Gateway (Secure Web Gateway)
By the end of this lesson you will understand how Cloudflare Gateway provides DNS-level security, how to configure DNS policies, and what's included in the free tier.
What Is Cloudflare Gateway?
Cloudflare Gateway is a Secure Web Gateway (SWG) that filters DNS queries and HTTP traffic to block malware, phishing, and policy-violating content. It works by routing your DNS queries through Cloudflare, where policies are applied before resolution.
```mermaid
flowchart LR
    DEVICE["Your Device\n(WARP Client)"] -->|"DNS Query"| GW["Cloudflare Gateway"]
    GW -->|"Policy Check"| POLICY{"Allowed?"}
    POLICY -->|"✅ Allowed"| RESOLVE["Resolve\n(normal browsing)"]
    POLICY -->|"❌ Blocked"| BLOCK["Block Page\n(malware / phishing)"]
    style GW fill:#f6821f,color:#fff,stroke:#e5711e
    style BLOCK fill:#dc2626,color:#fff,stroke:#b91c1c
    style RESOLVE fill:#16a34a,color:#fff,stroke:#15803d
```
Free Tier
| Feature | Free (up to 50 users) |
|---|---|
| DNS filtering | ✅ |
| Security categories (malware, phishing) | ✅ |
| Custom block lists | ✅ |
| Content categories | ✅ |
| DNS query logging | ✅ (24-hour retention) |
| HTTP filtering | ❌ (Paid Teams plan) |
| User identity-based policies | ✅ (with WARP) |
DNS Policies
DNS policies are the core of Gateway. They let you block or allow DNS resolution based on categories, domains, or custom lists.
Creating a DNS Policy
1. Go to Zero Trust → Gateway → Firewall Policies → DNS
2. Click "Create a policy"
3. Define the traffic selector and action, for example:
Block Malware and Phishing
| Setting | Value |
|---|---|
| Policy name | Block Threats |
| Traffic | Security Categories in Malware, Phishing, Spam |
| Action | Block |
Block Social Media (Content Filtering)
| Setting | Value |
|---|---|
| Policy name | Block Social Media |
| Traffic | Content Categories in Social Networks |
| Action | Block |
Block Specific Domains
| Setting | Value |
|---|---|
| Policy name | Block Distractions |
| Traffic | Domain in reddit.com, tiktok.com |
| Action | Block |
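To make the behaviour of the three policies above concrete, here is a small model of how ordered DNS policies decide a query. This is an added example written for this lesson, not Cloudflare's code: it assumes policies are checked top to bottom, that the first match decides, and that a query matching no policy is allowed (Gateway's allow-by-default behaviour). The category labels attached to the sample queries and the rule that a "Domain in" selector also covers subdomains are modelled here, not read from Gateway.

```python
"""Simplified model of how ordered DNS policies decide a query.
Added example, not Cloudflare's code. Assumptions: policies are checked top
to bottom, the first match decides, and a query matching no policy is
allowed (allow-by-default). Category labels and the 'Domain in' subdomain
matching are modelled here, not read from Gateway."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Tuple


@dataclass
class DnsQuery:
    domain: str
    # Categories would come from Cloudflare's classification; constructed here.
    security_categories: FrozenSet[str] = frozenset()
    content_categories: FrozenSet[str] = frozenset()


@dataclass
class Policy:
    name: str
    action: str                          # "Block" or "Allow"
    matches: Callable[[DnsQuery], bool]  # the traffic selector


def security_category_in(*cats: str) -> Callable[[DnsQuery], bool]:
    """Selector: Security Categories in {cats}."""
    wanted = frozenset(cats)
    return lambda q: bool(q.security_categories & wanted)


def content_category_in(*cats: str) -> Callable[[DnsQuery], bool]:
    """Selector: Content Categories in {cats}."""
    wanted = frozenset(cats)
    return lambda q: bool(q.content_categories & wanted)


def domain_in(*domains: str) -> Callable[[DnsQuery], bool]:
    """Selector: Domain in {domains}. Modelled to match the domain and its
    subdomains (www.reddit.com) but not look-alikes (notreddit.com)."""
    wanted = tuple(d.lower().rstrip(".") for d in domains)

    def _match(q: DnsQuery) -> bool:
        name = q.domain.lower().rstrip(".")
        return any(name == d or name.endswith("." + d) for d in wanted)

    return _match


# The three policies from the tables above, in dashboard order.
POLICIES = [
    Policy("Block Threats", "Block",
           security_category_in("Malware", "Phishing", "Spam")),
    Policy("Block Social Media", "Block",
           content_category_in("Social Networks")),
    Policy("Block Distractions", "Block",
           domain_in("reddit.com", "tiktok.com")),
]


def evaluate(query: DnsQuery, policies=POLICIES) -> Tuple[str, Optional[str]]:
    """Return (action, policy name); ("Allow", None) when nothing matches."""
    for policy in policies:
        if policy.matches(query):
            return policy.action, policy.name
    return "Allow", None


if __name__ == "__main__":
    # Constructed queries: the categories are what Gateway would have attached.
    samples = [
        DnsQuery("login-update.example", frozenset({"Phishing"})),
        DnsQuery("www.reddit.com", content_categories=frozenset({"Social Networks"})),
        DnsQuery("api.tiktok.com"),
        DnsQuery("notreddit.com"),
    ]
    for q in samples:
        print(f"{q.domain:28} -> {evaluate(q)}")
```

Note that `www.reddit.com` is reported as blocked by "Block Social Media" rather than "Block Distractions": with first-match evaluation, the policy that sits higher in the list is the one that shows up in your logs, which matters when you later try to work out why a domain was blocked.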
Configuring Devices
To route DNS through Gateway, devices need to use your Gateway DNS endpoint:
Option 1: WARP Client (Recommended)
Install the WARP client and enroll it in your Zero Trust organization. All DNS queries are automatically routed through Gateway.
Option 2: DNS over HTTPS (DoH)
Configure your devices or router to use your team's Gateway DoH endpoint:
`https://<team-id>.cloudflare-gateway.com/dns-query`
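Once a device or router points at that endpoint, it helps to be able to confirm what the endpoint actually answers. The script below is an added example for this lesson, not Cloudflare's code: it builds a wire-format DNS query, sends it with the RFC 8484 POST form of the endpoint above, and parses the A records out of the reply. It assumes that a policy-blocked name answers `0.0.0.0` (Gateway's default block response when no block page is enabled) and that `TEAM_ID` is a placeholder you replace with your own team name. The `build_response` helper constructs a sample reply so the parser can be exercised offline.

```python
"""Check what a Gateway DoH endpoint answers for a name, using only the
standard library. Added example, not Cloudflare's code. Assumptions:
RFC 8484 POST to the endpoint URL from this lesson; a policy-blocked name
answers 0.0.0.0 (default block response, no block page); TEAM_ID is a
placeholder for your own team name."""
import struct
import urllib.request
from typing import List, Tuple

TEAM_ID = "your-team-id"   # placeholder: the <team-id> from the endpoint URL
DOH_URL = f"https://{TEAM_ID}.cloudflare-gateway.com/dns-query"


def _encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels (length-prefixed, zero-terminated)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format DNS query: header with RD set, one question, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack(">HH", qtype, 1)


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a possibly compressed name (RFC 1035 section 4.1.4)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes
            return off + 2
        off += 1 + length


def parse_a_records(resp: bytes) -> Tuple[int, List[str]]:
    """Return (rcode, [IPv4 answers]) from a DNS response message."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:            # A record
            addrs.append(".".join(str(b) for b in rdata))
    return flags & 0x0F, addrs


def classify(rcode: int, addrs: List[str]) -> str:
    """Map an answer to what Gateway did with the query."""
    if rcode != 0:
        return "error"
    if not addrs:
        return "no-answer"
    if all(a == "0.0.0.0" for a in addrs):
        return "blocked"
    return "resolved"


def query_gateway(name: str, url: str = DOH_URL) -> str:
    """Send the query over DoH (needs network) and classify the answer."""
    req = urllib.request.Request(
        url, data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as r:
        return classify(*parse_a_records(r.read()))


def build_response(name: str, addrs: List[str], txid: int = 0) -> bytes:
    """Constructed response for offline testing: one question, A answers
    that point back at the question name with a compression pointer."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(name) + struct.pack(">HH", 1, 1)
    answers = b""
    for addr in addrs:
        rdata = bytes(int(octet) for octet in addr.split("."))
        answers += b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 60, 4) + rdata
    return header + question + answers


if __name__ == "__main__":
    # Offline demo with constructed replies; call query_gateway("example.com")
    # against your own team's endpoint to check a real device path.
    blocked = build_response("blocked.example", ["0.0.0.0"])
    print(classify(*parse_a_records(blocked)))
    ok = build_response("example.com", ["192.0.2.10"])
    print(classify(*parse_a_records(ok)))
```

If you have enabled a block page in the Gateway settings, blocked names answer with Cloudflare's block-page address instead of `0.0.0.0`, so extend `classify` with that address before relying on it. A name that resolves normally here but is blocked on a WARP-enrolled device usually means the device's policy differs from the team-wide DoH path, which is worth checking in the DNS logs described below.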
Option 3: Dedicated IPv4/IPv6
Cloudflare assigns dedicated IP addresses for your Gateway that you can set as your DNS server.
Logging and Analytics
Gateway logs all DNS queries so you can monitor activity:
- Go to Zero Trust → Logs → Gateway → DNS
- View queries by:
  - Resolved or blocked
  - Category matched
  - Source device/user
  - Domain queried
Free tier retains DNS logs for 24 hours. Paid plans offer longer retention and export capabilities.
Common Misconceptions
"Gateway requires the WARP client"
Reality: While WARP is the easiest way to route traffic through Gateway, you can also configure Gateway's DNS endpoint directly on your device or router (via DoH or dedicated IPs).
"Gateway blocks everything by default"
Reality: Gateway allows everything by default. You must create policies to block specific categories, domains, or custom lists.
"50 free users means 50 device installations"
Reality: One user can have WARP on multiple devices (laptop, phone). The limit is 50 unique users, not 50 devices.
Key Takeaways
- Cloudflare Gateway provides DNS filtering for security and content control — free for up to 50 users.
- DNS policies block malware, phishing, and unwanted content at the DNS level.
- Works with WARP client, DoH endpoints, or dedicated DNS IPs.
- Logging provides visibility into all DNS queries (24-hour retention on free).
- Gateway allows everything by default — you must create block policies.
What's Next
- Continue to Edge Computing and Developer Platform to learn about Workers, Pages, and serverless computing.