Lists
With Cloudflare Zero Trust, you can create lists of URLs, hostnames, or other entries to reference when creating Gateway policies or Access policies. This allows you to quickly create rules that match and take actions against several items at once.
Before creating a list, make note of the limitations.
Lists can contain a single type of data each. Supported data types include:
- URLs
- Hostnames
- Serial numbers
- User email addresses
- IP addresses
- Device ID numbers
Here is a sample CSV file of URLs that you can use for testing. When formatting the CSV:
- Each line should be a single entry.
- Trailing whitespaces are not allowed.
- CRLF (Windows) and LF (Unix) line endings are valid.
To upload the list to Zero Trust:
- In Zero Trust ↗, go to My Team > Lists.
- Select Upload CSV.
- Next, specify a List name, enter an optional description, and choose a List type.
- Drag and drop a file into the CSV file window, or select a file.
- Select Create.
You can now use this list in the policy builder by choosing the in list operator.
- In Zero Trust ↗, go to My Team > Lists.
- Select Create manual list.
- Next, specify a List name, enter an optional description, and choose a List type.
- Enter your list element manually into the Add entry field and select Add.
- Select Save.
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/lists \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "description": "Private application IPs", "items": [{"value": "10.226.0.177/32"},{"value": "10.226.1.177/32"}], "name": "Corporate IP list", "type": "IP"}'You can now use this list in the policy builder by choosing the in list operator.
-
In the Lists page, locate the list you want to edit.
-
Select Edit. This will allow you to:
- Edit list name and description by selecting on the three-dots menu to the right of your list’s name.
- Delete the list by selecting the three-dots menu to the right of your list’s name.
- Delete individual entries.
- Manually add entries to your list.
-
Once you have edited your list, select Save.
Your lists can include up to 1,000 entries for Standard plans and 5,000 for Enterprise plans. An uploaded CSV file must be smaller than 2 MB.
Lists cannot have duplicate entries. Because hostnames are converted to Punycode ↗, multiple list entries that convert to the same string will count as duplicates. For example, éxàmple.com converts to xn—xmple-rqa5d.com, so including both éxàmple.com and xn—xmple-rqa5d.com in a list will result in an error.
Gateway ignores trailing forward slashes (/) in URLs. For example, https://example.com and https://example.com/ will count as the same URL and may return a duplicate error.
Extended email addresses (also known as plus addresses) are variants of an existing email address with + or . modifiers. Many email providers, such as Gmail and Outlook, deliver emails intended for an extended address to its original address. For example, providers will deliver emails sent to contact+123@example.com or con.tact@example.com to contact@example.com.
By default, Gateway will either filter only exact matches or all extended variants depending on the type of policy and action used:
DNS policies
| Action | Behavior |
|---|---|
| Allow | Match exact address only |
| Block | Match exact address and all variants |
| Override | Match exact address and all variants |
| Safe Search | Match exact address and all variants |
| YouTube Restricted | Match exact address and all variants |
Network policies
| Action | Behavior |
|---|---|
| Allow | Match exact address only |
| Audit SSH | Match exact address and all variants |
| Block | Match exact address and all variants |
| Network Override | Match exact address only |
HTTP policies
| Action | Behavior |
|---|---|
| Allow | Match exact address only |
| Block | Match exact address and all variants |
| Do Not Inspect | Match exact address only |
| Do Not Isolate | Match exact address only |
| Do Not Scan | Match exact address only |
| Isolate | Match exact address and all variants |
Other policies
| Policy type | Behavior |
|---|---|
| Egress policy | Match exact address only |
| Resolver policy | Match exact address only |
To force Gateway to match all email address variants, go to Settings > Network > Firewall and turn on Match extended email addresses. This setting applies to all firewall, egress, and resolver policies.