Connect with the WARP client
The Cloudflare WARP client (known as the Cloudflare One Agent in mobile app stores) allows you to protect corporate devices by securely and privately sending traffic from those devices to Cloudflare’s global network, where Cloudflare Gateway can apply advanced web filtering.
Choose this option if:
- You want to create DNS policies based on user identity.
- You want to apply consistent policies for both remote and on-site users.
- You are interested in progressing from DNS-only security to the advanced protection offered by a Secure Web Gateway.
Deploy WARP on a test device
Most admins test by downloading the client and authenticating with a one-time PIN.
If you previously connected without an agent, undo the DoH configuration in your browser or OS. Otherwise, your device will continue to send queries to the DoH endpoint instead of forwarding requests through WARP.
Enable one-time PIN authentication:
- In Zero Trust, go to Settings > Authentication.
- Under Login methods, select Add new.
- Select One-time PIN.
- If your organization uses a third-party email scanning service (for example, Mimecast or Barracuda), add `noreply@notify.cloudflare.com` to the email scanning allowlist.
Enable device enrollment:
- In Zero Trust, go to Settings > WARP Client.
- In the Device enrollment card, select Manage.
- In the Rules tab, configure one or more Access policies to define who can join their device. For example, you could allow all users with a company email address:

  | Rule type | Selector | Value |
  | --- | --- | --- |
  | Include | Emails ending in | @company.com |

- In the Authentication tab, select the identity providers users can authenticate with. If you have not integrated an identity provider, you can use the one-time PIN.
- Select Save.
Switch the agent to DNS-only mode:
- In Zero Trust, go to Settings > WARP Client.
- In the Device settings card, select the Default profile.
- Select Configure.
- For Service mode, select Gateway with DoH.
- Select Save profile.
If you are running third-party firewall or TLS decryption software, verify that it does not inspect or block traffic to these IP addresses:
- Client orchestration IPs:
  - IPv4 API Endpoints: 162.159.137.105 and 162.159.138.105
  - IPv6 API Endpoints: 2606:4700:7::a29f:8969 and 2606:4700:7::a29f:8a69
- Gateway DoH IPs:
  - IPv4 DoH Addresses: 162.159.36.1 and 162.159.46.1
  - IPv6 DoH Addresses: 2606:4700:4700::1111 and 2606:4700:4700::1001
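As an added example (not part of Cloudflare's documentation), the following Python checks an exported firewall or TLS-inspection rule list against the IP addresses listed above. The `(name, cidr, action)` rule format, the action names, and first-match-wins ordering are assumptions, and the sample rules are constructed.

```python
import ipaddress

# WARP endpoints listed on this page that must not be inspected or blocked.
WARP_ENDPOINTS = {
    "client orchestration (IPv4)": ["162.159.137.105", "162.159.138.105"],
    "client orchestration (IPv6)": ["2606:4700:7::a29f:8969", "2606:4700:7::a29f:8a69"],
    "Gateway DoH (IPv4)": ["162.159.36.1", "162.159.46.1"],
    "Gateway DoH (IPv6)": ["2606:4700:4700::1111", "2606:4700:4700::1001"],
}

# Actions that would interfere with enrollment or DoH (assumed action names).
INTERFERING = {"block", "inspect"}


def first_match(ip, rules):
    """Return the first (name, cidr, action) rule whose CIDR contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, cidr, action in rules:
        # strict=False tolerates rules written with host bits set, e.g. 10.1.2.3/8.
        net = ipaddress.ip_network(cidr, strict=False)
        # Containment across IP versions is always False, so mixed rule sets are safe.
        if addr in net:
            return name, cidr, action.lower()
    return None


def find_conflicts(rules):
    """List (purpose, ip, rule_name, action) for each endpoint hit by an interfering rule."""
    conflicts = []
    for purpose, ips in WARP_ENDPOINTS.items():
        for ip in ips:
            hit = first_match(ip, rules)
            if hit and hit[2] in INTERFERING:
                conflicts.append((purpose, ip, hit[0], hit[2]))
    return conflicts


# Constructed sample policy, ordered top-down (assumption: first match wins).
SAMPLE_RULES = [
    ("allow-warp-api", "162.159.137.105/32", "allow"),
    ("tls-inspect-cloudflare", "162.159.0.0/16", "inspect"),
    ("block-public-doh-v6", "2606:4700:4700::/48", "block"),
    ("default-allow", "0.0.0.0/0", "allow"),
]

if __name__ == "__main__":
    for purpose, ip, rule, action in find_conflicts(SAMPLE_RULES):
        print(f"{ip} ({purpose}) would hit rule '{rule}' with action '{action}'")
```

An empty result means no listed endpoint is covered by a blocking or inspecting rule under these assumptions; any reported rule needs an explicit bypass placed ahead of it.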
Uninstall any existing third-party software that may manage DNS resolution. Sometimes products placed in a disconnected or disabled state will still interfere with the WARP client.
Download and install WARP on the device.
Once WARP is installed, manually authenticate into your Zero Trust organization:
Windows and macOS
- Select the Cloudflare logo in the menu bar.
- Select the gear icon.
- Navigate to Preferences > Account.
- Select Login with Cloudflare Zero Trust.
- Enter your team name.
- Complete the authentication steps required by your organization.
Linux
- Open a terminal window.
- Run `warp-cli teams-enroll <your team name>` to enroll into Cloudflare Zero Trust using your organization’s team name.
- Complete the authentication steps required by your organization in the browser window that opens.
- Return to your terminal window and run `warp-cli enable-always-on` to toggle WARP to always stay connected.
iOS, Android, and ChromeOS
- Launch the 1.1.1.1 application.
- Select the menu bar icon.
- Select Account.
- Select Login with Cloudflare Zero Trust.
- Enter your team name.
- Complete the authentication steps required by your organization.
The WARP client should show as Connected. By default, all DNS queries from the device will be forwarded to Cloudflare Gateway for filtering.