Changelog · Cloudflare One

Magic WAN - Updates to High Availability on the Magic WAN Connector

Wed, 17 Jul 2024 08:00:00 EST

The High Availability feature on Magic WAN Connector now supports additional failover conditions, DHCP lease syncing, and staggered upgrades.

Gateway - Gateway DNS filter non-authenticated queries

Sun, 14 Jul 2024 08:00:00 EST

Gateway users can now select which endpoints to use for a given DNS location. Available endpoints include IPv4, IPv6, DNS over HTTPS (DoH), and DNS over TLS (DoT). Users can protect each configured endpoint by specifying allowed source networks. Additionally, for the DoH endpoint, users can filter traffic based on source networks and/or authenticate user identity tokens.

Magic Cloud Networking - Closed beta launch

Mon, 01 Jul 2024 08:00:00 EST

The Magic Cloud Networking closed beta release is available, with the managed cloud on-ramps feature.

Zero Trust WARP Client - WARP client for macOS (version 2024.6.416.0)

Fri, 28 Jun 2024 08:00:00 EST

A new GA release for the macOS WARP client is now available in the App Center. This release includes some exciting new features. It also includes additional fixes and minor improvements.

New features:

Admins can now elect to have ZT WARP clients connect using the MASQUE protocol; this setting is in Device Profiles. Note: before MASQUE can be used, the global setting for Override local interface IP must be enabled. For more detail, refer to Device tunnel protocol. This feature will be rolled out to customers in stages over approximately the next month.
The Device Posture client certificate check has been substantially enhanced. The primary enhancement is the ability to check for client certificates that have unique common names, made unique by the inclusion of the device serial number or host name (for example, CN = 123456.mycompany, where 123456 is the device serial number).

Additional changes and improvements:

Fixed a known issue where the certificate was not always properly left behind in /Library/Application Support/Cloudflare/installed_cert.pem.
Fixed an issue where re-auth notifications were not cleared from the UI when the user switched configurations.
Fixed a macOS firewall rule that allowed all UDP traffic to go outside the tunnel. Relates to TunnelVision ( CVE-2024-3661).
Fixed an issue that could cause the Cloudflare WARP menu bar application to disappear when switching configurations.

Warning:

This is the last GA release that will be supporting older, deprecated warp-cli commands. There are two methods to identify these commands. One, when used in this release, the command will work but will also return a deprecation warning. And two, the deprecated commands do not appear in the output of warp-cli -h.

Known issues:

If a user has an MDM file configured to support multiple profiles (for the switch configurations feature), and then changes to an MDM file configured for a single profile, the WARP client may not connect. The workaround is to use the warp-cli registration delete command to clear the registration, and then re-register the client.
There are certain known limitations preventing the use of the MASQUE tunnel protocol in certain scenarios. Do not use the MASQUE tunnel protocol if:
- A Magic WAN integration is on the account and does not have the latest packet flow path for WARP traffic. Please check migration status with your account team.
- Your account has Regional Services enabled.

Zero Trust WARP Client - WARP client for Windows (version 2024.6.415.0)

Fri, 28 Jun 2024 08:00:00 EST

A new GA release for the macOS WARP client is now available in the App Center. This release includes some exciting new features. It also includes additional fixes and minor improvements.

New features:

Admins can now elect to have ZT WARP clients connect using the MASQUE protocol; this setting is in Device Profiles. Note: before MASQUE can be used, the global setting for Override local interface IP must be enabled. For more detail, refer to Device tunnel protocol. This feature will be rolled out to customers in stages over approximately the next month.
The ZT WARP client on Windows devices can now connect before the user completes their Windows login. This Windows pre-login capability allows for connecting to on-premise Active Directory and/or similar resources necessary to complete the Windows login.
The Device Posture client certificate check has been substantially enhanced. The primary enhancement is the ability to check for client certificates that have unique common names, made unique by the inclusion of the device serial number or host name (for example, CN = 123456.mycompany, where 123456 is the device serial number).

Additional changes and improvements:

Added a new Unable to Connect message to the UI to help in troubleshooting.
The upgrade window now uses international date formats.
Made a change to ensure DEX tests are not running when the tunnel is not up due to the device going to or waking from sleep. This is specific to devices using the S3 power model.
Fixed a known issue where the certificate was not always properly left behind in %ProgramData%\Cloudflare\installed_cert.pem.
Fixed an issue where ICMPv6 Neighbor Solicitation messages were being incorrectly sent on the WARP tunnel.
Fixed an issue where a silent upgrade was causing certain files to be deleted if the target upgrade version is the same as the current version.

Warning:

This is the last GA release that will be supporting older, deprecated warp-cli commands. There are two methods to identify these commands. One, when used in this release, the command will work but will also return a deprecation warning. And two, the deprecated commands do not appear in the output of warp-cli -h.

