Hello, I’m trying to setup device posture checks for my Zero Trust team so that a user must be connected via warp in order to access an application (example.mydomain.com) with no luck.
In my attempts to track down the issue I’ve identified that the problem seems to be related my Zero Trust configuration. What I’ve found is that when I visit https://cloudflare.com/cdn-cgi/trace or https://example.mydomain.com/cdn-cgi/trace from a warp client that is not connected to my Zero Trust team, the webpage prints ‘warp=on’ as expected. This indicates to me that the device posture would have been successful. However, once the warp client is enrolled in my team, both pages print warp=off even though it clearly is enabled.
Is there some key configuration setting that I’ve missed?
@albert thanks for that… been banging my head against a wall for a few days trying to understand how this works.
This was the critical issue i was missing.
The “Proxy” option is enabled in Settings → Network → Firewall
A great addition to the tutorial would be a succinct explanation as to what impact this Firewall setting may have on the overall security posture? ie. why is it not turned on by default.
Taking a wild guess, since the L7 proxy enables DPI, any app that has their certification pinned would stop working.
Applications such as Discord, Slack, AVs (partially) might stop working as they detect something is intercepting the connection, you will need to allowlist those applications from the dashboard.
That’s a helpful tutorial. I definitely want to use the ‘gateway’ posture check and not warp alone. It seems like my configuration currently aligns with the steps in the post but neither gateway or warp checks are working.
Going back to my original post I think it’s very odd that the warp posture check does work when the warp client is not logged into my account. Everything breaks when I register the warp client with my organization. Any ideas?
Yes, my first post explained that I used the https://cloudflare.com/cdn-cgi/trace page to debug. Here is most of the output when my warp client is turned on and logged in:
fl=354f35
h=cloudflare.com
ip=*removed*
ts=1673307419.606
visit_scheme=https
uag=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
colo=IAD
sliver=010-tier1
http=http/2
loc=US
tls=TLSv1.3
sni=plaintext
warp=off
gateway=off
kex=X25519
Your computer is not sending the request through WARP. Have you made changes to the split-tunnel settings? Do you have any other VPN software installed?
My split-tunnel settings seemed to be the source of the issue. Resetting the split-tunnel back to ‘Exclude IPs and domains’ fixed my problems. I’m curious why the split tunnel settings had any effect on the posture check though.
Your split-tunnel settings caused outgoing connections to be made directly rather than through Cloudflare WARP. Since the connection was not routed through Cloudflare WARP, the client did not pass the posture check.
