WARP device posture check for DoH mode

We’re testing out zero trust with the end goal of allowing authenticated users who are using the WARP client in DoH mode access to an internal site. Our current setup:

  • Domain added in Cloudflare
  • Zero Trust setting “Device Posture” has “Warp” added
  • Added a cloudflared instance to internal network, and connected as a tunnel. The tunnel is configured with the subdomain as a public hostname to use and points to the internal resource
  • Access → Applications added to include our authenticated users and require Warp

The problem is, with Gateway in DoH mode I’m still receiving a Forbidden Access page when attempting to navigate to the site. However, Gateway in WARP is successful. If I remove “Require WARP” from the Access Policy of the application I can access the site with Gateway in DoH mode. However, this also opens up access to users without the WARP client to visit the page after authentication and we want to force the WARP client even if it’s in DoH mode.

Am I incorrect in the assumption that the access policy device posture check would allow users with the WARP client in both Gateway DoH and Gateway WARP to pass? Any suggestions on a setting I’m missing that would allow this scenario?

The Warp device posture check requires that the device be using WARP mode. The device posture data is correlated to the device based on Warp connection data. In DoH mode there’s no client-specific data sent for HTTPS requests for the policy to act upon.

Thanks for the clarification, makes sense. Appreciate it!
