dashboard, select Zero Trust > Data loss prevention > DLP settings and find the Payload log masking card.

Previously, all DLP payload logs used a single masking mode that obscured matched data entirely and hid the original character count, making it difficult to distinguish true positives from false positives. This update introduces three options:

Full Mask (default): Masks the match while preserving character count and visual formatting (for example, ***-**-**** for a Social Security Number). This is an improvement over the previous default, which did not preserve character count.
Partial Mask: Reveals 25% of the matched content while masking the remainder (for example, ***-**-6789).
Clear Text: Stores the full, unmasked violation for deep investigation (for example, 123-45-6789).

Important: The masking level you select is applied at detection time, before the payload is encrypted. This means the chosen format is what your team will see after decrypting the log with your private key — the existing encryption workflow is unchanged.

Applies to all enabled detections: When a masking level other than Full Mask is selected, it applies to all sensitive data matches found within a payload window — not just the match that triggered the policy. Any data matched by your enabled DLP detection entries will be masked at the selected level.

For more information, refer to DLP logging options.

Browser Isolation - Canvas Remoting optimizes performance for productivity applications

Fri, 10 Apr 2026 00:00:00 GMT

Remote Browser Isolation now supports Canvas Remoting, improving performance for HTML5 Canvas applications by sending vector draw commands instead of rasterized bitmaps.

Key improvements

10x bandwidth reduction: Microsoft Word and other Office apps use 90% less bandwidth
Smooth performance: Google Sheets maintains consistent 30fps rendering
Responsive terminals: Web-based development environments and AI notebooks work in real-time
Zero configuration: Enabled by default for all Browser Isolation customers

How it works

Instead of sending rasterized bitmaps for every Canvas update, Browser Isolation now:

Captures Canvas draw commands at the source
Converts them to lightweight vector instructions
Renders Canvas content on the client

This reduces bandwidth from hundreds of kilobytes per second to tens of kilobytes per second.

Managing Canvas Remoting

To temporarily disable for troubleshooting:

Right-click the isolated webpage background
Select Disable Canvas Remoting
Re-enable the same way by selecting Enable Canvas Remoting

Limitations

Currently supports 2D Canvas contexts only. WebGL and 3D graphics applications continue using bitmap rendering. For more information, refer to Canvas Remoting.

CASB - Send CASB posture finding instances with webhooks

Thu, 09 Apr 2026 00:00:00 GMT

You can now use CASB webhooks in Cloudflare One to send posture finding instances to external systems such as chat platforms, ticketing systems, SIEMs, SOAR tools, and custom automation services.

This gives security teams a simple way to route CASB posture findings into the tools and workflows they already use for triage and response.

To get started, go to Integrations > Webhooks in the Cloudflare One dashboard to create a webhook destination. After you configure a webhook, open a posture finding instance and select Send webhook to send it.

Key capabilities

Flexible authentication — Configure destinations using None, Basic Auth, Bearer Auth, Static Headers, or HMAC-Signing.
Built-in testing — Use Test delivery to send a test request before sending a live finding instance.
Posture finding workflows — Send posture finding instances directly from the finding details workflow in Cloud & SaaS findings.
HTTPS destinations — Configure webhook destinations with public https:// URLs.

Learn more

Configure CASB webhooks in Cloudflare.
Learn how to manage findings in Cloudflare.

CASB webhooks are now available in Cloudflare One.

Risk Score - User risk scoring for high risk browsing activity

Wed, 08 Apr 2026 00:00:00 GMT

Cloudflare One's User Risk Scoring now incorporates direct signals from Gateway DNS traffic patterns. This update allows security teams to automatically elevate a user's risk score when they visit high-risk or malicious domains, providing a more holistic view of internal threats.

Why this matters

Browsing activity is a primary indicator of potential compromise. By tying Gateway DNS logs to specific users, administrators can now flag individuals interacting with:

Security threats: Domains associated with malware, phishing, or command-and-control (C2) centers.
High-risk content: Categories such as questionable content or violence that may violate corporate compliance.

Even if a Gateway policy is set to Block the traffic, the interaction is still captured as a "hit" to ensure the user's risk profile reflects the attempted activity.

New risk behaviors

Two new behaviors are now available in the dashboard:

Suspicious Security Domain Visited: Triggers when a user visits a domain in the security threats or security risk categories.
High risk domain visited: Triggers when a user visits domains categorized as questionable content, violence, or CIPA.

To learn more and get started, refer to the User Risk Scoring documentation.

Cloudflare One Client - Cloudflare One Client for Windows (version 2026.3.851.0)

Tue, 07 Apr 2026 15:56:36 GMT

A new GA release for the Windows Cloudflare One Client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

The next stable release for Windows will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information.

Changes and improvements

Fixed an issue causing Windows client tunnel interface initialization failure which prevented clients from establishing a tunnel for connection.
Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
Added monitoring for tunnel statistics collection timeouts.
Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms.
Fixed packet capture failing on tunnel interface when the tunnel interface is renamed by SCCM VPN boundary support.
Fixed unnecessary registration deletion caused by RDP connections in multi-user mode.
Fixed increased tunnel interface start-up time due to a race between duplicate address detection (DAD) and disabling NetBT.
Fixed tunnel failing to connect when the system DNS search list contains unexpected characters.
Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts.
Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization.
Fixed initiating managed network detections checks when no network is available, which caused device profile flapping.
Fixed an issue where degraded Windows Management Instrumentation (WMI) state could put the client in a failed connection state loop during initialization.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 version KB5062553 or higher for resolution. This warning will be omitted from future release notes. This Windows update was released in July 2025.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later. This warning will be omitted from future release notes. This Microsoft Security Intelligence update was released in May 2025.
DNS resolution may be broken when the following conditions are all true:
- The client is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while the client is connected.
To work around this issue, reconnect the client by selecting Disconnect and then Connect in the client user interface.

Email security - User Submission Triage Status Tracking

Tue, 07 Apr 2026 09:00:00 GMT

Cloudflare Email security now supports Triage Status Tracking for User Submissions. This enhancement gives SOC teams a streamlined way to track, manage, and prioritize user-submitted emails directly within the Cloudflare One dashboard.

The User Submissions table now includes a Status column with three states: Unreviewed (new submissions awaiting triage), Reviewed (submissions assessed by the SOC team), and Escalated (submissions escalated to team submissions for further investigation). Analysts can quickly update statuses and filter the table to focus on what needs attention.
SOC teams can now organize their triage workflows, avoid duplicate reviews, and make sure critical threats get escalated for deeper investigation—bringing order to the chaos of high-volume submission management.

Triage Status Tracking is automatically available for all Email security customers using the user submissions feature. No additional configuration is required; customers just need to make sure user submissions are being sent to their user submission aliases.

This applies to all Email security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Cloudflare One Appliance, Cloudflare One, Cloudflare WAN - Link aggregation (LACP) support for Cloudflare One Appliance

Tue, 07 Apr 2026 00:00:00 GMT

Cloudflare One Appliance now supports Link Aggregation Control Protocol (LACP), allowing you to bundle up to six physical LAN ports into a single logical interface. Link aggregation increases available bandwidth and eliminates single points of failure on the LAN side of the appliance.

This feature is available in beta on physical appliance hardware with the latest OS. No entitlement is required.

To configure a Link Aggregation Group, refer to Configure link aggregation groups.

Email security - DANE Support for MX Deployments

Mon, 06 Apr 2026 09:00:00 GMT

Cloudflare Email Security now supports DANE (DNS-based Authentication of Named Entities) for MX deployments. This enhancement strengthens email transport security by enabling DNSSEC-backed certificate verification for our regional MX records.

Regional MX hostnames now publish DANE TLSA records backed by DNSSEC, enabling DANE-capable SMTP senders to cryptographically validate certificate identities before establishing TLS connections—moving beyond opportunistic encryption to verified encrypted delivery.
DANE support is automatically available for all customers using regional MX deployments. No additional configuration is required; DANE-capable mail infrastructure will automatically validate MX certificates using the published records.

This applies to all Email Security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Cloudflare Fundamentals, Cloudflare One, Gateway - Organizations is now in public beta for enterprises

Mon, 06 Apr 2026 00:00:00 GMT

We're announcing the public beta of Organizations for enterprise customers, a new top-level Cloudflare container that lets Cloudflare customers manage multiple accounts, members, analytics, and shared policies from one centralized location.

What's New

Organizations [BETA]: Organizations are a new top-level container for centrally managing multiple accounts. Each Organization supports up to 500 accounts and 5000 zones, giving larger teams a single place to administer resources at scale.

Self-serve onboarding: Enterprise customers can create an Organization in the dashboard and assign accounts where they are already Super Administrators.

Centralized Account Management: At launch, every Organization member has the Organization Super Admin role. Organization Super Admins can invite other users and manage any child account under the Organization implicitly. Shared policies: Share WAF or Gateway policies across multiple accounts within your Organization to simplify centralized policy management. Implicit access: Members of an Organization automatically receive Super Administrator permissions across child accounts, removing the need for explicit membership on each account. Additional Org-level roles will be available over the course of the year.

Unified analytics: View, filter, and download aggregate HTTP analytics across all Organization child accounts from a single dashboard for centralized visibility into traffic patterns and security events.

Terraform provider support: Manage Organizations with infrastructure as code from day one. Provision organizations, assign accounts, and configure settings programmatically with the Cloudflare Terraform provider.

Shared policies: Share WAF or Gateway policies across multiple accounts within your Organization to simplify centralized policy management.

For more info:

Cloudflare One Client - Cloudflare One Client for macOS (version 2026.3.846.0)

Thu, 02 Apr 2026 16:28:33 GMT

A new GA release for the macOS Cloudflare One Client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

The next stable release for macOS will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information.

Changes and improvements

Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts.
Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization.
Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
Added monitoring for tunnel statistics collection timeouts.
Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms.
Fixed initiating managed network detections checks when no network is available, which caused device profile flapping.

Cloudflare One Client - Cloudflare One Client for Linux (version 2026.3.846.0)

Thu, 02 Apr 2026 15:39:10 GMT

A new GA release for the Linux Cloudflare One Client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

The next stable release for Linux will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information.

Changes and improvements

Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts.
Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization.
Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
Added monitoring for tunnel statistics collection timeouts.
Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms.
Fixed initiating managed network detections checks when no network is available, which caused device profile flapping.

Access - Session management for MCP server portals

Thu, 02 Apr 2026 00:00:00 GMT

MCP server portals support in-session management of upstream MCP server connections. Users can return to the server selection page at any time to enable or disable servers, reauthenticate, or change which data a server has access to — all without leaving their MCP client.

To return to the server selection page, ask your AI agent with a prompt like "take me back to the server selection page." The portal responds with an authorization URL via MCP elicitation that you open in your browser:

https://<subdomain>.<domain>/authorize?elicitationId=<ELICITATION_ID>

From the server selection page you can:

Enable or disable servers — Toggle individual upstream MCP servers on or off. Disabling a server removes its tools from the active session, which reduces context window usage.
Log out and reauthenticate — Log out of a server and log back in to change which data the server has access to, or to reauthenticate with different permissions.

Users can also enable or disable a server inline by asking their AI agent directly, for example "enable the wiki server" or "disable my Jira server."

The portal also automatically prompts connected users to authorize new servers when an admin adds them to the portal. This requires the use of managed OAuth.

For more information, refer to Manage portal sessions.

Cloudflare One, Access, Gateway - Logs UI refresh

Wed, 01 Apr 2026 00:00:00 GMT

Access authentication logs and Gateway activity logs (DNS, Network, and HTTP) now feature a refreshed user interface that gives you more flexibility when viewing and analyzing your logs.

The updated UI includes:

Filter by field - Select any field value to add it as a filter and narrow down your results.
Customizable fields - Choose which fields to display in the log table. Querying for fewer fields improves log loading performance.
View details - Select a timestamp to view the full details of a log entry.
Switch to classic view - Return to the previous log viewer interface if needed.

For more information, refer to Access authentication logs and Gateway activity logs.

Access - Code mode for MCP server portals

Thu, 26 Mar 2026 00:00:00 GMT

MCP server portals support code mode, a technique that reduces context window usage by replacing individual tool definitions with a single code execution tool. Code mode is turned on by default on all portals.

To turn it off, edit the portal in Access controls > AI controls and turn off Code mode under Basic information.

When code mode is active, the portal exposes a single code tool instead of listing every tool from every upstream MCP server. The connected AI agent writes JavaScript that calls typed codemode.* methods for each upstream tool. The generated code runs in an isolated Dynamic Worker environment, keeping authentication credentials and environment variables out of the model context.

To use code mode, append ?codemode=search_and_execute to your portal URL when connecting from an MCP client:

https://<subdomain>.<domain>/mcp?codemode=search_and_execute

For more information, refer to code mode.

Access - Context optimization for MCP server portals

Thu, 26 Mar 2026 00:00:00 GMT

MCP server portals support two context optimization options that reduce how many tokens tool definitions consume in the model's context window. Both options are activated by appending the optimize_context query parameter to the portal URL.

`minimize_tools`

Strips tool descriptions and input schemas from all upstream tools, leaving only their names. The portal exposes a special query tool that agents use to retrieve full definitions on demand. This provides up to 5x savings in token usage.

https://<subdomain>.<domain>/mcp?optimize_context=minimize_tools

`search_and_execute`

Hides all upstream tools and exposes only two tools: query and execute. The query tool searches and retrieves tool definitions. The execute tool runs the upstream tools in an isolated Dynamic Worker environment. This reduces the initial token cost to a small constant, regardless of how many tools are available through the portal.

https://<subdomain>.<domain>/mcp?optimize_context=search_and_execute

For more information, refer to Optimize context.

Data Loss Prevention - Streaming ZIP file scanning removes per-file size limits

Thu, 26 Mar 2026 00:00:00 GMT

DLP now processes ZIP files using a streaming handler that scans archive contents element-by-element as data arrives. This removes previous file size limitations and improves memory efficiency when scanning large archives.

Microsoft Office documents (DOCX, XLSX, PPTX) also benefit from this improvement, as they use ZIP as a container format.

This improvement is automatic — no configuration changes are required.

Data Loss Prevention - Detect and sanitize HAR files

Wed, 25 Mar 2026 00:00:00 GMT

HTTP Archive (HAR) files are used by engineering and support teams to capture and share web traffic logs for troubleshooting. However, these files routinely contain highly sensitive data — including session cookies, authorization headers, and other credentials — that can pose a significant risk if uploaded to third-party services without being reviewed or cleaned first.

Gateway now includes a predefined DLP profile called Unsanitized HAR that detects HAR files in HTTP traffic. You can use this profile in a Gateway HTTP policy to either block HAR file uploads entirely or redirect users to a sanitization tool before allowing the upload to proceed.

How to configure a HAR file policy

In the Cloudflare dashboard, go to Zero Trust > Traffic policies > Firewall Policies > HTTP and create a new HTTP policy using the DLP Profile selector:

Selector	Operator	Value	Action
DLP Profile	in	Unsanitized HAR

Then choose one of the following actions:

Block: Prevents the upload of any HAR file that has not been sanitized by Cloudflare's sanitizer. Use this for strict environments where HAR file sharing must be disallowed entirely.
Block with Gateway Redirect: Intercepts the upload and redirects the user to https://har-sanitizer.pages.dev/, where they can sanitize the file. Once sanitized, the user can re-upload the clean file and proceed with their workflow.

Sanitized HAR recognition

HAR files processed by the Cloudflare HAR sanitizer receive a tamper-evident sanitized marker. DLP recognizes this marker and will not re-trigger the policy on a file that has already been sanitized and has not been modified since. If a previously sanitized file is edited, it will be treated as unsanitized and flagged again.

Visibility in Gateway logs

Gateway logs will reflect whether a detected HAR file was classified as Unsanitized or Sanitized, giving your security team full visibility into HAR file activity across your organization.

For more information, refer to predefined DLP profiles.

Gateway - OIDC Claims filtering now available in Gateway Firewall, Resolver, and Egress policies

Tue, 24 Mar 2026 00:00:00 GMT

Cloudflare Gateway now supports OIDC Claims as a selector in Firewall, Resolver, and Egress policies. Administrators can use custom OIDC claims from their identity provider to build fine-grained, identity-based traffic policies across all Gateway policy types.

With this update, you can:

Filter traffic in DNS, HTTP, and Network firewall policies based on OIDC claim values.
Apply custom resolver policies to route DNS queries to specific resolvers depending on a user's OIDC claims.
Control egress policies to assign dedicated egress IPs based on OIDC claim attributes.

For example, you can create a policy that routes traffic differently for users with department=engineering in their OIDC claims, or restrict access to certain destinations based on a user's role claim.

To get started, configure custom OIDC claims on your identity provider and use the OIDC Claims selector in the Gateway policy builder.

For more information, refer to Identity-based policies.

Access - Managed OAuth for Cloudflare Access

Fri, 20 Mar 2026 00:00:00 GMT

Cloudflare Access supports managed OAuth, which allows non-browser clients — such as CLIs, AI agents, SDKs, and scripts — to authenticate with Access-protected applications using a standard OAuth 2.0 authorization code flow.

Previously, non-browser clients that attempted to access a protected application received a 302 redirect to a login page they could not complete. The established workaround was cloudflared access curl, which required installing additional tooling.

With managed OAuth, clients instead receive a 401 response with a WWW-Authenticate header that points to Access's OAuth discovery endpoints (RFC 8414 and RFC 9728). The client opens the end user's browser to the Access login page. The end user authenticates with their identity provider, and the client receives an OAuth access token for subsequent requests.

Access enforces the same policies as a browser login; the OAuth layer is a new transport mechanism, not a separate authentication path.

Managed OAuth can be enabled on any self-hosted Access application or MCP server portal. It is opt-in for existing applications to avoid interfering with those that run their own OAuth servers and rely on their own WWW-Authenticate headers.

To enable managed OAuth, go to Zero Trust > Access controls > Applications, edit the application, and turn on Managed OAuth under Advanced settings.

You can also enable it via the API by setting oauth_configuration.enabled to true on the Access applications endpoint.

For setup instructions, refer to Enable managed OAuth.

Access - Route MCP server portal traffic through Cloudflare Gateway

Fri, 20 Mar 2026 00:00:00 GMT

MCP server portals can now route traffic through Cloudflare Gateway for richer HTTP request logging and data loss prevention (DLP) scanning.

