Isolate Access applications
3 min read
Cloudflare Browser Isolation integrates with your web-delivered Access applications to protect sensitive applications from data loss. You can build Access policies that require certain users to access your application exclusively through Browser Isolation, while other users matching different policies continue to access the application directly. For example, you may wish to layer on additional security measures for third-party contractors or other users without a corporate device.
Cloudflare sends all isolated traffic through our Secure Web Gateway inspection engine, which allows you to apply Gateway HTTP policies such as:
- Restrict specific actions and HTTP request methods.
- Inspect the request body to match against Data Loss Prevention (DLP) profiles with as much specificity and control as if the user had deployed an endpoint agent.
- Control users ability to cut and paste, upload and download files, or print while in an isolated session.
Prerequisites
Your browser must allow third-party cookies on the application domain. Enable Browser Isolation
- In Zero Trust, go to Settings > Browser Isolation.
- Enable Clientless Web Isolation.
- Next, go to Access > Applications.
- Choose a self-hosted application and select Configure.
- Choose an Allow policy and select Configure.
- Under Additional settings, turn on Isolate application.
- Save the policy.
Browser Isolation is now enabled for users who match this policy. After the user logs into Access, the application will launch in a remote browser. To confirm that the application is isolated, refer to Check if a web page is isolated.
You can optionally add another Allow policy for users on managed devices who do not require isolation.
Example Access policies
In the following example, Policy 1 allows employees on corporate devices to access the application directly. Users who do not match Policy 1, such as employees and contractors on unmanaged devices, will load the application in an isolated browser.
Policy 1: Allow employees who pass device posture checks
Action | Rule type | Selector | Value |
---|---|---|---|
Allow | Include | Emails ending in | @team.com |
Require | Device Posture - Serial Number List | Corporate serial numbers |
Additional settings | Status |
---|---|
Isolate application | Disabled |
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps/{app_uuid}/policies \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{ "decision": "allow", "name": "Allow employees who pass device posture checks", "include": [ { "email_domain": { "domain": "team.com" } } ], "exclude": [], "require": [ { "device_posture": { "integration_uid": "<SERIAL_NUMBER_LIST_UUID>" } } ], "precedence": 1}'
To create a list of serial numbers, refer to Create Zero Trust list.
Policy 2: Allow and isolate contractors
Action | Rule type | Selector | Value |
---|---|---|---|
Allow | Include | Emails ending in | @team.com , @contractors.com |
Additional settings | Status |
---|---|
Isolate application | Enabled |
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps/{app_uuid}/policies \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{ "decision": "allow", "name": "Allow and isolate contractors", "include": [ { "email_domain": { "domain": "team.com" } }, { "email_domain": { "domain": "contractors.com" } } ], "exclude": [], "require": [], "precedence": 2, "isolation_required": true}'
Example HTTP policies
Disable file downloads in isolated browser
Prevents users on unmanaged devices from downloading any files from your private application.
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Host | in | internal.site.com | And | Isolate |
Passed Device Posture Checks | not in | Corporate serial numbers |
Policy settings | Status |
---|---|
Disable file downloads | Enabled |
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{ "name": "Disable file downloads in isolated browser", "conditions": [ { "type": "traffic", "expression": { "in": { "lhs": "http.request.host", "rhs": [ "internal.site.com" ] } } }, { "type": "device_posture", "expression": { "any": { "in": { "lhs": { "splat": "device_posture.checks.passed" }, "rhs": [ "<SERIAL_NUMBER_LIST_UUID>" ] } } } } ], "action": "isolate", "precedence": 14002, "enabled": true, "description": "", "rule_settings": { "block_page_enabled": false, "block_reason": "", "biso_admin_controls": { "dcp": false, "dcr": false, "dd": true, "dk": false, "dp": false, "du": false } }, "filters": [ "http" ]}'
To create a list of serial numbers, refer to Create Zero Trust list.
Block file downloads of sensitive data
Block users on unmanaged devices from downloading files that contain credit card numbers. This logic requires two policies:
Policy 2: Block credit card numbers
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Host | in | internal.site.com | And | Block |
DLP Profile | in | Financial Information | And | |
Passed Device Posture Checks | not in | Corporate serial numbers |
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{ "name": "Block credit card numbers", "conditions": [ { "type": "traffic", "expression": { "and": [ { "in": { "lhs": "http.request.host", "rhs": [ "internal.site.com" ] } }, { "any": { "in": { "lhs": { "splat": "dlp.profiles" }, "rhs": [ "<DLP_PROFILE_UUID>" ] } } } ] } }, { "type": "device_posture", "expression": { "any": { "in": { "lhs": { "splat": "device_posture.checks.passed" }, "rhs": [ "<SERIAL_NUMBER_LIST_UUID>" ] } } } } ], "action": "block", "precedence": 14003, "enabled": true, "description": "", "rule_settings": { "block_page_enabled": false, "block_reason": "", "biso_admin_controls": null }, "filters": [ "http" ]}'
To configure a DLP profile, refer to Update predefined profile or Create custom profile.