r/CloudFlare: Zero Trust Access Policy Rules Confusion

This article archives a conversation, which took place in a subreddit post (original source linked below) and to which I contributed a solution or answer (with the u/MasterofSynapse handle), in a Q&A format.

Original Reddit post: https://www.reddit.com/r/CloudFlare/comments/zl721g/zero_trust_access_policy_rules_confusion/

Question

Simple question. On Zero Trust, if I expose a service and set no rules, not even an include rule, what's the default behaviour?

From testing it seems that anyone accessing the domain gets the block page.

I then apply a bypass rule for gateway users (warp), I am let through as expected.

But… if I set a Block // Everyone rule, then it shows the PIN prompt page.

I'd prefer all non-gateway users to hit a block page, so I don't set any block rules at all.

Am I wrong to do this?

Answer

Default behavior is block. The dashboard tells you this when saving an app with no policies.

The reason that you get a PIN prompt for Block on Everyone is that CFZT will only evaluate any policies in place AFTER a user has logged in successfully.

So when there is no policy for an app, the system doesn't have to authenticate to know the result, but if a policy is there, the result (whether a user should get access or not) will be calculated after the login process.
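To make the three observations in this thread concrete, here is a small Python model of the decision flow as the post and answer describe it. This is an added illustration, not Cloudflare's code; the policy and request shapes, and the assumption that a non-matching visitor falls back to the default block without a login when no Allow/Block policy exists, are mine.

```python
from dataclasses import dataclass

# Constructed model (not Cloudflare's implementation) of what a visitor sees
# when hitting an Access application, following the thread:
#   - no policies at all           -> block page, no login needed
#   - Bypass rule matching WARP    -> straight to the origin, no login
#   - any Allow/Block rule present -> login (PIN) prompt first, then evaluation

@dataclass
class Policy:
    action: str    # "bypass", "allow" or "block"
    selector: str  # "everyone" or "warp" (device enrolled in Gateway/WARP)

@dataclass
class Request:
    from_warp: bool            # request arrives from a WARP-enrolled device
    authenticated: bool = False  # visitor would complete the login prompt

def matches(policy: Policy, req: Request) -> bool:
    return policy.selector == "everyone" or (policy.selector == "warp" and req.from_warp)

def evaluate(policies: list, req: Request) -> str:
    """Return the outcome the visitor sees: 'block_page', 'origin' or 'login_prompt'."""
    # 1. No policy at all: deny-by-default, decided without any login.
    if not policies:
        return "block_page"
    # 2. Bypass rules depend only on request properties, so they are decided before login.
    for p in policies:
        if p.action == "bypass" and matches(p, req):
            return "origin"
    # 3. Allow/Block rules need an identity, so the login prompt comes before they are evaluated.
    identity_rules = [p for p in policies if p.action in ("allow", "block")]
    if not identity_rules:
        return "block_page"  # assumption: only non-matching Bypass rules -> default block, no login
    if not req.authenticated:
        return "login_prompt"
    for p in identity_rules:
        if matches(p, req):
            return "origin" if p.action == "allow" else "block_page"
    return "block_page"  # nothing matched: default block
```

Running the three scenarios from the question reproduces the observed behaviour: an empty policy list blocks immediately, a Bypass rule lets a WARP client straight through, and a Block // Everyone rule first shows the login prompt.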