When Gateway routing is turned on, portal traffic appears in your Gateway HTTP logs. You can create Gateway HTTP policies with DLP profiles to detect and block sensitive data sent to upstream MCP servers.

To enable Gateway routing, go to Access controls > AI controls, edit the portal, and turn on Route traffic through Cloudflare Gateway under Basic information.

For more details, refer to Route traffic through Gateway.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Stream logs from multiple replicas of Cloudflare Tunnel simultaneously

Fri, 20 Mar 2026 00:00:00 GMT

In the Cloudflare One dashboard, the overview page for a specific Cloudflare Tunnel now shows all replicas of that tunnel and supports streaming logs from multiple replicas at once.

Previously, you could only stream logs from one replica at a time. With this update:

Replicas on the tunnel overview — All active replicas for the selected tunnel now appear on that tunnel's overview page under Connectors. Select any replica to stream its logs.
Multi-connector log streaming — Stream logs from multiple replicas simultaneously, making it easier to correlate events across your infrastructure during debugging or incident response. To try it out, log in to Cloudflare One and go to Networks > Connectors > Cloudflare Tunnels. Select View logs next to the tunnel you want to monitor.

For more information, refer to Tunnel log streams and Deploy replicas.

Email security - Unlimited result paging in Investigations

Sun, 15 Mar 2026 16:00:00 GMT

Investigations now support unlimited result paging in both the dashboard and the API, removing the previous 1,000-record cap. Security teams can page through complete result sets when searching across large mail volumes, giving SOC analysts and automated workflows deeper visibility for forensics and threat hunting.

In the dashboard, infinite paging is now supported in the Investigations view. The 1,000-record ceiling has been removed, so you can navigate through the full result set directly in the UI. The Investigations API now returns up to 10,000 records per page (up from 1,000), with no cap on total result volume across pages.

For high-volume use cases, we recommend:

Logpush to a SIEM for full-fidelity datasets and long-term retention.
SOAR playbooks against the async bulk action API for large-scale remediation. Bulk actions initiated from the dashboard remain capped at 1,000 messages per action.
The Investigations API for report exports larger than 1,000 results, which is the dashboard download cap.

This applies to all Email Security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Cloudflare One Client - WARP client for macOS (version 2026.3.566.1)

Tue, 10 Mar 2026 17:10:39 GMT

A new Beta release for the macOS WARP client is now available on the beta releases downloads page.

This release contains minor fixes and introduces a brand new visual style for the client interface. The new Cloudflare One Client interface changes connectivity management from a toggle to a button and brings useful connectivity settings to the home screen. The redesign also introduces a collapsible navigation bar. When expanded, more client information can be accessed including connectivity, settings, and device profile information. If you have any feedback or questions, visit the Cloudflare Community forum and let us know.

Changes and improvements

Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
Fixed an issue in proxy mode where the client could become unresponsive due to upstream connection timeouts.
Fixed emergency disconnect state from a previous organization incorrectly persisting after switching organizations.
Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
Added monitoring for tunnel statistics collection timeouts.
Switched tunnel congestion control algorithm to Cubic for improved reliability across platforms.
Fixed initiating managed network detection checks when no network is available, which caused device profile flapping.

Known issues

The client may become stuck in a Connecting state. To resolve this issue, reconnect the client by selecting Disconnect and then Connect in the client user interface. Alternatively, change the client's operation mode.
The client may display an empty white screen upon the device waking from sleep. To resolve this issue, exit and then open the client to re-launch it.
Canceling login during a single MDM configuration setup results in an empty page with no way to resume authentication. To work around this issue, exit and relaunch the client.

Cloudflare One Client - WARP client for Windows (version 2026.3.566.1)

Tue, 10 Mar 2026 17:10:37 GMT

A new Beta release for the Windows WARP client is now available on the beta releases downloads page.

Changes and improvements

Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
Added monitoring for tunnel statistics collection timeouts.
Switched tunnel congestion control algorithm to Cubic for improved reliability across platforms.
Fixed packet capture failing on tunnel interface when the tunnel interface is renamed by SCCM VPN boundary support.
Fixed unnecessary registration deletion caused by RDP connections in multi-user mode.
Fixed increased tunnel interface start-up time due to a race between duplicate address detection (DAD) and disabling NetBT.
Fixed tunnel failing to connect when the system DNS search list contains unexpected characters.
Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
Fixed an issue in proxy mode where the client could become unresponsive due to upstream connection timeouts.
Fixed emergency disconnect state from a previous organization incorrectly persisting after switching organizations.
Fixed initiating managed network detection checks when no network is available, which caused device profile flapping.

Known issues

The client may unexpectedly terminate during captive portal login. To work around this issue, use a web browser to authenticate with the captive portal and then re-launch the client.
An error indicating that Microsoft Edge can't read and write to its data directory may be displayed during captive portal login; this error is benign and can be dismissed.
The client may become stuck in a Connecting state. To resolve this issue, reconnect the client by selecting Disconnect and then Connect in the client user interface. Alternatively, change the client's operation mode.
The client may display an empty white screen upon the device waking from sleep. To resolve this issue, exit and then open the client to re-launch it.
Canceling login during a single MDM configuration setup results in an empty page with no way to resume authentication. To work around this issue, exit and relaunch the client.
For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 version KB5062553 or higher for resolution.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later. This warning will be omitted from future release notes. This Microsoft Security Intelligence update was released in May 2025.
DNS resolution may be broken when the following conditions are all true:
- The client is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while the client is connected. To work around this issue, reconnect the client by selecting Disconnect and then Connect in the client user interface.

Cloudflare One, Access - User risk score selector in Access policies

Wed, 04 Mar 2026 00:00:00 GMT

You can now use user risk scores in your Access policies. The new User Risk Score selector allows you to create Access policies that respond to user behavior patterns detected by Cloudflare's risk scoring system, including impossible travel, high DLP policy matches, and more.

For more information, refer to Use risk scores in Access policies.

Gateway - Gateway Authorization Proxy and hosted PAC files (open beta)

Wed, 04 Mar 2026 00:00:00 GMT

The Gateway Authorization Proxy and PAC file hosting are now in open beta for all plan types.

Previously, proxy endpoints relied on static source IP addresses to authorize traffic, providing no user-level identity in logs or policies. The new authorization proxy replaces IP-based authorization with Cloudflare Access authentication, verifying who a user is before applying Gateway filtering without installing the WARP client.

This is ideal for environments where you cannot deploy a device client, such as virtual desktops (VDI), mergers and acquisitions, or compliance-restricted endpoints.

Key capabilities

Identity-aware proxy traffic — Users authenticate through your identity provider (Okta, Microsoft Entra ID, Google Workspace, and others) via Cloudflare Access. Logs now show exactly which user accessed which site, and you can write identity-based policies like "only the Finance team can access this accounting tool."
Multiple identity providers — Display one or multiple login methods simultaneously, giving flexibility for organizations managing users across different identity systems.
Cloudflare-hosted PAC files — Create and host PAC files directly in Cloudflare One with pre-configured templates for Okta and Azure, hosted at https://pac.cloudflare-gateway.com/<account-id>/<slug> on Cloudflare's global network.
Simplified billing — Each user occupies a seat, exactly like they do with the Cloudflare One Client. No new metrics to track.

Get started

In Cloudflare One, go to Networks > Resolvers & Proxies > Proxy endpoints.
Create an authorization proxy endpoint and configure Access policies.
Create a hosted PAC file or write your own.
Configure browsers to use the PAC file URL.
Install the Cloudflare certificate for HTTPS inspection.

For more details, refer to the proxy endpoints documentation and the announcement blog post.

Cloudflare One - Copy Cloudflare One resources as JSON or POST requests

Mon, 02 Mar 2026 00:00:00 GMT

You can now copy Cloudflare One resources as JSON or as a ready-to-use API POST request directly from the dashboard. This makes it simple to transition workflows into API calls, automation scripts, or infrastructure-as-code pipelines.

To use this feature, click the overflow menu (⋮) on any supported resource and select Copy as JSON or Copy as POST request. The copied output includes only the fields present on your resource, giving you a clean and minimal starting point for your own API calls.

Initially supported resources:

Access applications
Access policies
Gateway policies
Resolver policies
Service tokens
Identity providers

We will continue to add support for more resources throughout 2026.

Access - Clipboard controls for browser-based RDP

Sun, 01 Mar 2026 00:00:00 GMT

You can now configure clipboard controls for browser-based RDP with Cloudflare Access. Clipboard controls allow administrators to restrict whether users can copy or paste text between their local machine and the remote Windows server.

This feature is useful for organizations that support bring-your-own-device (BYOD) policies or third-party contractors using unmanaged devices. By restricting clipboard access, you can prevent sensitive data from being transferred out of the remote session to a user's personal device.

Configuration options

Clipboard controls are configured per policy within your Access application. For each policy, you can independently allow or deny:

Copy from local client to remote RDP session — Users can copy/paste text from their local machine into the browser-based RDP session.
Copy from remote RDP session to local client — Users can copy/paste text from the browser-based RDP session to their local machine.

By default, both directions are denied for new policies. For existing Access applications created before this feature was available, clipboard access remains enabled to preserve backwards compatibility.

When a user attempts a restricted clipboard action, the clipboard content is replaced with an error message informing them that the action is not allowed.

For more information, refer to Clipboard controls for browser-based RDP.

Access - Export MCP server portal logs with Logpush

Fri, 27 Feb 2026 00:00:00 GMT

MCP server portals now supports Logpush integration. You can automatically export MCP server portal activity logs to third-party storage destinations or security information and event management (SIEM) tools for analysis and auditing.

Available log fields

The MCP server portal logs dataset includes fields such as:

Datetime — Timestamp of the request
PortalID / PortalAUD — Portal identifiers
ServerID / ServerURL — Upstream MCP server details
Method — JSON-RPC method (for example, tools/call, prompts/get, resources/read)
ToolCallName / PromptGetName / ResourceReadURI — Method-specific identifiers
UserID / UserEmail — Authenticated user information
Success / Error — Request outcome
ServerResponseDurationMs — Response time from upstream server

For the complete field reference, refer to MCP portal logs.

Set up Logpush

To configure Logpush for MCP server portal logs, refer to Logpush integration.

Gateway - New protocols added for Gateway Protocol Detection (Beta)

Fri, 27 Feb 2026 00:00:00 GMT

Gateway Protocol Detection now supports seven additional protocols in beta:

Protocol	Notes
IMAP	Internet Message Access Protocol — email retrieval
POP3	Post Office Protocol v3 — email retrieval
SMTP	Simple Mail Transfer Protocol — email sending
MYSQL	MySQL database wire protocol
RSYNC-DAEMON	rsync daemon protocol
LDAP	Lightweight Directory Access Protocol
NTP	Network Time Protocol

These protocols join the existing set of detected protocols (HTTP, HTTP2, SSH, TLS, DCERPC, MQTT, and TPKT) and can be used with the Detected Protocol selector in Network policies to identify and filter traffic based on the application-layer protocol, without relying on port-based identification.

If protocol detection is enabled on your account, these protocols will automatically be logged when detected in your Gateway network traffic.

For more information on using Protocol Detection, refer to the Protocol detection documentation.

Cloudflare One Client - WARP client for Windows (version 2026.1.150.0)

Tue, 24 Feb 2026 01:15:23 GMT

A new GA release for the Windows WARP client is now available on the stable releases downloads page.

This release contains minor fixes, improvements, and new features.

Changes and improvements

Improvements to multi-user mode. Fixed an issue where when switching from a pre-login registration to a user registration, Mobile Device Management (MDM) configuration association could be lost.
Added a new feature to manage NetBIOS over TCP/IP functionality on the Windows client. NetBIOS over TCP/IP on the Windows client is now disabled by default and can be enabled in device profile settings.
Fixed an issue causing failure of the local network exclusion feature when configured with a timeout of 0.
Improvement for the Windows client certificate posture check to ensure logged results are from checks that run once users log in.
Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.
Fixed an issue where misconfigured DEX HTTP tests prevented new registrations.
Fixed an issue causing DNS requests to fail with clients in Traffic and DNS mode.
Improved service shutdown behavior in cases where the daemon is unresponsive.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2026.1.150.0)

Tue, 24 Feb 2026 01:15:22 GMT

A new GA release for the macOS WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

Fixed an issue causing failure of the local network exclusion feature when configured with a timeout of 0.
Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.
Fixed an issue with DNS server configuration failures that caused tunnel connection delays.
Fixed an issue where misconfigured DEX HTTP tests prevented new registrations.
Fixed an issue causing DNS requests to fail with clients in Traffic and DNS mode.

Cloudflare One Client - WARP client for Linux (version 2026.1.150.0)

Tue, 24 Feb 2026 00:14:20 GMT

A new GA release for the Linux WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

WARP client version 2025.8.779.0 introduced an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025. Instructions to make this update are available at pkg.cloudflareclient.com.

Changes and improvements

Fixed an issue causing failure of the local network exclusion feature when configured with a timeout of 0.
Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.
Fixed an issue where misconfigured DEX HTTP tests prevented new registrations.
Fixed issues causing DNS requests to fail with clients in Traffic and DNS mode or DNS only mode.

CASB - Understand CASB findings instantly with Cloudy Summaries

Fri, 20 Feb 2026 00:00:00 GMT

You can now easily understand your SaaS security posture findings and why they were detected with Cloudy Summaries in CASB. This feature integrates Cloudflare's Cloudy AI directly into your CASB Posture Findings to automatically generate clear, plain-language summaries of complex security misconfigurations, third-party app risks, and data exposures.

This allows security teams and IT administrators to drastically reduce triage time by immediately understanding the context, potential impact, and necessary remediation steps for any given finding—without needing to be an expert in every connected SaaS application.

To view a summary, simply navigate to your Posture Findings in the Cloudflare One dashboard (under Cloud and SaaS findings) and open the finding details of a specific instance of a Finding.

Cloudy Summaries are supported on all available integrations, including Microsoft 365, Google Workspace, Salesforce, GitHub, AWS, Slack, and Dropbox. See the full list of supported integrations here.

Key capabilities

Contextual explanations — Quickly understand the specifics of a finding with plain-language summaries detailing exactly what was detected, from publicly shared sensitive files to risky third-party app scopes.
Clear risk assessment — Instantly grasp the potential security impact of the finding, such as data breach risks, unauthorized account access, or email spoofing vulnerabilities.
Actionable guidance — Get clear recommendations and next steps on how to effectively remediate the issue and secure your environment.
Built-in feedback — Help improve future AI summarization accuracy by submitting feedback directly using the thumbs-up and thumbs-down buttons.

Learn more

Learn more about managing CASB Posture Findings in Cloudflare.

Cloudy Summaries in CASB are available to all Cloudflare CASB users today.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Manage Cloudflare Tunnel directly from the main Cloudflare Dashboard

Fri, 20 Feb 2026 00:00:00 GMT

Cloudflare Tunnel is now available in the main Cloudflare Dashboard at Networking > Tunnels, bringing first-class Tunnel management to developers using Tunnel for securing origin servers.

This new experience provides everything you need to manage Tunnels for public applications, including:

Full Tunnel lifecycle management: Create, configure, delete, and monitor all your Tunnels in one place.
Native integrations: View Tunnels by name when configuring DNS records and Workers VPC — no more copy-pasting UUIDs.
Real-time visibility: Monitor replicas and Tunnel health status directly in the dashboard.
Routing map: Manage all ingress routes for your Tunnel, including public applications, private hostnames, private CIDRs, and Workers VPC services, from a single interactive interface.

Choose the right dashboard for your use case

Core Dashboard: Navigate to Networking > Tunnels to manage Tunnels for:

Securing origin servers and public applications with CDN, WAF, Load Balancing, and DDoS protection
Connecting Workers to private services via Workers VPC

Cloudflare One Dashboard: Navigate to Zero Trust > Networks > Connectors to manage Tunnels for:

Securing your public applications with Zero Trust access policies
Connecting users to private applications
Building a private mesh network

Both dashboards provide complete Tunnel management capabilities — choose based on your primary workflow.

Get started

New to Tunnel? Learn how to get started with Cloudflare Tunnel or explore advanced use cases like securing SSH servers or running Tunnels in Kubernetes.

Digital Experience Monitoring - DEX Supports EU Customer Metadata Boundary

Thu, 19 Feb 2026 00:00:00 GMT

Digital Experience Monitoring (DEX) provides visibility into WARP device connectivity and performance to any internal or external application.

Now, all DEX logs are fully compatible with Cloudflare's Customer Metadata Boundary (CMB) setting for the 'EU' (European Union), which ensures that DEX logs will not be stored outside the 'EU' when the option is configured.

If a Cloudflare One customer using DEX enables CMB 'EU', they will not see any DEX data in the Cloudflare One dashboard. Customers can ingest DEX data via LogPush, and build their own analytics and dashboards.

If a customer enables CMB in their account, they will see the following message in the Digital Experience dashboard: "DEX data is unavailable because Customer Metadata Boundary configuration is on. Use Cloudflare LogPush to export DEX datasets."

Access - Streamlined clientless browser isolation for private applications

Tue, 17 Feb 2026 00:00:00 GMT

A new Allow clientless access setting makes it easier to connect users without a device client to internal applications, without using public DNS.

Previously, to provide clientless access to a private hostname or IP without a published application, you had to create a separate bookmark application pointing to a prefixed Clientless Web Isolation URL (for example, https://<your-teamname>.cloudflareaccess.com/browser/https://10.0.0.1/). This bookmark was visible to all users in the App Launcher, regardless of whether they had access to the underlying application.

Now, you can manage clientless access directly within your private self-hosted application. When Allow clientless access is turned on, users who pass your Access application policies will see a tile in their App Launcher pointing to the prefixed URL. Users must have remote browser permissions to open the link.

Access - Policies for bookmark applications

Tue, 17 Feb 2026 00:00:00 GMT

You can now assign Access policies to bookmark applications. This lets you control which users see a bookmark in the App Launcher based on identity, device posture, and other policy rules.

Previously, bookmark applications were visible to all users in your organization. With policy support, you can now:

Tailor the App Launcher to each user — Users only see the applications they have access to, reducing clutter and preventing accidental clicks on irrelevant resources.
Restrict visibility of sensitive bookmarks — Limit who can view bookmarks to internal tools or partner resources based on group membership, identity provider, or device posture.

Bookmarks support all Access policy configurations except purpose justification, temporary authentication, and application isolation. If no policy is assigned, the bookmark remains visible to all users (maintaining backwards compatibility).

For more information, refer to Add bookmarks.

Cloudflare One, Cloudflare WAN, Cloudflare Network Firewall, Network Flow - Cloudflare One Product Name Updates

Tue, 17 Feb 2026 00:00:00 GMT

We are updating naming related to some of our Networking products to better clarify their place in the Zero Trust and Secure Access Service Edge (SASE) journey.

We are retiring some older brand names in favor of names that describe exactly what the products do within your network. We are doing this to help customers build better, clearer mental models for comprehensive SASE architecture delivered on Cloudflare.

What's changing

Magic WAN → Cloudflare WAN
Magic WAN IPsec → Cloudflare IPsec
Magic WAN GRE → Cloudflare GRE
Magic WAN Connector → Cloudflare One Appliance
Magic Firewall → Cloudflare Network Firewall
Magic Network Monitoring → Network Flow
Magic Cloud Networking → Cloudflare One Multi-cloud Networking

No action is required by you — all functionality, existing configurations, and billing will remain exactly the same.

For more information, visit the Cloudflare One documentation.

Cloudflare Fundamentals, Access - Fine-grained permissions for Access policies and service tokens

Fri, 13 Feb 2026 00:00:00 GMT

Fine-grained permissions for Access policies and Access service tokens are available. These new resource-scoped roles expand the existing RBAC model, enabling administrators to grant permissions scoped to individual resources.

New roles

Cloudflare Access policy admin: Can edit a specific Access policy in an account.
Cloudflare Access service token admin: Can edit a specific Access service token in an account.

These roles complement the existing resource-scoped roles for Access applications, identity providers, and infrastructure targets.

For more information:

Cloudflare WAN - Anycast IPs displayed on the dashboard

Thu, 12 Feb 2026 00:00:00 GMT

Cloudflare WAN now displays your Anycast IP addresses directly in the dashboard when you configure IPsec or GRE tunnels.

Previously, customers received their Anycast IPs during onboarding or had to retrieve them with an API call. The dashboard now pre-loads these addresses, reducing setup friction and preventing configuration errors.

No action is required. All Cloudflare WAN customers can see their Anycast IPs in the tunnel configuration form automatically.

For more information, refer to Configure tunnel endpoints.

Cloudflare One Appliance, Cloudflare One, Cloudflare WAN - Post-quantum encryption support for Cloudflare One Appliance

Wed, 11 Feb 2026 00:00:00 GMT

Cloudflare One Appliance version 2026.2.0 adds post-quantum encryption support using hybrid ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism).

The appliance now uses TLS 1.3 with hybrid ML-KEM for its connection to the Cloudflare edge. During the TLS handshake, the appliance and the edge share a symmetric secret over the TLS connection and inject it into the ESP layer of IPsec. This protects IPsec data plane traffic against harvest-now, decrypt-later attacks.

This upgrade deploys automatically to all appliances during their configured interrupt windows with no manual action required.

For more information, refer to Cloudflare One Appliance.

Email security - Improved Accessibility and Search for Monitoring

Mon, 02 Feb 2026 11:05:33 GMT

We have updated the Monitoring page to provide a more streamlined and insightful experience for administrators, improving both data visualization and dashboard accessibility.

Enhanced Visual Layout: Optimized contrast and the introduction of stacked bar charts for clearer data visualization and trend analysis.
Improved Accessibility & Usability:
- Widget Search: Added search functionality to multiple widgets, including Policies, Submitters, and Impersonation.
- Actionable UI: All available actions are now accessible via dedicated buttons.
- State Indicators: Improved UI states to clearly communicate loading, empty datasets, and error conditions.
Granular Data Breakdowns: New views for dispositions by month, malicious email details, link actions, and impersonations.

This applies to all Email Security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Cloudflare WAN, Magic Transit, Cloudflare One - BGP over GRE and IPsec tunnels

Fri, 30 Jan 2026 00:00:00 GMT

Magic WAN and Magic Transit customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and their Magic routing table when using IPsec and GRE tunnel on-ramps (beta).

Using BGP peering allows customers to:

Automate the process of adding or removing networks and subnets.
Take advantage of failure detection and session recovery features.

With this functionality, customers can:

Establish an eBGP session between their devices and the Magic WAN / Magic Transit service when connected via IPsec and GRE tunnel on-ramps.
Secure the session by MD5 authentication to prevent misconfigurations.
Exchange routes dynamically between their devices and their Magic routing table.

For configuration details, refer to:

Cloudflare One Client - WARP client for Windows (version 2026.1.89.1)

Tue, 27 Jan 2026 18:47:00 GMT

A new Beta release for the Windows WARP client is now available on the beta releases downloads page.

This release contains minor fixes, improvements, and new features.

Changes and improvements

Improvements to multi-user mode. Fixed an issue where when switching from a pre-login registration to a user registration, Mobile Device Management (MDM) configuration association could be lost.
Added a new feature to manage NetBIOS over TCP/IP functionality on the Windows client. NetBIOS over TCP/IP on the Windows client is now disabled by default and can be enabled in device profile settings.
Fixed an issue causing failure of the local network exclusion feature when configured with a timeout of 0.
Improvement for the Windows client certificate posture check to ensure logged results are from checks that run once users log in.
Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2026.1.89.1)

Tue, 27 Jan 2026 18:46:59 GMT

A new Beta release for the macOS WARP client is now available on the beta releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

Fixed an issue causing failure of the local network exclusion feature when configured with a timeout of 0.
Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.

Cloudflare One, Cloudflare WAN - Configure Cloudflare source IPs (beta)

Tue, 27 Jan 2026 00:00:00 GMT

Cloudflare source IPs are the IP addresses used by Cloudflare services (such as Load Balancing, Gateway, and Browser Isolation) when sending traffic to your private networks.

For customers using legacy mode routing, traffic to private networks is sourced from public Cloudflare IPs, which may cause IP conflicts. For customers using Unified Routing mode (beta), traffic to private networks is sourced from dedicated, non-Internet-routable private IPv4 range to ensure:

Symmetric routing over private network connections
Proper firewall state preservation
Private traffic stays on secure paths

Key details:

IPv4: Sourced from 100.64.0.0/12 by default, configurable to any /12 CIDR
IPv6: Sourced from 2606:4700:cf1:5000::/64 (not configurable)
Affected connectors: GRE, IPsec, CNI, WARP Connector, and WARP Client (Cloudflare Tunnel is not affected)

Configuring Cloudflare source IPs requires Unified Routing (beta) and the Cloudflare One Networks Write permission.

For configuration details, refer to Configure Cloudflare source IPs.

Cloudflare One, Access - Require Access protection for zones

Thu, 22 Jan 2026 00:00:00 GMT

You can now require Cloudflare Access protection for all hostnames in your account. When enabled, traffic to any hostname that does not have a matching Access application is automatically blocked.

This deny-by-default approach prevents accidental exposure of internal resources to the public Internet. If a developer deploys a new application or creates a DNS record without configuring an Access application, the traffic is blocked rather than exposed.

How it works

Blocked by default: Traffic to all hostnames in the account is blocked unless an Access application exists for that hostname.
Explicit access required: To allow traffic, create an Access application with an Allow or Bypass policy.
Hostname exemptions: You can exempt specific hostnames from this requirement.

To turn on this feature, refer to Require Access protection.

Access - New granular API token permissions for Cloudflare Access

Thu, 22 Jan 2026 00:00:00 GMT

Three new API token permissions are available for Cloudflare Access, giving you finer-grained control when building automations and integrations:

Access: Organizations Revoke — Grants the ability to revoke user sessions in a Zero Trust organization. Use this permission when you need a token that can terminate active sessions without broader write access to organization settings.
Access: Population Read — Grants read access to the SCIM users and groups synced from an identity provider to Cloudflare Access. Use this permission for tokens that only need to read synced user and group data.
Access: Population Write — Grants write access to the SCIM users and groups synced from an identity provider to Cloudflare Access. Use this permission for tokens that need to create or modify synced user and group data.

These permissions are scoped at the account level and can be combined with existing Access permissions.

For a full list of available permissions, refer to API token permissions.

Magic Transit, Cloudflare Network Firewall, Cloudflare WAN, Network Flow - Network Services navigation update

Thu, 15 Jan 2026 00:00:00 GMT

The Network Services menu structure in Cloudflare's dashboard has been updated to reflect solutions and capabilities instead of product names. This will make it easier for you to find what you need and better reflects how our services work together.

Your existing configurations will remain the same, and you will have access to all of the same features and functionality.

The changes visible in your dashboard may vary based on the products you use. Overall, changes relate to Magic Transit, Magic WAN, and Magic Firewall.

Summary of changes:

A new Overview page provides access to the most common tasks across Magic Transit and Magic WAN.
Product names have been removed from top-level navigation.
Magic Transit and Magic WAN configuration is now organized under Routes and Connectors. For example, you will find IP Prefixes under Routes, and your GRE/IPsec Tunnels under Connectors.
Magic Firewall policies are now called Firewall Policies.
Magic WAN Connectors and Connector On-Ramps are now referenced in the dashboard as Appliances and Appliance profiles. They can be found under Connectors > Appliances.
Network analytics, network health, and real-time analytics are now available under Insights.
Packet Captures are found under Insights > Diagnostics.
You can manage your Sites from Insights > Network health.
You can find Magic Network Monitoring under Insights > Network flow.

If you would like to provide feedback, complete this form. You can also find these details in the January 7, 2026 email titled [FYI] Upcoming Network Services Dashboard Navigation Update.

Risk Score - Support for CrowdStrike device scores in User Risk Scoring

Thu, 15 Jan 2026 00:00:00 GMT

Cloudflare One has expanded its [User Risk Scoring] (/cloudflare-one/insights/risk-score/) capabilities by introducing two new behaviors for organizations using the [CrowdStrike integration] (/cloudflare-one/integrations/service-providers/crowdstrike/).

Administrators can now automatically escalate the risk score of a user if their device matches specific CrowdStrike Zero Trust Assessment (ZTA) score ranges. This allows for more granular security policies that respond dynamically to the health of the endpoint.

New risk behaviors The following risk scoring behaviors are now available:

CrowdStrike low device score: Automatically increases a user's risk score when the connected device reports a "Low" score from CrowdStrike.
CrowdStrike medium device score: Automatically increases a user's risk score when the connected device reports a "Medium" score from CrowdStrike.

These scores are derived from [CrowdStrike device posture attributes] (/cloudflare-one/integrations/service-providers/crowdstrike/#device-posture-attributes), including OS signals and sensor configurations.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Verify WARP Connector connectivity with a simple ping

Thu, 15 Jan 2026 00:00:00 GMT

We have made it easier to validate connectivity when deploying WARP Connector as part of your software-defined private network.

You can now ping the WARP Connector host directly on its LAN IP address immediately after installation. This provides a fast, familiar way to confirm that the Connector is online and reachable within your network before testing access to downstream services.

Starting with version 2025.10.186.0, WARP Connector responds to traffic addressed to its own LAN IP, giving you immediate visibility into Connector reachability.

Learn more about deploying WARP Connector and building private network connectivity with Cloudflare One.

Cloudflare One Client - WARP client for Windows (version 2025.10.186.0)

Tue, 13 Jan 2026 15:48:19 GMT

A new GA release for the Windows WARP client is now available on the stable releases downloads page.

This release contains minor fixes, improvements, and new features. New features include the ability to manage WARP client connectivity for all devices in your fleet using an external signal, and a new WARP client device posture check for Antivirus.

Changes and improvements

Added a new feature to manage WARP client connectivity for all devices using an external signal. This feature allows administrators to send a global signal from an on-premises HTTPS endpoint that force disconnects or reconnects all WARP clients in an account based on configuration set on the endpoint.
Fixed an issue that caused occasional audio degradation and increased CPU usage on Windows by optimizing route configurations for large domain-based split tunnel rules.
The Local Domain Fallback feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
Proxy mode now supports transparent HTTP proxying in addition to CONNECT-based proxying.
Fixed an issue where sending large messages to the daemon by Inter-Process Communication (IPC) could cause the daemon to fail and result in service interruptions.
Added support for a new WARP client device posture check for Antivirus. The check confirms the presence of an antivirus program on a Windows device with the option to check if the antivirus is up to date.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.10.186.0)

Tue, 13 Jan 2026 15:48:17 GMT

A new GA release for the macOS WARP client is now available on the stable releases downloads page.

This release contains minor fixes, improvements, and new features, including the ability to manage WARP client connectivity for all devices in your fleet using an external signal.

Changes and improvements

The Local Domain Fallback feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
Proxy mode now supports transparent HTTP proxying in addition to CONNECT-based proxying.
Added a new feature to manage WARP client connectivity for all devices using an external signal. This feature allows administrators to send a global signal from an on-premises HTTPS endpoint that force disconnects or reconnects all WARP clients in an account based on configuration set on the endpoint.

Cloudflare One Client - WARP client for Linux (version 2025.10.186.0)

Tue, 13 Jan 2026 01:53:14 GMT

A new GA release for the Linux WARP client is now available on the stable releases downloads page.

This release contains minor fixes, improvements, and new features, including the ability to manage WARP client connectivity for all devices in your fleet using an external signal.

Changes and improvements

The Local Domain Fallback feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
Linux disk encryption posture check now supports non-filesystem encryption types like dm-crypt.
Proxy mode now supports transparent HTTP proxying in addition to CONNECT-based proxying.
Fixed an issue where the GUI becomes unresponsive when the Re-Authenticate in browser button is clicked.
Added a new feature to manage WARP client connectivity for all devices using an external signal. This feature allows administrators to send a global signal from an on-premises HTTPS endpoint that force disconnects or reconnects all WARP clients in an account based on configuration set on the endpoint.

Email security - Enhanced visibility for post-delivery actions

Mon, 12 Jan 2026 11:15:33 GMT

The Action Log now provides enriched data for post-delivery actions to improve troubleshooting. In addition to success confirmations, failed actions now display the targeted Destination folder and a specific failure reason within the Activity field.

This update allows you to see the full lifecycle of a failed action. For instance, if an administrator tries to move an email that has already been deleted or moved manually, the log will now show the multiple retry attempts and the specific destination error.

This applies to all Email Security packages:

Enterprise
Enterprise + PhishGuard

Access - Cloudflare admin activity logs capture creation of DNS over HTTP (DoH) users

Thu, 08 Jan 2026 00:00:00 GMT

Cloudflare admin activity logs now capture each time a DNS over HTTP (DoH) user is created.

These logs can be viewed from the Cloudflare One dashboard, pulled via the Cloudflare API, and exported through Logpush.

Cloudflare One Appliance, Cloudflare One, Cloudflare WAN - Breakout traffic visibility via NetFlow

Wed, 31 Dec 2025 00:00:00 GMT

Magic WAN Connector now exports NetFlow data for breakout traffic to Magic Network Monitoring (MNM), providing visibility into traffic that bypasses Cloudflare's security filtering.

This feature allows you to:

Monitor breakout traffic statistics in the Cloudflare dashboard.
View traffic patterns for applications configured to bypass Cloudflare.
Maintain visibility across all traffic passing through your Magic WAN Connector.

For more information, refer to NetFlow statistics.

Gateway, Cloudflare One - Shadow IT - domain level SaaS analytics

Wed, 17 Dec 2025 00:00:00 GMT

Zero Trust has again upgraded its Shadow IT analytics, providing you with unprecedented visibility into your organizations use of SaaS tools. With this dashboard, you can review who is using an application and volumes of data transfer to the application.

With this update, you can review data transfer metrics at the domain level, rather than just the application level, providing more granular insight into your data transfer patterns.

These metrics can be filtered by all available filters on the dashboard, including user, application, or content category.

Both the analytics and policies are accessible in the Cloudflare Zero Trust dashboard, empowering organizations with better visibility and control.

Cloudflare One - New duplicate action for supported Cloudflare One resources

Tue, 16 Dec 2025 00:00:00 GMT

You can now duplicate specific Cloudflare One resources with a single click from the dashboard.

Initially supported resources:

Access Applications
Access Policies
Gateway Policies

To try this out, simply click on the overflow menu (⋮) from the resource table and click Duplicate. We will continue to add the Duplicate action for resources throughout 2026.

Cloudflare One Client - WARP client for Windows (version 2025.10.118.1)

Tue, 09 Dec 2025 23:03:10 GMT

A new Beta release for the Windows WARP client is now available on the beta releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

The Local Domain Fallback feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
Proxy mode now supports transparent HTTP proxying in addition to CONNECT-based proxying.
Fixed an issue where sending large messages to the WARP daemon by Inter-Process Communication (IPC) could cause WARP to crash and result in service interruptions.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.10.118.1)

Tue, 09 Dec 2025 23:02:28 GMT

A new Beta release for the macOS WARP client is now available on the beta releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

The Local Domain Fallback feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
Proxy mode now supports transparent HTTP proxying in addition to CONNECT-based proxying.

Email security - Reclassifications to Submissions

Wed, 03 Dec 2025 21:11:33 GMT

We have updated the terminology “Reclassify” and “Reclassifications” to “Submit” and “Submissions” respectively. This update more accurately reflects the outcome of providing these items to Cloudflare.

Submissions are leveraged to tune future variants of campaigns. To respect data sanctity, providing a submission does not change the original disposition of the emails submitted.

This applies to all Email Security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Email security - Adjustment to Final Disposition Column

Tue, 18 Nov 2025 00:00:00 GMT

Adjustment to Final Disposition column

The Final Disposition column in Submissions > Team Submissions tab is changing for non-Phishguard customers.

What's Changing

Column will be called Status instead of Final Disposition
Column status values will now be: Submitted, Accepted or Rejected.

Next Steps

We will listen carefully to your feedback and continue to find comprehensive ways to communicate updates on your submissions. Your submissions will continue to be addressed at an even greater rate than before, fuelling faster and more accurate email security improvement.

Cloudflare One - New Cloudflare One Navigation and Product Experience

Mon, 17 Nov 2025 00:00:00 GMT

The Zero Trust dashboard and navigation is receiving significant and exciting updates. The dashboard is being restructured to better support common tasks and workflows, and various pages have been moved and consolidated.

There is a new guided experience on login detailing the changes, and you can use the Zero Trust dashboard search to find product pages by both their new and old names, as well as your created resources. To replay the guided experience, you can find it in Overview > Get Started.

