6.14. Tunnels & Gateway Security Checks
Checks for Cloudflare Tunnels and Secure Web Gateway configuration.
6.14.1. Check Summary

| Check ID | Title | Severity | Compliance |
|---|---|---|---|
| CFL-TUNNEL-001 | Cloudflare Tunnels | medium | CIS 5.8, SOC2 CC6.6, PCI 1.3, NIST PR.AC-5 |
| CFL-GW-001 | Gateway Policies | high | CIS 5.9, SOC2 CC6.1, PCI 3.4, NIST PR.DS-5 |
| CFL-DEVICE-001 | Device Enrollment Policy | medium | CIS 5.10, SOC2 CC6.1, NIST PR.AC-3 |
6.14.1.1. CFL-TUNNEL-001: Cloudflare Tunnels
Severity: medium | Category: tunnels
Cloudflare Tunnels provide secure, outbound-only connections from origin servers to Cloudflare's edge, so no inbound ports need to be opened on the origin's firewall.
Remediation: Use Cloudflare Tunnels for origin connections instead of exposing inbound ports.
—
6.14.1.2. CFL-GW-001: Gateway Policies
Severity: high | Category: gateway
Secure Web Gateway policies enforce acceptable use and block access to malicious destinations.
Remediation: Configure Gateway policies to block malicious traffic and enforce acceptable use.
—
6.14.1.3. CFL-DEVICE-001: Device Enrollment Policy
Severity: medium | Category: gateway
Device enrollment policies ensure only managed and compliant devices can access protected resources.
Remediation: Configure device enrollment rules in Zero Trust → Devices.
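The following is an added example, not the audit tool's own code, showing how the three checks in this section (CFL-TUNNEL-001, CFL-GW-001 and CFL-DEVICE-001) can be evaluated against account data that has already been fetched from the Cloudflare API. The record shapes (a tunnel's `status` and `deleted_at`, a Gateway rule's `action`, `enabled` and `filters`, and device enrollment expressed as a list of include rules such as `{"everyone": {}}`) are assumptions modelled on the API responses, the pass/fail thresholds (at least one healthy tunnel; an enabled block rule for both DNS and HTTP; an enrollment policy that exists and does not admit everyone) are this example's, and the sample records are constructed.

```python
"""Added example: evaluate CFL-TUNNEL-001, CFL-GW-001 and CFL-DEVICE-001
against already-fetched Cloudflare account data. Record shapes and
thresholds are assumptions of this example, not the audit tool's."""

from dataclasses import dataclass, field


@dataclass
class Finding:
    check_id: str
    severity: str   # taken from the check summary table
    passed: bool
    evidence: list = field(default_factory=list)


def check_tunnels(tunnels):
    """CFL-TUNNEL-001: at least one non-deleted tunnel reports 'healthy',
    so origins are reachable without inbound ports. Assumed status values:
    healthy / degraded / down / inactive."""
    live = [t for t in tunnels if not t.get("deleted_at")]
    healthy = [t["name"] for t in live if t.get("status") == "healthy"]
    unhealthy = [f"{t['name']}={t.get('status', 'unknown')}"
                 for t in live if t.get("status") != "healthy"]
    evidence = [f"healthy tunnels: {', '.join(healthy) or 'none'}"]
    if unhealthy:
        evidence.append(f"not healthy: {', '.join(unhealthy)}")
    return Finding("CFL-TUNNEL-001", "medium", bool(healthy), evidence)


def check_gateway_rules(rules, required_filters=("dns", "http")):
    """CFL-GW-001: every required traffic type (assumption: DNS and HTTP)
    is covered by at least one enabled rule whose action is 'block'.
    Disabled rules are ignored because they enforce nothing."""
    covered = set()
    for rule in rules:
        if rule.get("enabled") and rule.get("action") == "block":
            covered.update(rule.get("filters", []))
    missing = [f for f in required_filters if f not in covered]
    evidence = [f"enabled block rules cover: {sorted(covered) or 'nothing'}"]
    if missing:
        evidence.append(f"no enabled block rule for: {missing}")
    return Finding("CFL-GW-001", "high", not missing, evidence)


def check_device_enrollment(include_rules):
    """CFL-DEVICE-001: an enrollment policy exists and does not admit
    everyone. Rule shape ({'everyone': {}}, {'email_domain': {...}}, ...)
    is an assumption of this example."""
    if not include_rules:
        return Finding("CFL-DEVICE-001", "medium", False,
                       ["no device enrollment rules configured"])
    open_to_all = any("everyone" in rule for rule in include_rules)
    kinds = sorted({k for rule in include_rules for k in rule})
    evidence = [f"enrollment include rules: {kinds}"]
    if open_to_all:
        evidence.append("a rule admits everyone; restrict enrollment to managed identities")
    return Finding("CFL-DEVICE-001", "medium", not open_to_all, evidence)


# Constructed sample data (not from any real account).
SAMPLE_TUNNELS = [
    {"name": "prod-origin", "status": "healthy", "deleted_at": None},
    {"name": "old-origin", "status": "down", "deleted_at": None},
    {"name": "retired", "status": "inactive", "deleted_at": "2024-01-01T00:00:00Z"},
]
SAMPLE_RULES = [
    {"name": "Block security risks", "action": "block", "enabled": True, "filters": ["dns"]},
    {"name": "Block file downloads", "action": "block", "enabled": False, "filters": ["http"]},
    {"name": "Allow corporate apps", "action": "allow", "enabled": True, "filters": ["http"]},
]
SAMPLE_ENROLLMENT = [{"everyone": {}}]


def run_all():
    """Run the three checks over the constructed samples."""
    return [
        check_tunnels(SAMPLE_TUNNELS),
        check_gateway_rules(SAMPLE_RULES),
        check_device_enrollment(SAMPLE_ENROLLMENT),
    ]


if __name__ == "__main__":
    for finding in run_all():
        state = "PASS" if finding.passed else "FAIL"
        print(f"{finding.check_id} [{finding.severity}] {state}")
        for line in finding.evidence:
            print(f"  - {line}")
```

With the sample data the tunnel check passes (one healthy tunnel, with the downed one reported as evidence; the deleted tunnel is ignored), the Gateway check fails because the only HTTP block rule is disabled, and the enrollment check fails because the policy admits everyone.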