Changelog
You can now filter Access policies by their action, selectors, rule groups, and assigned applications.
Private self-hosted applications and reusable Access policies are now generally available (GA) for all customers.
Cloudflare Access self-hosted applications can now be defined by private IPs, private hostnames (on port 443) and public hostnames. Additionally, we made Access policies into their own object which can be reused across multiple applications. These changes significantly rework the overall Access dashboard experience. The updates will be slowly rolled out to different customer cohorts. If you are an Enterprise customer and would like early access, reach out to your account team.
Enterprise customers can now use Logpush to export SSH command logs for Access for Infrastructure targets.
If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. Refer to Troubleshooting for instructions and troubleshooting steps.
Enterprise users can now provide an IP address for a private DNS resolver to use with DNS locations. Gateway supports bringing your own IPv4 and IPv6 addresses.
IP visibility enables admins to inspect the different IP addresses associated with an end-user device. IP types available for review on the Cloudflare dashboard include: the device's private IP, the public IP assigned to the device by the ISP, and the private IP of the router the device is connected to.
DLP now supports setting a confidence level for source code profiles.
When viewing decrypted payload log matches, DLP now provides more context by listing multiple DLP matches and the matching DLP profile.
Admins can now collect packet captures (PCAPs) and WARP diagnostic logs from end-user devices. For more information, refer to Remote captures.
Customers can now have more transparency about their team and user submissions. The new Reclassification tab in the Zero Trust dashboard will allow customers to have a full understanding of what submissions they have made and what the outcomes of those submissions are.
Microsoft 365 customers can now choose to scan all folders or just the inbox when deploying via the Graph API.
The latest cloudflared build 2024.12.2 introduces the ability to collect all the diagnostic logs needed to troubleshoot a cloudflared instance. For more information, refer to Diagnostic logs.
You can now deploy WARP Connector using a simplified, guided workflow similar to cloudflared connectors. For detailed instructions, refer to the WARP Connector documentation.
The new cloudflared build 2024.10.0 has a bugfix related to the --grace-period tunnel run parameter. cloudflared connectors will now abide by the specified waiting period before forcefully closing connections to Cloudflare's network.
Cloudflare's SCIM integrations with Okta and Microsoft Entra ID (formerly AzureAD) are now out of beta and generally available (GA) for all customers. These integrations can be used for Access and Gateway policies and Zero Trust user management. Note: This GA release does not include Dashboard SSO SCIM support.
Admins can now use Access for Infrastructure to manage privileged access to SSH servers. Access for Infrastructure provides improved control and visibility over who accessed what service and what they did during their SSH session. Access for Infrastructure also eliminates the risk and overhead associated with managing SSH keys by using short-lived SSH certificates to access SSH servers.
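The short-lived SSH certificates mentioned above, shown with plain OpenSSH tooling. This is an added example and not Cloudflare code: it mints a throwaway CA, signs a user certificate that is valid for only five minutes, and reads back the principals and validity window that an sshd would enforce. The CA comment, the principal name alice and the five-minute lifetime are illustrative choices, not values from the page; the only assumption about the environment is that ssh-keygen is on PATH.

```shell
#!/bin/sh
# Added example (not Cloudflare code): minting and inspecting a short-lived
# OpenSSH user certificate. Assumes ssh-keygen is on PATH. The CA comment,
# the principal "alice" and the "+5m" lifetime are hypothetical values.

# Create a throwaway CA key, a user key, and a user certificate signed by the
# CA. $1 = work dir, $2 = principal (Unix username), $3 = lifetime in
# ssh-keygen -V syntax (e.g. "+5m" = valid from now for five minutes).
# Prints the path of the resulting certificate.
mint_short_lived_cert() {
  workdir=$1; principal=$2; lifetime=$3
  ssh-keygen -q -t ed25519 -N '' -C 'hypothetical-access-ca' -f "$workdir/ca"
  ssh-keygen -q -t ed25519 -N '' -C "$principal" -f "$workdir/user"
  # -s: sign with the CA key; -I: key ID that sshd writes to its auth log;
  # -n: principals the certificate is valid for; -V: validity window.
  # No -h flag, so this is a user certificate, not a host certificate.
  ssh-keygen -q -s "$workdir/ca" -I "$principal@example.com" \
    -n "$principal" -V "$lifetime" "$workdir/user.pub"
  printf '%s\n' "$workdir/user-cert.pub"
}

# Principals embedded in the certificate: the usernames sshd will accept it
# for. Parsed from the indented block that follows "Principals:" in
# `ssh-keygen -L` output; the block ends at the next "Key: value" line.
cert_principals() {
  ssh-keygen -L -f "$1" | awk '
    /Principals:/ { p = 1; next }
    p && /:/      { exit }
    p             { print $1 }'
}

# Validity window, e.g. "from 2025-01-01T10:00:00 to 2025-01-01T10:05:00".
# After the "to" instant the certificate is simply rejected; nothing has to
# be revoked or removed from authorized_keys.
cert_validity() {
  ssh-keygen -L -f "$1" | sed -n 's/^ *Valid: //p'
}

# Would this certificate let $2 log in? Only the principal list matters here;
# sshd additionally checks the validity window and the CA signature.
cert_allows_user() {
  cert_principals "$1" | grep -qx "$2"
}

# Demo run with constructed values.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cert=$(mint_short_lived_cert "$demo_dir" alice +5m)
echo "certificate: $cert"
echo "principals : $(cert_principals "$cert")"
echo "validity   : $(cert_validity "$cert")"
```

On the target, sshd trusts every certificate signed by the CA through a single `TrustedUserCAKeys` entry in sshd_config; no per-user public keys are installed, which is what removes the key-management overhead the entry describes. Because the validity window is minutes rather than years, a stolen certificate is useless shortly after issuance without any revocation step.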
DLP profiles now support setting a confidence level to choose how tolerant its detections are to false positives based on the context of the detection. The higher a profile's confidence level is, the fewer false positives will be allowed. Confidence levels include Low, Medium, or High. DLP profile confidence levels supersede context analysis.
In addition to logging the payload from HTTP requests that matched a DLP policy in Cloudflare Logs, Enterprise users can now configure a Logpush job to send the entire HTTP request that triggered a DLP match to a storage destination. This allows long-term storage of full requests for use in forensic investigation.
You can now use CASB to find security misconfigurations in your AWS cloud environment. You can also connect your AWS compute account to extract and scan your S3 buckets for sensitive data while avoiding egress fees.
Gateway users can now create network policies with the Content Categories and Security Risks traffic selectors. This update simplifies malicious traffic blocking and streamlines network monitoring for improved security management.
Gateway users can now generate unique root CAs for their Zero Trust account. Both generated certificate and custom certificate users must activate a root certificate to use it for inspection. Per-account certificates replace the default Cloudflare certificate, which is set to expire on 2025-02-02.
Gateway now offers time-based DNS policy duration. With policy duration, you can configure a duration of time for a policy to turn on or set an exact date and time to turn a policy off.
Gateway now offers new fields in activity logs for DNS, network, and HTTP policies to provide greater insight into your users' traffic routed through Gateway.
Gateway users on Enterprise plans can create HTTP policies with file sandboxing to quarantine previously unseen files downloaded by your users and scan them for malware.
Gateway users on any plan can now use the PDNS threat intelligence feed provided by the UK National Cyber Security Centre (NCSC) in DNS policies.
Gateway users can now select which endpoints to use for a given DNS location. Available endpoints include IPv4, IPv6, DNS over HTTPS (DoH), and DNS over TLS (DoT). Users can protect each configured endpoint by specifying allowed source networks. Additionally, for the DoH endpoint, users can filter traffic based on source networks and/or authenticate user identity tokens.
You can now upload files with multiple columns of data as Exact Data Match datasets. DLP can use each column as a separate existing detection entry.
Admins can now configure Zero Trust seats to automatically expire after 1 month of user inactivity. The previous minimum was 2 months.
Email Security is now live under Zero Trust.
Customers using Microsoft Office 365 can set up Email Security via Microsoft Graph API.
macOS users can now download cloudflared-arm64.pkg directly from GitHub, in addition to being available via Homebrew.
Gateway now offers the ability to selectively ignore CNAME domain categories in DNS policies via the Ignore CNAME domain categories setting in the policy builder and the ignore_cname_category_matches setting in the API.
Gateway now offers a more extensive, categorized list of files to control uploads and downloads.
You can now exchange user risk scores with Okta to inform SSO-level policies.
You can now configure a predefined risk behavior to evaluate user risk score using device posture attributes from the SentinelOne integration.
Applications now load more quickly for customers with a large number of applications or complex policies.
Access admins can defer all CORS enforcement to their origin server for specific Access applications.
All user identity changes via SCIM or Authentication events are logged against a user's registry identity.
You can now scan your Bitbucket Cloud workspaces for a variety of contextualized security issues such as source code exposure, admin misconfigurations, and more.
You can now scan your Box and Dropbox files for DLP matches.
You can now export all top-level CASB findings or every instance of your findings to CSV.
DLP can now detect sensitive data in jpeg, jpg, and png files. This helps companies prevent the leak of sensitive data in images, such as screenshots.
Admins can view the last ISP seen for a device by going to My Team > Devices. Requires setting up a traceroute test.
Admins can now set DEX alerts using Cloudflare Notifications. Three new DEX alert types:
- Device connectivity anomaly
- Test latency
- Test low availability
Removed dependency on third-party cookies in the isolated browser, fixing an issue that previously caused intermittent disruptions for users maintaining multi-site, cross-tab sessions in the isolated browser.
Access for SaaS applications can be set up with OIDC as an authentication method. OIDC and SAML 2.0 are now both fully supported.
Users can now log in to Access applications with their WARP session identity. Users need to reauthenticate based on default session durations. WARP authentication identity must be turned on in your device enrollment permissions and can be enabled on a per-application basis.
All new Access for SaaS applications have unique Entity IDs. This allows for multiple integrations with the same SaaS provider if required. The unique Entity ID has the application audience tag appended. Existing apps are unchanged.
Access admins can now set a default relay state on Access for SaaS apps.
Access admins can now tag applications and allow users to filter by those tags in the App Launcher.
Access admins can now configure the App Launcher page within Zero Trust.
Access admins can now view the full contents of a user's identity and device information for all active application sessions.
Access admins can now add custom claims to the existing named IdP providers. Previously this was locked to the generic OIDC provider.
Azure AD authentication contexts are now supported directly in Access policies.
Access admins can now customize the block pages presented by Access to end users.