Notable changes

Product names have been removed from many top-level navigation items to help bring clarity to what they help you accomplish. For example, you can find Gateway policies under ‘Traffic policies' and CASB findings under ‘Cloud & SaaS findings.'
You can view all analytics, logs, and real-time monitoring tools from ‘Insights.'
‘Networks' better maps the ways that your corporate network interacts with Cloudflare. Some pages like Tunnels, are now a tab rather than a full page as part of these changes. You can find them at Networks > Connectors.
Settings are now located closer to the tools and resources they impact. For example, this means you'll find your WARP configurations at Team & Resources > Devices.

No changes to our API endpoint structure or to any backend services have been made as part of this effort.

Access - Generate Cloudflare Access SSH certificate authority (CA) directly from the Cloudflare dashboard

Fri, 14 Nov 2025 00:00:00 GMT

SSH with Cloudflare Access for Infrastructure allows you to use short-lived SSH certificates to eliminate SSH key management and reduce security risks associated with lost or stolen keys.

Previously, users had to generate this certificate by using the Cloudflare API directly. With this update, you can now create and manage this certificate in the Cloudflare One dashboard from the Access controls > Service credentials page.

For more details, refer to Generate a Cloudflare SSH CA.

CASB - New SaaS Security weekly digests with API CASB

Fri, 14 Nov 2025 00:00:00 GMT

You can now stay on top of your SaaS security posture with the new CASB Weekly Digest notification. This opt-in email digest is delivered to your inbox every Monday morning and provides a high-level summary of your organization's Cloudflare API CASB findings from the previous week.

This allows security teams and IT administrators to get proactive, at-a-glance visibility into new risks and integration health without having to log in to the dashboard.

To opt in, navigate to Manage Account > Notifications in the Cloudflare dashboard to configure the CASB Weekly Digest alert type.

Key capabilities

At-a-glance summary — Review new high/critical findings, most frequent finding types, and new content exposures from the past 7 days.
Integration health — Instantly see the status of all your connected SaaS integrations (Healthy, Unhealthy, or Paused) to spot API connection issues.
Proactive alerting — The digest is sent automatically to all subscribed users every Monday morning.
Easy to configure — Users can opt in by enabling the notification in the Cloudflare dashboard under Manage Account > Notifications.

Learn more

Configure notification preferences in Cloudflare.

The CASB Weekly Digest notification is available to all Cloudflare users today.

Digital Experience Monitoring - DEX Logpush jobs

Wed, 12 Nov 2025 00:00:00 GMT

Digital Experience Monitoring (DEX) provides visibility into WARP device metrics, connectivity, and network performance across your Cloudflare SASE deployment.

We've released four new WARP and DEX device data sets that can be exported via Cloudflare Logpush. These Logpush data sets can be exported to R2, a cloud bucket, or a SIEM to build a customized logging and analytics experience.

To create a new DEX or WARP Logpush job, customers can go to the account level of the Cloudflare dashboard > Analytics & Logs > Logpush to get started.

Cloudflare One Client - WARP client for Windows (version 2025.9.558.0)

Tue, 11 Nov 2025 17:28:35 GMT

A new GA release for the Windows WARP client is now available on the stable releases downloads page.

This release contains minor fixes, improvements, and new features including Path Maximum Transmission Unit Discovery (PMTUD). When PMTUD is enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to diagnose connectivity issues.

Changes and improvements

Fixed an inconsistency with Global WARP override settings in multi-user environments when switching between users.
The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to diagnose connectivity issues.
Fixed an issue where deleting a registration was erroneously reported as having failed.
Path Maximum Transmission Unit Discovery (PMTUD) may now be used to discover the effective MTU of the connection. This allows the WARP client to improve connectivity optimized for each network. PMTUD is disabled by default. To enable it, refer to the PMTUD documentation.
Improvements for the OS version WARP client check. Windows Updated Build Revision (UBR) numbers can now be checked by the client to ensure devices have required security patches and features installed.
The WARP client now supports Windows 11 ARM-based machines. For information on known limitations, refer to the Known limitations page.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.9.558.0)

Tue, 11 Nov 2025 17:28:35 GMT

A new GA release for the macOS WARP client is now available on the stable releases downloads page.

Changes and improvements

The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to diagnose connectivity issues.
Fixed an issue where deleting a registration was erroneously reported as having failed.
Path Maximum Transmission Unit Discovery (PMTUD) may now be used to discover the effective MTU of the connection. This allows the WARP client to improve connectivity optimized for each network. PMTUD is disabled by default. To enable it, refer to the PMTUD documentation.

Known issues

Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Cloudflare One Client - WARP client for Linux (version 2025.9.558.0)

Tue, 11 Nov 2025 15:06:09 GMT

A new GA release for the Linux WARP client is now available on the stable releases downloads page.

Changes and improvements

The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to diagnose connectivity issues.
Fixed an issue where deleting a registration was erroneously reported as having failed.
Path Maximum Transmission Unit Discovery (PMTUD) may now be used to discover the effective MTU of the connection. This allows the WARP client to improve connectivity optimized for each network. PMTUD is disabled by default. To enable it, refer to the PMTUD documentation.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - cloudflared proxy-dns command will be removed starting February 2, 2026

Tue, 11 Nov 2025 00:00:00 GMT

Starting February 2, 2026, the cloudflared proxy-dns command will be removed from all new cloudflared releases.

This change is being made to enhance security and address a potential vulnerability in an underlying DNS library. This vulnerability is specific to the proxy-dns command and does not affect any other cloudflared features, such as the core Cloudflare Tunnel service.

The proxy-dns command, which runs a client-side DNS-over-HTTPS (DoH) proxy, has been an officially undocumented feature for several years. This functionality is fully and securely supported by our actively developed products.

Versions of cloudflared released before this date will not be affected and will continue to operate. However, note that our official support policy for any cloudflared release is one year from its release date.

Migration paths

We strongly advise users of this undocumented feature to migrate to one of the following officially supported solutions before February 2, 2026, to continue benefiting from secure DNS-over-HTTPS.

End-user devices

The preferred method for enabling DNS-over-HTTPS on user devices is the Cloudflare WARP client. The WARP client automatically secures and proxies all DNS traffic from your device, integrating it with your organization's Zero Trust policies and posture checks.

Servers, routers, and IoT devices

For scenarios where installing a client on every device is not possible (such as servers, routers, or IoT devices), we recommend using the WARP Connector.

Instead of running cloudflared proxy-dns on a machine, you can install the WARP Connector on a single Linux host within your private network. This connector will act as a gateway, securely routing all DNS and network traffic from your entire subnet to Cloudflare for filtering and logging.

Cloudflare One, Cloudflare WAN - Automatic Return Routing (Beta)

Thu, 06 Nov 2025 00:00:00 GMT

Magic WAN now supports Automatic Return Routing (ARR), allowing customers to configure Magic on-ramps (IPsec/GRE/CNI) to learn the return path for traffic flows without requiring static routes.

Key benefits:

Route-less mode: Static or dynamic routes are optional when using ARR.
Overlapping IP space support: Traffic originating from customer sites can use overlapping private IP ranges.
Symmetric routing: Return traffic is guaranteed to use the same connection as the original on-ramp.

This feature is currently in beta and requires the new Unified Routing mode (beta).

For configuration details, refer to Configure Automatic Return Routing.

Cloudflare One Appliance, Cloudflare One, Cloudflare WAN - Designate WAN link for breakout traffic

Thu, 06 Nov 2025 00:00:00 GMT

Magic WAN Connector now allows you to designate a specific WAN port for breakout traffic, giving you deterministic control over the egress path for latency-sensitive applications.

With this feature, you can:

Pin breakout traffic for specific applications to a preferred WAN port.
Ensure critical traffic (such as Zoom or Teams) always uses your fastest or most reliable connection.
Benefit from automatic failover to standard WAN port priority if the preferred port goes down.

This is useful for organizations with multiple ISP uplinks who need predictable egress behavior for performance-sensitive traffic.

For configuration details, refer to Designate WAN ports for breakout apps.

Gateway - Applications to be remapped to the new categories

Thu, 06 Nov 2025 00:00:00 GMT

We have previously added new application categories to better reflect their content and improve HTTP traffic management: refer to Changelog. While the new categories are live now, we want to ensure you have ample time to review and adjust any existing rules you have configured against old categories. The remapping of existing applications into these new categories will be completed by January 30, 2026. This timeline allows you a dedicated period to:

Review the new category structure.
Identify any policies you have that target the older categories.
Adjust your rules to reference the new, more precise categories before the old mappings change. Once the applications have been fully remapped by January 30, 2026, you might observe some changes in the traffic being mitigated or allowed by your existing policies. We encourage you to use the intervening time to prepare for a smooth transition.

Applications being remappedd

Application Name	Existing Category	New Category
Google Photos	File Sharing	Photography & Graphic Design
Flickr	File Sharing	Photography & Graphic Design
ADP	Human Resources	Business
Greenhouse	Human Resources	Business
myCigna	Human Resources	Health & Fitness
UnitedHealthcare	Human Resources	Health & Fitness
ZipRecruiter	Human Resources	Business
Amazon Business	Human Resources	Business
Jobcenter	Human Resources	Business
Jobsuche	Human Resources	Business
Zenjob	Human Resources	Business
DocuSign	Legal	Business
Postident	Legal	Business
Adobe Creative Cloud	Productivity	Photography & Graphic Design
Airtable	Productivity	Development
Autodesk Fusion360	Productivity	IT Management
Coursera	Productivity	Education
Microsoft Power BI	Productivity	Business
Tableau	Productivity	Business
Duolingo	Productivity	Education
Adobe Reader	Productivity	Business
AnpiReport	Productivity	Travel
ビズリーチ	Productivity	Business
doda (デューダ)	Productivity	Business
求人ボックス	Productivity	Business
マイナビ2026	Productivity	Business
Power Apps	Productivity	Business
RECRUIT AGENT	Productivity	Business
シフトボード	Productivity	Business
スタンバイ	Productivity	Business
Doctolib	Productivity	Health & Fitness
Miro	Productivity	Photography & Graphic Design
MyFitnessPal	Productivity	Health & Fitness
Sentry Mobile	Productivity	Travel
Slido	Productivity	Photography & Graphic Design
Arista Networks	Productivity	IT Management
Atlassian	Productivity	Business
CoderPad	Productivity	Business
eAgreements	Productivity	Business
Vmware	Productivity	IT Management
Vmware Vcenter	Productivity	IT Management
AWS Skill Builder	Productivity	Education
Microsoft Office 365 (GCC)	Productivity	Business
Microsoft Exchange Online (GCC)	Productivity	Business
Canva	Sales & Marketing	Photography & Graphic Design
Instacart	Shopping	Food & Drink
Wawa	Shopping	Food & Drink
McDonald's	Shopping	Food & Drink
Vrbo	Shopping	Travel
American Airlines	Shopping	Travel
Booking.com	Shopping	Travel
Ticketmaster	Shopping	Entertainment & Events
Airbnb	Shopping	Travel
DoorDash	Shopping	Food & Drink
Expedia	Shopping	Travel
EasyPark	Shopping	Travel
UEFA Tickets	Shopping	Entertainment & Events
DHL Express	Shopping	Business
UPS	Shopping	Business

For more information on creating HTTP policies, refer to Applications and app types.

Access - Access private hostname applications support all ports/protocols

Tue, 28 Oct 2025 00:00:00 GMT

Cloudflare Access for private hostname applications can now secure traffic on all ports and protocols.

Previously, applying Zero Trust policies to private applications required the application to use HTTPS on port 443 and support Server Name Indicator (SNI).

This update removes that limitation. As long as the application is reachable via a Cloudflare off-ramp, you can now enforce your critical security controls — like single sign-on (SSO), MFA, device posture, and variable session lengths — to any private application. This allows you to extend Zero Trust security to services like SSH, RDP, internal databases, and other non-HTTPS applications.

For example, you can now create a self-hosted application in Access for ssh.testapp.local running on port 22. You can then build a policy that only allows engineers in your organization to connect after they pass an SSO/MFA check and are using a corporate device.

This feature is generally available across all plans.

CASB - CASB introduces new granular roles

Tue, 28 Oct 2025 00:00:00 GMT

Cloudflare CASB (Cloud Access Security Broker) now supports two new granular roles to provide more precise access control for your security teams:

Cloudflare CASB Read: Provides read-only access to view CASB findings and dashboards. This role is ideal for security analysts, compliance auditors, or team members who need visibility without modification rights.
Cloudflare CASB: Provides full administrative access to configure and manage all aspects of the CASB product.

These new roles help you better enforce the principle of least privilege. You can now grant specific members access to CASB security findings without assigning them broader permissions, such as the Super Administrator or Administrator roles.

To enable Data Loss Prevention (DLP), scans in CASB, account members will need the Cloudflare Zero Trust role.

You can find these new roles when inviting members or creating API tokens in the Cloudflare dashboard under Manage Account > Members.

To learn more about managing roles and permissions, refer to the Manage account members and roles documentation.

Gateway - New Application Categories added for HTTP Traffic Management

Tue, 28 Oct 2025 00:00:00 GMT

To give you precision and flexibility while creating policies to block unwanted traffic, we are introducing new, more granular application categories in the Gateway product.

We have added the following categories to provide more precise organization and allow for finer-grained policy creation, designed around how users interact with different types of applications:

Business
Education
Entertainment & Events
Food & Drink
Health & Fitness
Lifestyle
Navigation
Photography & Graphic Design
Travel

The new categories are live now, but we are providing a transition period for existing applications to be fully remapped to these new categories.

The full remapping will be completed by January 30, 2026.

We encourage you to use this time to:

Review the new category structure.
Identify and adjust any existing HTTP policies that reference older categories to ensure a smooth transition.

For more information on creating HTTP policies, refer to Applications and app types.

Gateway - Schedule DNS policies from the UI

Mon, 20 Oct 2025 00:00:00 GMT

Admins can now create scheduled DNS policies directly from the Zero Trust dashboard, without using the API. You can configure policies to be active during specific, recurring times, such as blocking social media during business hours or gaming sites on school nights.

Preset Schedules: Use built-in templates for common scenarios like Business Hours, School Days, Weekends, and more.
Custom Schedules: Define your own schedule with specific days and up to three non-overlapping time ranges per day.
Timezone Control: Choose to enforce a schedule in a specific timezone (for example, US Eastern) or based on the local time of each user.
Combined with Duration: Policies can have both a schedule and a duration. If both are set, the duration's expiration takes precedence.

You can see the flow in the demo GIF:

This update makes time-based DNS policies accessible to all Gateway customers, removing the technical barrier of the API.

Email security - On-Demand Security Report

Fri, 17 Oct 2025 22:14:43 GMT

You can now generate on-demand security reports directly from the Cloudflare dashboard. This new feature provides a comprehensive overview of your email security posture, making it easier than ever to demonstrate the value of Cloudflare’s Email security to executives and other decision makers.

These reports offer several key benefits:

Executive Summary: Quickly view the performance of Email security with a high-level executive summary.
Actionable Insights: Dive deep into trend data, breakdowns of threat types, and analysis of top targets to identify and address vulnerabilities.
Configuration Transparency: Gain a clear view of your policy, submission, and domain configurations to ensure optimal setup.
Account Takeover Risks: Get a snapshot of your M365 risky users (requires a Microsoft Entra ID P2 license and M365 SaaS integration).

This feature is available across the following Email security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Cloudflare One Client - WARP client for Windows (version 2025.9.173.1)

Thu, 16 Oct 2025 15:29:54 GMT

A new Beta release for the Windows WARP client is now available on the beta releases downloads page.

This release contains minor fixes, improvements, and new features including Path Maximum Transmission Unit Discovery (PMTUD). With PMTUD enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to debug connectivity issues.

Changes and improvements

Improvements for Windows multi-user to maintain the Global WARP override state when switching between users.
The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to debug connectivity issues.
Deleting registrations no longer returns an error when succeeding.
Path Maximum Transmission Unit Discovery (PMTUD) is now used to discover the effective MTU of the connection. This allows the client to improve connection performance optimized for the current network.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.9.173.1)

Thu, 16 Oct 2025 15:29:52 GMT

A new Beta release for the macOS WARP client is now available on the beta releases downloads page.

Changes and improvements

The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to debug connectivity issues.
Deleting registrations no longer returns an error when succeeding.
Path Maximum Transmission Unit Discovery (PMTUD) is now used to discover the effective MTU of the connection. This allows the client to improve connection performance optimized for the current network.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Gateway - New domain categories added

Fri, 10 Oct 2025 00:00:00 GMT

We have added three new domain categories under the Technology parent category, to better reflect online content and improve DNS filtering.

New categories added

Parent ID	Parent Name	Category ID	Category Name
26	Technology	194	Keep Awake Software
26	Technology	192	Remote Access
26	Technology	193	Shareware/Freeware

Refer to Gateway domain categories to learn more.

Cloudflare One Client - WARP client for Linux (version 2025.8.779.0)

Tue, 07 Oct 2025 19:20:00 GMT

A new GA release for the Linux WARP client is now available on the stable releases downloads page.

This release contains significant fixes and improvements including an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025. Instructions to make this update are available at pkg.cloudflareclient.com.

Changes and improvements

Proxy mode has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCK5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases.
The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity.

Known issues

Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Cloudflare One Client - WARP client for Windows (version 2025.8.779.0)

Tue, 07 Oct 2025 17:02:40 GMT

A new GA release for the Windows WARP client is now available on the stable releases downloads page.

This release contains significant fixes and improvements.

Changes and improvements

Proxy mode has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCK5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases.
The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.8.779.0)

Tue, 07 Oct 2025 17:02:40 GMT

A new GA release for the macOS WARP client is now available on the stable releases downloads page.

This release contains significant fixes and improvements.

Changes and improvements

Proxy mode has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCK5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases.
The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Cloudflare Fundamentals, Access - Fine-grained Permissioning for Access for Apps, IdPs, & Targets now in Public Beta

Thu, 02 Oct 2025 00:00:00 GMT

Fine-grained permissions for Access Applications, Identity Providers (IdPs), and Targets is now available in Public Beta. This expands our RBAC model beyond account & zone-scoped roles, enabling administrators to grant permissions scoped to individual resources.

What's New

Access Applications: Grant admin permissions to specific Access Applications.
Identity Providers: Grant admin permissions to individual Identity Providers.
Targets: Grant admin rights to specific Targets

For more info:

Data Loss Prevention - Expanded File Type Controls for Executables and Disk Images

Wed, 01 Oct 2025 00:00:00 GMT

You can now enhance your security posture by blocking additional application installer and disk image file types with Cloudflare Gateway. Preventing the download of unauthorized software packages is a critical step in securing endpoints from malware and unwanted applications.

