Hello, I’m trying to set up device posture checks for my Zero Trust team so that a user must be connected via warp in order to access an application (example.mydomain.com), with no luck.
In my attempts to track down the issue I’ve identified that the problem seems to be related to my Zero Trust configuration. What I’ve found is that when I visit https://cloudflare.com/cdn-cgi/trace or https://example.mydomain.com/cdn-cgi/trace from a warp client that is not connected to my Zero Trust team, the webpage prints ‘warp=on’ as expected. This indicates to me that the device posture check would have been successful. However, once the warp client is enrolled in my team, both pages print warp=off even though it clearly is enabled.
Is there some key configuration setting that I’ve missed?
Taking a wild guess: since the L7 proxy enables DPI, any app that has its certificate pinned would stop working.
Applications such as Discord, Slack and AVs (partially) might stop working as they detect that something is intercepting the connection; you will need to allowlist those applications from the dashboard.
That’s a helpful tutorial. I definitely want to use the ‘gateway’ posture check and not warp alone. It seems like my configuration currently aligns with the steps in the post, but neither the gateway nor the warp check is working.
Going back to my original post I think it’s very odd that the warp posture check does work when the warp client is not logged into my account. Everything breaks when I register the warp client with my organization. Any ideas?
My split-tunnel settings seemed to be the source of the issue. Resetting the split-tunnel back to ‘Exclude IPs and domains’ fixed my problems. I’m curious why the split tunnel settings had any effect on the posture check though.
Your split-tunnel settings caused outgoing connections to be made directly rather than through Cloudflare WARP. Since the connection was not routed through Cloudflare WARP, the client did not pass the posture check.
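The two mechanisms discussed in this thread (the warp/gateway fields reported by /cdn-cgi/trace, and the split-tunnel decision that determines whether a connection is routed through WARP at all) can be modelled in a few lines. The following is an added example written for this page; it is not code from the thread or from Cloudflare. The trace bodies, the CIDR lists and the destination address 203.0.113.10 (standing in for example.mydomain.com) are constructed, and the split-tunnel model only handles IP/CIDR rules, not the domain-based rules WARP also supports.

```python
import ipaddress
from typing import Dict, Iterable

# Constructed samples of the key=value body that /cdn-cgi/trace returns.
# Only the fields that matter for the posture check are included; the
# real endpoint returns many more (colo, ip, tls, ...).
TRACE_WARP_GATEWAY_ON = "h=example.mydomain.com\nwarp=on\ngateway=on\n"
TRACE_WARP_ONLY = "h=example.mydomain.com\nwarp=on\ngateway=off\n"
TRACE_DIRECT = "h=example.mydomain.com\nwarp=off\ngateway=off\n"

# Illustrative exclude list (private ranges only); the product's default
# split-tunnel exclude list is longer. Assumed for this example.
DEFAULT_EXCLUDE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def parse_trace(body: str) -> Dict[str, str]:
    """Parse the newline-separated key=value lines of a /cdn-cgi/trace body."""
    fields: Dict[str, str] = {}
    for line in body.splitlines():
        if "=" not in line:
            continue  # tolerate blank or malformed lines
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def posture_ok(body: str, require_gateway: bool = True) -> bool:
    """Mirror the two posture checks from the thread.

    The 'warp' check needs warp=on; the stricter 'gateway' check needs
    gateway=on as well, i.e. the traffic actually passed through Gateway.
    """
    fields = parse_trace(body)
    if fields.get("warp") != "on":
        return False
    if require_gateway and fields.get("gateway") != "on":
        return False
    return True


def is_tunneled(mode: str, rules: Iterable[str], dest_ip: str) -> bool:
    """Model the WARP split-tunnel decision for a destination IP.

    mode == "exclude": everything goes through WARP except the listed CIDRs.
    mode == "include": only the listed CIDRs go through WARP.
    """
    ip = ipaddress.ip_address(dest_ip)
    matched = any(ip in ipaddress.ip_network(r, strict=False) for r in rules)
    if mode == "exclude":
        return not matched
    if mode == "include":
        return matched
    raise ValueError(f"unknown split-tunnel mode: {mode!r}")


def expected_trace(mode: str, rules: Iterable[str], dest_ip: str) -> str:
    """What Cloudflare would report for this destination.

    Traffic that bypasses the tunnel reaches Cloudflare as a direct connection,
    so the edge cannot attribute it to a WARP session and reports warp=off.
    """
    if is_tunneled(mode, rules, dest_ip):
        return TRACE_WARP_GATEWAY_ON
    return TRACE_DIRECT


if __name__ == "__main__":
    app_ip = "203.0.113.10"  # constructed stand-in for example.mydomain.com
    # Default 'Exclude' mode: the app is tunneled and passes the gateway check.
    print("exclude mode ->", posture_ok(expected_trace("exclude", DEFAULT_EXCLUDE, app_ip)))
    # 'Include' mode listing only an internal range: the app goes direct and fails.
    print("include mode ->", posture_ok(expected_trace("include", ["10.0.0.0/8"], app_ip)))
```

The last two lines reproduce the thread's outcome: with the split tunnel in ‘Exclude IPs and domains’ mode the application traffic is routed through WARP and both checks pass; in ‘Include’ mode with only internal ranges listed, the application is reached directly, the trace shows warp=off, and the posture check fails. When debugging a real deployment, compare the ip= field of the trace with the WARP client's tunnel address as well, since a warp=off result together with your ISP address is the quickest confirmation that the connection bypassed the tunnel.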