Cloudflare One
Before citing limits, settings, API fields, category IDs, or exact UI paths, retrieve current information from the Cloudflare One docs, the Cloudflare docs MCP server, or the Cloudflare API schema.
Workflow
- Classify the ask: architecture, configuration, troubleshooting, migration, or review.
- Gather context: account ID, users/sites/apps, identity provider, SCIM/group sync, device management, traffic path, compliance constraints, and rollout blast radius.
- Retrieve only the current docs needed for the products involved: Access, Gateway, WARP/device client, Tunnel/Mesh, Cloudflare WAN, DLP, CASB, device posture, or identity.
- If account access is available, inspect existing resources before proposing or making changes: Access apps/policies/groups/IdPs, Gateway rules/lists/categories, device profiles/posture checks, tunnels/routes, DNS/resolver settings, and locations/sites.
- Propose the change set with prerequisites, validation, and rollback. For risky changes, stage disabled or scoped to a pilot group/site unless the user explicitly asks otherwise.
Assessment Prompts
Use these to avoid jumping straight to configuration. Ask only the prompts relevant to the user's task.
Architecture and Current State
- Sites and users: offices, branches, data centers, VPCs, remote users, contractors, user counts, and current connectivity model.
- Applications and destinations: SaaS, public apps, private apps, APIs, infrastructure targets, protocols, ports, hostnames, and IP ranges.
- Connectivity: VPN, MPLS, SD-WAN, direct Internet breakout, centralized backhaul, site-to-site needs, and private DNS architecture.
- Security stack: current SWG, NGFW, VPN/ZTNA, DLP, CASB, email security, logging, and compliance requirements.
- Identity: IdP, SCIM/group sync, group naming, multi-IdP needs, service accounts, and contractor/partner access.
- Rollout: pilot users/sites, blast radius, rollback path, support owners, and success criteria.
Access and SaaS Federation
- App shape: web app, API, SSH/RDP/VNC, database, SaaS app, public hostname, private IP, or private hostname. Retrieve Access application type docs before choosing.
- Access model: clientless browser access, private networking with device client, peer to peer connectivity, service connections with service tokens or mutual TLS, or SaaS SSO federation.
- Policy needs: user groups, device posture, session duration, mTLS, service tokens, and app launcher visibility. Retrieve Access policy docs before configuring selectors or evaluation order.
- SaaS details: SAML vs OIDC support, ACS/redirect URLs, Entity IDs/client IDs, required attributes, and tenant-control requirements.
Tunnel and Private Networking
- Sites and segments: which data centers, VPCs, offices, or network segments need connectivity.
- HA: dev/test single connector, production multiple connectors, or advanced multi-tunnel/site redundancy.
- Runtime: where cloudflared or WARP Connector/Mesh will run: VM, container, Kubernetes, bare metal, or other target.
- Egress: whether connectors can reach Cloudflare over the required outbound ports/protocols. Retrieve Tunnel connectivity prechecks before naming exact endpoints.
- Origin reachability: whether the connector can resolve and reach every private origin.
- Routing: required CIDRs/hostnames, overlapping IP spaces, virtual networks, Split Tunnels, and private DNS/resolver policy needs.
- Management model: prefer remotely managed/token-based tunnels for new deployments unless there is a clear reason for local config.
Gateway, TLS, and DLP
- Traffic controls: DNS categories, HTTP URL/path inspection, L4 ports/protocols, egress IP requirements, custom lists, and allow/block exceptions. Retrieve Gateway traffic policy docs for current selectors and order of enforcement.
- Identity: whether Gateway policies need user or group selectors, and whether users will be authenticated through WARP/IdP context. Check Gateway identity selectors and SCIM provisioning when groups are involved.
- TLS inspection: root CA deployment path, certificate-pinned applications, compliance exceptions, and FIPS requirements. Retrieve TLS decryption docs before enabling.
- DLP: sensitive data types, channels to inspect, TLS inspection readiness, DLP profiles, payload logging requirements, and false-positive tolerance. Retrieve DLP docs before creating enforcement.
CASB, Device Posture, and Risk
- CASB: SaaS vendors, admin access level, scan policy, org size, remediation owner, and whether inline protection is also required. Retrieve CASB findings docs before recommending remediation.
- Device posture: required checks, third-party EDR/MDM integrations, enrollment rules, device profiles, and split tunnel alignment.
- Risk scoring: relevant behavior signals, false-positive sources such as VPNs or service accounts, and whether risk is for investigation or enforcement. Retrieve user risk score docs before using risk in policies.
Cloudflare WAN / Site Connectivity
- Site topology, on-ramp type, route ownership, tunnel redundancy, static vs BGP-managed routes, network firewall needs, and appliance/profile ownership. Retrieve Cloudflare WAN and Cloudflare Network Firewall docs before proposing site connectivity changes.
Guardrails
- Access controls application authorization; Gateway controls traffic inspection/filtering. Use both when the requirement spans identity-aware app access and network/web security.
- Public hostname Access apps can be clientless. Private destination apps require WARP/Device client or another network on-ramp plus routes and DNS resolution. Retrieve self-hosted private app docs before configuring private destinations.
- Cloudflare Tunnel is an off-ramp from a private network to Cloudflare. Cloudflare WAN and Mesh are other off-ramps which can also be on-ramps.
- Group-based policies depend on IdP group claims or SCIM. If group sync is missing, do not invent group selectors.
- Private hostnames need explicit DNS routing/resolution; creating an Access app alone is not enough. Use resolver policies and review the Connect a private hostname docs.
- HTTP inspection and DLP for encrypted web traffic require TLS inspection and planned Do Not Inspect exceptions.
- Gateway DNS, Network, HTTP, and Egress policies have different evaluation semantics. Retrieve order of enforcement docs before explaining precedence.
- Start broad block/allow/DLP/TLS policies disabled, or limited to a pilot with specific target users or groups, unless the user approves a wider rollout.
Identity and Access
- Access Groups are Cloudflare objects; IdP/SCIM groups are identity claims. Gateway group selectors use synced IdP groups, not Access Groups.
- Group names and SAML/OIDC attributes are case-sensitive. Verify exact claim names and values before creating group-based rules.
- SCIM changes and group membership can be stale until sync and re-authentication complete. Troubleshoot with the user's last authenticated identity, not just the IdP state.
- Access policies are default-deny. A private app with routes but no Allow policy still blocks access.
- Access policy selectors can use IP lists, not Gateway domain or URL lists.
- SaaS federation handles authentication into the SaaS app. SaaS authorization and tenant restrictions usually require SaaS-side roles and/or Gateway tenant controls.
- Browser Rendering for SSH/VNC/RDP is an Access capability. Browser Isolation renders general web content remotely. Do not conflate them.
Device Client Deployment
- The Cloudflare One device client is the on-ramp for user devices. Two components control it: enrollment rules (who can connect) and device profiles (how the client behaves after enrollment).
- The enrollment rule is an Access application of type `warp`, not a device setting. It accepts reusable Access policies. Look in Access for enrollment debugging, not Devices.
- For headless or autonomous devices (services, kiosks, Linux hosts), use service token enrollment. Non-human devices authenticate as `non_identity@[team-domain].cloudflareaccess.com` and have no group membership - device profiles targeting IdP groups will not match them. Target headless devices explicitly with the non-identity email, specific conventions about the devices (OS information, etc.), or let them fall to the default profile.
- Device profiles control connection mode, split tunnel configuration, user permissions (disable, switch lock), auto-reconnect, and captive portal behavior. Profiles are matched by user group or device attributes in precedence order - first match wins, default profile catches the rest.
- Split tunnel mode is the single most impactful client setting. Choose the mode based on the deployment goal:

  | Goal | Mode | Rationale |
  |---|---|---|
  | VPN replacement only (private apps) | Include | Route only specified private CIDRs and hostnames through the client. Everything else goes direct. Minimal blast radius. |
  | SWG only (internet security) | Exclude | All traffic through the client. Exclude only what breaks (local printers, certificate-pinned apps). |
  | VPN replacement + SWG | Exclude | All traffic through the client. Most common enterprise configuration. |
  | Coexistence with another VPN | Include | Avoids conflict with the other VPN's tunnel interface and DNS control. |
  | DNS filtering only | DNS-only mode | Only DNS queries go to Gateway. No traffic proxying. |

- Include vs exclude is per-profile, not per-entry. You cannot mix modes in the same profile. Switching modes mid-deployment requires re-evaluating every entry.
- Split tunnel entries must align with tunnel routes bidirectionally. A CIDR in the include list without a matching tunnel route causes a black hole. A tunnel route without a matching device profile entry means traffic never enters the tunnel.
- MDM parameters (`mdm.xml` / managed preferences) override dashboard-configured profile settings for any setting specified in the file. If dashboard changes appear to have no effect on managed devices, check MDM config. Retrieve MDM deployment docs for platform-specific file locations and parameters.
- If another VPN client or agent controls DNS on the device, the device client's DNS interception will conflict. In coexistence scenarios, use "traffic only" mode to avoid routing table and DNS conflicts.
- Captive portal detection temporarily disconnects the client when it detects a portal (hotel WiFi, airport). This is a common source of end-user friction and should be managed carefully.
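The include/exclude decision and the bidirectional alignment check described above, as an added example (not Cloudflare's code or API): it models a profile's split tunnel entries locally, decides whether a destination enters the client, and flags include CIDRs with no tunnel route (black holes) and tunnel routes the client never sends traffic into. The `SplitTunnel` fields, the sample profiles and the tunnel routes are constructed for illustration, not the Cloudflare API schema.

```python
import ipaddress
from dataclasses import dataclass, field


# Constructed local model of one device profile's split tunnel settings.
# Field names are illustrative and are NOT the Cloudflare API schema.
@dataclass
class SplitTunnel:
    mode: str                                   # "include" or "exclude"
    cidrs: list = field(default_factory=list)   # network entries, e.g. "10.1.0.0/16"
    hosts: list = field(default_factory=list)   # hostname/domain entries, e.g. "corp.example"


def _host_listed(host, entries):
    # A domain entry covers the domain itself and its subdomains.
    host = host.lower().rstrip(".")
    entries = [e.lower().rstrip(".") for e in entries]
    return any(host == e or host.endswith("." + e) for e in entries)


def _ip_listed(ip, cidrs):
    addr = ipaddress.ip_address(ip)           # raises ValueError for hostnames
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def goes_through_client(profile, dest):
    """Does traffic to dest (IP literal or hostname) enter the client tunnel?
    Include mode: only listed destinations do. Exclude mode: everything not listed does."""
    try:
        listed = _ip_listed(dest, profile.cidrs)
    except ValueError:                        # not an IP literal, treat as a hostname
        listed = _host_listed(dest, profile.hosts)
    if profile.mode == "include":
        return listed
    if profile.mode == "exclude":
        return not listed
    raise ValueError("mode must be 'include' or 'exclude'")


def alignment_gaps(profile, tunnel_routes):
    """Cross-check the profile's CIDR entries against the tunnel's private network routes.
    Returns (black_holes, unreachable):
      black_holes - include CIDRs no tunnel route covers: the client captures the
                    traffic but nothing on the Cloudflare side serves it.
      unreachable - tunnel routes the client never sends traffic into: in include mode
                    no include entry overlaps them; in exclude mode an exclude entry
                    (typically a broad private range) overlaps them."""
    routes = [ipaddress.ip_network(r, strict=False) for r in tunnel_routes]
    entries = [ipaddress.ip_network(c, strict=False) for c in profile.cidrs]

    def covered(e, r):                        # subnet_of only works within one IP version
        return e.version == r.version and e.subnet_of(r)

    black_holes, unreachable = [], []
    if profile.mode == "include":
        black_holes = [str(e) for e in entries if not any(covered(e, r) for r in routes)]
        unreachable = [str(r) for r in routes if not any(r.overlaps(e) for e in entries)]
    elif profile.mode == "exclude":
        unreachable = [str(r) for r in routes if any(r.overlaps(e) for e in entries)]
    else:
        raise ValueError("mode must be 'include' or 'exclude'")
    return black_holes, unreachable


# Constructed sample data: routes advertised by one tunnel, an Include profile with one
# unrouted entry, and an Exclude profile that still carries a 10.0.0.0/8 exclude entry.
TUNNEL_ROUTES = ["10.1.0.0/16", "172.20.0.0/16"]
INCLUDE_PROFILE = SplitTunnel("include", ["10.1.0.0/16", "10.9.0.0/24"], ["corp.example"])
EXCLUDE_PROFILE = SplitTunnel("exclude", ["10.0.0.0/8", "192.168.0.0/16"])

if __name__ == "__main__":
    for name, prof in (("include", INCLUDE_PROFILE), ("exclude", EXCLUDE_PROFILE)):
        print(name, alignment_gaps(prof, TUNNEL_ROUTES))
```

Hostname entries are modelled as a suffix match only; the client's own handling of hostname entries (resolution and per-IP routing) is out of scope here.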
Private Networking
- Split tunnel mode changes the meaning of every route decision: Exclude mode sends traffic to Cloudflare when removed from excludes; Include mode sends traffic only when added to includes.
- Virtual networks should be used primarily when IP subnets overlap and hostname-based routing is not used. They can be used to control other user connectivity behavior, but managing that through security policies is recommended.
- A healthy tunnel only proves cloudflared can reach Cloudflare. The tunnel must have appropriate published application routes, network routes, or hostname routes for connectivity to function.
- Cloudflare Tunnel and Cloudflare Mesh can both be used to facilitate connectivity to internal networks. Cloudflare WAN can as well, but it is gated behind Enterprise subscriptions. Retrieve the choose an on-ramp docs when deliberating between Tunnel types.
- Run multiple cloudflared connectors for production HA, preferably on separate hosts. Token-based, remotely managed tunnels are the default for new deployments.
Gateway, TLS, and DLP
- `dns.domains` matches a domain and subdomains; `dns.fqdn` is exact-match only.
- DNS pre-resolution selectors and post-resolution selectors do not behave like a single strict precedence list. Retrieve current evaluation docs before changing rule order.
- HTTP Do Not Inspect rules run before HTTP Allow/Block/Isolate behavior. A later block rule will not override an earlier inspection bypass.
- Certificate-pinned apps need Do Not Inspect exceptions before broad TLS inspection. Deploy the Cloudflare root CA to managed devices before enabling inspection.
- DLP profiles are detection definitions only. They do nothing until referenced by Gateway HTTP policies or CASB scan settings. Rules with body inspection may be evaluated multiple times in a single pass.
- Start DLP with payload logging where appropriate, tune false positives, then block.
- Gateway Network policies are strict L4 controls. Identity-aware L4 matching requires authenticated device context.
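The two selector semantics and the Do Not Inspect ordering from the guardrails above, as an added example (not Cloudflare's code or evaluation engine): `dns.domains` covers subdomains while `dns.fqdn` does not, and a Do Not Inspect rule is applied before any Block for the same host regardless of where the Block sits in the list. Rule dictionaries and the `allow` fallback are constructed for illustration and are not the Cloudflare API schema.

```python
# Constructed local model of Gateway DNS selector matching and of the stated
# HTTP Do Not Inspect ordering. Rule field names are illustrative only.

def _norm(name):
    return name.lower().rstrip(".")


def dns_domains_match(values, query):
    """dns.domains: matches the listed domain itself and every subdomain of it."""
    q = _norm(query)
    return any(q == _norm(v) or q.endswith("." + _norm(v)) for v in values)


def dns_fqdn_match(values, query):
    """dns.fqdn: exact hostname match only; subdomains are NOT matched."""
    q = _norm(query)
    return any(q == _norm(v) for v in values)


SELECTORS = {"dns.domains": dns_domains_match, "dns.fqdn": dns_fqdn_match}


def first_dns_match(rules, query):
    """Name of the first rule, in list order, whose selector matches the query."""
    for rule in rules:
        if SELECTORS[rule["selector"]](rule["values"], query):
            return rule["name"]
    return None


def http_decision(rules, host):
    """Model of the guardrail: Do Not Inspect rules are evaluated before the
    Allow/Block/Isolate rules, so a bypass wins over a Block for the same host.
    Host matching is modelled with domain semantics; consult the order-of-enforcement
    docs for the real engine. Returns (rule name, effective action)."""
    for rule in rules:
        if rule["action"] == "do_not_inspect" and dns_domains_match(rule["values"], host):
            return rule["name"], "do_not_inspect"
    for rule in rules:
        if rule["action"] != "do_not_inspect" and dns_domains_match(rule["values"], host):
            return rule["name"], rule["action"]
    return None, "allow"          # constructed fallback when no rule matches


# Constructed sample rule sets.
DNS_RULES = [
    {"name": "block-exact-root", "selector": "dns.fqdn", "values": ["example.com"]},
    {"name": "block-tree", "selector": "dns.domains", "values": ["example.com"]},
]
HTTP_RULES = [
    {"name": "bypass-pinned", "action": "do_not_inspect", "values": ["pinned.example"]},
    {"name": "block-pinned", "action": "block", "values": ["pinned.example"]},
    {"name": "block-social", "action": "block", "values": ["social.example"]},
]

if __name__ == "__main__":
    for q in ("example.com", "www.example.com", "notexample.com"):
        print(q, "->", first_dns_match(DNS_RULES, q))
    for h in ("api.pinned.example", "social.example", "other.example"):
        print(h, "->", http_decision(HTTP_RULES, h))
```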
CASB, Risk, and Operations
- API CASB is out-of-band and periodic. It does not provide real-time inline enforcement, although some integrations support "remediation"; use Gateway granular application controls for inline CASB capability for supported applications. Retrieve the Granular application controls docs when creating security policies for specific actions in specific SaaS applications.
- CASB findings are tied to specific assets and instances. Drill into affected assets before recommending remediation.
- Use current Dashboard remediation guidance for CASB fixes. Most remediations happen in the SaaS admin console, not Cloudflare.
- Large SaaS integrations can take 24-48 hours for initial scans. Reauthorizing can restart scan state; check credential health before reconnecting.
- User risk scores are behavior-based and asynchronous. CASB findings do not automatically imply high user risk.
Infrastructure Access
- Zero Trust Infrastructure Access (ZTIA) is the purpose-built offering for SSH access through the device client. It provides capabilities not available through self-hosted apps: keystroke logging, control over how users authenticate to the target machine, short-lived certificates that replace static SSH keys with ephemeral certs tied to Access identity, and lightweight privileged access management. Use Infrastructure Access apps for SSH when the device client is deployed.
- Browser Rendering provides clientless SSH, RDP, and VNC through the browser without requiring the device client. Clientless RDP includes session recording and file transfer controls. Use clientless access when a device client cannot be installed (contractors, partner access, unmanaged devices) - typically not as the default for managed users with the client installed.
- Audit SSH is a Gateway Network policy action that logs SSH commands without blocking. It requires the session to be proxied through Cloudflare.
- Short-lived certificates require CA configuration on the target host and `sshd` configured to trust the Cloudflare CA public key. Retrieve short-lived certificate setup docs before configuring.
- For kubectl and database access behind private networks, use the device client with private destination routing. There is no Infrastructure Access or browser-rendered equivalent for arbitrary TCP protocols today.
Logs, Analytics, and DEX
- Gateway activity logs record DNS, HTTP, and Network policy decisions. Filter by rule name, user identity, destination, action, and time range. These are the primary troubleshooting tool for "why was this blocked/allowed."
- Access audit logs record authentication decisions per app - who authenticated, which policy matched, and session details. Use for verifying policy behavior and investigating access failures.
- Shadow IT discovery uses Gateway HTTP logs to surface unmanaged SaaS applications. Requires TLS inspection for HTTPS visibility.
- DEX (Digital Experience Monitoring) provides fleet-level and per-device connectivity diagnostics. Use DEX tests (HTTP, traceroute) to proactively monitor reachability to critical origins and internal apps. Fleet status shows device client health, connection mode, and connectivity state across the enrolled population.
- Logpush exports Gateway, Access, Network, and DEX logs to external SIEM or storage. Configure before go-live if the customer requires centralized log retention or compliance reporting.
- When troubleshooting, work from logs toward config: identify the log entry showing the failure (Gateway block, Access deny, tunnel error, DNS resolution miss), then trace back to the responsible rule, route, or policy.
Cloudflare WAN / Site Connectivity
- Cloudflare WAN is connectivity, not a security service. Apply inspection and policy with Gateway and Network Firewall where required.
- WAN firewall expressions are not the same language as Gateway wirefilter expressions. Retrieve the current syntax before editing.
- Generated IPsec PSKs and some OAuth/client secrets are returned once. Store them immediately.
Output Defaults
- Designs: current assumptions, target architecture, product responsibilities, rollout phases, validation, and open decisions.
- Configuration work: prerequisites, exact resources to inspect/create/change, test cases, and rollback.
- Troubleshooting: traffic path, likely failure point, evidence to collect, and next test.
Validation Prompts
- Access: test authorized, unauthorized, posture-failing, service-token, and multi-IdP flows when applicable; inspect logs and policy precedence.
- Private network access: verify route lookup, tunnel health, origin reachability, split tunnel behavior, DNS resolution, and end-to-end access from a device client test device.
- Gateway: verify rule type, action, traffic expression, precedence/evaluation phase, referenced lists, and Gateway settings before enabling broadly.
- TLS/DLP: test Do Not Inspect exceptions and root CA trust before enabling inspection; test DLP with known samples and monitor false positives before blocking.
- CASB/risk: confirm integration health, credential expiry, asset discovery, scan timing, finding instances, and risk-score signal latency before declaring remediation complete.
- Cloudflare WAN: verify tunnel health, route priority/ownership, traffic flow, firewall expression syntax, and connector/appliance telemetry where applicable.
API Safety
- Use fully qualified MCP tool names when MCP tools are available.
- Never guess category IDs, application IDs, wirefilter fields, or API request bodies. Retrieve the current schema/docs and existing account objects.
- Do not enable broad production policies without explicit approval.