
External Emergency Disconnect

Feature availability

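| WARP modes | Zero Trust plans |
| --- | --- |
| All modes | All plans |

| System | Availability | Minimum WARP version |
| --- | --- | --- |
| Windows | | 2025.10.186.0 |
| macOS | | 2025.10.186.0 |
| Linux | | 2025.10.186.0 |
| iOS | | |
| Android | | |
| ChromeOS | | |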

The External Emergency Disconnect feature allows organizations to remotely disconnect and reconnect their fleet of WARP clients using their own infrastructure, independent of Cloudflare's infrastructure. For example, in the event of a Cloudflare network outage, you can still manage your devices even if Cloudflare’s systems are down or unreachable.

When External Emergency Disconnect is enabled, WARP clients will periodically poll a customer-hosted HTTPS endpoint. A client will only change its connection state if it receives a valid JSON payload with the new state. Any failure to successfully retrieve the state (such as endpoint unreachability, invalid certificate fingerprint, or an improperly structured payload) will not cause a state change on the client.

You can use External Emergency Disconnect in combination with the dashboard-initiated Disconnect WARP on all devices setting. A disconnect signal retrieved from the external endpoint will take precedence.

Use cases

Use External Emergency Disconnect to mitigate single-point-of-failure risks and ensure business continuity during network disruptions. Example use cases include:

  • Security Incident Response: Provides the ability to quickly terminate all WARP tunnels across the entire fleet.
  • Compliance and Auditing: Fulfills requirements in sensitive or regulated environments that mandate an "emergency stop" capability that is fully isolated, auditable, and controlled by the organization's own infrastructure.
  • Disaster Recovery: If WARP devices cannot reach Cloudflare's API (due to a network outage, routing issue, or client-side misconfiguration), administrators retain the ability to force-disconnect the fleet via the customer-hosted endpoint.

External endpoint requirements

An external disconnect endpoint is an HTTPS server hosted outside of Cloudflare from which WARP will fetch the emergency disconnect signal. The customer is fully responsible for managing this endpoint.

Endpoint URL

The external endpoint URL should:

  • Use the HTTPS protocol.
  • Use an IPv4 or IPv6 address as the host, not a domain.
  • (Recommended) Use a public IP to ensure that devices can fetch the latest state regardless of their network location.

Response payload

The WARP client expects a JSON response payload from the external endpoint with the following format:

    {
      "emergency_disconnect": false | true
    }

  • If emergency_disconnect is set to true, the device will initiate an emergency disconnect.
  • If emergency_disconnect is set to false, the device will continue normal operation.
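
The polling rules and payload format above, modelled as an added Python example (not Cloudflare's client code): a poll changes state only when the presented certificate matches the pinned SHA-256 fingerprint and the body is valid JSON with a boolean emergency_disconnect, and either disconnect source can force a global disconnect. The function names, the strict boolean check, and the constructed sample certificate bytes are assumptions.

```python
import hashlib
import json

def normalize_fingerprint(text):
    """Accept openssl output or bare hex; return 64 uppercase hex chars."""
    fp = text.split("=", 1)[-1].replace(":", "").strip().upper()
    if len(fp) != 64 or any(c not in "0123456789ABCDEF" for c in fp):
        raise ValueError("not a SHA-256 fingerprint")
    return fp

def parse_signal(body):
    """Return True/False for a well-formed payload, None otherwise."""
    try:
        doc = json.loads(body)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return None
    value = doc.get("emergency_disconnect") if isinstance(doc, dict) else None
    # Assumption: only a JSON boolean counts; "true" or 1 is rejected.
    return value if isinstance(value, bool) else None

def next_state(current, pinned_fp, cert_der, body):
    """One poll. cert_der/body are None when the endpoint is unreachable."""
    if cert_der is None or body is None:
        return current
    presented = hashlib.sha256(cert_der).hexdigest().upper()
    if presented != normalize_fingerprint(pinned_fp):
        return current  # wrong certificate: ignore whatever it served
    signal = parse_signal(body)
    return current if signal is None else signal

def force_disconnected(external_state, dashboard_on):
    """Either source can force a global disconnect."""
    return external_state or dashboard_on

# Constructed sample: placeholder bytes standing in for the certificate's DER.
CERT = b"constructed stand-in for the endpoint certificate (DER)"
_hex = hashlib.sha256(CERT).hexdigest().upper()
PINNED = "SHA256 Fingerprint=" + ":".join(_hex[i:i + 2] for i in range(0, 64, 2))

if __name__ == "__main__":
    polls = [(False, CERT, b'{"emergency_disconnect": true}'),
             (False, b"other cert", b'{"emergency_disconnect": true}'),
             (True, None, None),
             (True, CERT, b'{"emergency_disconnect": "false"}')]
    for current, cert, body in polls:
        print(current, "->", next_state(current, PINNED, cert, body))
```

The last two polls leave an already disconnected device disconnected, because a failed or malformed poll never changes state in either direction.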

Cipher suites

The WARP client establishes a TLS connection using Rustls. Make sure your HTTPS endpoint accepts one of the cipher suites supported by Rustls.

Set up External Emergency Disconnect

1. Create an external disconnect endpoint

To configure External Emergency Disconnect, you will need an HTTPS endpoint in your own infrastructure that serves the global disconnect signal. The WARP client will poll the external endpoint and validate its TLS/SSL certificate against an SHA-256 fingerprint that you upload to Zero Trust. Refer to External endpoint requirements for more details.

The following example demonstrates how to deploy an external disconnect endpoint using an nginx container in Docker.

  1. Generate a TLS/SSL certificate:

    Terminal window
    openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout key.pem -out cert.pem

    You will be prompted to fill in Distinguished Name (DN) fields. Fill in your organization's information or press Enter to use the default values.

    The command will output a certificate in PEM format and its private key. Store these files in a secure place.

  2. Configure an HTTPS server on your network to use this certificate and key:

    a. Create an nginx configuration file called nginx.conf:

    nginx.conf
    events {
        worker_connections 1024;
    }
    http {
        server {
            listen 443 ssl;
            ssl_certificate /certs/cert.pem;
            ssl_certificate_key /certs/key.pem;
            location /status/disconnect {
                default_type application/json;
                return 200 '{"emergency_disconnect": false}';
            }
        }
    }

    If needed, replace /certs/cert.pem and /certs/key.pem with the locations of your certificate and key.

    b. Add the nginx image to your Docker compose file:

    docker-compose.yml
    services:
      nginx:
        image: nginx:latest
        ports:
          - 3333:443
        volumes:
          - ./nginx.conf:/etc/nginx/nginx.conf:ro
          - ./certs:/certs:ro

    If needed, replace ./nginx.conf and ./certs with the locations of your nginx configuration file and certificate.

    c. Start the server:

    Terminal window
    docker compose up -d

  3. To test that the HTTPS endpoint is working, run a curl command from the end user's device. You need to pass the --insecure option because we are using a self-signed certificate.

    Terminal window
    curl --insecure https://<server-ip>:3333/status/disconnect
    {"emergency_disconnect": false}

2. Extract the SHA-256 fingerprint

To obtain the SHA-256 fingerprint of a local certificate:

Terminal window
openssl x509 -noout -fingerprint -sha256 -inform pem -in cert.pem | tr -d :

The output will look something like:

SHA256 Fingerprint=DD4F4806C57A5BBAF1AA5B080F0541DA75DB468D0A1FE731310149500CCD8662

3. Turn on External Emergency Disconnect

To configure External Emergency Disconnect using the dashboard:

  1. In Cloudflare One, go to Team & Resources > Devices > Management.
  2. Select Global disconnection settings.
  3. Find Manage device connection using an external signal and select Edit.
  4. Configure the following fields:
    • Endpoint IP address and port: Enter the HTTPS URL from which to fetch the external disconnect signal (for example, https://192.0.2.1:3333/status/disconnect). The endpoint must use HTTPS and have an IPv4 or IPv6 address as the host.
    • Polling frequency: Choose how often WARP should fetch the external disconnect signal.
    • Certificate fingerprint: Enter the SHA-256 fingerprint of the HTTPS server certificate (for example, DD4F4806C57A5BBAF1AA5B080F0541DA75DB468D0A1FE731310149500CCD8662).
  5. Select Save.
  6. Turn on Manage device connection using an external signal.

All WARP clients in your organization will now start polling the external endpoint and connect or disconnect based on the response payload.

4. Test External Emergency Disconnect

  1. Ensure that WARP is connected.

  2. Ensure that the External Emergency Disconnect feature is turned on.

  3. In your external endpoint configuration, change emergency_disconnect to true:

    {"emergency_disconnect": true}

  4. You may need to reload the server to apply changes. To reload the example nginx server:

    Terminal window
    docker exec <container-name-or-id> nginx -s reload

WARP will automatically disconnect within the configured polling interval, and the WARP GUI will display Admin directed disconnect. To reconnect all devices, change emergency_disconnect back to false.

Logs

Since External Emergency Disconnect signals are independent from Cloudflare's infrastructure, externally-triggered disconnects are not logged by Cloudflare. Dashboard logs will only report changes to feature settings (such as turning on/off the feature or changing the endpoint URL), not disconnection events.

To get the current emergency disconnect status on a device, you can run the following command:

Terminal window
warp-cli settings
Merged configuration:
(override) Emergency disconnect: true (issued @ 2025-12-09T13:57:42.597864Z)

The current status is also available in WARP diagnostic logs in warp-settings.txt.

Clear External Emergency Disconnect state

If the external endpoint becomes unavailable or serves an invalid configuration, WARP clients can get stuck in the emergency disconnect state. You can recover clients by removing their External Emergency Disconnect configuration:

  1. In Cloudflare One, go to Team & Resources > Devices > Management.
  2. Select Global disconnection settings.
  3. Turn off Manage device connection using an external signal.

Cloudflare will propagate the new setting to clients, instructing them to stop polling and discard their cached emergency state.

Local client reset

As a last resort, you can use the CLI to reset External Emergency Disconnect on an individual device:

warp-cli registration delete

This command will clear the client registration, clear the local policy, and discard the cached emergency state. To reconnect, you will need to turn off External Emergency Disconnect and then re-enroll WARP with your Zero Trust organization.

WARP settings precedence

Learn how global disconnect settings interact and how they impact other WARP profile settings.

Global disconnection settings

The client will honor disconnect signals from both the Cloudflare dashboard (via Disconnect WARP on all devices) and the external endpoint. A global disconnect is enforced if either source triggers it.

| | Disconnect WARP on all devices is On | Disconnect WARP on all devices is Off |
| --- | --- | --- |
| External endpoint returns true | Force disconnected | Force disconnected |
| External endpoint returns false | Force disconnected | Normal operation |

Auto connect

Auto connect does not apply while a global disconnect is in effect.

Lock WARP switch

Lock WARP switch does not apply while a global disconnect is in effect. Users will be unable to turn on WARP unless they have an admin override code.

Admin override

A global disconnect will clear any existing admin override codes. The only way for users to reconnect during a global disconnect is by using a new admin override code. For example, you may want to provide IT staff with a code so that they can test resolution of the incident that led to the global disconnect. The override code will exempt a specific user and device from the global disconnect until the override timeout expires.