Known issues:

If a user has an MDM file configured to support multiple profiles (for the switch configurations feature), and then changes to an MDM file configured for a single profile, the WARP client may not connect. The workaround is to use the warp-cli registration delete command to clear the registration, and then re-register the client.
There are certain known limitations preventing the use of the MASQUE tunnel protocol in certain scenarios. Do not use the MASQUE tunnel protocol if:
- A Magic WAN integration is on the account and does not have the latest packet flow path for WARP traffic. Please check migration status with your account team.
- Your account has Regional Services enabled.

Zero Trust WARP Client - Cloudflare One Agent for iOS (version 1.4)

Thu, 27 Jun 2024 08:00:00 EST

A new GA release for the iOS Cloudflare One Agent is now available in the iOS App Store.

Notable updates:

Fixed an issue with endpoint IP settings in MDM files
Cleaned up some erroneous links
Updated the Terms of Service

Gateway - Gateway DNS policy setting to ignore CNAME category matches

Tue, 25 Jun 2024 08:00:00 EST

Gateway now offers the ability to selectively ignore CNAME domain categories in DNS policies via the Ignore CNAME domain categories setting in the policy builder and the ignore_cname_category_matches setting in the API.

Magic WAN - ICMP support for traffic sourced from private IPs

Sun, 23 Jun 2024 08:00:00 EST

Magic WAN will now support ICMP traffic sourced from private IPs going to the Internet via Gateway.

Risk score - Okta risk exchange

Mon, 17 Jun 2024 08:00:00 EST

You can now exchange user risk scores with Okta to inform SSO-level policies.

Risk score - SentinelOne signal ingestion

Fri, 14 Jun 2024 08:00:00 EST

You can now configure a predefined risk behavior to evaluate user risk score using device posture attributes from the SentinelOne integration.

Access - Scalability improvements to the App Launcher

Thu, 06 Jun 2024 08:00:00 EST

Applications now load more quickly for customers with a large number of applications or complex policies.

Magic WAN - Application based prioritization

Wed, 05 Jun 2024 08:00:00 EST

The Magic WAN Connector can now prioritize traffic on a per-application basis.

CASB - Atlassian Bitbucket integration

Mon, 03 Jun 2024 08:00:00 EST

Customers can now scan their Bitbucket Cloud workspaces for a variety of contextualized security issues such as source code exposure, admin misconfigurations, and more.

Magic WAN - WARP virtual IP addresses

Fri, 31 May 2024 08:00:00 EST

Customers using Gateway to filter traffic to Magic WAN destinations will now see traffic from Cloudflare egressing with WARP virtual IP addresses (CGNAT range), rather than public Cloudflare IP addresses. This simplifies configuration and improves visibility for customers.

CASB - Data-at-rest DLP for Box and Dropbox

Thu, 23 May 2024 08:00:00 EST

You can now scan your Box and Dropbox files for DLP matches.

DLP - Data-at-rest DLP for Box and Dropbox

Thu, 23 May 2024 08:00:00 EST

You can now scan your Box and Dropbox files for DLP matches.

Zero Trust WARP Client - WARP client for Windows (version 2024.5.310.1)

Wed, 22 May 2024 08:00:00 EST

A new beta release for the Windows WARP client is now available in the App Center.

Notable updates:

Added a new Unable to Connect message to the UI to help in troubleshooting.
In the upgrade window, a change was made to use international date formats to resolve an issue with localization.
Made a change to ensure DEX tests are not running when the tunnel is not up due to the device going to or waking from sleep. This is specific to devices using the S3 power model.
Fixed a known issue where the certificate was not always properly left behind in %ProgramData%\Cloudflare\installed_cert.pem.
Fixed an issue where ICMPv6 Neighbor Solicitation messages were being incorrectly sent on the WARP tunnel.

Known issues:

If a user has an MDM file configured to support multiple profiles (for the switch configurations feature), and then changes to an MDM file configured for a single profile, the WARP client may not connect. The workaround is to use the warp-cli registration delete command to clear the registration, and then re-register the client.

Zero Trust WARP Client - WARP client for macOS (version 2024.5.287.1)

Tue, 21 May 2024 08:00:00 EST

A new beta release for the macOS WARP client is now available in the App Center

Notable updates:

Fixed a known issue where the certificate was not always properly left behind in /Library/Application Support/Cloudflare/installed_cert.pem.
Fixed an issue so that the reauth notification is cleared from the UI when the user switches configurations.
Fixed an issue by correcting the WARP client setting of macOS firewall rules. This relates to TunnelVision ( CVE-2024-3661).
Fixed an issue that could cause the Cloudflare WARP menu bar application to disappear when switching configurations.

Known issues:

If a user has an MDM file configured to support multiple profiles (for the switch configurations feature), and then changes to an MDM file configured for a single profile, the WARP client may not connect. The workaround is to use the warp-cli registration delete command to clear the registration, and then re-register the client.

Digital Experience Monitoring - Last seen ISP

Mon, 20 May 2024 08:00:00 EST

Admins can view the last ISP seen for a device by going to My Team > Devices. Requires setting up a traceroute test.

Digital Experience Monitoring - DEX alerts

Mon, 13 May 2024 08:00:00 EST

Admins can now set DEX alerts using Cloudflare Notifications. Three new DEX alert types:

Device connectivity anomaly
Test latency
Test low availability

Zero Trust WARP Client - Cloudflare One Agent for Android (version 1.7)

Fri, 10 May 2024 08:00:00 EST

A new GA release for the Android Cloudflare One Agent is now available in the Google Play Store. This release fixes an issue where the user was not prompted to select the client certificate in the browser during Access registration.

Zero Trust WARP Client - Crowdstrike posture checks for online status

Thu, 09 May 2024 08:00:00 EST

Two new Crowdstrike attributes, Last Seen and State, are now available to be used as selectors in the Crowdstrike service provider integration.

Zero Trust WARP Client - WARP client for macOS (version 2024.3.444.0)

Wed, 08 May 2024 08:00:00 EST

A new GA release for the macOS WARP client is now available in the App Center. This releases fixes an issue with how the WARP client sets macOS firewall rules and addresses the TunnelVision ( CVE-2024-3661) vulnerability.

Access - Add option to bypass CORS to origin server

Sun, 28 Apr 2024 08:00:00 EST

Access admins can defer all CORS enforcement to their origin server for specific Access applications.

CASB - Export CASB findings to CSV

Tue, 16 Apr 2024 08:00:00 EST

You can now export all top-level CASB findings or every instance of your findings to CSV.

DLP - Optical character recognition

Tue, 16 Apr 2024 08:00:00 EST

DLP can now detect sensitive data in jpeg, jpg, and png files. This helps companies prevent the leak of sensitive data in images, such as screenshots.

Access - Zero Trust User identity audit logs

Mon, 15 Apr 2024 08:00:00 EST

All user identity changes via SCIM or Authentication events are logged against a user’s registry identity.

Gateway - Gateway file type control improvements

Fri, 05 Apr 2024 08:00:00 EST

Gateway now offers a more extensive, categorized list of files to control uploads and downloads.

Browser Isolation - Removed third-party cookie dependencies

Thu, 21 Mar 2024 08:00:00 EST

Removed dependency on third-party cookies in the isolated browser, fixing an issue that previously caused intermittent disruptions for users maintaining multi-site, cross-tab sessions in the isolated browser.

Access - Access for SaaS OIDC Support

Thu, 22 Feb 2024 08:00:00 EST

Access for SaaS applications can be setup with OIDC as an authentication method. OIDC and SAML 2.0 are now both fully supported.

Access - WARP as an identity source for Access

Thu, 22 Feb 2024 08:00:00 EST

Allow users to log in to Access applications with their WARP session identity. Users need to reauthenticate based on default session durations. WARP authentication identity must be turned on in your device enrollment permissions and can be enabled on a per application basis.

Magic WAN - Network segmentation

Tue, 23 Jan 2024 08:00:00 EST

You can define policies in your Connector to either allow traffic to flow between your LANs without it leaving your local premises or to forward it via the Cloudflare network where you can add additional security features.

Access - Unique Entity IDs in Access for SaaS

Wed, 20 Dec 2023 08:00:00 EST

All new Access for SaaS applications have unique Entity IDs. This allows for multiple integrations with the same SaaS provider if required. The unique Entity ID has the application audience tag appended. Existing apps are unchanged.

Access - Default relay state support in Access for SaaS

Fri, 15 Dec 2023 08:00:00 EST

Allows Access admins to set a default relay state on Access for SaaS apps.

Access - App launcher supports tags and filters

Fri, 15 Sep 2023 08:00:00 EST

Access admins can now tag applications and allow users to filter by those tags in the App Launcher.

Access - App launcher customization

Fri, 15 Sep 2023 08:00:00 EST

Allow Access admins to configure the App Launcher page within Zero Trust.

Access - View active Access user identities in the dashboard and API

Fri, 15 Sep 2023 08:00:00 EST

Access admins can now view the full contents of a user’s identity and device information for all active application sessions.

Access - Custom OIDC claims for named IdPs

Fri, 08 Sep 2023 08:00:00 EST

Access admins can now add custom claims to the existing named IdP providers. Previously this was locked to the generic OIDC provider.

Access - Azure AD authentication contexts

Wed, 02 Aug 2023 08:00:00 EST

Support Azure AD authentication contexts directly in Access policies.

Access - Custom block pages for Access applications

Fri, 23 Jun 2023 08:00:00 EST

Allow Access admins to customize the block pages presented by Access to end users.