Zero Trust allow access only from WARP


What I want to do: allow access to internal web server only from WARP clients. Block access from everywhere else.

I set up a tunnel using cloudflared, configured a public hostname pointing to an internal web server.

I installed WARP client and enrolled it to Zero Trust.

If I create Firewall Policy to Block access to said website - it applies only if user is connected via WARP (user gets “website restricted” error). However, website is still accessable for everyone on the internet without WARP client.

What am I missing? Why Firewall Policy does not apply to non-WARP access?