Gateway Activity logs
The Activity log shows the individual DNS queries, Network packets, and HTTP requests inspected by Gateway. You can also download encrypted SSH command logs for sessions proxied by Gateway.
To view Activity logs, log in to your Zero Trust dashboard and navigate to Logs > Gateway. Click on an individual row to investigate the event in more detail.
Selective logging
By default, Gateway logs all events, including DNS queries and HTTP requests that are allowed and not a risk. You can choose to disable logs or only log blocked requests. To customize what type of events are recorded, log in to your Zero Trust dashboard and navigate to Settings > Network. Under Activity Logging, indicate your DNS, Network, and HTTP log preferences.
DNS logs
Explanation of the fields
| Field | Description |
|---|---|
| Query | The name of the domain that was queried. |
| The email address of the user who made the DNS query. This is generated by the WARP client. | |
| Action | What Action Gateway applied to the query (for example Allowed or Blocked). |
| Time | The timestamp of the DNS query. |
| Source IP | The public source IP of the DNS query. |
| Request type | The DNS query type. This page contains a list of all the DNS query types. |
| Port | The port that was used to make the DNS query. |
| Protocol type | The protocol that was used to make the DNS query (for example, https). |
| User ID | The ID of the user who made the DNS query. This is generated by the WARP client. |
| User email | The email address of the user who made the DNS query. This is generated by the WARP client. |
| Device ID | The ID of the device that made the DNS query. This is generated by the WARP client. |
| Location | The user-configured location from where the DNS query was made. |
| Categories | Content categories that the domain belongs to. |
| Resolver decision | The reason why Gateway applied a particular Action to the request. Refer to the list of resolver decisions. |
Resolver decisions
| Value | Description |
|---|---|
| allowedByQueryName | Domain or hostname in the query matched an Allow policy. |
| blockedByQueryName | Domain or hostname in the query matched a Block policy. |
| allowedRule | IP address in the response matched an Allow policy. |
| blockedRule | IP address in the response matched a Block policy. |
| blockedByCategory | Domain or hostname matched a category in a Block policy. |
| blockedAlwaysCategory | Domain or hostname is always blocked by Cloudflare. |
| allowedOnNoLocation | Allowed because query did not match a Gateway location. |
| allowedOnNoPolicyMatch | Allowed because query did not match a policy. |
| overrideForSafeSearch | Response was overridden by a SafeSearch policy. |
| overrideApplied | Response was overridden by an Override policy. |
HTTP logs
Explanation of the fields
| Field | Description |
|---|---|
| Host | The hostname in the HTTP header for the HTTP request. |
| Method | The HTTP method used for the request (e.g., GET, POST, etc.) |
| Decision | The Gateway action taken based on the first rule that matched. For example: Allowed, Blocked, Bypass, etc. |
| Time | The timestamp of the HTTP request |
| URL | The full URL of the HTTP request |
| Device | The ID of the device that made the request. This is generated by the WARP client on the device that created the request. |
| Referer | The Referer request header contains the address of the page making the request. |
| User Agent | The user agent header sent in the request by the originating device. |
| File Name | File name string if a file transfer occurred or was attempted. |
| HTTP version | The HTTP version of the origin that Gateway connected to on behalf of the user. |
| Policy details | The policy corresponding to the decision Gateway made based on the traffic criteria of the request. |
Isolate requests
When a user creates a policy to isolate traffic, the initial request that triggers isolation will be logged as an Isolate decision and the is_isolated field will return false. This is because that initial request is not isolated yet — but it initiates an isolated session.
Since the request is generated in an isolated browser, the result is rendered in the isolated browser and rendered back to the user securely. This request and all subsequent requests in the isolated browser are logged to include the terminal Gateway action that gets applied (e.g. Allow / Block) and the is_isolated field as true.
Network logs
Explanation of the fields
| Field | Description |
|---|---|
| Source IP | The IP address of the user sending the packet. |
| Destination IP | The IP address of the packet’s target. |
| Source port | The source port number for the packet. |
| Destination port | The destination port number for the packet. |
| Protocol | The protocol over which the packet was sent. |
| SNI | The host whose Server Name Indication (SNI) header Gateway will filter traffic against. |
| Policy name | The name of the policy corresponding to the decision Gateway made. |
| Policy ID | The ID of the policy enforcing the decision Gateway made. |
| Device ID | The ID of the device that sent the packet. This is generated by the WARP client. |
| User ID | The ID of the user sending the packet. This is generated by the WARP client. |
| User email | The email address of the user sending the packet. This is generated by the WARP client. |
| Categories | Category or categories associated with the packet. |
Export Gateway logs with Logpush
You can configure the automatic export of Gateway Activity logs to third-party storage destinations or to security information and event management (SIEM) tools. Once exported, your team can analyze and audit the data as needed.
This feature builds on Cloudflare’s Logpush Service — refer to the Logpush documentation to find a list of available fields forDNS, Network, and HTTP logs.
To enable Logpush for Gateway Activity logs:
- In the Zero Trust dashboard, navigate to Logs > Logpush.
- Click Connect a service.
- Enter a Job name.
- From the drop-down menu, choose whether to export the Gateway DNS, Gateway Network, or Gateway HTTP dataset.
- Next, select the data fields you want to include in the log.
- In the Advanced settings card, choose the timestamp format you prefer, and whether you want to enable logs sampling.
- Click Next.
- Select the service you want to export your logs to.
- Follow the service-specific instructions on the Zero Trust dashboard to validate your destination.
The setup of your Logpush integration is now complete. Logpush will send updated logs every five minutes to your selected destination.
You can configure multiple destinations and add additional fields to your logs by returning to the Logpush page.