Gateway (or Warp) as a standalone criteria for an Access policy is not currently supported. When it is, it will likely be a ‘service auth’ type rule which is non-identity based vs. an Allow rule action if that is the only criteria. It will also require that the user is using the Client in a Warp mode.