
SASE - Cloudflare - Secure Web Gateway

This article describes how to integrate a Cloudflare SASE deployment with SurePath AI using Cloudflare Secure Web Gateway policy

Updated over 2 months ago

SurePath AI integration using Cloudflare Secure Web Gateway policy

Requirements

This integration requires that web traffic be routed through the Cloudflare Secure Web Gateway. This is typically accomplished with the Cloudflare WARP (Zero Trust) client; other methods are described in the Cloudflare documentation.

About this document

The configuration in this document covers how to add policies that redirect traffic to the SurePath AI platform. It covers the creation of Gateway policies but not how to deploy Cloudflare more generally or how to route traffic through the Cloudflare Secure Web Gateway.

About this integration

The integration with Cloudflare Secure Web Gateway requires two Gateway policies: a DNS policy that effectively redirects traffic to the SurePath AI platform, and an HTTP policy that adds an HTTP header to the traffic destined for SurePath AI so that SurePath AI can identify which organization the traffic belongs to.

Note: In a future release, SurePath AI plans to allow the SurePath AI Cloudflare connector to configure the Cloudflare policies needed for this integration automatically. If enabled, this will also allow automatic updates from the SurePath AI public service catalog. Without automatic updates, administrators must manually update the Cloudflare configuration (the Host value in both policies) whenever new GenAI services are added to the catalog; otherwise traffic to those services is not steered to SurePath AI.

Prerequisites

Download the Cloudflare public service catalog (in the SurePath AI console)

  • In the Govern section on the left, click the Public Services option

  • At the top right portion of the page, click the DOWNLOAD CATALOG button

    • In the Download Format drop-down, choose Cloudflare Config

    • Click DOWNLOAD

    • The contents of this file will be needed to complete Cloudflare configuration

Creating the Cloudflare connector (in the SurePath AI console)

  • In the Configure section on the left, click the Connectors option

  • At the top right portion of the page, click the ADD CONNECTOR button

    • In the Name field, enter a name for the connector such as Cloudflare Connector

    • In the Type drop-down, from the Network Ingress section, select Cloudflare

    • Click SAVE

    • The value from the Connector ID will be needed for the Cloudflare configuration

Configuring the Cloudflare Gateway Policies

The Cloudflare configuration involves the creation of two Cloudflare Secure Web Gateway policies. The first is a DNS policy that steers GenAI traffic to the SurePath AI platform. The second is an HTTP policy that adds a SurePath AI-specific header to all GenAI traffic so that SurePath AI can identify embedded, non-web-based traffic that can't be authenticated by a web browser. The two policies work together to give users a seamless experience and give administrators full visibility into their organization's GenAI usage. Because they work as a pair, both should use the same Host value and the same Identity (and, for the HTTP policy, Device Posture) scope: if the HTTP policy is narrower than the DNS policy, some traffic is steered to SurePath AI without the identifying header; if the DNS policy is narrower, some traffic carries the header but is never steered to SurePath AI.

Creating the Cloudflare Gateway DNS policy

  • In the Cloudflare Zero Trust dashboard, select Gateway from the menu panel on the left

  • Select Firewall policies in the sub-menu

  • In the DNS tab, click the Add a policy button

    • In the Step 1 section, in the Policy name field, enter a name to help identify this DNS policy, such as SurePath AI - GenAI DNS policy

      • Optionally, enter a description for the policy such as DNS policy that directs GenAI traffic to SurePath AI

    • In the Step 2 section, in the Traffic sub-section, click Add condition

      • For the Selector drop-down, select Host

      • For the Operator drop-down, select matches regex

      • In the Value field, enter the contents from the Cloudflare Config file download performed in the Prerequisite step above

    • In the Step 2 section, there is an optional sub-section, labelled Identity

      • With no value specified, this configuration will apply to ALL USERS

      • To restrict the configuration to a single user or a group of users, use the Add condition button

    • In the Step 3 section, in the Action drop-down, select Override

      • In the Override Hostname field, enter edge.surepath.ai and then click outside the field to set the value

  • At the bottom of the page, click the Create policy button to save the policy

  • The policy will be created in an Enabled state

    • If desired, click the green slider in the Status column to disable the policy

Creating the Cloudflare Gateway HTTP policy

  • In the Cloudflare Zero Trust dashboard, select Gateway from the menu panel on the left

  • Select Firewall policies in the sub-menu

  • In the HTTP tab, click the Add a policy button

    • In the Step 1 section, in the Policy name field, enter a name to help identify this HTTP policy, such as SurePath AI - GenAI HTTP policy

      • Optionally, enter a description for the policy such as HTTP policy that adds a custom SurePath AI header to all GenAI traffic

    • In the Step 2 section, in the Traffic sub-section, click Add condition

      • For the Selector drop-down, select Host

      • For the Operator drop-down, select matches regex

      • In the Value field, enter the contents from the Cloudflare Config file download performed in the Prerequisite step above

    • In the Step 2 section, there is an optional sub-section, labelled Identity

      • With no value specified, this configuration will apply to ALL USERS

      • To restrict the configuration to a single user or a group of users, use the Add condition button

    • In the Step 2 section, there is an additional optional sub-section, labelled Device Posture

      • With no value specified, this configuration will apply to ALL DEVICES regardless of posture

      • To restrict the configuration to a specific device posture, use the Add condition button

    • In the Step 3 section, in the Action drop-down, select Allow

      • In the Untrusted certificate action drop-down, select Pass Through

    • In the Step 4 section, click the Add a header link

      • In the Custom header name field, enter X-SP-Connector-ID

      • In the Custom header value field, enter the Connector ID value retrieved from the Cloudflare connector in the Prerequisite step above

  • At the bottom of the page, click the Create policy button to save the policy

  • The policy will be created in an Enabled state

    • If desired, click the green slider in the Status column to disable the policy
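The following script is an added example written for this article; it is not SurePath AI's or Cloudflare's code. It shows the two policies above as data: it builds an anchored Host regex from a list of GenAI hostnames, checks that the regex matches exactly the intended hosts (and demonstrates how an unescaped, unanchored pattern over-matches), and emits the DNS override and HTTP header-adding rules in the shape of Cloudflare's Gateway rules API. Assumptions: the hostname list is a constructed sample standing in for the real Cloudflare Config catalog download, the connector ID is a placeholder, and the JSON field names (filters, traffic, action, rule_settings.override_host, rule_settings.add_headers, rule_settings.untrusted_cert) follow the Gateway rules API as the editor understands it and should be verified against the current API reference before use.

```python
"""Build and sanity-check the two Cloudflare Gateway policies described above.

Added example, not SurePath AI's or Cloudflare's code. CATALOG_HOSTS is a
constructed sample; the real value comes from the "Cloudflare Config" catalog
download. Field names follow Cloudflare's Gateway rules API
(POST /accounts/{account_id}/gateway/rules) as understood by the editor;
verify them against the current API reference before sending anything.
"""
import json
import re

# Constructed sample of GenAI hosts; replace with the catalog contents.
CATALOG_HOSTS = ["chat.openai.com", "api.openai.com", "claude.ai", "gemini.google.com"]

SUREPATH_EDGE = "edge.surepath.ai"   # override hostname from the DNS policy step
HEADER_NAME = "X-SP-Connector-ID"    # custom header from the HTTP policy step
CONNECTOR_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, use your connector's ID


def host_regex(hosts):
    """Anchored alternation of literal hostnames.

    Dots are written as [.] so the pattern contains no backslashes; that keeps it
    safe to paste into the dashboard Value field or to embed in a quoted
    wirefilter expression without escape-handling surprises.
    """
    escaped = [h.lower().replace(".", "[.]") for h in hosts]
    return "^(" + "|".join(escaped) + ")$"


def check_regex(pattern, expected_hosts, other_hosts):
    """Return (missed, over_matched): expected hosts the pattern fails to match,
    and other hosts it wrongly matches. Both lists should be empty."""
    rx = re.compile(pattern, re.IGNORECASE)
    missed = [h for h in expected_hosts if not rx.search(h)]
    over = [h for h in other_hosts if rx.search(h)]
    return missed, over


def dns_policy(pattern, name="SurePath AI - GenAI DNS policy"):
    """Gateway DNS rule: Host matches regex -> Override to edge.surepath.ai."""
    return {
        "name": name,
        "description": "DNS policy that directs GenAI traffic to SurePath AI",
        "enabled": True,
        "filters": ["dns"],
        "traffic": f'dns.fqdn matches "{pattern}"',  # "Host" selector in a DNS policy
        "identity": "",                              # empty = applies to all users
        "action": "override",
        "rule_settings": {"override_host": SUREPATH_EDGE},
    }


def http_policy(pattern, connector_id, name="SurePath AI - GenAI HTTP policy"):
    """Gateway HTTP rule: Host matches regex -> Allow, untrusted cert Pass Through,
    add the connector header."""
    return {
        "name": name,
        "description": "HTTP policy that adds a custom SurePath AI header to all GenAI traffic",
        "enabled": True,
        "filters": ["http"],
        "traffic": f'http.request.host matches "{pattern}"',
        "identity": "",                              # empty = all users
        "device_posture": "",                        # empty = all devices
        "action": "allow",
        "rule_settings": {
            "untrusted_cert": {"action": "pass_through"},
            # Assumption: add_headers maps header name -> list of values.
            "add_headers": {HEADER_NAME: [connector_id]},
        },
    }


def policies_consistent(dns_rule, http_rule):
    """The pair must scope the same hosts and users, otherwise some GenAI traffic
    reaches SurePath AI without the header, or carries it but is never steered."""
    dns_pat = dns_rule["traffic"].split('"')[1]
    http_pat = http_rule["traffic"].split('"')[1]
    return dns_pat == http_pat and dns_rule["identity"] == http_rule["identity"]


if __name__ == "__main__":
    pattern = host_regex(CATALOG_HOSTS)
    print("Value field:", pattern)
    probes = ["claude.ai.example.net", "chatxopenai.com", "example.com"]
    print("anchored  (missed, over):", check_regex(pattern, CATALOG_HOSTS, probes))
    naive = "|".join(CATALOG_HOSTS)  # unescaped and unanchored: what not to paste
    print("naive     (missed, over):", check_regex(naive, CATALOG_HOSTS, probes))
    rules = [dns_policy(pattern), http_policy(pattern, CONNECTOR_ID)]
    print("consistent:", policies_consistent(*rules))
    print(json.dumps(rules, indent=2))
```

Run it after each catalog download and paste the printed Value into both policies' Host condition; the naive pattern in the output shows why an unescaped dot (matching any character) and a missing anchor would steer hosts such as claude.ai.example.net to the SurePath AI edge.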

Verifying the SurePath AI integration

To verify the configuration, follow the steps in this article.
