Allow only mode for Cloudflare Gateway

Is there a way to configure Cloudflare Gateway policies to set them to an “allow only” mode?

i.e. by default all domains are blocked, and only domains that you specifically allow will be permitted.

We are looking at making a switch from Umbrella to Cloudflare Gateway, but it looks like Gateway may be lacking this feature.

My initial thought for a workaround was to block all TLDs and then allow certain domains. However, it looks like Cloudflare Gateway has a max of 1000 domains per policy, and there are currently about 1500 TLDs.

https://data.iana.org/TLD/tlds-alpha-by-domain.txt
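As an added example (not code from the original thread or from Cloudflare), a small Python script that parses the IANA TLD file format linked above and splits the result into block lists that stay under the 1000-domains-per-policy limit quoted in the question, so you can see how many block policies a "block every TLD, then allow specific domains" setup would need. The file body below is a constructed sample in the IANA format; the script does not talk to the Gateway API.

```python
"""Split an IANA TLD list into block lists that fit a per-policy domain limit."""
from typing import List

# Constructed sample in the layout of https://data.iana.org/TLD/tlds-alpha-by-domain.txt:
# a '#' comment header line, then one upper-case TLD per line (IDN TLDs appear as punycode).
SAMPLE_TLD_FILE = """# Version 2024010100, Last Updated Mon Jan  1 07:07:01 2024 UTC
AAA
AARP
ABB
COM
NET
ORG
XN--P1AI
"""

MAX_DOMAINS_PER_POLICY = 1000  # limit quoted in the question


def parse_iana_tlds(text: str) -> List[str]:
    """Return the TLDs in an IANA tlds-alpha-by-domain.txt body, lower-cased and de-duplicated."""
    seen = set()
    tlds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip the version header and blank lines
            continue
        tld = line.lower()  # Gateway domain entries are case-insensitive; normalise for comparison
        if tld not in seen:
            seen.add(tld)
            tlds.append(tld)
    return tlds


def chunk_policies(domains: List[str], limit: int = MAX_DOMAINS_PER_POLICY) -> List[List[str]]:
    """Split a domain list into consecutive block lists, each no longer than `limit`."""
    if limit < 1:
        raise ValueError("limit must be positive")
    return [domains[i:i + limit] for i in range(0, len(domains), limit)]


def build_block_lists(text: str, limit: int = MAX_DOMAINS_PER_POLICY) -> List[List[str]]:
    """Parse the IANA file and return the block lists a 'block every TLD' policy set would need."""
    return chunk_policies(parse_iana_tlds(text), limit)


if __name__ == "__main__":
    # A small limit here just to show the split on the short sample.
    for n, block in enumerate(build_block_lists(SAMPLE_TLD_FILE, limit=3), 1):
        print(f"block policy {n}: {len(block)} TLDs: {', '.join(block)}")
```

With the real file (about 1500 TLDs) and the 1000-entry limit the split yields two block policies; the explicit allow policy for the admin consoles still has to be ordered ahead of them.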

Great use case… can you provide a bit more context as to your end state?

We previously blocked all internet access on our PAWs (Privileged access workstations). But now with more and more of our applications moving to the cloud, we need to access things like the O365 admin console, Cloudflare admin console, Duo admin console, Cisco Meraki admin console etc… from our PAWs.

We initially used a proxy server to do this: we had explicit allow rules for these admin consoles, and then a final rule to block all other sites at the end. It was okay, but there were issues with this model working remotely, so we switched to using Umbrella.

We implemented Cisco Umbrella just for our PAWs, and used their Allow-Only mode for this purpose (Create and Apply Policies).

Umbrella works okay but it is a bit quirky at times, as sometimes it allows all names to resolve for the first few minutes after a user logs in. We have just learnt to live with this.

We are now looking at setting up a web security solution for all of our machines company wide and have been trialling Cloudflare Gateway, and it works well. Really well. Ideally we would like to move our PAWs to the same platform that we use for the rest of our machines, but to do this we would need an Allow-only mode.