One of the problems we encounter with ForcePoint currently is that when their data centers go down, there is no way of failing back to regular internet in order to keep users working. Does ZT Gateway have a failback solution that would help in this type of scenario or avoid it altogether?
You mean to have it automatically bypass Cloudflare’s VPN if it’s unreachable with no user interaction required?
Yes, so if the ZT/WARP client is on, then Cloudflare has an outage, does the ZT tunnel failback to not fully tunneling, or will it turn off?
Ideally with no user interaction as we would want to lock the ZT/WARP client to being connected.
That sounds like a security risk. All it takes is a bad actor to block Cloudflare on the network, and that would force the user’s requests off the secure connection without them even knowing. As it is, it’s acting like a kill switch to prevent this from happening.
With WARP, a user can switch it to DNS or completely off if they’re facing disruption, but it would be a conscious decision.
I’d just also like to add that Cloudflare has 350+ locations and still increasing. The risk of ZT going down is very low as it’s designed to reroute to an available location.
Definitely still possible. But low.
Could it maybe fail back to a protected DNS-only mode if the WARP client is switched off by the user? Possibly only allowing them to access a restricted set of work required domains?
I may be a little paranoid because ForcePoint has had 3 outages in the past month. Their product uses proxy PACs, which doesn’t seem as flexible as CF Gateway.
Good to know. ForcePoint has data centers in major locations (NoVA, Chicago, NY, etc.), and they have to manually initiate a failover if users connected at a location start to have issues.
It’s also a safe bet that if ZT goes down, it’s going to get the full attention of everybody at Cloudflare, because they use it internally.
Bumping my earlier reply, in case it was missed.
Yes, it has several.
You can set WARP so users can toggle it on/off.
You can force WARP off from your MDM.
You can enable the admin override flag.
Yes. But the DNS policy doesn’t change based on mode.
Great, thank you all for the support!