Skip to content

Set up Browser Isolation

Browser Isolation is enabled through Secure Web Gateway HTTP policies. By default, no traffic is isolated until you have added an Isolate policy to your HTTP policies.

1. Connect devices to Cloudflare

Setup instructions vary depending on how you want to connect your devices to Cloudflare. Refer to the links below to view the setup guide for each deployment option.

ConnectionModeDescription
Gateway with WARPIn-lineApply identity-based HTTP policies to traffic proxied through the WARP client.
AccessIn-lineApply identity-based HTTP policies to Access applications that are rendered in a remote browser.
Gateway proxy endpointIn-lineApply non-identity HTTP policies to traffic forwarded to a proxy endpoint.
Magic WANIn-lineApply non-identity HTTP policies to traffic connected through a GRE or IPsec tunnel.
Clientless remote browserPrefixed URLRender web pages in a remote browser when users go to https://<your-team-name>.cloudflareaccess.com/browser/<URL>.

2. Build an Isolation policy

To configure Browser Isolation policies:

  1. In Zero Trust, go to Gateway > Firewall Policies > HTTP.
  2. Select Add a policy and enter a name for the policy.
  3. Use the HTTP policy selectors and operators to specify the websites or content you want to isolate.
  4. For Action, choose either Isolate or Do not Isolate.
  5. (Optional) Configure settings for an Isolate policy.
  6. Select Create policy.

Next, verify that your policy is working.

3. Check if a web page is isolated

Users can see if a webpage is isolated by using one of the following methods:

  • Select the padlock in the address bar and check for the presence of a Cloudflare Root CA.
  • Right-click the web page and view the context menu options.

Normal browsing

  • A non-Cloudflare root certificate indicates that Cloudflare did not proxy this web page.

    Website does not present a Cloudflare root certificate

  • The right-click context menu will have all of the normal options.

    Normal right-click menu in browser

Isolated browsing

  • A Cloudflare root certificate indicates traffic was proxied through Cloudflare Gateway.

    Website presents a Cloudflare root certificate

  • The right-click context menu will be simplified.

    Simplified right-click menu in browser

Disconnect Browser Isolation

WARP users can temporarily disable remote browsing by disconnecting the WARP client. Once WARP is disconnected, a refresh will return the non-isolated page.