A problem with updating the exclusion IP list of Split Tunnels via the API

I am trying to update the exclusion IP list (Settings -> WARP Client -> Default profile -> Split Tunnels -> Excluded IPs and domains) via the API.
I can get the list successfully with this command:

curl --request GET \
  --url https://api.cloudflare.com/client/v4/accounts/account_id/devices/policy/exclude \
  --header 'Content-Type: application/json' \
  --header 'X-Auth-Email: email.com' \
  --header 'X-Auth-Key: key'

and get all the info like this:

{
    "result": [
        {
            "address": "ff05::/16"
        },
        {
            "address": "ff04::/16"
        },
        {
            "address": "ff03::/16"
        },
        {
            "address": "ff02::/16"
        }        
    ],
    "success": true,
    "errors": [],
    "messages": [],
    "result_info": {
        "page": 1,
        "per_page": 19,
        "count": 19,
        "total_count": 19
    }
}

But when I try to update the exclude list through the API I get an error.
The command is like this:

curl --request PUT \
  --url https://api.cloudflare.com/client/v4/accounts/account_id/devices/policy/exclude \
  --header 'Content-Type: application/json' \
  --header 'X-Auth-Email: email.com' \
  --header 'X-Auth-Key: key' \
  --data '[
  {
    "address": "192.0.2.0/24",
    "description": "Exclude testing domains from the tunnel",
    "host": "*.example.com"
  }
]'

Error message:

{
    "result": null,
    "success": false,
    "errors": [
        {
            "code": 2049,
            "message": "cannot update split tunnels: Host and Address both cannot be present"
        }
    ],
    "messages": []
}

I read the API doc; the example there is like this:

curl --request PUT \
  --url https://api.cloudflare.com/client/v4/accounts/account_id/devices/policy/policy_id/exclude \
  --header 'Content-Type: application/json' \
  --header 'X-Auth-Email: ' \
  --data '[
  {
    "address": "192.0.2.0/24",
    "description": "Exclude testing domains from the tunnel",
    "host": "*.example.com"
  }
]'

But I can't find any policy_id; I just use this page path "Settings -> WARP Client -> Default profile -> Split Tunnels -> Excluded IPs and domains", i.e. the default profile.

Does anyone know how to solve this problem?

Thanks a lot.

Use this endpoint to get policy IDs programmatically (or you can just extract them from the dashboard if they won't be changing)…

Use either IP address or a hostname, don’t use both.

The documentation shows…

address
string
The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

host
string
The domain name to exclude from the tunnel. If host is present, address must not be present.
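A worked example added here by the editor (not code from the original posts or from Cloudflare): a small Python helper that enforces the documented one-of-`address`-or-`host` rule client-side before anything is sent, adds a strict CIDR check, picks the exclude URL for the default profile (no policy_id, `/devices/policy/exclude`) versus a custom profile (`/devices/policy/{policy_id}/exclude`), and builds the PUT request without sending it. Assumptions: the `name` and `policy_id` fields on custom profiles in the GET `/devices/policies` result are taken from the API reference and are not shown in this thread; the sample policies and entries are constructed; authentication uses a scoped API token (`Authorization: Bearer`) rather than the Global API Key used in the thread.

```python
import ipaddress
import json
import urllib.request
from typing import Optional, Tuple

API_BASE = "https://api.cloudflare.com/client/v4"

# Constructed sample data for the demonstration (not real tenant data).
BAD_ENTRY = {  # the payload from the question: both keys present
    "address": "192.0.2.0/24",
    "description": "Exclude testing domains from the tunnel",
    "host": "*.example.com",
}
GOOD_ENTRIES = [
    {"address": "192.0.2.0/24", "description": "Test network"},
    {"host": "*.example.com", "description": "Testing domains"},
    {"address": "fe80::/10", "description": "IPv6 Link Local"},
]
# Shape of GET /devices/policies "result": the default profile has no policy_id;
# the custom one carries name/policy_id (assumed field names, per API reference).
SAMPLE_POLICIES = [
    {"default": True, "enabled": True, "exclude": GOOD_ENTRIES},
    {"default": False, "name": "Contractors", "policy_id": "0123abcd-assumed"},
]


def validate_exclude_entry(entry: dict) -> Optional[str]:
    """Return an error string if `entry` would be rejected, else None.

    Documented rule: exactly one of address (CIDR) or host (domain) per entry.
    The strict CIDR check (no host bits set) is an added client-side check.
    """
    has_address, has_host = "address" in entry, "host" in entry
    if has_address and has_host:
        return "Host and Address both cannot be present"
    if not (has_address or has_host):
        return "one of address or host is required"
    if has_address:
        try:
            ipaddress.ip_network(entry["address"], strict=True)
        except ValueError as exc:
            return f"invalid CIDR {entry['address']!r}: {exc}"
        return None
    host = entry["host"]
    if not host or host.startswith(".") or any(c.isspace() for c in host):
        return f"invalid host {host!r}"
    return None


def validate_exclude_list(entries: list) -> list:
    """Return [(index, error)] for every bad entry; an empty list means OK."""
    problems = []
    for i, entry in enumerate(entries):
        err = validate_exclude_entry(entry)
        if err is not None:
            problems.append((i, err))
    return problems


def policy_id_for(policies: list, name: Optional[str] = None) -> Optional[str]:
    """Find a profile's id in the GET /devices/policies result.

    name=None selects the default profile, which (as the thread shows) has
    no policy_id, so None is returned and maps to the default-profile URL.
    """
    for p in policies:
        if name is None and p.get("default"):
            return p.get("policy_id")
        if name is not None and p.get("name") == name:
            return p["policy_id"]
    raise KeyError(name or "default")


def exclude_url(account_id: str, policy_id: Optional[str] = None) -> str:
    """Default profile has no policy_id segment; custom profiles do."""
    if policy_id is None:
        return f"{API_BASE}/accounts/{account_id}/devices/policy/exclude"
    return f"{API_BASE}/accounts/{account_id}/devices/policy/{policy_id}/exclude"


def build_put(account_id: str, entries: list, token: str,
              policy_id: Optional[str] = None) -> Tuple[str, str, dict, str]:
    """Validate, then return (method, url, headers, body) without sending.

    PUT sets the whole list, so pass every entry you want to keep, not just
    the new one. A scoped API token is used instead of the Global API Key.
    """
    problems = validate_exclude_list(entries)
    if problems:
        raise ValueError(f"refusing to send invalid split tunnel list: {problems}")
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    return "PUT", exclude_url(account_id, policy_id), headers, json.dumps(entries)


def send(method: str, url: str, headers: dict, body: str) -> dict:
    """Perform the request built by build_put (needs network and a real token)."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print("bad entry:", validate_exclude_entry(BAD_ENTRY))
    method, url, hdrs, body = build_put("account_id", GOOD_ENTRIES, "token",
                                        policy_id_for(SAMPLE_POLICIES))
    print(method, url)
    print(body)
```

The check reproduces the API's own rejection ("Host and Address both cannot be present") locally, so a bad entry is caught before a PUT can replace the live list with something half-wrong, and `policy_id_for` makes the default-profile case explicit instead of guessing at a missing id.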

Thank you very much for your quick response. :smiley:

I tested the command from the API doc, but get a result like this, with no policy id in it.
Command:

curl --request GET \
  --url https://api.cloudflare.com/client/v4/accounts/account_id/devices/policies \
  --header 'Content-Type: application/json' \
  --header 'X-Auth-Email: '

Result:

{
    "result": [
        {
            "service_mode_v2": {
                "mode": "warp"
            },
            "disable_auto_fallback": false,
            "fallback_domains": [
                {
                    "suffix": "home.arpa"
                },
                {
                    "suffix": "intranet"
                },
                {
                    "suffix": "internal"
                },
                {
                    "suffix": "private"
                },
                {
                    "suffix": "localdomain"
                },
                {
                    "suffix": "domain"
                },
                {
                    "suffix": "lan"
                },
                {
                    "suffix": "home"
                },
                {
                    "suffix": "host"
                },
                {
                    "suffix": "corp"
                },
                {
                    "suffix": "local"
                },
                {
                    "suffix": "localhost"
                },
                {
                    "suffix": "invalid"
                },
                {
                    "suffix": "test"
                }
            ],
            "exclude": [
                {
                    "address": "ff05::/16"
                },
                {
                    "address": "ff04::/16"
                },
                {
                    "address": "ff03::/16"
                },
                {
                    "address": "ff02::/16"
                },
                {
                    "address": "ff01::/16"
                },
                {
                    "address": "fe80::/10",
                    "description": "IPv6 Link Local"
                },
                {
                    "address": "fd00::/8"
                },
                {
                    "address": "255.255.255.255/32",
                    "description": "DHCP Broadcast"
                }
            ],
            "gateway_unique_id": "46badd20141f7a8207b2d9cff2ea434c",
            "support_url": "",
            "captive_portal": 180,
            "allow_mode_switch": false,
            "switch_locked": false,
            "allow_updates": false,
            "auto_connect": 0,
            "allowed_to_leave": true,
            "enabled": true,
            "default": true,
            "exclude_office_ips": true,
            "lan_allow_minutes": 0,
            "tunnel_protocol": ""
        }
    ],
    "success": true,
    "errors": [],
    "messages": [],
    "result_info": {
        "page": 1,
        "per_page": 1,
        "count": 1,
        "total_count": 1
    }
}

About the address: in the example above I used

"address": "192.0.2.0/24"

which I think is a valid address.