diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels.mdx index a56f5c9b76f02dd..c22548baf3057b0 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels.mdx 
@@ -38,18 +38,31 @@ Do not exclude a site from Split Tunnels if you want to see the traffic in your - Solve connectivity issues with a specific website. For configuration guidance, refer to our [troubleshooting guide](/cloudflare-one/connections/connect-devices/warp/troubleshooting/common-issues/#cannot-connect-to-a-specific-app-or-website). - Solve performance issues with a specific website. Since Cloudflare operates within 50 milliseconds of 95% of the Internet-connected population, it is usually faster to send traffic through us. If you are encountering a performance-related issue, it is best to first explore your Gateway policies or reach out to Support. -## Cloudflare Zero Trust domains +## Routes for Split Tunnels Include mode -Many Cloudflare Zero Trust services rely on traffic going through WARP, such as [device posture checks](/cloudflare-one/identity/devices/) and [WARP session durations](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). If you are using Split Tunnels in Include mode, you will need to manually add the following domains in order for these features to function: +Many Cloudflare Zero Trust services rely on traffic going through WARP, such as [device posture checks](/cloudflare-one/identity/devices/) and [WARP session durations](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). If you are using Split Tunnels in Include mode, you will need to manually add Cloudflare Zero Trust domains and IPs in order for these features to function. 
+ +### Cloudflare Zero Trust domains + +If you are using Split Tunnels in Include mode, you must include the following domains: - The IdP used to authenticate to Cloudflare Zero Trust - `.cloudflareaccess.com` - The application protected by the Access or Gateway policy - `edge.browser.run` if using [Browser Isolation](/cloudflare-one/policies/browser-isolation/) -## Cloudflare Zero Trust IP addresses +### Cloudflare Zero Trust IP addresses + +#### Block page + +If you are using Split Tunnels in Include mode and have [DNS policies](/cloudflare-one/policies/gateway/dns-policies/) with the [block page](/cloudflare-one/policies/gateway/block-page/) enabled, you must include the IPs that blocked domains will resolve to. Unless you are using a [dedicated or BYOIP resolver IP](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#dns-resolver-ip) the block page will resolve to: + +- `162.159.36.12` +- `162.159.46.12` + +#### Team domain -In [Secure Web Gateway without DNS filtering](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering) WARP mode, you cannot [add domains](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) to the Split Tunnel. If you are using Split Tunnels in Include mode, you must include the IPs that resolve to `.cloudflareaccess.com` instead: +In [Secure Web Gateway without DNS filtering](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering) WARP mode, you cannot [add domains](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) to Split Tunnels. If you are using Split Tunnels in Include mode, you must include the IPs that resolve to `.cloudflareaccess.com` instead: - `104.19.194.29` - `104.19.195.29`
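Review bot: In the new "Block page" subsection, the sentence beginning "Unless you are using a dedicated or BYOIP resolver IP" covers only the default case, so readers who do use a dedicated or BYOIP resolver are not told which addresses to add in Include mode. Add a sentence saying what the block page resolves to for them, or where to look it up, and put a comma after the linked phrase before "the block page will resolve to". Two smaller points: each subsection repeats "If you are using Split Tunnels in Include mode" even though the new "Routes for Split Tunnels Include mode" heading and its intro already set that scope, so the repeats can be dropped; and the "Team domain" heading sits over a paragraph that only mentions `.cloudflareaccess.com`, so name the team domain in that paragraph so the heading and body line up.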