We have expanded Gateway's file type controls to include:

Apple Disk Image (dmg)
Microsoft Software Installer (msix, appx)
Apple Software Package (pkg)

You can find these new options within the Upload File Types and Download File Types selectors when creating or editing an HTTP policy. The file types are categorized as follows:

System: Apple Disk Image (dmg)
Executable: Microsoft Software Installer (msix), Microsoft Software Installer (appx), Apple Software Package (pkg)

To ensure these file types are blocked effectively, please note the following behaviors:

DMG: Due to their file structure, DMG files are blocked at the very end of the transfer. A user's download may appear to progress but will fail at the last moment, preventing the browser from saving the file.
MSIX: To comprehensively block Microsoft Software Installers, you should also include the file type Unscannable. MSIX files larger than 100 MB are identified as Unscannable ZIP files during inspection.

To get started, go to your HTTP policies in Zero Trust. For a full list of file types, refer to supported file types.

Cloudflare One Client - WARP client for Windows (version 2025.7.176.0)

Tue, 30 Sep 2025 20:43:09 GMT

A new GA release for the Windows WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

MASQUE is now the default tunnel protocol for all new WARP device profiles.
Improvement to limit idle connections in Gateway with DoH mode to avoid unnecessary resource usage that can lead to DoH requests not resolving.
Improvement to maintain TCP connections to reduce interruptions in long-lived connections such as RDP or SSH.
Improvements to maintain Global WARP override settings when switching between organizations.
Improvements to maintain client connectivity during network changes.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.7.176.0)

Tue, 30 Sep 2025 20:43:08 GMT

A new GA release for the macOS WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

Fixed a bug preventing the warp-diag captive-portal command from running successfully due to the client not parsing SSID on macOS.
Improvements to maintain Global WARP override settings when switching between organizations.
MASQUE is now the default tunnel protocol for all new WARP device profiles.
Improvement to limit idle connections in Gateway with DoH mode to avoid unnecessary resource usage that can lead to DoH requests not resolving.
Improvements to maintain client connectivity during network changes.
The WARP client now supports macOS Tahoe (version 26.0).

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Cloudflare One Client - WARP client for Linux (version 2025.7.176.0)

Tue, 30 Sep 2025 20:20:30 GMT

A new GA release for the Linux WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements including an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025. Instructions to make this update are available at pkg.cloudflareclient.com.

Changes and improvements

MASQUE is now the default tunnel protocol for all new WARP device profiles.
Improvement to limit idle connections in Gateway with DoH mode to avoid unnecessary resource usage that can lead to DoH requests not resolving.
Improvements to maintain Global WARP override settings when switching between organizations.
Improvements to maintain client connectivity during network changes.

Known issues

Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Gateway - Application granular controls for operations in SaaS applications

Tue, 30 Sep 2025 00:00:00 GMT

Gateway users can now apply granular controls to their file sharing and AI chat applications through HTTP policies.

The new feature offers two methods of controlling SaaS applications:

Application Controls are curated groupings of Operations which provide an easy way for users to achieve a specific outcome. Application Controls may include Upload, Download, Prompt, Voice, and Share depending on the application.
Operations are controls aligned to the most granular action a user can take. This provides a fine-grained approach to enforcing policy and generally aligns to the SaaS providers API specifications in naming and function.

Get started using Application Granular Controls and refer to the list of supported applications.

Gateway, Data Loss Prevention - Refine DLP Scans with New Body Phase Selector

Thu, 25 Sep 2025 00:00:00 GMT

You can now more precisely control your HTTP DLP policies by specifying whether to scan the request or response body, helping to reduce false positives and target specific data flows.

In the Gateway HTTP policy builder, you will find a new selector called Body Phase. This allows you to define the direction of traffic the DLP engine will inspect:

Request Body: Scans data sent from a user's machine to an upstream service. This is ideal for monitoring data uploads, form submissions, or other user-initiated data exfiltration attempts.
Response Body: Scans data sent to a user's machine from an upstream service. Use this to inspect file downloads and website content for sensitive data.

For example, consider a policy that blocks Social Security Numbers (SSNs). Previously, this policy might trigger when a user visits a website that contains example SSNs in its content (the response body). Now, by setting the Body Phase to Request Body, the policy will only trigger if the user attempts to upload or submit an SSN, ignoring the content of the web page itself.

All policies without this selector will continue to scan both request and response bodies to ensure continued protection.

For more information, refer to Gateway HTTP policy selectors.

Email security - Invalid Submissions Feedback

Tue, 23 Sep 2025 23:11:49 GMT

Email security relies on your submissions to continuously improve our detection models. However, we often receive submissions in formats that cannot be ingested, such as incomplete EMLs, screenshots, or text files.

To ensure all customer feedback is actionable, we have launched two new features to manage invalid submissions sent to our team and user submission aliases:

Email Notifications: We now automatically notify users by email when they provide an invalid submission, educating them on the correct format. To disable notifications, go to Settings > Invalid submission emails and turn the feature off.

Invalid Submission dashboard: You can quickly identify which users need education to provide valid submissions so Cloudflare can provide continuous protection.

Learn more about this feature on invalid submissions.

This feature is available across these Email security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Access - Access Remote Desktop Protocol (RDP) destinations securely from your browser — now generally available!

Mon, 22 Sep 2025 00:00:00 GMT

Browser-based RDP with Cloudflare Access is now generally available for all Cloudflare customers. It enables secure, remote Windows server access without VPNs or RDP clients.

Since we announced our open beta, we've made a few improvements:

Support for targets with IPv6.
Support for Magic WAN and WARP Connector as on-ramps.
More robust error messaging on the login page to help you if you encounter an issue.
Worldwide keyboard support. Whether your day-to-day is in Portuguese, Chinese, or something in between, your browser-based RDP experience will look and feel exactly like you are using a desktop RDP client.
Cleaned up some other miscellaneous issues, including but not limited to enhanced support for Entra ID accounts and support for usernames with spaces, quotes, and special characters.

As a refresher, here are some benefits browser-based RDP provides:

Control how users authenticate to internal RDP resources with single sign-on (SSO), multi-factor authentication (MFA), and granular access policies.
Record who is accessing which servers and when to support regulatory compliance requirements and to gain greater visibility in the event of a security event.
Eliminate the need to install and manage software on user devices. You will only need a web browser.
Reduce your attack surface by keeping your RDP servers off the public Internet and protecting them from common threats like credential stuffing or brute-force attacks.

To get started, refer to Connect to RDP in a browser.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Connect and secure any private or public app by hostname, not IP — with hostname routing for Cloudflare Tunnel

Thu, 18 Sep 2025 00:00:00 GMT

You can now route private traffic to Cloudflare Tunnel based on a hostname or domain, moving beyond the limitations of IP-based routing. This new capability is free for all Cloudflare One customers.

Previously, Tunnel routes could only be defined by IP address or CIDR range. This created a challenge for modern applications with dynamic or ephemeral IP addresses, often forcing administrators to maintain complex and brittle IP lists.

What’s new:

Hostname & Domain Routing: Create routes for individual hostnames (e.g., payroll.acme.local) or entire domains (e.g., *.acme.local) and direct their traffic to a specific Tunnel.
Simplified Zero Trust Policies: Build resilient policies in Cloudflare Access and Gateway using stable hostnames, making it dramatically easier to apply per-resource authorization for your private applications.
Precise Egress Control: Route traffic for public hostnames (e.g., bank.example.com) through a specific Tunnel to enforce a dedicated source IP, solving the IP allowlist problem for third-party services.
No More IP Lists: This feature makes the workaround of maintaining dynamic IP Lists for Tunnel connections obsolete.

Get started in the Tunnels section of the Zero Trust dashboard with your first private hostname or public hostname route.

Learn more in our blog post.

Cloudflare One - New AI-Enabled Search for Zero Trust Dashboard

Tue, 16 Sep 2025 00:00:00 GMT

Zero Trust Dashboard has a brand new, AI-powered search functionality. You can search your account by resources (applications, policies, device profiles, settings, etc.), pages, products, and more.

Ask Cloudy — You can also ask Cloudy, our AI agent, questions about Cloudflare Zero Trust. Cloudy is trained on our developer documentation and implementation guides, so it can tell you how to configure functionality, best practices, and can make recommendations.

Cloudy can then stay open with you as you move between pages to build configuration or answer more questions.

Find Recents — Recent searches and Cloudy questions also have a new tab under Zero Trust Overview.

Email security - Regional Email Processing for Germany, India, or Australia

Thu, 11 Sep 2025 23:15:00 GMT

We’re excited to announce that Email security customers can now choose their preferred mail processing location directly from the UI when onboarding a domain. This feature is available for the following onboarding methods: MX, BCC, and Journaling.

What’s new

Customers can now select where their email is processed. The following regions are supported:

Germany
India
Australia

Global processing remains the default option, providing flexibility to meet both compliance requirements or operational preferences.

How to use it

When onboarding a domain with MX, BCC, or Journaling:

Select the desired processing location (Germany, India, or Australia).
The UI will display updated processing addresses specific to that region.
For MX onboarding, if your domain is managed by Cloudflare, you can automatically update MX records directly from the UI.

Availability

This feature is available across these Email security packages:

Advantage
Enterprise
Enterprise + PhishGuard

What’s next

We’re expanding the list of processing locations to match our Data Localization Suite (DLS) footprint, giving customers the broadest set of regional options in the market without the complexity of self-hosting.

Gateway, Cloudflare WAN, Cloudflare Tunnel for SASE - DNS filtering for private network onramps

Thu, 11 Sep 2025 00:00:00 GMT

Magic WAN and WARP Connector users can now securely route their DNS traffic to the Gateway resolver without exposing traffic to the public Internet.

Routing DNS traffic to the Gateway resolver allows DNS resolution and filtering for traffic coming from private networks while preserving source internal IP visibility. This ensures Magic WAN users have full integration with our Cloudflare One features, including Internal DNS and hostname-based policies.

To configure DNS filtering, change your Magic WAN or WARP Connector DNS settings to use Cloudflare's shared resolver IPs, 172.64.36.1 and 172.64.36.2. Once you configure DNS resolution and filtering, you can use Source Internal IP as a traffic selector in your resolver policies for routing private DNS traffic to your Internal DNS.

Cloudflare One Client - WARP client for Windows (version 2025.7.106.1)

Wed, 10 Sep 2025 14:09:30 GMT

A new Beta release for the Windows WARP client is now available on the beta releases downloads page.

This release contains minor fixes and improvements including enhancements to Proxy mode for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or all devices matching the profile will lose connectivity.

Changes and improvements

Enhancements to Proxy mode for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or all devices matching the profile will lose connectivity.
Improvement to keep TCP connections up the first time WARP connects on devices so that remote desktop sessions (such as RDP or SSH) continue to work.
Improvements to maintain Global WARP Override settings when switching between organization configurations.
The MASQUE protocol is now the default protocol for all new WARP device profiles.
Improvement to limit idle connections in DoH mode to avoid unnecessary resource usage that can lead to DoH requests not resolving.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.7.106.1)

Wed, 10 Sep 2025 14:09:02 GMT

A new Beta release for the macOS WARP client is now available on the beta releases downloads page.

Changes and improvements

Enhancements to Proxy mode for even faster resolution. The MASQUE protocol is now the only protocol that can use Proxy mode. If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or all devices matching the profile will lose connectivity.
Fixed a bug preventing the warp-diag captive-portal command from running successfully due to the client not parsing SSID on macOS.
Improvements to maintain Global WARP Override settings when switching between organization configurations.
The MASQUE protocol is now the default protocol for all new WARP device profiles.
Improvement to limit idle connections in DoH mode to avoid unnecessary resource usage that can lead to DoH requests not resolving.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Cloudflare WAN - Custom IKE ID for IPsec Tunnels

Mon, 08 Sep 2025 00:00:00 GMT

Now, Magic WAN customers can configure a custom IKE ID for their IPsec tunnels. Customers that are using Magic WAN and a VeloCloud SD-WAN device together can utilize this new feature to create a high availability configuration.

This feature is available via API only. Customers can read the Magic WAN documentation to learn more about the Custom IKE ID feature and the API call to configure it.

Cloudflare WAN - Bidirectional tunnel health checks are compatible with all Magic on-ramps

Fri, 05 Sep 2025 00:00:00 GMT

All bidirectional tunnel health check return packets are accepted by any Magic on-ramp.

Previously, when a Magic tunnel had a bidirectional health check configured, the bidirectional health check would pass when the return packets came back to Cloudflare over the same tunnel that was traversed by the forward packets.

There are SD-WAN devices, like VeloCloud, that do not offer controls to steer traffic over one tunnel versus another in a high availability tunnel configuration.

Now, when a Magic tunnel has a bidirectional health check configured, the bidirectional health check will pass when the return packet traverses over any tunnel in a high availability configuration.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Cloudflare Tunnel and Networks API will no longer return deleted resources by default starting December 1, 2025

Tue, 02 Sep 2025 00:00:00 GMT

Starting December 1, 2025, list endpoints for the Cloudflare Tunnel API and Zero Trust Networks API will no longer return deleted tunnels, routes, subnets and virtual networks by default. This change makes the API behavior more intuitive by only returning active resources unless otherwise specified.

No action is required if you already explicitly set is_deleted=false or if you only need to list active resources.

This change affects the following API endpoints:

List all tunnels: GET /accounts/{account_id}/tunnels
List Cloudflare Tunnels: GET /accounts/{account_id}/cfd_tunnel
List WARP Connector tunnels: GET /accounts/{account_id}/warp_connector
List tunnel routes: GET /accounts/{account_id}/teamnet/routes
List subnets: GET /accounts/{account_id}/zerotrust/subnets
List virtual networks: GET /accounts/{account_id}/teamnet/virtual_networks

What is changing?

The default behavior of the is_deleted query parameter will be updated.

Scenario	Previous behavior (before December 1, 2025)	New behavior (from December 1, 2025)
`is_deleted` parameter is omitted	Returns active & deleted tunnels, routes, subnets and virtual networks	Returns only active tunnels, routes, subnets and virtual networks

Action required

If you need to retrieve deleted (or all) resources, please update your API calls to explicitly include the is_deleted parameter before December 1, 2025.

To get a list of only deleted resources, you must now explicitly add the is_deleted=true query parameter to your request:

# Example: Get ONLY deleted Tunnels
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/tunnels?is_deleted=true" \
     -H "Authorization: Bearer $API_TOKEN"

# Example: Get ONLY deleted Virtual Networks
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/virtual_networks?is_deleted=true" \
     -H "Authorization: Bearer $API_TOKEN"

Following this change, retrieving a complete list of both active and deleted resources will require two separate API calls: one to get active items (by omitting the parameter or using is_deleted=false) and one to get deleted items (is_deleted=true).

Why we’re making this change

This update is based on user feedback and aims to:

Create a more intuitive default: Aligning with common API design principles where list operations return only active resources by default.
Reduce unexpected results: Prevents users from accidentally operating on deleted resources that were returned unexpectedly.
Improve performance: For most users, the default query result will now be smaller and more relevant.

To learn more, please visit the Cloudflare Tunnel API and Zero Trust Networks API documentation.

Email security - Updated Email security roles

Mon, 01 Sep 2025 23:25:49 GMT

To provide more granular controls, we refined the existing roles for Email security and launched a new Email security role as well.

All Email security roles no longer have read or write access to any of the other Zero Trust products:

Email Configuration Admin
Email Integration Admin
Email security Read Only
Email security Analyst
Email security Policy Admin
Email security Reporting

To configure Data Loss Prevention (DLP) or Remote Browser Isolation (RBI), you now need to be an admin for the Zero Trust dashboard with the Cloudflare Zero Trust role.

Also through customer feedback, we have created a new additive role to allow Email security Analyst to create, edit, and delete Email security policies, without needing to provide access via the Email Configuration Admin role. This role is called Email security Policy Admin, which can read all settings, but has write access to allow policies, trusted domains, and blocked senders.

This feature is available across these Email security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Cloudflare One Client - Cloudflare One WARP Diagnostic AI Analyzer

Fri, 29 Aug 2025 00:00:00 GMT

We're excited to share a new AI feature, the WARP diagnostic analyzer, to help you troubleshoot and resolve WARP connectivity issues faster. This beta feature is now available in the Cloudflare One dashboard to all users. The AI analyzer makes it easier for you to identify the root cause of client connectivity issues by parsing remote captures of WARP diagnostic logs. The WARP diagnostic analyzer provides a summary of impact that may be experienced on the device, lists notable events that may contribute to performance issues, and recommended troubleshooting steps and articles to help you resolve these issues. Refer to WARP diagnostics analyzer (beta) to learn more about how to maximize using the WARP diagnostic analyzer to troubleshoot the WARP client.

Digital Experience Monitoring - DEX MCP Server

Fri, 29 Aug 2025 00:00:00 GMT

Digital Experience Monitoring (DEX) provides visibility into device connectivity and performance across your Cloudflare SASE deployment.

We've released an MCP server (Model Context Protocol) for DEX.

The DEX MCP server is an AI tool that allows customers to ask a question like, "Show me the connectivity and performance metrics for the device used by carly‌@acme.com", and receive an answer that contains data from the DEX API.

Any Cloudflare One customer using a Free, Pay-as-you-go, or Enterprise account can access the DEX MCP Server. This feature is available to everyone.

Customers can test the new DEX MCP server in less than one minute. To learn more, read the DEX MCP server documentation.

Gateway, Cloudflare One - Shadow IT - SaaS analytics dashboard

Wed, 27 Aug 2025 00:00:00 GMT

Zero Trust has significantly upgraded its Shadow IT analytics, providing you with unprecedented visibility into your organizations use of SaaS tools. With this dashboard, you can review who is using an application and volumes of data transfer to the application.

You can review these metrics against application type, such as Artificial Intelligence or Social Media. You can also mark applications with an approval status, including Unreviewed, In Review, Approved, and Unapproved designating how they can be used in your organization.

These application statuses can also be used in Gateway HTTP policies, so you can block, isolate, limit uploads and downloads, and more based on the application status.

Both the analytics and policies are accessible in the Cloudflare Zero Trust dashboard, empowering organizations with better visibility and control.

CASB - New CASB integrations for ChatGPT, Claude, and Gemini

Tue, 26 Aug 2025 16:00:00 GMT

Cloudflare CASB now supports three of the most widely used GenAI platforms — OpenAI ChatGPT, Anthropic Claude, and Google Gemini. These API-based integrations give security teams agentless visibility into posture, data, and compliance risks across their organization’s use of generative AI.

Key capabilities

Agentless connections — connect ChatGPT, Claude, and Gemini tenants via API; no endpoint software required
Posture management — detect insecure settings and misconfigurations that could lead to data exposure
DLP detection — identify sensitive data in uploaded chat attachments or files
GenAI-specific insights — surface risks unique to each provider’s capabilities

Learn more

These integrations are available to all Cloudflare One customers today.

Access - Manage and restrict access to internal MCP servers with Cloudflare Access

Tue, 26 Aug 2025 00:00:00 GMT

You can now control who within your organization has access to internal MCP servers, by putting internal MCP servers behind Cloudflare Access.

Self-hosted applications in Cloudflare Access now support OAuth for MCP server authentication. This allows Cloudflare to delegate access from any self-hosted application to an MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the authorized user, using that user's specific permissions and scopes.

For example, if you have an MCP server designed for internal use within your organization, you can configure Access policies to ensure that only authorized users can access it, regardless of which MCP client they use. Support for internal, self-hosted MCP servers also works with MCP server portals, allowing you to provide a single MCP endpoint for multiple MCP servers. For more on MCP server portals, read the blog post on the Cloudflare Blog.

Access - MCP server portals

Tue, 26 Aug 2025 00:00:00 GMT

An MCP server portal centralizes multiple Model Context Protocol (MCP) servers onto a single HTTP endpoint. Key benefits include:

Streamlined access to multiple MCP servers: MCP server portals support both unauthenticated MCP servers as well as MCP servers secured using any third-party or custom OAuth provider. Users log in to the portal URL through Cloudflare Access and are prompted to authenticate separately to each server that requires OAuth.
Customized tools per portal: Admins can tailor an MCP portal to a particular use case by choosing the specific tools and prompt templates that they want to make available to users through the portal. This allows users to access a curated set of tools and prompts — the less external context exposed to the AI model, the better the AI responses tend to be.
Observability: Once the user's AI agent is connected to the portal, Cloudflare Access logs the individual requests made using the tools in the portal.

This is available in an open beta for all customers across all plans! For more information check out our blog for this release.

Data Loss Prevention - New DLP topic based detection entries for AI prompt protection

Mon, 25 Aug 2025 00:00:00 GMT

You now have access to a comprehensive suite of capabilities to secure your organization's use of generative AI. AI prompt protection introduces four key features that work together to provide deep visibility and granular control.

Prompt Detection for AI Applications

DLP can now natively detect and inspect user prompts submitted to popular AI applications, including Google Gemini, ChatGPT, Claude, and Perplexity.

Prompt Analysis and Topic Classification

Our DLP engine performs deep analysis on each prompt, applying topic classification. These topics are grouped into two evaluation categories:

Content: PII, Source Code, Credentials and Secrets, Financial Information, and Customer Data.
Intent: Jailbreak attempts, requests for malicious code, or attempts to extract PII.

To help you apply these topics quickly, we have also released five new predefined profiles (for example, AI Prompt: AI Security, AI Prompt: PII) that bundle these new topics.

Granular Guardrails

You can now build guardrails using Gateway HTTP policies with application granular controls. Apply a DLP profile containing an AI prompt topic detection to individual AI applications (for example, ChatGPT) and specific user actions (for example, SendPrompt) to block sensitive prompts.
Full Prompt Logging

To aid in incident investigation, an optional setting in your Gateway policy allows you to capture prompt logs to store the full interaction of prompts that trigger a policy match. To make investigations easier, logs can be filtered by conversation_id, allowing you to reconstruct the full context of an interaction that led to a policy violation.

AI prompt protection is now available in open beta. To learn more about it, read the blog or refer to AI prompt topics.

Cloudflare One Client - WARP client for Windows (version 2025.6.1400.0)

Thu, 21 Aug 2025 22:36:07 GMT

A new GA release for the Windows WARP client is now available on the stable releases downloads page.

This release contains a hotfix for pre-login for multi-user for the 2025.6.1135.0 release.

Changes and improvements

Fixes an issue where new pre-login registrations were not being properly created.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, please reconnect the WARP client by toggling off and back on.

Gateway - Gateway BYOIP Dedicated Egress IPs now available.

Thu, 21 Aug 2025 00:00:00 GMT

Enterprise Gateway users can now use Bring Your Own IP (BYOIP) for dedicated egress IPs.

Admins can now onboard and use their own IPv4 or IPv6 prefixes to egress traffic from Cloudflare, delivering greater control, flexibility, and compliance for network traffic.

Get started by following the BYOIP onboarding process. Once your IPs are onboarded, go to Gateway > Egress policies and select or create an egress policy. In Select an egress IP, choose Use dedicated egress IPs (Cloudflare or BYOIP), then select your BYOIP address from the dropdown menu.

For more information, refer to BYOIP for dedicated egress IPs.

Cloudflare One Client - WARP client for Windows (version 2025.6.1335.0)

Tue, 19 Aug 2025 22:10:43 GMT

A new GA release for the Windows WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

Improvements to better manage multi-user pre-login registrations.
Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected.
Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect.
Improvement for faster client connectivity on high-latency captive portal networks.
Fixed an issue where recursive CNAME records could cause intermittent WARP connectivity issues.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 version KB5062553 or higher for resolution.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.6.1335.0)

Tue, 19 Aug 2025 22:10:43 GMT

A new GA release for the macOS WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected.
Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect.
Improvement for faster client connectivity on high-latency captive portal networks.
Fixed an issue where recursive CNAME records could cause intermittent WARP connectivity issues.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Cloudflare One Client - WARP client for Linux (version 2025.6.1335.0)

Tue, 19 Aug 2025 19:45:33 GMT

A new GA release for the Linux WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected.
Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect.
Improvement for faster client connectivity on high-latency captive portal networks.
Fixed an issue where recursive CNAME records could cause intermittent WARP connectivity issues.

Known issues

Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Access - SFTP support for SSH with Cloudflare Access for Infrastructure

Fri, 15 Aug 2025 00:00:00 GMT

SSH with Cloudflare Access for Infrastructure now supports SFTP. It is compatible with SFTP clients, such as Cyberduck.

Access - Cloudflare Access Logging supports the Customer Metadata Boundary (CMB)

Thu, 14 Aug 2025 00:00:00 GMT

Cloudflare Access logs now support the Customer Metadata Boundary (CMB). If you have configured the CMB for your account, all Access logging will respect that configuration.

Email security - Expanded Email Link Isolation

Thu, 07 Aug 2025 23:22:49 GMT

When you deploy MX or Inline, not only can you apply email link isolation to suspicious links in all emails (including benign), you can now also apply email link isolation to all links of a specified disposition. This provides more flexibility in controlling user actions within emails.

For example, you may want to deliver suspicious messages but isolate the links found within them so that users who choose to interact with the links will not accidentally expose your organization to threats. This means your end users are more secure than ever before.

To isolate all links within a message based on the disposition, select Settings > Link Actions > View and select Configure. As with other other links you isolate, an interstitial will be provided to warn users that this site has been isolated and the link will be recrawled live to evaluate if there are any changes in our threat intel. Learn more about this feature on Configure link actions.

This feature is available across these Email security packages:

Enterprise
Enterprise + PhishGuard

Cloudflare WAN - Terraform V5 support for tunnels and routes

Thu, 31 Jul 2025 00:00:00 GMT

The Cloudflare Terraform provider resources for Cloudflare WAN tunnels and routes now support Terraform provider version 5. Customers using infrastructure-as-code workflows can manage their tunnel and route configuration with the latest provider version.

For more information, refer to the Cloudflare Terraform provider documentation.

Magic Transit, Cloudflare WAN - Magic Transit and Magic WAN health check data is fully compatible with the CMB EU setting.

Wed, 30 Jul 2025 00:00:00 GMT

Today, we are excited to announce that all Magic Transit and Magic WAN customers with CMB EU (Customer Metadata Boundary - Europe) enabled in their account will be able to access GRE, IPsec, and CNI health check and traffic volume data in the Cloudflare dashboard and via API.

This ensures that all Magic Transit and Magic WAN customers with CMB EU enabled will be able to access all Magic Transit and Magic WAN features.

Specifically, these two GraphQL endpoints are now compatible with CMB EU:

magicTransitTunnelHealthChecksAdaptiveGroups
magicTransitTunnelTrafficAdaptiveGroups

Gateway - Scam domain category introduced under Security Threats

Mon, 28 Jul 2025 00:00:00 GMT

We have introduced a new Security Threat category called Scam. Relevant domains are marked with the Scam category. Scam typically refers to fraudulent websites and schemes designed to trick victims into giving away money or personal information.

New category added

Parent ID	Parent Name	Category ID	Category Name
21	Security Threats	191	Scam

Refer to Gateway domain categories to learn more.

Cloudflare One Client - WARP client for Windows (version 2025.6.824.1)

Thu, 24 Jul 2025 12:28:40 GMT

A new Beta release for the Windows WARP client is now available on the beta releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

Improvements to better manage multi-user pre-login registrations.
Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected.
Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect.
Improvement to managed network detection checks for faster switching between managed networks.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 version KB5062553 or higher for resolution.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.6.824.1)

Thu, 24 Jul 2025 12:28:40 GMT

A new Beta release for the macOS WARP client is now available on the beta releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

Fixed an issue preventing devices from reaching split-tunneled traffic even when WARP was disconnected.
Fix to prevent WARP from re-enabling its firewall rules after a user-initiated disconnect.
Improvement to managed network detection checks for faster switching between managed networks.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Gateway - Gateway HTTP Filtering on all ports available in open BETA

Thu, 24 Jul 2025 00:00:00 GMT

Gateway can now apply HTTP filtering to all proxied HTTP requests, not just traffic on standard HTTP (80) and HTTPS (443) ports. This means all requests can now be filtered by A/V scanning, file sandboxing, Data Loss Prevention (DLP), and more.

You can turn this setting on by going to Settings > Network > Firewall and choosing Inspect on all ports.

To learn more, refer to Inspect on all ports (Beta).

Cloudflare One Client - WARP client for Windows (version 2025.5.943.0)

Wed, 23 Jul 2025 20:41:54 GMT

A new GA release for the Windows WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

WARP proxy mode now uses the operating system's DNS settings. Changes made to system DNS settings while in proxy mode require the client to be turned off then back on to take effect.
Changes to the SCCM VPN boundary support feature to no longer restart the SMS Agent Host (ccmexec.exe) service.
Fixed an issue affecting clients in Split Tunnel Include mode, where access to split-tunneled traffic was blocked after reconnecting the client.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 version KB5062553 or higher for resolution.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.5.943.0)

Wed, 23 Jul 2025 20:41:33 GMT

A new GA release for the macOS WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

WARP proxy mode now uses the operating system's DNS settings. Changes made to system DNS settings while in proxy mode require the client to be turned off then back on to take effect.
Fixed an issue affecting clients in Split Tunnel Include mode, where access to split-tunneled traffic was blocked after reconnecting the client.
For macOS deployments, the WARP client can now be managed using an mdm.xml file placed in /Library/Application Support/Cloudflare/mdm.xml. This new configuration option offers an alternative to the still supported method of deploying a managed plist through an MDM solution.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Cloudflare One Client - WARP client for Linux (version 2025.5.943.0)

Wed, 23 Jul 2025 19:17:49 GMT

A new GA release for the Linux WARP client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

WARP proxy mode now uses the operating system's DNS settings. Changes made to system DNS settings while in proxy mode require the client to be turned off then back on to take effect.
Fixed an issue affecting clients in Split Tunnel Include mode, where access to split-tunneled traffic was blocked after reconnecting the client.

Known issues

Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Gateway - Google Bard Application replaced by Gemini

Tue, 22 Jul 2025 00:00:00 GMT

The Google Bard application (ID: 1198) has been deprecated and fully removed from the system. It has been replaced by the Gemini application (ID: 1340). Any existing Gateway policies that reference the old Google Bard application will no longer function. To ensure your policies continue to work as intended, you should update them to use the new Gemini application. We recommend replacing all instances of the deprecated Bard application with the new Gemini application in your Gateway policies. For more information about application policies, please see the Cloudflare Gateway documentation.

Cloudflare One Appliance, Cloudflare One, Cloudflare WAN - Virtual Cloudflare One Appliance with KVM support (open beta)

Mon, 21 Jul 2025 00:00:00 GMT

The KVM-based virtual Cloudflare One Appliance is now in open beta with official support for Proxmox VE.

Customers can deploy the virtual appliance on KVM hypervisors to connect branch or data center networks to Cloudflare WAN without dedicated hardware.

For setup instructions, refer to Configure a virtual Cloudflare One Appliance.

Data Loss Prevention - New detection entry type: Document Matching for DLP

Thu, 17 Jul 2025 00:00:00 GMT

You can now create document-based detection entries in DLP by uploading example documents. Cloudflare will encrypt your documents and create a unique fingerprint of the file. This fingerprint is then used to identify similar documents or snippets within your organization's traffic and stored files.

Key features and benefits:

Upload documents, forms, or templates: Easily upload .docx and .txt files (up to 10 MB) that contain sensitive information you want to protect.
Granular control with similarity percentage: Define a minimum similarity percentage (0-100%) that a document must meet to trigger a detection, reducing false positives.
Comprehensive coverage: Apply these document-based detection entries in:
- Gateway policies: To inspect network traffic for sensitive documents as they are uploaded or shared.
- CASB (Cloud Access Security Broker): To scan files stored in cloud applications for sensitive documents at rest.
Identify sensitive data: This new detection entry type is ideal for identifying sensitive data within completed forms, templates, or even small snippets of a larger document, helping you prevent data exfiltration and ensure compliance.

Once uploaded and processed, you can add this new document entry into a DLP profile and policies to enhance your data protection strategy.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Faster, more reliable UDP traffic for Cloudflare Tunnel

Tue, 15 Jul 2025 00:00:00 GMT

Your real-time applications running over Cloudflare Tunnel are now faster and more reliable. We've completely re-architected the way cloudflared proxies UDP traffic in order to isolate it from other traffic, ensuring latency-sensitive applications like private DNS are no longer slowed down by heavy TCP traffic (like file transfers) on the same Tunnel.

This is a foundational improvement to Cloudflare Tunnel, delivered automatically to all customers. There are no settings to configure — your UDP traffic is already flowing faster and more reliably.

What’s new:

Faster UDP performance: We've significantly reduced the latency for establishing new UDP sessions, making applications like private DNS much more responsive.
Greater reliability for mixed traffic: UDP packets are no longer affected by heavy TCP traffic, preventing timeouts and connection drops for your real-time services.

Learn more about running TCP or UDP applications and private networks through Cloudflare Tunnel.

Cloudflare One - New onboarding guides for Zero Trust

Thu, 10 Jul 2025 00:00:00 GMT

Use our brand new onboarding experience for Cloudflare Zero Trust. New and returning users can now engage with a Get Started tab with walkthroughs for setting up common use cases end-to-end.

There are eight brand new onboarding guides in total:

Securely access a private network (sets up device client and Tunnel)
Device-to-device / mesh networking (sets up and connects multiple device clients)
Network to network connectivity (sets up and connects multiple WARP Connectors, makes reference to Magic WAN availability for Enterprise)
Secure web traffic (sets up device client, Gateway, pre-reqs, and initial policies)
Secure DNS for networks (sets up a new DNS location and Gateway policies)
Clientless web access (sets up Access to a web app, Tunnel, and public hostname)
Clientless SSH access (all the same + the web SSH experience)
Clientless RDP access (all the same + RDP-in-browser)

Each flow walks the user through the steps to configure the essential elements, and provides a “more details” panel with additional contextual information about what the user will accomplish at the end, along with why the steps they take are important.

Try them out now in the Zero Trust dashboard!

Cloudflare One - Cloudy summaries for Access and Gateway Logs

Mon, 07 Jul 2025 00:00:00 GMT

Cloudy, Cloudflare's AI Agent, will now automatically summarize your Access and Gateway block logs.

In the log itself, Cloudy will summarize what occurred and why. This will be helpful for quick troubleshooting and issue correlation.

If you have feedback about the Cloudy summary - good or bad - you can provide that right from the summary itself.

Cloudflare One - New App Library for Zero Trust Dashboard

Mon, 07 Jul 2025 00:00:00 GMT

Cloudflare Zero Trust customers can use the App Library to get full visibility over the SaaS applications that they use in their Gateway policies, CASB integrations, and Access for SaaS applications.

App Library, found under My Team, makes information available about all Applications that can be used across the Zero Trust product suite.

You can use the App Library to see:

How Applications are defined
Where they are referenced in policies
Whether they have Access for SaaS configured
Review their CASB findings and integration status.

Within individual Applications, you can also track their usage across your organization, and better understand user behavior.

Access - Access RDP securely from your browser — now in open beta

Tue, 01 Jul 2025 00:00:00 GMT

Browser-based RDP with Cloudflare Access is now available in open beta for all Cloudflare customers. It enables secure, remote Windows server access without VPNs or RDP clients.

With browser-based RDP, you can:

Control how users authenticate to internal RDP resources with single sign-on (SSO), multi-factor authentication (MFA), and granular access policies.
Record who is accessing which servers and when to support regulatory compliance requirements and to gain greater visibility in the event of a security event.
Eliminate the need to install and manage software on user devices. You will only need a web browser.
Reduce your attack surface by keeping your RDP servers off the public Internet and protecting them from common threats like credential stuffing or brute-force attacks.

To get started, see Connect to RDP in a browser.

Cloudflare One Client - WARP client for Windows (version 2025.5.893.0)

Mon, 30 Jun 2025 21:10:37 GMT

A new GA release for the Windows WARP client is now available on the stable releases downloads page.

This release contains improvements and new exciting features, including SCCM VPN boundary support and post-quantum cryptography. By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems.

