Applications and app types
Gateway allows you to create DNS, Network, and HTTP policies based on applications and app types. You can select individual applications or groups of app types to filter specific traffic on your network.
When you choose the Application selector in a Gateway policy builder, the Value field will include all supported applications and their respective app types. Alternatively, you can use the Gateway API to fetch a list of applications, app types, and ID numbers.
To manage a consolidated list of applications across Zero Trust, you can use the Application Library.
Gateway sorts applications into the following app type groups:
| Value | Definition |
|---|---|
| Artificial Intelligence | AI assistance applications |
| Audio Streaming | Music streaming, podcasts, and other audio applications |
| Collaboration & Online Meetings | Business communication and collaboration applications |
| Dating | Online dating applications |
| Development | Software development and development operations applications |
| Email applications | |
| Encrypted DNS | DNS encryption applications |
| File Sharing | File sharing applications |
| Finance & Accounting | Financial and accounting applications |
| Gaming | Games and gaming applications |
| Human Resources | Employee management applications and workforce tools |
| