Warp or Gateway Policy using Cloudflare Warp (Teams / Zero Trust)

Security Gateway
#1

Hello, I’ve been attempting to perform the following.

Protect an application (website) using a Cloudflare for Teams (Cloudflare Zero Trust) policy however when the user has the Cloudflare Warp Client connected to the organization I want it to bypass the authentication page.

Here’s what I did:

  • Create a new application and configure it to protect my application
  • Tested entering into the application and an authentication page was showed
  • Created a new bypass rule and tested specifying a country or ip address to see if the bypass rule works, and it does
  • Changed the previous rule to Bypass for Warp or Gateway and it didn’t worked

Here’s what I’ve found so far:

With Warp connected to a team/organization

image
image1920×1045 62.9 KB

With Warp connected (disconnected from a team/organization)

image
image1920×1042 62.4 KB

With Warp disconnected

image
image1920×1042 62.3 KB

Device Posture

image
image1242×814 89.6 KB

Settings

image
image2168×624 117 KB

Device Posture

image
image1682×1420 129 KB

Policy

image
image1470×1830 219 KB

TLDR: Want to bypass authentication when connected to Cloudflare Warp inside a Team/Organization.

Any tips?
Thanks!

Cloudflare require gateway is not working
#2

I have found you need to enable TLS decryption in your network settings. However, i still can’t get this to work reliably. It work when I set a bypass rule to “Warp” (any warp client), but not “gateway” (warp client logged in to team). This indicates that Cloudflare somehow does not see that my Warp client is enrolled in my team and thus it won’t apply the bypass rule.

#3

Thanks for your reply. I did check my configuration and I already have TLS Decryption enabled. I tried to toggle it off and toggle it on again to see if something changed but it didn’t.

image
image2180×392 68.8 KB 

➜  ~ curl 'https://help.teams.cloudflare.com/cdn-cgi/trace'
...
ts=1644940573.344
visit_scheme=https
uag=curl/7.64.1
colo=LIS
http=http/2
loc=PT
tls=TLSv1.2
sni=plaintext
warp=off
gateway=off

I was already seeing traffic in the Cloudflare Analytics which shows me that the inspection is already in place.

#4

I would like to add that, when creating a new organization I have different results than the ones posted here. It seems that older organizations are not behaving properly. I’ve already reported this situation on a ticket.