From 0320fc5b35bb62e2e396b1c21ec54820514fc7ca Mon Sep 17 00:00:00 2001 From: Ankur Aggarwal Date: Fri, 27 Feb 2026 17:18:52 -0800 Subject: [PATCH 1/2] [Cloudflare One] Add TCP SYN filtering guidance to order of enforcement docs Document how to use Cloudflare Network Firewall to prevent TCP SYN packets from reaching origin servers, since Gateway sends TCP SYN before evaluating policies during connection establishment. Resolves PCX-20932 --- .../gateway/order-of-enforcement.mdx | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx b/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx index 57a3886159c0f58..d6e4a3eadd5d5ea 100644 --- a/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx +++ b/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx 
@@ -84,6 +84,23 @@ If the TCP connection to the destination server is successful, Gateway will appl Connections to Zero Trust will always appear in your [Zero Trust network session logs](/logs/logpush/logpush-job/datasets/account/zero_trust_network_sessions/) regardless of connection success. Because Gateway does not inspect failed connections, they will not appear in your [Gateway activity logs](/cloudflare-one/insights/logs/gateway-logs/). +### Filter TCP SYN packets with Cloudflare Network Firewall + +Because Gateway sends a TCP SYN to the destination server before evaluating policies, Gateway Network or HTTP Block policies do not prevent the initial TCP SYN from reaching the origin. If you need to prevent TCP SYN packets from being sent to specific destination IP addresses, you can create a [Cloudflare Network Firewall](/cloudflare-one/traffic-policies/packet-filtering/) rule to block traffic at the packet level. As shown in the [enforcement flowchart](#order-of-enforcement), Cloudflare Network Firewall evaluates traffic before Gateway checks for origin availability. + +To block TCP SYN packets to a specific destination: + +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Firewall policies** > **Custom policies**. +2. Select **Add a policy**. +3. Create a rule with the destination IP address or CIDR range you want to block. For example, to block all traffic to `10.0.0.0/8`, use the expression `ip.dst in {10.0.0.0/8}` with a **Block** action. +4. Select **Add new policy**. + +For more information on creating packet filtering rules, refer to [Add policies](/cloudflare-one/traffic-policies/packet-filtering/add-policies/). + +:::note +Cloudflare Network Firewall is available to Enterprise users only. +::: + ## Priority between policy builders Gateway applies your policies in the following order: From cf5fc9039f474a887d04b86cbb2572d25e571a60 Mon Sep 17 00:00:00 2001 
From: Ankur Aggarwal Date: Fri, 27 Feb 2026 17:22:19 -0800 Subject: [PATCH 2/2] [Cloudflare One] Fix terminology consistency and move Enterprise note earlier - Use 'destination server' consistently instead of mixing with 'origin' - Move Enterprise-only note before the step-by-step instructions so readers see the prerequisite upfront --- .../cloudflare-one/gateway/order-of-enforcement.mdx | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx b/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx index d6e4a3eadd5d5ea..4e9da25d3cdd470 100644 --- a/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx +++ b/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx 
@@ -86,7 +86,11 @@ Connections to Zero Trust will always appear in your [Zero Trust network session ### Filter TCP SYN packets with Cloudflare Network Firewall -Because Gateway sends a TCP SYN to the destination server before evaluating policies, Gateway Network or HTTP Block policies do not prevent the initial TCP SYN from reaching the origin. If you need to prevent TCP SYN packets from being sent to specific destination IP addresses, you can create a [Cloudflare Network Firewall](/cloudflare-one/traffic-policies/packet-filtering/) rule to block traffic at the packet level. As shown in the [enforcement flowchart](#order-of-enforcement), Cloudflare Network Firewall evaluates traffic before Gateway checks for origin availability. +Because Gateway sends a TCP SYN to the destination server before evaluating policies, Gateway Network or HTTP Block policies do not prevent the initial TCP SYN from reaching the destination server. If you need to prevent TCP SYN packets from being sent to specific destination IP addresses, you can create a [Cloudflare Network Firewall](/cloudflare-one/traffic-policies/packet-filtering/) rule to block traffic at the packet level. As shown in the [enforcement flowchart](#order-of-enforcement), Cloudflare Network Firewall evaluates traffic before Gateway checks for origin availability. + +:::note +Cloudflare Network Firewall is available to Enterprise users only. +::: To block TCP SYN packets to a specific destination: @@ -97,10 +101,6 @@ To block TCP SYN packets to a specific destination: For more information on creating packet filtering rules, refer to [Add policies](/cloudflare-one/traffic-policies/packet-filtering/add-policies/). -:::note -Cloudflare Network Firewall is available to Enterprise users only. -::: - ## Priority between policy builders Gateway applies your policies in the following order:
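Review bot: In PATCH 1/2, hunk `@@ -84,6 +84,23 @@`, the example rule in step 3 is broader than the section it sits in: the heading and the lead-in promise filtering of TCP SYN packets, but `ip.dst in {10.0.0.0/8}` with a **Block** action drops every packet to that range regardless of protocol, and since the same paragraph states that Network Firewall evaluates before Gateway, no Gateway Allow policy for those destinations would ever be reached. Either state that plainly in step 3 ("this blocks all traffic to the destination, not only the initial SYN, and takes precedence over Gateway policies") or narrow the example to the TCP case the section is about. Also, step 2 says **Add a policy** while step 4 says **Add new policy**; use whichever label the UI actually shows in both steps.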
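Review bot: In PATCH 2/2, first hunk (`@@ -86,7 +86,11 @@`), the terminology fix is incomplete: the commit message says "destination server" now replaces "origin" consistently, but the final sentence of the rewritten paragraph still reads "before Gateway checks for origin availability". Change it to something like "before Gateway checks whether the destination server is reachable" so the paragraph matches the stated intent of the commit. The move of the Enterprise note above the steps, together with its removal in the second hunk, looks correct.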