Changelog
Gateway
Gateway DNS policy setting to ignore CNAME category matches
Gateway now offers the ability to selectively ignore CNAME domain categories in DNS policies via the ignore_cname_category_matches setting.
Magic WAN
ICMP support for traffic sourced from private IPs
Magic WAN will now support ICMP traffic sourced from private IPs going to the Internet via Gateway.
Risk score
Okta risk exchange
You can now exchange user risk scores with Okta to inform SSO-level policies.
Risk score
SentinelOne signal ingestion
You can now configure a predefined risk behavior to evaluate user risk score using device posture attributes from the SentinelOne integration.
Access
Scalability improvements to the App Launcher
Applications now load more quickly for customers with a large number of applications or complex policies.
Magic WAN
Application based prioritization
The Magic WAN Connector can now prioritize traffic on a per-application basis.
CASB
Atlassian Bitbucket integration
Customers can now scan their Bitbucket Cloud workspaces for a variety of contextualized security issues such as source code exposure, admin misconfigurations, and more.
Magic WAN
WARP virtual IP addresses
Customers using Gateway to filter traffic to Magic WAN destinations will now see traffic from Cloudflare egressing with WARP virtual IP addresses (CGNAT range), rather than public Cloudflare IP addresses. This simplifies configuration and improves visibility for customers.
CASB
Data-at-rest DLP for Box and Dropbox
You can now scan your Box and Dropbox files for DLP matches.
Zero Trust WARP Client
WARP client for Windows (version 2024.5.310.1)
A new beta release for the Windows WARP client is now available in the App Center.
Notable updates:
- Added a new Unable to Connect message to the UI to help in troubleshooting.
- In the upgrade window, a change was made to use international date formats to resolve an issue with localization.
- Made a change to ensure DEX tests are not running when the tunnel is not up due to the device going to or waking from sleep. This is specific to devices using the S3 power model.
- Fixed a known issue where the certificate was not always properly left behind in
%ProgramData%\Cloudflare\installed_cert.pem. - Fixed an issue where ICMPv6 Neighbor Solicitation messages were being incorrectly sent on the WARP tunnel.
Known issues:
- If a user has an MDM file configured to support multiple profiles (for the switch configurations feature), and then changes to an MDM file configured for a single profile, the WARP client may not connect. The workaround is to use the
warp-cli registration deletecommand to clear the registration, and then re-register the client.
Zero Trust WARP Client
WARP client for macOS (version 2024.5.287.1)
A new beta release for the macOS WARP client is now available in the App Center
Notable updates:
- Fixed a known issue where the certificate was not always properly left behind in
/Library/Application Support/Cloudflare/installed_cert.pem. - Fixed an issue so that the reauth notification is cleared from the UI when the user switches configurations.
- Fixed an issue by correcting the WARP client setting of macOS firewall rules. This relates to TunnelVision ( CVE-2024-3661).
- Fixed an issue that could cause the Cloudflare WARP menu bar application to disappear when switching configurations.
Known issues:
- If a user has an MDM file configured to support multiple profiles (for the switch configurations feature), and then changes to an MDM file configured for a single profile, the WARP client may not connect. The workaround is to use the
warp-cli registration deletecommand to clear the registration, and then re-register the client.
Digital Experience Monitoring
Last seen ISP
Admins can view the last ISP seen for a device by going to My Team > Devices. Requires setting up a traceroute test.
Digital Experience Monitoring
DEX alerts
Admins can now set DEX alerts using Cloudflare Notifications. Three new DEX alert types:
- Device connectivity anomaly
- Test latency
- Test low availability
Zero Trust WARP Client
Cloudflare One Agent for Android (version 1.7)
A new GA release for the Android Cloudflare One Agent is now available in the Google Play Store. This release fixes an issue where the user was not prompted to select the client certificate in the browser during Access registration.
Zero Trust WARP Client
Crowdstrike posture checks for online status
Two new Crowdstrike attributes, Last Seen and State, are now available to be used as selectors in the Crowdstrike service provider integration.
Zero Trust WARP Client
WARP client for macOS (version 2024.3.444.0)
A new GA release for the macOS WARP client is now available in the App Center. This releases fixes an issue with how the WARP client sets macOS firewall rules and addresses the TunnelVision ( CVE-2024-3661) vulnerability.
Access
Add option to bypass CORS to origin server
Access admins can defer all CORS enforcement to their origin server for specific Access applications.
CASB
Export CASB findings to CSV
You can now export all top-level CASB findings or every instance of your findings to CSV.
DLP
Optical character recognition
DLP can now detect sensitive data in jpeg, jpg, and png files. This helps companies prevent the leak of sensitive data in images, such as screenshots.
Access
Zero Trust User identity audit logs
All user identity changes via SCIM or Authentication events are logged against a user’s registry identity.
Gateway
Gateway file type control improvements
Gateway now offers a more extensive, categorized list of files to control uploads and downloads.
Browser Isolation
Removed third-party cookie dependencies
Removed dependency on third-party cookies in the isolated browser, fixing an issue that previously caused intermittent disruptions for users maintaining multi-site, cross-tab sessions in the isolated browser.
Access
Access for SaaS OIDC Support
Access for SaaS applications can be setup with OIDC as an authentication method. OIDC and SAML 2.0 are now both fully supported.
Access
WARP as an identity source for Access
Allow users to log in to Access applications with their WARP session identity. Users need to reauthenticate based on default session durations. WARP authentication identity must be turned on in your device enrollment permissions and can be enabled on a per application basis.
Magic WAN
Network segmentation
You can define policies in your Connector to either allow traffic to flow between your LANs without it leaving your local premises or to forward it via the Cloudflare network where you can add additional security features.
Access
Unique Entity IDs in Access for SaaS
All new Access for SaaS applications have unique Entity IDs. This allows for multiple integrations with the same SaaS provider if required. The unique Entity ID has the application audience tag appended. Existing apps are unchanged.
Access
Default relay state support in Access for SaaS
Allows Access admins to set a default relay state on Access for SaaS apps.
Access
App launcher supports tags and filters
Access admins can now tag applications and allow users to filter by those tags in the App Launcher.
Access
App launcher customization
Allow Access admins to configure the App Launcher page within Zero Trust.
Access
View active Access user identities in the dashboard and API
Access admins can now view the full contents of a user’s identity and device information for all active application sessions.
Access
Custom OIDC claims for named IdPs
Access admins can now add custom claims to the existing named IdP providers. Previously this was locked to the generic OIDC provider.
Access
Azure AD authentication contexts
Support Azure AD authentication contexts directly in Access policies.
Access
Custom block pages for Access applications
Allow Access admins to customize the block pages presented by Access to end users.