r/CloudFlare: Zero Trust Access Policy Rules Confusion
Original Reddit post: https://www.reddit.com/r/CloudFlare/comments/zl721g/zero_trust_access_policy_rules_confusion/
Simple question. On zero trust, if I expose a service, and set no rules, no even an include rule, what’s the default behaviour?
From testing it seems that anyone accessing the domain gets the block page.
I then apply a bypass rule for gateway users (warp), I am let through as expected.
But…. If I set a block // everyone rule, then it shows the pin prompt page.
I’d prefer all non gateway users to hit a block page so I don’t set any block rules at all.
Am I wrong to do this?
Default behavior is block. The dashboard tells you this when saving an app with no policies.
The reason that you get a PIN prompt for Block on Everyone is that CFZT will only evaluate any policies in place AFTER a user has logged in successfully.
So when no policy for an app is there, the system doesn't have to authenticate to know the result, but if a policy is there, the result, if a user should get access or not, will be calculated after the login process.