Tiered policies
Gateway supports using Cloudflare Organizations to share configurations between accounts in an Organization and to apply specific policies to those accounts. Tiered Gateway policies with Organizations support DNS, network, HTTP, and resolver policies.
Managed service providers (MSPs) that are Cloudflare Partners can use tiered or siloed Gateway accounts with the Tenant API. For more information, refer to Managed service providers (MSPs).
To set up Cloudflare Organizations, refer to Create an Organization. Once you have provisioned and configured your Organization's accounts, you can create Gateway policies.
Zero Trust accounts in Cloudflare Organizations include source accounts and recipient accounts.
In a tiered policy configuration, a top-level source account can share Gateway policies with its recipient accounts. Recipient accounts can add policies as needed while still being managed by the source account. Organization owners can also configure other settings for recipient accounts independently from the source account, including:
- Configuring a custom block page
- Generating or uploading root certificates
- Mapping DNS locations
- Creating lists
Gateway will automatically generate a unique root CA for each recipient account in an Organization, so devices enrolled in a recipient account must trust that account's certificate (not the source account's) for HTTP inspection to work. Each recipient account is subject to the default Zero Trust account limits.
Gateway evaluates source account policies before any recipient account policies. In a Cloudflare Organization, recipient accounts cannot bypass or modify source account policies. All traffic and the corresponding policies, logs, and configurations for a recipient account are isolated to that recipient account. Organization owners can view logs for recipient accounts on a per-account basis, and Logpush jobs must be configured separately for each recipient account. When using DLP policies with payload logging, each recipient account must configure its own encryption public key.
```mermaid
flowchart TD
    %% Accessibility
    accTitle: How Gateway policies work in a tiered account configuration
    accDescr: Flowchart describing the order of precedence Gateway applies policies in a tiered account configuration using Cloudflare Organizations.

    %% Flowchart
    subgraph s1["Source account"]
        n1["Block malware"]
        n2["Block spyware"]
        n3["Block DNS tunnel"]
    end
    subgraph s2["Recipient account A"]
        n5["Block malware"]
        n6["Block spyware"]
        n4["Block social media"]
    end
    subgraph s3["Recipient account B"]
        n8["Block malware"]
        n9["Block spyware"]
        n10["Block DNS tunnel"]
        n7["Block instant messaging"]
    end
    n1 ~~~ n2
    n2 ~~~ n3
    s1 -- Share policies with --> s2 & s3
    n1@{ shape: rect}
    n2@{ shape: rect}
    n3@{ shape: rect}
    n4@{ shape: rect}
    n5@{ shape: rect}
    n1:::Sky
    n2:::Sky
    n3:::Peach
    n5:::Sky
    n6:::Sky
    n8:::Sky
    n9:::Sky
    n10:::Peach
    classDef Sky stroke-width:1px, stroke-dasharray:none, stroke:#374D7C, fill:#E2EBFF, color:#374D7C
    classDef Peach stroke-width:1px, stroke-dasharray:none, stroke:#FBB35A, fill:#FFEFDB, color:#8F632D
```
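The following is an added illustration of the precedence rule described above, not Cloudflare's evaluation engine or any code from the page: the source account's policies are checked first, then the recipient account's own policies, so a recipient cannot "allow" its way past a source block but can add further blocks of its own. The first-match-wins evaluation within each tier, the category labels, and the account names are simplifying assumptions made for the example.

```python
"""Toy model of tiered Gateway policy evaluation (added example, not Cloudflare code).

Assumptions (not from the page):
- each policy matches on a set of traffic categories;
- within a tier, the first matching policy wins;
- when nothing matches, the request is allowed (Gateway's implicit default).
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                 # "block" or "allow"
    categories: FrozenSet[str]  # categories the policy's selector matches


@dataclass
class Account:
    name: str
    policies: List[Policy] = field(default_factory=list)


def evaluate(source: Account, recipient: Account,
             request_categories: FrozenSet[str]) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (action, policy_name, tier) for the first matching policy.

    The source tier is always evaluated before the recipient tier, so a
    recipient policy is only reached when no source policy matched.
    """
    for tier, account in (("source", source), ("recipient", recipient)):
        for policy in account.policies:
            if policy.categories & request_categories:
                return policy.action, policy.name, tier
    return "allow", None, None  # nothing matched: default allow


def effective_order(source: Account, recipient: Account) -> List[str]:
    """Names of all policies in the order the recipient's traffic meets them."""
    return [p.name for p in source.policies] + [p.name for p in recipient.policies]


# Constructed sample accounts mirroring the flowchart above.
SOURCE = Account("Source account", [
    Policy("Block malware", "block", frozenset({"malware"})),
    Policy("Block spyware", "block", frozenset({"spyware"})),
    Policy("Block DNS tunnel", "block", frozenset({"dns tunnel"})),
])

# Recipient A tries to allow malware (an attempted override) and adds its own block.
RECIPIENT_A = Account("Recipient account A", [
    Policy("Allow malware (attempted override)", "allow", frozenset({"malware"})),
    Policy("Block social media", "block", frozenset({"social media"})),
])


if __name__ == "__main__":
    for cats in (frozenset({"malware"}), frozenset({"social media"}), frozenset({"news"})):
        print(sorted(cats), "->", evaluate(SOURCE, RECIPIENT_A, cats))
    print(effective_order(SOURCE, RECIPIENT_A))
```

Running the script shows the malware request blocked by the source tier even though Recipient A has an allow policy for it, the social-media request blocked by Recipient A's own policy, and the unmatched request allowed by default.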
Tiered policies do not support egress policies. Source accounts cannot share policies with selectors that target device posture checks, Access private apps, or virtual networks. Source and recipient accounts can still create and apply policies with these selectors separately from the Organization share.
You can create, configure, and share your tiered policies in the source account for your Cloudflare Organization.
To share a Gateway policy from a source account to a recipient account:
- In Zero Trust ↗, go to Gateway > Firewall policies.
- Choose the policy type you want to share. If you want to share a resolver policy, go to Gateway > Resolver policies.
- Find the policy you want to share from the list. In the three-dot menu, select Share. Alternatively, to bulk share multiple policies, you can select each policy you want to share, then select Actions > Share.
- In Select account, choose the accounts you want to share the policy with. To share the policy with all existing and future recipient accounts in your Organization, choose Select all accounts in org.
- Select Continue, then select Share.
A sharing icon will appear next to the policy's name. When sharing is complete, the policy will appear in and apply to the recipient accounts. Shared policies appear grayed out in the recipient account's list of Gateway policies, indicating that they cannot be edited there.
If a policy fails to share to recipient accounts, Gateway will retry deploying the policy automatically unless the error is unrecoverable.
To change or remove recipients for a Gateway policy:
- In Zero Trust ↗, go to Gateway > Firewall policies.
- Choose the policy type you want to edit. If you want to edit a resolver policy, go to Gateway > Resolver policies.
- Find the policy you want to edit from the list.
- In the three-dot menu, select Edit shared configuration recipients.
- In Select account, choose the accounts you want to share the policy with. To remove a recipient, select Remove next to the recipient account's name.
- Select Continue, then select Save.
When the update is complete, the policy will apply to the revised set of recipient accounts and will be removed from any account you removed as a recipient.
To stop sharing a policy with all recipient accounts:
- In Zero Trust ↗, go to Gateway > Firewall policies.
- Choose the policy type you want to remove. If you want to remove a resolver policy, go to Gateway > Resolver policies.
- Find the policy you want to remove from the list. In the three-dot menu, select Unshare. Alternatively, to bulk remove multiple policies, you can select each policy you want to remove, then select Actions > Unshare.
- Select Unshare.
When the change is complete, Gateway will stop sharing the policy with all recipient accounts and will apply the policy only to the source account.
When you edit or delete a shared policy in a source account, Gateway will require confirmation before making any changes. Changes made to shared policies will apply to all recipient accounts. Deleting a shared policy will delete the policy from both the source account and all recipient accounts.
You can share Zero Trust settings from your source account to recipient accounts in your Cloudflare Organization, including the Gateway block page and extended email address matching. Other Gateway settings configured in a source account, such as AV scanning and file sandboxing, will not affect recipient account configurations.
To share your Gateway block page settings from a source account to a recipient account:
- In Zero Trust ↗, go to Settings > Custom pages.
- In Account Gateway block page, select the three-dot menu and choose Share.
- In Select account, choose the accounts you want to share the settings with. To share the settings with all existing and future recipient accounts in your Organization, choose Select all accounts in org.
- Select Continue, then select Share.
A sharing icon will appear next to the setting. When sharing is complete, the setting will appear in and apply to the recipient accounts.
To modify share recipients or unshare the setting, select the three-dot menu and choose Edit shared configuration recipients or Unshare.
To share your extended email address matching settings from a source account to a recipient account:
- In Zero Trust ↗, go to Settings > Network.
- In Firewall > Matched extended email address, select the three-dot menu and choose Share.
- In Select account, choose the accounts you want to share the settings with. To share the settings with all existing and future recipient accounts in your Organization, choose Select all accounts in org.
- Select Continue, then select Share.
A sharing icon will appear next to the setting. When sharing is complete, the setting will appear in and apply to the recipient accounts.
To modify share recipients or unshare the setting, select the three-dot menu and choose Edit shared configuration recipients or Unshare.