Gateway block page
With Cloudflare Zero Trust, you can deliver actionable feedback to users when they are blocked by a Gateway policy. Custom block messages can reduce user confusion and decrease your IT ticket load.
There are two different ways to surface block messages:
You can display a custom block page in the browser when users are blocked by a Gateway DNS or HTTP policy. This is a static page that educates users on why they were blocked and how to contact IT.
The custom block page has a few drawbacks:
- To display the block page, you must install a user-side certificate on the end user device.
- You cannot customize the block message for individual DNS policies.
- The block page does not appear when users are blocked by a Gateway network policy.
- The custom block page only displays when the user loads a site in a browser. If, for instance, the user is allowed to visit a site but not allowed to upload a file, the file upload would fail silently and the user would not get a block page.
To work around these limitations, we recommend using WARP client block notifications.
For DNS policies, you will need to enable the block page on a per-policy basis.
- In Zero Trust ↗, go to Gateway > Firewall Policies > DNS.
- Find the policy you want to customize and select Edit. You can only edit the block page for policies with a Block action.
- Under Configure policy settings, go to Display block page. Choose Show a custom message.
- In Custom message, enter a block message to show users.
- Select Save policy.
Gateway will display a custom message in your users’ browsers when they are blocked by this policy.
You can customize the block page by making global changes that will show up every time a user visits a block page, independently of the type of rule (DNS or HTTP) that is blocking the website.
To apply customizations to your block page:
-
In Zero Trust ↗, go to Settings > Custom Pages.
-
Under Block page, enable the custom block page feature.
-
Select Customize. Available global customizations include:
- Adding your organization’s name
- Adding a logo
- Adding a header text
- Adding a global block message, which will be displayed above the policy-specific block message
- Adding a Mailto link
- Choosing a background color
-
Select Save.
Users will now get a custom block page when visiting a blocked website.
For more granular user feedback, you can enable WARP client block notifications on any Gateway DNS or Network Block policy. Blocked users will receive an operating system notification from the WARP client with a custom message you set.
Client notifications provide additional functionality over the custom block page:
-
Client notifications work with network policies, which means you can surface feedback for all partial actions on user traffic including blocking a specific port, file upload, or protocol.
-
Client notifications allow you to direct users to a unique link per individual policy. For example, you could link users to your organization’s acceptable use policy, data protection policy, or any existing IT troubleshooting infrastructure. If no infrastructure for this exists within your organization, you can quickly deploy an HTML site on Cloudflare Pages, put the site behind a Cloudflare Access policy, and provide dynamic feedback based on the identity and device posture values found in the user’s Access JWT.