Cloudflare Docs
Cloudflare Zero Trust
Edit this page on GitHub
Set theme to dark (⇧+D)

Protocol detection

Early Access

Gateway supports the detection, logging, and filtering of network protocols using packet attributes.

​​ Enable protocol detection

  1. In Zero Trust, go to Settings > Network > Firewall.
  2. Enable Protocol Detection.

You can now use Detected Protocol as a selector in a Network policy.

​​ Supported protocols

Gateway supports detection and filtering of the following protocols:

ProtocolNotes
HTTPThe policy builder includes separate values for HTTP/1.1 and HTTP/2.
SSH
TLSGateway detects TLS versions 1.1 through 1.3 with the TLS value.
DCE/RPC
MQTT
TPKTTPKT commonly initiates RDP sessions, so you can use it to identify and filter RDP traffic.
DNP3

​​ Example network policy

You can create network policies that filter traffic based on protocol detections rather than common ports. For example, you can block all SSH traffic on your network without blocking port 22 or any other non-default ports:

SelectorOperatorValueAction
Detected ProtocolinSSHBlock