Changes and improvements

Fixed a device registration issue that caused WARP connection failures when changing networks.
Captive portal improvements and fixes:
- Captive portal sign in notifications will now be sent through operating system notification services.
- Fix for firewall configuration issue affecting clients in DoH only mode.
Improved the connectivity status message in the client GUI.
Fixed a bug affecting clients in Gateway with DoH mode where the original DNS servers were not restored after disabling WARP.
The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by MDM.
Improvement to handle client configuration changes made by an MDM while WARP is not running.
Improvements for multi-user experience to better handle fast user switching and transitions from a pre-login to a logged-in state.
Added a WARP client device posture check for SAN attributes to the client certificate check.
Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks.
Added SCCM VPN boundary support to device profile settings. With SCCM VPN boundary support enabled, operating systems will register WARP's local interface IP with the on-premise DNS server when reachable.
Fix for an issue causing WARP connectivity to fail without full system reboot.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 version KB5060829 or higher for resolution.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.
To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.5.893.0)

Mon, 30 Jun 2025 21:10:36 GMT

A new GA release for the macOS WARP client is now available on the stable releases downloads page.

This release contains improvements and new exciting features, including post-quantum cryptography. By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems.

Changes and improvements

Fixed an issue where WARP sometimes failed to automatically relaunch after updating.
Fixed a device registration issue causing WARP connection failures when changing networks.
Captive portal improvements and fixes:
- Captive portal sign in notifications will now be sent through operating system notification services.
- Fix for firewall configuration issue affecting clients in DoH only mode.
Improved the connectivity status message in the client GUI.
The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by MDM.
Improvement to handle client configuration changes made by an MDM while WARP is not running.
Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks.
Improvement for WARP connectivity issues on macOS due to the operating system not accepting DNS server configurations.
Added a WARP client device posture check for SAN attributes to the client certificate check.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

Cloudflare One Client - WARP client for Linux (version 2025.5.893.0)

Mon, 30 Jun 2025 19:44:34 GMT

A new GA release for the Linux WARP client is now available on the stable releases downloads page.

Changes and improvements

Fixed a device registration issue causing WARP connection failures when changing networks.
Captive portal improvements and fixes:
- Captive portal sign in notifications will now be sent through operating system notification services.
- Fix for firewall configuration issue affecting clients in DoH only mode.
Improved the connectivity status message in the client GUI.
The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by MDM.
Improvement to handle client configuration changes made by MDM while WARP is not running.
Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks.
Added a WARP client device posture check for SAN attributes to the client certificate check.

Known issues

Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to Route traffic to fallback server.

Cloudflare One Client - Cloudflare One Agent for Android (version 2.4.2)

Mon, 30 Jun 2025 00:00:00 GMT

A new GA release for the Android Cloudflare One Agent is now available in the Google Play Store. This release contains improvements and new exciting features, including post-quantum cryptography. By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems.

Changes and improvements

QLogs are now disabled by default and can be enabled in the app by turning on Enable qlogs under Settings > Advanced > Diagnostics > Debug Logs. The QLog setting from previous releases will no longer be respected.
DNS over HTTPS traffic is now included in the WARP tunnel by default.
The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by MDM.
Fixed an issue that caused WARP connection failures on ChromeOS devices.

Cloudflare One Client - Cloudflare One Agent for iOS (version 1.11)

Mon, 30 Jun 2025 00:00:00 GMT

A new GA release for the iOS Cloudflare One Agent is now available in the iOS App Store. This release contains improvements and new exciting features, including post-quantum cryptography. By tunneling your corporate network traffic over Cloudflare, you can now gain the immediate protection of post-quantum cryptography without needing to upgrade any of your individual corporate applications or systems.

Changes and improvements

QLogs are now disabled by default and can be enabled in the app by turning on Enable qlogs under Settings > Advanced > Diagnostics > Debug Logs. The QLog setting from previous releases will no longer be respected.
DNS over HTTPS traffic is now included in the WARP tunnel by default.
The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by MDM.

Data Loss Prevention, CASB, Cloudflare One - Data Security Analytics in the Zero Trust dashboard

Mon, 23 Jun 2025 09:00:00 GMT

Zero Trust now includes Data security analytics, providing you with unprecedented visibility into your organization sensitive data.

The new dashboard includes:

Sensitive Data Movement Over Time:
- See patterns and trends in how sensitive data moves across your environment. This helps understand where data is flowing and identify common paths.
Sensitive Data at Rest in SaaS & Cloud:
- View an inventory of sensitive data stored within your corporate SaaS applications (for example, Google Drive, Microsoft 365) and cloud accounts (such as AWS S3).
DLP Policy Activity:
- Identify which of your Data Loss Prevention (DLP) policies are being triggered most often.
- See which specific users are responsible for triggering DLP policies.

To access the new dashboard, log in to Cloudflare One and go to Insights on the sidebar.

Gateway - Gateway will now evaluate Network policies before HTTP policies from July 14th, 2025

Wed, 18 Jun 2025 00:00:00 GMT

Gateway will now evaluate Network (Layer 4) policies before HTTP (Layer 7) policies. This change preserves your existing security posture and does not affect which traffic is filtered — but it may impact how notifications are displayed to end users.

This change will roll out progressively between July 14–18, 2025. If you use HTTP policies, we recommend reviewing your configuration ahead of rollout to ensure the user experience remains consistent.

Updated order of enforcement

Previous order:

DNS policies
HTTP policies
Network policies

New order:

DNS policies
Network policies
HTTP policies

Action required: Review your Gateway HTTP policies

This change may affect block notifications. For example:

You have an HTTP policy to block example.com and display a block page.
You also have a Network policy to block example.com silently (no client notification).

With the new order, the Network policy will trigger first — and the user will no longer see the HTTP block page.

To ensure users still receive a block notification, you can:

Add a client notification to your Network policy, or
Use only the HTTP policy for that domain.

Why we’re making this change

This update is based on user feedback and aims to:

Create a more intuitive model by evaluating network-level policies before application-level policies.
Minimize 526 connection errors by verifying the network path to an origin before attempting to establish a decrypted TLS connection.

To learn more, visit the Gateway order of enforcement documentation.

Cloudflare One Client - WARP client for Windows (version 2025.5.828.1)

Tue, 17 Jun 2025 12:04:39 GMT

A new Beta release for the Windows WARP client is now available on the beta releases downloads page.

This release contains new improvements in addition to the features and improvements introduced in Beta client version 2025.5.735.1.

Changes and improvements

Improvement to better handle multi-user fast user switching.
Fix for an issue causing WARP connectivity to fail without full system reboot.

Known issues

Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.5.828.1)

Tue, 17 Jun 2025 12:04:39 GMT

A new Beta release for the macOS WARP client is now available on the beta releases downloads page.

This release contains new improvements in addition to the features and improvements introduced in Beta client version 2025.5.735.1.

Changes and improvements

Improvement for WARP connectivity issues on macOS due to the operating system not accepting DNS server configurations.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

Cloudflare One Client - WARP client for Windows (version 2025.5.735.1)

Thu, 05 Jun 2025 20:38:05 GMT

A new Beta release for the Windows WARP client is now available on the beta releases downloads page.

Changes and improvements

Fixed a device registration issue causing WARP connection failures when changing networks.
Captive portal improvements including showing connectivity status in the client and sending system notifications for captive portal sign in.
Fixed a bug where in Gateway with DoH mode, connection to DNS servers was not automatically restored after reconnecting WARP.
The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by MDM.
Improvement to gracefully handle changes made by MDM while WARP is not running.
Improvement for multi-user mode to avoid unnecessary key rotations when transitioning from a pre-login to a logged-in state.
Added a WARP client device posture check for SAN attributes to the client certificate check.
Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks.
Added SCCM VPN boundary support to device profile settings. With SCCM VPN boundary support enabled, operating systems will register WARP's local interface IP with the on-premise DNS server when reachable.

Known issues

Microsoft has confirmed a regression with Windows 11 starting around 24H2 that may cause performance issues for some users. These performance issues could manifest as mouse lag, audio cracking, or other slowdowns. A fix from Microsoft is expected in early July.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.
DNS resolution may be broken when the following conditions are all true:
- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected. To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2025.5.735.1)

Thu, 05 Jun 2025 20:38:04 GMT

A new Beta release for the macOS WARP client is now available on the beta releases downloads page.

Changes and improvements

Fixed an issue where the Cloudflare WARP application may not have automatically relaunched after an update.
Fixed a device registration issue causing WARP connection failures when changing networks.
Captive portal improvements including showing connectivity status in the client and sending system notifications for captive portal sign in.
The WARP client now applies post-quantum cryptography end-to-end on enabled devices accessing resources behind a Cloudflare Tunnel. This feature can be enabled by MDM.
Improvement to gracefully handle changes made by MDM while WARP is not running.
Fixed an issue affecting Split Tunnel Include mode, where traffic outside the tunnel was blocked when switching between Wi-Fi and Ethernet networks.

Known issues

macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

Access, Cloudflare One - Cloudflare One Analytics Dashboards and Exportable Access Report

Thu, 05 Jun 2025 00:00:00 GMT

Cloudflare One now offers powerful new analytics dashboards to help customers easily discover available insights into their application access and network activity. These dashboards provide a centralized, intuitive view for understanding user behavior, application usage, and security posture.

![Cloudflare One Analytics Dashboards](~/assets/images/changelog/cloudflare-one/Analytics Dashboards.png)

Additionally, a new exportable access report is available, allowing customers to quickly view high-level metrics and trends in their application access. A preview of the report is shown below, with more to be found in the report:

Both features are accessible in the Cloudflare Zero Trust dashboard, empowering organizations with better visibility and control.

Gateway, Cloudflare One - New Gateway Analytics in the Cloudflare One Dashboard

Thu, 29 May 2025 00:00:00 GMT

Users can now access significant enhancements to Cloudflare Gateway analytics, providing you with unprecedented visibility into your organization's DNS queries, HTTP requests, and Network sessions. These powerful new dashboards enable you to go beyond raw logs and gain actionable insights into how your users are interacting with the Internet and your protected resources.

You can now visualize and explore:

Patterns Over Time: Understand trends in traffic volume and blocked requests, helping you identify anomalies and plan for future capacity.
Top Users & Destinations: Quickly pinpoint the most active users, enabling better policy enforcement and resource allocation.
Actions Taken: See a clear breakdown of security actions applied by Gateway policies, such as blocks and allows, offering a comprehensive view of your security posture.
Geographic Regions: Gain insight into the global distribution of your traffic.

To access the new overview, log in to your Cloudflare Zero Trust dashboard and go to Analytics in the side navigation bar.

Gateway - Gateway Protocol Detection Now Available for Pay-as-you-go and Free Plans

Tue, 27 May 2025 00:00:00 GMT

All Cloudflare One Gateway users can now use Protocol detection logging and filtering, including those on Pay-as-you-go and Free plans.

With Protocol Detection, admins can identify and enforce policies on traffic proxied through Gateway based on the underlying network protocol (for example, HTTP, TLS, or SSH), enabling more granular traffic control and security visibility no matter your plan tier.

This feature is available to enable in your account network settings for all accounts. For more information on using Protocol Detection, refer to the Protocol detection documentation.

Cloudflare One - New Applications Added to Zero Trust

Sun, 18 May 2025 00:00:00 GMT

42 new applications have been added for Zero Trust support within the Application Library and Gateway policy enforcement, giving you the ability to investigate or apply inline policies to these applications.

33 of the 42 applications are Artificial Intelligence applications. The others are Human Resources (2 applications), Development (2 applications), Productivity (2 applications), Sales & Marketing, Public Cloud, and Security.

To view all available applications, log in to your Cloudflare Zero Trust dashboard, navigate to the App Library under My Team.

For more information on creating Gateway policies, see our Gateway policy documentation.

Access, Cloudflare One - New Access Analytics in the Cloudflare One Dashboard

Fri, 16 May 2025 00:00:00 GMT

A new Access Analytics dashboard is now available to all Cloudflare One customers. Customers can apply and combine multiple filters to dive into specific slices of their Access metrics. These filters include:

Logins granted and denied
Access events by type (SSO, Login, Logout)
Application name (Salesforce, Jira, Slack, etc.)
Identity provider (Okta, Google, Microsoft, onetimepin, etc.)
Users (chris@cloudflare.com, sally@cloudflare.com, rachel@cloudflare.com, etc.)
Countries (US, CA, UK, FR, BR, CN, etc.)
Source IP address
App type (self-hosted, Infrastructure, RDP, etc.)

To access the new overview, log in to your Cloudflare Zero Trust dashboard and find Analytics in the side navigation bar.

Email security - Open email attachments with Browser Isolation

Thu, 15 May 2025 23:22:49 GMT

You can now safely open email attachments to view and investigate them.

What this means is that messages now have a Attachments section. Here, you can view processed attachments and their classifications (for example, Malicious, Suspicious, Encrypted). Next to each attachment, a Browser Isolation icon allows your team to safely open the file in a clientless, isolated browser with no risk to the analyst or your environment.

To use this feature, you must:

Turn on Allow users to open a remote browser without the device client in your Zero Trust settings.
Have Browser Isolation (BISO) seats assigned.

For more details, refer to our setup guide.

Some attachment types may not render in Browser Isolation. If there is a file type that you would like to be opened with Browser Isolation, reach out to your Cloudflare contact.

This feature is available across these Email security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Gateway - Domain Categories improvements

Wed, 14 May 2025 00:00:00 GMT

New categories added

Parent ID	Parent Name	Category ID	Category Name
1	Ads	66	Advertisements
3	Business & Economy	185	Personal Finance
3	Business & Economy	186	Brokerage & Investing
21	Security Threats	187	Compromised Domain
21	Security Threats	188	Potentially Unwanted Software
6	Education	189	Reference
9	Government & Politics	190	Charity and Non-profit

Changes to existing categories

Original Name	New Name
Religion	Religion & Spirituality
Government	Government/Legal
Redirect	URL Alias/Redirect

Refer to Gateway domain categories to learn more.

Browser Isolation - SAML HTTP-POST bindings support for RBI

Tue, 13 May 2025 00:00:00 GMT

Remote Browser Isolation (RBI) now supports SAML HTTP-POST bindings, enabling seamless authentication for SSO-enabled applications that rely on POST-based SAML responses from Identity Providers (IdPs) within a Remote Browser Isolation session. This update resolves a previous limitation that caused 405 errors during login and improves compatibility with multi-factor authentication (MFA) flows.

With expanded support for major IdPs like Okta and Azure AD, this enhancement delivers a more consistent and user-friendly experience across authentication workflows. Learn how to set up Remote Browser Isolation.

Gateway - New Applications Added for DNS Filtering

Tue, 13 May 2025 00:00:00 GMT

You can now create DNS policies to manage outbound traffic for an expanded list of applications. This update adds support for 273 new applications, giving you more control over your organization's outbound traffic.

With this update, you can:

Create DNS policies for a wider range of applications
Manage outbound traffic more effectively
Improve your organization's security and compliance posture

For more information on creating DNS policies, see our DNS policy documentation.

Data Loss Prevention - Case Sensitive Custom Word Lists

Mon, 12 May 2025 00:00:00 GMT

You can now configure custom word lists to enforce case sensitivity. This setting supports flexibility where needed and aims to reduce false positives where letter casing is critical.

Email security - Open email links with Browser Isolation

Thu, 08 May 2025 23:22:49 GMT

You can now safely open links in emails to view and investigate them.

From Investigation, go to View details, and look for the Links identified section. Next to each link, the Cloudflare dashboard will display an Open in Browser Isolation icon which allows your team to safely open the link in a clientless, isolated browser with no risk to the analyst or your environment. Refer to Open links to learn more about this feature.

To use this feature, you must:

Turn on Allow users to open a remote browser without the device client in your Zero Trust settings.
Have Browser Isolation (RBI) seats assigned.

For more details, refer to our setup guide.

This feature is available across these Email security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Data Loss Prevention - Send forensic copies to storage without DLP profiles

Wed, 07 May 2025 00:00:00 GMT

You can now send DLP forensic copies to third-party storage for any HTTP policy with an Allow or Block action, without needing to include a DLP profile. This change increases flexibility for data handling and forensic investigation use cases.

By default, Gateway will send all matched HTTP requests to your configured DLP Forensic Copy jobs.

Browser Isolation - Browser Isolation Overview page for Zero Trust

Thu, 01 May 2025 00:00:00 GMT

A new Browser Isolation Overview page is now available in the Cloudflare Zero Trust dashboard. This centralized view simplifies the management of Remote Browser Isolation (RBI) deployments, providing:

Streamlined Onboarding: Easily set up and manage isolation policies from one location.
Quick Testing: Validate clientless web application isolation with ease.
Simplified Configuration: Configure isolated access applications and policies efficiently.
Centralized Monitoring: Track aggregate usage and blocked actions.

This update consolidates previously disparate settings, accelerating deployment, improving visibility into isolation activity, and making it easier to ensure your protections are working effectively.

To access the new overview, log in to your Cloudflare Zero Trust dashboard and find Browser Isolation in the side navigation bar.

Cloudflare One - Dark Mode for Zero Trust Dashboard

Wed, 30 Apr 2025 00:00:00 GMT

The Cloudflare Zero Trust dashboard now supports Cloudflare's native dark mode for all accounts and plan types.

Zero Trust Dashboard will automatically accept your user-level preferences for system settings, so if your Dashboard appearance is set to 'system' or 'dark', the Zero Trust dashboard will enter dark mode whenever the rest of your Cloudflare account does.

Zero Trust Dashboard
To update your view preference in the Zero Trust dashboard:
1. Log into the Zero Trust dashboard.
2. Select your user icon.
3. Select Dark Mode.
Core Dashboard
To update your view preference in the Core dashboard:
1. Log into the Cloudflare dashboard.
2. Go to My Profile
3. For Appearance, choose Dark.

Cloudflare One Appliance, Cloudflare One, Cloudflare WAN - Cloudflare One Appliance supports multiple DNS server IPs

Wed, 30 Apr 2025 00:00:00 GMT

Cloudflare One Appliance DHCP server settings now support specifying multiple DNS server IP addresses in the DHCP pool.

Previously, customers could only configure a single DNS server per DHCP pool. With this update, you can specify multiple DNS servers to provide redundancy for clients at branch locations.

For configuration details, refer to DHCP server.

Gateway - FQDN Filtering For Gateway Egress Policies

Mon, 28 Apr 2025 00:00:00 GMT

Cloudflare One administrators can now control which egress IP is used based on a destination's fully qualified domain name (FDQN) within Gateway Egress policies.

Host, Domain, Content Categories, and Application selectors are now available in the Gateway Egress policy builder in beta.
During the beta period, you can use these selectors with traffic on-ramped to Gateway with the WARP client, proxy endpoints (commonly deployed with PAC files), or Cloudflare Browser Isolation.
- For WARP client support, additional configuration is required. For more information, refer to the WARP client configuration documentation.

