WARP modes
You can deploy the WARP client in different modes to control the types of traffic sent to Cloudflare Gateway. The WARP mode determines which Zero Trust features are available on the device.
This mode is best suited for organizations that want to use advanced firewall/proxy functionalities and enforce device posture rules.
| DNS filtering | Network filtering | HTTP filtering | Features enabled |
|---|---|---|---|
| Yes | Yes | Yes | DNS policies, network policies, HTTP policies, Browser Isolation, identity-based policies, device posture checks, AV scanning, and Data Loss Prevention |
Gateway with DNS-over-HTTPS (DoH) is best suited for organizations that only want to apply DNS filtering to outbound traffic from their company devices. Network and HTTP traffic is handled by the default mechanisms on your devices.
| DNS filtering | Network filtering | HTTP filtering | Features enabled |
|---|---|---|---|
| Yes | No | No | DNS policies |
Secure Web Gateway without DNS filtering mode (sometimes referred to as tunnel-only mode) is best suited for organizations that want to proxy network and HTTP traffic but keep their existing DNS filtering software. DNS traffic is handled by the default mechanism on your device.
| DNS filtering | Network filtering | HTTP filtering | Features enabled |
|---|---|---|---|
| No | Yes | Yes | Network policies, HTTP policies, Browser Isolation, identity-based policies, device posture checks, AV scanning, and Data Loss Prevention |
Proxy mode is best suited for organizations that want to filter traffic directed to specific applications.
| DNS filtering | Network filtering | HTTP filtering | Features enabled |
|---|---|---|---|
| No | No | Yes | HTTP policies, Browser Isolation, identity-based policies, AV scanning, and Data Loss Prevention for traffic sent through localhost proxy |
When you create a Cloudflare One account, a default device profile is created in Gateway with WARP service mode. To set up proxy mode, you will need to edit the default device profile or create a new device profile and set the WARP service mode to Proxy mode.
The default profile is used for all devices that are not assigned to a specific profile. If you want to apply proxy mode to a specific group of devices, you will need to create a new device profile and assign it to those devices.
To set up proxy mode:
- In Cloudflare One ↗, go to Teams & Resources > Device profiles.
- Decide whether you would like to edit the default profile or create a new device profile.
- Select the device profile you want to configure > Edit (If you only see View, you lack the permissions required to modify profiles).
- Ensure the Device tunnel protocol is set to
MASQUE. - Under Service mode, select Proxy mode.
- Select Save profile.
For devices using proxy mode, the WARP client listens on the configured port at the address 127.0.0.1 (localhost). Cloudflare uses 40000 as the default port for WARP in proxy mode, but you can modify this to any available port. You must explicitly configure individual applications or your system proxy settings to use this proxy.
Once configured, traffic to and from these applications will securely tunnel through WARP.
To make more complex routing decisions (such as, routing traffic directly to the Internet or other proxies), you can use a PAC file.
- Proxy mode can only be used by applications/operating systems that support SOCKS5/HTTP proxy communication.
- Requires the MASQUE device tunnel protocol. Wireguard is not supported.
- Only available on Windows, Linux, and macOS.
- Proxy mode has a timeout limit of 10 seconds for requests. If a request goes above the 10 second limit, Cloudflare will drop the connection.
This mode is best suited for organizations that only want to enforce WARP client device posture checks for zones in your account. DNS, Network and HTTP traffic is handled by the default mechanisms on your devices. To setup Device Information Only mode, refer to the dedicated page.
| DNS filtering | Network filtering | HTTP filtering | Features enabled |
|---|---|---|---|
| No | No | No | Device posture rules in Access policies |
Each WARP mode offers a different set of Zero Trust features.
| WARP Mode | DNS Filtering | Network Filtering | HTTP Filtering | Service mode (displayed in warp-cli settings) |
|---|---|---|---|---|
| Gateway with WARP (default) | ✅ | ✅ | ✅ | WarpWithDnsOverHttps |
| Gateway with DoH | ✅ | ❌ | ❌ | DnsOverHttps |
| Secure Web Gateway without DNS filtering | ❌ | ✅ | ✅ | TunnelOnly |
| Proxy mode | ❌ | ❌ | ✅ | WarpProxy on port 40000 |
| Device Information Only | ❌ | ❌ | ❌ | PostureOnly |
- Connectivity status - Learn about the status messages displayed by the WARP client during its connection process, and understand each stage as WARP establishes a secure tunnel to Cloudflare.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2026 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
