creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 21:54:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
757f1c8eae4e288d20f7dfde7f7a42a4d30cffc7
Anthropic-Cybersecurity-Skills/skills/deploying-cloudflare-access-for-zero-trust/references/workflows.md
T

2.7 KiB
Raw Blame History

Cloudflare Access Zero Trust Deployment Workflow

Phase 1: Account Setup (Day 1)

  1. Create Cloudflare account and navigate to Zero Trust dashboard
  2. Select team name (organization identifier for WARP enrollment)
  3. Choose subscription plan based on user count
  4. Configure authentication: add primary IdP (Okta, Entra ID, Google Workspace)
  5. Add secondary IdP for contractors or partners if needed
  6. Enable MFA requirements at the IdP level

Phase 2: Tunnel Deployment (Day 2-3)

2.1 Install cloudflared

  1. Install cloudflared on a server within the private network
  2. Authenticate with cloudflared tunnel login
  3. Create named tunnel: cloudflared tunnel create <name>
  4. Configure ingress rules in config.yml mapping hostnames to internal services
  5. Route DNS: cloudflared tunnel route dns <tunnel> <hostname>

2.2 High Availability

  1. Deploy multiple cloudflared instances for redundancy
  2. Use cloudflared tunnel run --protocol quic for better performance
  3. Configure systemd service for automatic restart
  4. Monitor tunnel health via Cloudflare dashboard

2.3 Private Network Routing

  1. Add private network routes: cloudflared tunnel route ip add 10.0.0.0/8 <tunnel-id>
  2. Configure split tunnel in WARP device settings
  3. Set up DNS fallback domains for private DNS resolution

Phase 3: Access Application Configuration (Day 4-5)

  1. Create Access applications for each internal service
  2. Define access policies per application:
    • Include rules: email domains, IdP groups, service tokens
    • Require rules: device posture, country restrictions
    • Exclude rules: specific users or IPs
  3. Configure session duration per application sensitivity
  4. Enable purpose justification for sensitive applications
  5. Test access with pilot users

Phase 4: WARP Client Deployment (Week 2)

  1. Create device enrollment policies with email domain restrictions
  2. Deploy WARP client via MDM (Intune, Jamf, SCCM)
  3. Install Cloudflare root certificate for TLS inspection
  4. Configure split tunnel settings for private network access
  5. Enable device posture checks: OS version, disk encryption, firewall

Phase 5: Gateway and DLP Configuration (Week 3)

  1. Enable DNS filtering with block categories (malware, phishing)
  2. Configure HTTP inspection policies
  3. Set up DLP profiles for sensitive data detection
  4. Enable browser isolation for high-risk web categories
  5. Configure CASB for SaaS application monitoring

Phase 6: Monitoring and Optimization (Ongoing)

  1. Enable Logpush to SIEM (S3, Splunk, Datadog)
  2. Monitor Access audit logs for denied requests
  3. Review tunnel health metrics
  4. Optimize split tunnel configuration
  5. Conduct quarterly access policy reviews
Reference in New Issue View Git Blame Copy Permalink