Gateway activity logs

Gateway activity logs show the individual DNS queries, Network packets, and HTTP requests inspected by Gateway. You can also download encrypted SSH command logs for sessions proxied by Gateway.

To view Gateway activity logs, log in to Zero Trust and go to Logs > Gateway. Select an individual row to investigate the event in more detail.

Enterprise users can generate more detailed logs with Logpush.

Selective logging

By default, Gateway logs all events, including DNS queries and HTTP requests that are allowed and not a risk. You can choose to disable logs or only log blocked requests. To customize what type of events are recorded, log in to Zero Trust and go to Settings > Network. Under Activity Logging, indicate your DNS, Network, and HTTP log preferences.

These settings will only apply to logs displayed in Zero Trust. Logpush data is unaffected.

DNS logs

Explanation of the fields

Basic information

| Field | Description |
| --- | --- |
| DNS | Name of the domain that was queried. |
| Email | Email address of the user who registered the WARP client where traffic originated from. If a non-identity on-ramp (such as a proxy endpoint) or machine-level authentication (such as a service token) was used, this value will be non_identity@<team-domain>.cloudflareaccess.com. |
| Action | The Action Gateway applied to the query (such as Allow or Block). |
| Time | Date and time of the DNS query. |
| Resolver Decision | The reason why Gateway applied a particular Action to the request. Refer to the list of resolver decisions. |

Matched policies

| Field | Description |
| --- | --- |
| Policy Name | Name of the matched policy (if there is one). |
| Policy ID | ID of the matched policy (if there is one). |
| Policy Description | Description of the matched policy (if there is one). |

Custom resolver

| Field | Description |
| --- | --- |
| Address | Address of your custom resolver. |
| Policy | Name of the matched resolver policy. |
| Response | Status of the custom resolver response. |
| Time (in milliseconds) | Duration of time it took for the custom resolver to respond. |

Identities

| Field | Description |
| --- | --- |
| Email | Email address of the user who registered the WARP client where traffic originated from. |
| User ID | UUID of the user. Each unique email address in your organization will have a UUID associated with it. |
| Device Name | Display name of the device returned by the operating system to the WARP client. Typically this is the hostname of a device. Not all devices will have a device name. Device names are not guaranteed to be unique. |
| Device ID | UUID of the device connected with the WARP client. Each unique device in your organization will have a UUID associated with it each time the device is registered for a particular email. The same physical device may have multiple UUIDs associated with it. |
| Last authenticated | Date and time the user last authenticated their Zero Trust session. |

DNS query details

| Field | Description |
| --- | --- |
| Query Type | Type of DNS query. |
| Query Category | Content categories that the domain belongs to. |
| Matched Categories | Name of the Gateway policy category that matches the domain. |
| Matched Indicator Feed Name | Name of the indicator feeds that matched a Gateway policy (if any). |
| Query Indicator Feed Name | Name of the indicator feeds that a matched domain or IP belongs to (if any). |
| Source IP | Public source IP address of the DNS query. |
| Source IP Country | Country code of the DNS query. |
| Source Internal IP | Private IP address assigned by the user’s local network (if any). |
| Resolver IP | Public IP address of the DNS resolver. |
| Resolved IPs | Resolved IP addresses in the response (if any). |
| Port | Port that was used to make the DNS query. |
| Protocol | Protocol that was used to make the DNS query (such as https). |
| DNS Location | User-configured location from where the DNS query was made. |
| Location ID | ID of the DNS location where the query originated. |

Resolver decisions

| Name | Value | Description |
| --- | --- | --- |
| blockedByCategory | 3 | Domain or hostname matched a category in a Block policy. |
| allowedOnNoLocation | 4 | Allowed because query did not match a Gateway DNS location. |
| allowedOnNoPolicyMatch | 5 | Allowed because query did not match a policy. |
| blockedAlwaysCategory | 6 | Domain or hostname is always blocked by Cloudflare. |
| overrideForSafeSearch | 7 | Response was overridden by a Safe Search policy. |
| overrideApplied | 8 | Response was overridden by an Override policy. |
| blockedRule | 9 | IP address in the response matched a Block policy. |
| allowedRule | 10 | IP address in the response matched an Allow policy. |
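
The following triage sketch is an added example, not code from this documentation or from Cloudflare. It uses the resolver decision values above to separate queries that were allowed only because nothing matched (values 4 and 5) from explicit policy outcomes, and it counts non-identity traffic. The record key names and sample records are constructed assumptions, not a Gateway export schema.

```python
from collections import Counter, defaultdict

# Resolver decision values and names, copied from the table above.
RESOLVER_DECISIONS = {
    3: "blockedByCategory", 4: "allowedOnNoLocation", 5: "allowedOnNoPolicyMatch",
    6: "blockedAlwaysCategory", 7: "overrideForSafeSearch", 8: "overrideApplied",
    9: "blockedRule", 10: "allowedRule",
}
DEFAULT_ALLOW = {4, 5}  # allowed because nothing matched, not because an Allow policy did
BLOCKED = {3, 6, 9}

# Constructed sample records; the key names are assumptions, not a Gateway export schema.
SAMPLE = [
    {"dns": "example.com", "email": "alice@example.com", "device_id": "dev-a", "resolver_decision": 10},
    {"dns": "example.net", "email": "alice@example.com", "device_id": "dev-a", "resolver_decision": 5},
    {"dns": "blocked.example", "email": "non_identity@team.cloudflareaccess.com", "device_id": "dev-b", "resolver_decision": 3},
    {"dns": "example.org", "email": "non_identity@team.cloudflareaccess.com", "device_id": "dev-b", "resolver_decision": 4},
    {"dns": "odd.example", "email": "alice@example.com", "device_id": "dev-a", "resolver_decision": 42},
]

def is_non_identity(email):
    """True for the placeholder address logged for proxy endpoints and service tokens."""
    local, _, domain = email.partition("@")
    return local == "non_identity" and domain.endswith(".cloudflareaccess.com")

def triage(records):
    """Count decisions and list default-allowed and blocked domains per device."""
    counts, unknown, non_identity = Counter(), [], 0
    default_allowed, blocked = defaultdict(set), defaultdict(set)
    for r in records:
        non_identity += is_non_identity(r["email"])
        value = r["resolver_decision"]
        if value not in RESOLVER_DECISIONS:
            unknown.append(value)  # not in the table: report it rather than guess
            continue
        counts[RESOLVER_DECISIONS[value]] += 1
        # Device names are not guaranteed to be unique, so group on the device ID.
        if value in DEFAULT_ALLOW:
            default_allowed[r["device_id"]].add(r["dns"])
        elif value in BLOCKED:
            blocked[r["device_id"]].add(r["dns"])
    return {
        "counts": dict(counts),
        "default_allowed": {d: sorted(v) for d, v in default_allowed.items()},
        "blocked": {d: sorted(v) for d, v in blocked.items()},
        "non_identity": non_identity,
        "unknown_values": unknown,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Domains listed under default_allowed show where no DNS location or policy covered the query, which is a different review question from an explicit allowedRule match.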

Network logs

Explanation of the fields

Basic information

| Field | Description |
| --- | --- |
| Source IP | IP address of the user sending the packet. |
| Source Internal IP | Private IP address assigned by the user’s local network. |
| Destination IP | IP address of the packet’s target. |
| Action | The Gateway Action taken based on the first rule that matched (such as Allow or Block). |
| Session ID | ID of the unique session. |
| Time | Date and time of the session. |

Matched policies

| Field | Description |
| --- | --- |
| Policy Name | Name of the matched policy (if there is one). |
| Policy ID | ID of the policy enforcing the decision Gateway made. |
| Policy Description | Description of the matched policy (if there is one). |

Identities

| Field | Description |
| --- | --- |
| Email | Email address of the user sending the packet. This is generated by the WARP client. |
| User ID | ID of the user sending the packet. This is generated by the WARP client. |
| Device Name | Name of the device that sent the packet. |
| Device ID | ID of the device that sent the packet. This is generated by the WARP client. |
| Last Authenticated | Date and time the user last authenticated with Zero Trust. |

Network query details

| Field | Description |
| --- | --- |
| Source IP | IP address of the user sending the packet. |
| Source Port | Source port number for the packet. |
| Source Country | Country code for the packet source. |
| Destination IP | IP address of the packet’s target. |
| Destination Port | Destination port number for the packet. |
| Destination Country | Country code for the packet destination. |
| Protocol | Protocol over which the packet was sent. |
| Detected Protocol | The detected network protocol. |
| SNI | Host whose Server Name Indication (SNI) header Gateway will filter traffic against. |
| Virtual Network | Virtual network that the client is connected to. |
| Category details | Category or categories associated with the packet. |
| Proxy PAC Endpoint | PAC file proxy endpoint Gateway forwarded traffic to, if applicable. |

HTTP logs

Explanation of the fields

Basic information

| Field | Description |
| --- | --- |
| Host | Hostname in the HTTP header for the HTTP request. |
| Email | Email address of the user who made the HTTP request. This is generated by the WARP client. |
| Action | The Gateway Action taken based on the first rule that matched (such as Allow or Block). |
| Request ID | Unique ID of the request. |
| Time | Date and time of the HTTP request. |
| Source Internal IP | Private IP address assigned by the user’s local network. |
| User Agent | User agent header sent in the request by the originating device. |
| Policy details | Policy corresponding to the decision Gateway made based on the traffic criteria of the request. |
| DLP profiles | Name of the matched DLP profile (if there is one). |
| DLP profile entries | Name of the matched entry within the DLP profile (if there is one). |

Uploaded/downloaded file

Information about the file transferred in the request found by enhanced file detection. Details include:

  • File name
  • File type
  • File size
  • File hash (for Allowed requests only)
  • Content type
  • Direction (Upload/Download)
  • Action (Block/Allow)

Matched policies

| Field | Description |
| --- | --- |
| Policy Name | Name of the matched policy (if there is one). |
| Policy ID | ID of the matched policy (if there is one). |
| Policy Description | Description of the matched policy (if there is one). |

Identities

| Field | Description |
| --- | --- |
| Email | Email address of the user who made the HTTP request. This is generated by the WARP client. |
| User ID | ID of the user who made the request. This is generated by the WARP client. |
| Device Name | Name of the device that made the request. |
| Device ID | ID of the device that made the request. This is generated by the WARP client on the device that created the request. |
| Last Authenticated | Date and time the user last authenticated with Zero Trust. |

HTTP query details

| Field | Description |
| --- | --- |
| HTTP Version | HTTP version of the origin that Gateway connected to on behalf of the user. |
| HTTP Method | HTTP method used for the request (such as GET or POST). |
| HTTP Status Code | HTTP status code returned in the response. |
| URL | Full URL of the HTTP request. |
| Referer | Referer request header containing the address of the page making the request. |
| Source IP | Public source IP address of the HTTP request. |
| Source Port | Port that was used to make the HTTP request. |
| Source IP Country | Country code of the HTTP request. |
| Destination IP | Public IP address of the destination requested. |
| Destination Port | Port of the destination requested. |
| Destination IP Country | Country code of the destination requested. |
| Blocked file reason | Reason why the file was blocked if a file transfer occurred or was attempted. |
| Category details | Category the blocked file belongs to. |

File detection details

| Field | Description |
| --- | --- |
| Name | Name of the detected file. |
| Type | File type of the detected file. |
| Size | Size of the detected file. |
| Hash | Hash of the detected file, generated by DLP. |
| Content type | MIME type of the detected file. |
| Direction | Upload or download direction of the detected file. |
| Action | The Action Gateway applied to the request. |

Enhanced file detection

Enhanced file detection is an optional feature to extract more file information from HTTP traffic. When turned on, Gateway will read file information from the HTTP body rather than the HTTP headers to provide greater accuracy and reliability. This feature may have a minor impact on performance for file-heavy organizations.

To turn on enhanced file detection:

  1. In Zero Trust, go to Settings > Network.
  2. In Firewall, turn on TLS decryption.
  3. In Gateway Logging, turn on Enable enhanced file detection.

Isolate requests

When a user creates an isolation policy, Gateway logs the initial request that triggers isolation as an Isolate action. Because this request is not isolated yet, the is_isolated field will return false. Zero Trust then securely returns the result to the user in an isolated browser. Gateway will log all subsequent requests in the isolated browser with the action (such as Allow or Block), and the is_isolated field will return true.

Limitations

Gateway activity logs are not available in the dashboard if you turn on the Customer Metadata Boundary within Cloudflare Data Localization Suite (DLS). Enterprise users using CMB can still export logs via Logpush. For more information, refer to DLS product compatibility.