Skip to content

Gateway policy expressions #29495

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pedrosousa merged 6 commits into from
Apr 13, 2026
Merged

Gateway policy expressions #29495

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
956d613
Gateway policy expressions
damiaan-commits Mar 31, 2026
57a5299
Update expression-syntax.mdx
damiaan-commits Mar 31, 2026
0b62f3d
PCX review (first pass)
pedrosousa Apr 10, 2026
b7c8388
Remove unneeded frontmatter entries (repeated value)
pedrosousa Apr 10, 2026
eb095a4
Apply suggestions from SME + PCX reviews
pedrosousa Apr 13, 2026
efb38a5
Fix line endings + prettify
pedrosousa Apr 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
172 changes: 172 additions & 0 deletions src/content/docs/cloudflare-one/traffic-policies/expression-syntax.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,172 @@
---
pcx_content_type: concept
title: Gateway policy expressions
sidebar:
order: 14
description: Learn about the expression syntax used to build Gateway DNS, HTTP, Network, Egress, and Resolver policies.
---

import { Render } from "~/components";

Gateway policies use a wirefilter-based expression language to match traffic against selectors (criteria). This syntax is similar to, but distinct from, the [Rules language](/ruleset-engine/rules-language/) used by WAF, Rules, and other Cloudflare products. Refer to [Gateway versus Ruleset Engine](#gateway-versus-ruleset-engine) for details on the differences.

:::caution[Important]

The [Ruleset Engine documentation](/ruleset-engine/rules-language/) does not apply to Gateway policies. Gateway has its own set of selectors and fields specific to Zero Trust traffic filtering. For available selectors, refer to the documentation for each policy type:

- [DNS policy selectors](/cloudflare-one/traffic-policies/dns-policies/#selectors)
- [HTTP policy selectors](/cloudflare-one/traffic-policies/http-policies/#selectors)
- [Network policy selectors](/cloudflare-one/traffic-policies/network-policies/#selectors)
- [Egress policy selectors](/cloudflare-one/traffic-policies/egress-policies/#selectors)
- [Resolver policy selectors](/cloudflare-one/traffic-policies/resolver-policies/#selectors)

:::

## Expression syntax

Gateway expressions follow this pattern:

```txt
<field> <operator> <value>
```

For example:

```txt
dns.fqdn == "example.com"
http.request.host == "api.example.com"
identity.email == "user@company.com"
```

### Operators

Gateway supports the following operators:

| Operator | Name | Example |
| --------- | -------------------------- | ------------------------------------------------ |
| `==` | Equals | `dns.fqdn == "example.com"` |
| `!=` | Does not equal | `http.request.host != "blocked.com"` |
| `in` | Value is in set | `net.dst.port in {80 443}` |
| `matches` | Matches regular expression | `http.request.host matches ".*\\.example\\.com"` |
| `>` | Greater than | `http.upload.file.size > 10` |
| `>=` | Greater than or equal to | `http.download.file.size >= 100` |
| `<` | Less than | `http.upload.file.size < 50` |
| `<=` | Less than or equal to | `http.download.file.size <= 200` |

### Logical operators

Combine multiple conditions using logical operators:

| Operator | Name | Example |
| -------- | ----------- | --------------------------------------------------------------------- |
| `and` | Logical AND | `dns.fqdn == "example.com" and identity.email == "admin@company.com"` |
| `or` | Logical OR | `net.dst.port == 80 or net.dst.port == 443` |

You can also use symbols instead of words:
Comment thread
pedrosousa marked this conversation as resolved.

- `&&` instead of `and`
- `||` instead of `or`

## Array handling

Some Gateway fields return arrays (multiple values). Use the `any()` function to match if any element in the array meets the condition:

```txt
any(http.request.uri.content_category[*] in {17 85 102})
```

```txt
any(identity.groups[*].name in {"Engineering" "Security"})
```

```txt
any(http.request.domains[*] == "example.com")
```

The `[*]` notation indicates that the function should evaluate all elements in the array.

## List handling

You can reference [lists](/cloudflare-one/reusable-components/lists/) in your expressions using the list UUID:

```txt
http.request.host in $<LIST_UUID>
```

```txt
any(http.request.domains[*] in $<LIST_UUID>)
```

To find a list's UUID, go to **My Team** > **Lists** in Zero Trust and select the list. The UUID appears in the browser URL.

## Common field patterns

Each Gateway policy type has its own set of available fields. The following table shows the field prefixes used by each policy type:

| Policy type | Field prefix | Example fields |
| -------------- | ----------------- | --------------------------------------------------------------- |
| DNS | `dns.` | `dns.fqdn`, `dns.content_category`, `dns.src_ip` |
| HTTP | `http.` | `http.request.host`, `http.request.uri`, `http.request.domains` |
| Network | `net.` | `net.dst.ip`, `net.dst.port`, `net.src.ip` |
| Identity | `identity.` | `identity.email`, `identity.groups`, `identity.name` |
| Device posture | `device_posture.` | `device_posture.checks.passed` |

For a complete list of available fields for each policy type, refer to the selectors documentation linked at the top of this page.

## Example expressions

### Block a domain in a DNS policy

```txt
dns.fqdn == "example.com"
```

### Block multiple content categories in an HTTP policy

```txt
any(http.request.uri.content_category[*] in {17 85 102})
```

### Allow traffic from a specific user group

```txt
any(identity.groups[*].name in {"Engineering"})
```

### Block traffic to a destination IP range in a Network policy

```txt
net.dst.ip in {10.0.0.0/8}
```

### Combine identity and traffic conditions

```txt
http.request.host == "internal.example.com" and identity.email matches ".*@company.com"
```

## Gateway versus Ruleset Engine

The following table summarizes the key differences between the Rules language](/ruleset-engine/rules-language/) (supported by the Ruleset Engine) and Gateway policy expressions:

| | Ruleset Engine | Gateway |
| ------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
| **Products** | WAF, Transform Rules, Cache Rules, Configuration Rules | DNS, HTTP, Network, Egress, Resolver policies |
| **Field examples** | `http.request.uri.path`, `cf.bot_management.score`, `ip.src` | `dns.fqdn`, `http.request.host`, `identity.email` |
| **Identity fields** | Not available | Available (for example, `identity.email`, `identity.groups`) |
| **DNS fields** | Not available | Available (for example, `dns.fqdn`, `dns.content_category`) |
| **Documentation** | [Rules language](/ruleset-engine/rules-language/) | [Traffic policies](/cloudflare-one/traffic-policies/) |

:::note

Do not reference the [Ruleset Engine fields reference](/ruleset-engine/rules-language/fields/) when building Gateway policies. Gateway has its own field set documented on each policy type page.

:::

## Related resources

- [DNS policies](/cloudflare-one/traffic-policies/dns-policies/)
- [HTTP policies](/cloudflare-one/traffic-policies/http-policies/)
- [Network policies](/cloudflare-one/traffic-policies/network-policies/)
- [Identity-based policies](/cloudflare-one/traffic-policies/identity-selectors/)
- [Lists](/cloudflare-one/reusable-components/lists/)
Loading