Include warp and email and with domain policy not working as expected

I’m trying to combine two include policies. One is requirement for warp and the other is email ending at a domain. I expect that if I’m connected to warp, the login page shouldn’t show. And if I’m not connected to warp, the login page should show. But as soon as I add email ending at domain to the policy, it forces me to login. Even with warp connected. But if i then remove the email ending on domain policy, it still forces me to login. Even though only the warp policy is there.

Any clue what’s going on? Am I configuring something wrong?


What action is your policy set to for WARP?

I set the following in as an application policy:

And the action is set to allow:

Allow will always show the login screen - it just means that you would be accepted at the login screen if you met the criteria.

Bypass is what will skip the login screen if you meet the criteria.

Also something to note, the WARP posture means anyone using WARP including the consumer VPN. If you want it to only be users who are using WARP enrolled into your Zero Trust organisation then use the Gateway posture.

Okay! That makes sense. I’m going to try that. Thanks for your help! Gateway would only allow users who are connected to my gateway and no other gateways? (aka other Cloudflare gateway users from team x?)


This device posture attribute will check for all versions of WARP, including the consumer version.

With Require Gateway you can allow access to your applications only to devices enrolled in your organization’s instance of Gateway. Unlike Require WARP, which will check for any WARP instance (including the consumer version), Require Gateway will only allow requests coming from devices whose traffic is filtered by your organization’s Cloudflare Gateway configuration. This policy is best used when you want to protect company-owned assets by only allowing access to employees.

1 Like

Awesome! Must have missed that in the docs. Thanks again!

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.