This will help apply egress IPs to your users' traffic when an upstream application or network requires it, while the rest of their traffic can take the most performant egress path.

Access - Access bulk policy tester

Mon, 21 Apr 2025 00:00:00 GMT

The Access bulk policy tester is now available in the Cloudflare Zero Trust dashboard. The bulk policy tester allows you to simulate Access policies against your entire user base before and after deploying any changes. The policy tester will simulate the configured policy against each user's last seen identity and device posture (if applicable).

Data Loss Prevention - New predefined detection entry for ICD-11

Mon, 14 Apr 2025 00:00:00 GMT

You now have access to the World Health Organization (WHO) 2025 edition of the International Classification of Diseases 11th Revision (ICD-11) as a predefined detection entry. The new dataset can be found in the Health Information predefined profile.

ICD-10 dataset remains available for use.

Gateway - HTTP redirect and custom block page redirect

Fri, 11 Apr 2025 00:00:00 GMT

You can now use more flexible redirect capabilities in Cloudflare One with Gateway.

A new Redirect action is available in the HTTP policy builder, allowing admins to redirect users to any URL when their request matches a policy. You can choose to preserve the original URL and query string, and optionally include policy context via query parameters.
For Block actions, admins can now configure a custom URL to display when access is denied. This block page redirect is set at the account level and can be overridden in DNS or HTTP policies. Policy context can also be passed along in the URL.

Learn more in our documentation for HTTP Redirect and Block page redirect.

Access - Cloudflare Zero Trust SCIM User and Group Provisioning Logs

Wed, 09 Apr 2025 00:00:00 GMT

Cloudflare Zero Trust SCIM provisioning now has a full audit log of all create, update and delete event from any SCIM Enabled IdP. The SCIM logs support filtering by IdP, Event type, Result and many more fields. This will help with debugging user and group update issues and questions.

SCIM logs can be found on the Zero Trust Dashboard under Logs -> SCIM provisioning.

Email security - CASB and Email security

Tue, 01 Apr 2025 23:22:49 GMT

With Email security, you get two free CASB integrations.

Use one SaaS integration for Email security to sync with your directory of users, take actions on delivered emails, automatically provide EMLs for reclassification requests for clean emails, discover CASB findings and more.

With the other integration, you can have a separate SaaS integration for CASB findings for another SaaS provider.

Refer to Add an integration to learn more about this feature.

This feature is available across these Email security packages:

Enterprise
Enterprise + PhishGuard

Gateway - Secure DNS Locations Management User Role

Fri, 21 Mar 2025 00:00:00 GMT

We're excited to introduce the Cloudflare Zero Trust Secure DNS Locations Write role, designed to provide DNS filtering customers with granular control over third-party access when configuring their Protective DNS (PDNS) solutions.

Many DNS filtering customers rely on external service partners to manage their DNS location endpoints. This role allows you to grant access to external parties to administer DNS locations without overprovisioning their permissions.

Secure DNS Location Requirements:

Mandate usage of Bring your own DNS resolver IP addresses if available on the account.
Require source network filtering for IPv4/IPv6/DoT endpoints; token authentication or source network filtering for the DoH endpoint.

You can assign the new role via Cloudflare Dashboard (Manage Accounts > Members) or via API. For more information, refer to the Secure DNS Locations documentation.

Cloudflare One Client - Cloudflare One Agent for Android (version 2.4)

Mon, 17 Mar 2025 00:00:00 GMT

A new GA release for the Android Cloudflare One Agent is now available in the Google Play Store. This release includes a new feature allowing team name insertion by URL during enrollment, as well as fixes and minor improvements.

Changes and improvements

Improved in-app error messages.
Improved mobile client login with support for team name insertion by URL.
Fixed an issue preventing admin split tunnel settings taking priority for traffic from certain applications.

Cloudflare One Client - Cloudflare One Agent for iOS (version 1.10)

Mon, 17 Mar 2025 00:00:00 GMT

A new GA release for the iOS Cloudflare One Agent is now available in the iOS App Store. This release includes a new feature allowing team name insertion by URL during enrollment, as well as fixes and minor improvements.

Changes and improvements

Improved in-app error messages.
Improved mobile client login with support for team name insertion by URL.
Bug fixes and performance improvements.

Cloudflare Network Firewall - Cloudflare IP Ranges List

Thu, 13 Mar 2025 00:00:00 GMT

Magic Firewall now supports a new managed list of Cloudflare IP ranges. This list is available as an option when creating a Magic Firewall policy based on IP source/destination addresses. When selecting "is in list" or "is not in list", the option "Cloudflare IP Ranges" will appear in the dropdown menu.

This list is based on the IPs listed in the Cloudflare IP ranges. Updates to this managed list are applied automatically.

Note: IP Lists require a Cloudflare Advanced Network Firewall subscription. For more details about Cloudflare Network Firewall plans, refer to Plans.

Digital Experience Monitoring - Cloudflare One Agent now supports Endpoint Monitoring

Fri, 07 Mar 2025 00:00:00 GMT

Digital Experience Monitoring (DEX) provides visibility into device, network, and application performance across your Cloudflare SASE deployment. The latest release of the Cloudflare One agent (v2025.1.861) now includes device endpoint monitoring capabilities to provide deeper visibility into end-user device performance which can be analyzed directly from the dashboard.

Device health metrics are now automatically collected, allowing administrators to:

View the last network a user was connected to
Monitor CPU and RAM utilization on devices
Identify resource-intensive processes running on endpoints

This feature complements existing DEX features like synthetic application monitoring and network path visualization, creating a comprehensive troubleshooting workflow that connects application performance with device state.

For more details refer to our DEX documentation.

Browser Isolation - Gain visibility into user actions in Zero Trust Browser Isolation sessions

Tue, 04 Mar 2025 00:00:00 GMT

We're excited to announce that new logging capabilities for Remote Browser Isolation (RBI) through Logpush are available in Beta starting today!

With these enhanced logs, administrators can gain visibility into end user behavior in the remote browser and track blocked data extraction attempts, along with the websites that triggered them, in an isolated session.

{
  "AccountID": "$ACCOUNT_ID",
  "Decision": "block",
  "DomainName": "www.example.com",
  "Timestamp": "2025-02-27T23:15:06Z",
  "Type": "copy",
  "UserID": "$USER_ID"
}

User Actions available:

Copy & Paste
Downloads & Uploads
Printing

Learn more about how to get started with Logpush in our documentation.

Access - New SAML and OIDC Fields and SAML transforms for Access for SaaS

Mon, 03 Mar 2025 00:00:00 GMT

Access for SaaS applications now include more configuration options to support a wider array of SaaS applications.

SAML and OIDC Field Additions

OIDC apps now include:

Group Filtering via RegEx
OIDC Claim mapping from an IdP
OIDC token lifetime control
Advanced OIDC auth flows including hybrid and implicit flows

SAML apps now include improved SAML attribute mapping from an IdP.

SAML transformations

SAML identities sent to Access applications can be fully customized using JSONata expressions. This allows admins to configure the precise identity SAML statement sent to a SaaS application.

Email security - Use Logpush for Email security detections

Sat, 01 Mar 2025 23:22:49 GMT

You can now send detection logs to an endpoint of your choice with Cloudflare Logpush.

Filter logs matching specific criteria you have set and select from over 25 fields you want to send. When creating a new Logpush job, remember to select Email security alerts as the dataset.

For more information, refer to Enable detection logs.

This feature is available across these Email security packages:

Enterprise
Enterprise + PhishGuard

Email security - Check status of Email security or Area 1

Thu, 27 Feb 2025 23:22:49 GMT

Concerns about performance for Email security or Area 1? You can now check the operational status of both on the Cloudflare Status page.

For Email security, look under Cloudflare Sites and Services.

Dashboard is the dashboard for Cloudflare, including Email security
Email security (Zero Trust) is the processing of email
API are the Cloudflare endpoints, including the ones for Email security

For Area 1, under Cloudflare Sites and Services:

Area 1 - Dash is the dashboard for Cloudflare, including Email security
Email security (Area1) is the processing of email
Area 1 - API are the Area 1 endpoints

This feature is available across these Email security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Email security - Use DLP Assist for M365

Tue, 25 Feb 2025 23:22:49 GMT

Cloudflare Email security customers who have Microsoft 365 environments can quickly deploy an Email DLP (Data Loss Prevention) solution for free.

Simply deploy our add-in, create a DLP policy in Cloudflare, and configure Outlook to trigger behaviors like displaying a banner, alerting end users before sending, or preventing delivery entirely.

Refer to Outbound Data Loss Prevention to learn more about this feature.

In GUI alert:

Alert before sending:

Prevent delivery:

This feature is available across these Email security packages:

Enterprise
Enterprise + PhishGuard

Cloudflare One Appliance, Cloudflare One, Cloudflare WAN - Configure your Magic WAN Connector to connect via static IP assignment

Fri, 14 Feb 2025 00:00:00 GMT

You can now locally configure your Magic WAN Connector to work in a static IP configuration.

This local method does not require having access to a DHCP Internet connection. However, it does require being comfortable with using tools to access the serial port on Magic WAN Connector as well as using a serial terminal client to access the Connector's environment.

For more details, refer to WAN with a static IP address.

Email security - Open email links with Security Center

Fri, 07 Feb 2025 23:22:49 GMT

You can now investigate links in emails with Cloudflare Security Center to generate a report containing a myriad of technical details: a phishing scan, SSL certificate data, HTTP request and response data, page performance data, DNS records, what technologies and libraries the page uses, and more.

From Investigation, go to View details, and look for the Links identified section. Select Open in Security Center next to each link. Open in Security Center allows your team to quickly generate a detailed report about the link with no risk to the analyst or your environment.

For more details, refer to Open links.

This feature is available across these Email security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Data Loss Prevention, Gateway - Block files that are password-protected, compressed, or otherwise unscannable.

Mon, 03 Feb 2025 00:00:00 GMT

Gateway HTTP policies can now block files that are password-protected, compressed, or otherwise unscannable.

These unscannable files are now matched with the Download and Upload File Types traffic selectors for HTTP policies:

Password-protected Microsoft Office document
Password-protected PDF
Password-protected ZIP archive
Unscannable ZIP archive

To get started inspecting and modifying behavior based on these and other rules, refer to HTTP filtering.

Data Loss Prevention - Detect source code leaks with Data Loss Prevention

Mon, 20 Jan 2025 00:00:00 GMT

You can now detect source code leaks with Data Loss Prevention (DLP) with predefined checks against common programming languages.

The following programming languages are validated with natural language processing (NLP).

C
C++
C#
Go
Haskell
Java
JavaScript
Lua
Python
R
Rust
Swift

DLP also supports confidence level for source code profiles.

For more details, refer to DLP profiles.

Access - Export SSH command logs with Access for Infrastructure using Logpush

Wed, 15 Jan 2025 00:00:00 GMT

Cloudflare now allows you to send SSH command logs to storage destinations configured in Logpush, including third-party destinations. Once exported, analyze and audit the data as best fits your organization! For a list of available data fields, refer to the SSH logs dataset.

To set up a Logpush job, refer to Logpush integration.

Email security - Escalate user submissions

Thu, 19 Dec 2024 23:22:49 GMT

After you triage your users' submissions (that are machine reviewed), you can now escalate them to our team for reclassification (which are instead human reviewed). User submissions from the submission alias, PhishNet, and our API can all be escalated.

From Reclassifications, go to User submissions. Select the three dots next to any of the user submissions, then select Escalate to create a team request for reclassification. The Cloudflare dashboard will then show you the submissions on the Team Submissions tab.

Refer to User submissions to learn more about this feature.

This feature is available across these Email security packages:

Advantage
Enterprise
Enterprise + PhishGuard

Email security - Increased transparency for phishing email submissions

Thu, 19 Dec 2024 00:00:00 GMT

You now have more transparency about team and user submissions for phishing emails through a Reclassification tab in the Zero Trust dashboard.

Reclassifications happen when users or admins submit a phish to Email security. Cloudflare reviews and - in some cases - reclassifies these emails based on improvements to our machine learning models.

This new tab increases your visibility into this process, allowing you to view what submissions you have made and what the outcomes of those submissions are.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Troubleshoot tunnels with diagnostic logs

Thu, 19 Dec 2024 00:00:00 GMT

The latest cloudflared build 2024.12.2 introduces the ability to collect all the diagnostic logs needed to troubleshoot a cloudflared instance.

A diagnostic report collects data from a single instance of cloudflared running on the local machine and outputs it to a cloudflared-diag file.

For more information, refer to Diagnostic logs.

Magic Transit, Cloudflare WAN, Network Interconnect - Establish BGP peering over Direct CNI circuits

Tue, 17 Dec 2024 00:00:00 GMT

Magic WAN and Magic Transit customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and their Magic routing table when using a Direct CNI on-ramp.

Using BGP peering allows customers to:

Automate the process of adding or removing networks and subnets.
Take advantage of failure detection and session recovery features.

With this functionality, customers can:

Establish an eBGP session between their devices and the Magic WAN / Magic Transit service when connected via CNI.
Secure the session by MD5 authentication to prevent misconfigurations.
Exchange routes dynamically between their devices and their Magic routing table.

Refer to Magic WAN BGP peering or Magic Transit BGP peering to learn more about this feature and how to set it up.

Multi-Cloud Networking - Generate customized terraform files for building cloud network on-ramps

Thu, 05 Dec 2024 00:00:00 GMT

You can now generate customized terraform files for building cloud network on-ramps to Magic WAN.

Magic Cloud can scan and discover existing network resources and generate the required terraform files to automate cloud resource deployment using their existing infrastructure-as-code workflows for cloud automation.

You might want to do this to:

Review the proposed configuration for an on-ramp before deploying it with Cloudflare.
Deploy the on-ramp using your own infrastructure-as-code pipeline instead of deploying it with Cloudflare.

For more details, refer to Set up with Terraform.

CASB - Find security misconfigurations in your AWS cloud environment

Fri, 22 Nov 2024 00:00:00 GMT

You can now use CASB to find security misconfigurations in your AWS cloud environment using Data Loss Prevention.

You can also connect your AWS compute account to extract and scan your S3 buckets for sensitive data while avoiding egress fees. CASB will scan any objects that exist in the bucket at the time of configuration.

To connect a compute account to your AWS integration:

In Cloudflare One, go to Cloud & SaaS findings > Integrations.
Find and select your AWS integration.
Select Open connection instructions.
Follow the instructions provided to connect a new compute account.
Select Refresh.

Browser Isolation - Improved non-English keyboard support

Thu, 21 Nov 2024 00:00:00 GMT

You can now type in languages that use diacritics (like á or ç) and character-based scripts (such as Chinese, Japanese, and Korean) directly within the remote browser. The isolated browser now properly recognizes non-English keyboard input, eliminating the need to copy and paste content from a local browser or device.

Email security - Use Logpush for Email security user actions

Thu, 07 Nov 2024 23:22:49 GMT

You can now send user action logs for Email security to an endpoint of your choice with Cloudflare Logpush.

Filter logs matching specific criteria you have set or select from multiple fields you want to send. For all users, we will log the date and time, user ID, IP address, details about the message they accessed, and what actions they took.

When creating a new Logpush job, remember to select Audit logs as the dataset and filter by:

Field: "ResourceType"
Operator: "starts with"
Value: "email_security".

For more information, refer to Enable user action logs.

This feature is available across all Email security packages:

Enterprise
Enterprise + PhishGuard

Cloudflare Network Firewall - Search for custom rules using rule name and/or ID

Wed, 02 Oct 2024 00:00:00 GMT

The Magic Firewall dashboard now allows you to search custom rules using the rule name and/or ID.

Log into the Cloudflare dashboard and select your account.
Go to Analytics & Logs > Network Analytics.
Select Magic Firewall.
Add a filter for Rule ID.

Additionally, the rule ID URL link has been added to Network Analytics.

Access - Eliminate long-lived credentials and enhance SSH security with Cloudflare Access for Infrastructure

Tue, 01 Oct 2024 00:00:00 GMT

Organizations can now eliminate long-lived credentials from their SSH setup and enable strong multi-factor authentication for SSH access, similar to other Access applications, all while generating access and command logs.

SSH with Access for Infrastructure uses short-lived SSH certificates from Cloudflare, eliminating SSH key management and reducing the security risks associated with lost or stolen keys. It also leverages a common deployment model for Cloudflare One customers: WARP-to-Tunnel.

SSH with Access for Infrastructure enables you to:

Author fine-grained policy to control who may access your SSH servers, including specific ports, protocols, and SSH users.
Monitor infrastructure access with Access and SSH command logs, supporting regulatory compliance and providing visibility in case of security breach.
Preserve your end users' workflows. SSH with Access for Infrastructure supports native SSH clients and does not require any modifications to users’ SSH configs.

To get started, refer to SSH with Access for Infrastructure.

Risk Score - Exchange user risk scores with Okta

Mon, 17 Jun 2024 00:00:00 GMT

Beyond the controls in Zero Trust, you can now exchange user risk scores with Okta to inform SSO-level policies.

First, configure Cloudflare One to send user risk scores to Okta.

Set up the Okta SSO integration.
In the Cloudflare dashboard, go to Zero Trust > Integrations > Identity providers.
In Your identity providers, locate your Okta integration and select Edit.
Turn on Send risk score to Okta.
Select Save.
Upon saving, Cloudflare One will display the well-known URL for your organization. Copy the value.

Next, configure Okta to receive your risk scores.

On your Okta admin dashboard, go to Security > Device Integrations.
Go to Receive shared signals, then select Create stream.
Name your integration. In Set up integration with, choose Well-known URL.
In Well-known URL, enter the well-known URL value provided by Cloudflare One.
Select Create.

Access, Browser Isolation, CASB, Cloudflare Tunnel for SASE, Digital Experience Monitoring, Data Loss Prevention, Email security, Gateway, Multi-Cloud Networking, Cloudflare Network Firewall, Network Flow, Magic Transit, Cloudflare WAN, Network Interconnect, Risk Score, Cloudflare One Client - Explore product updates for Cloudflare One

Sun, 16 Jun 2024 00:00:00 GMT

Welcome to your new home for product updates on Cloudflare One.

Our new changelog lets you read about changes in much more depth, offering in-depth examples, images, code samples, and even gifs.

If you are looking for older product updates, refer to the following locations.

Older product updates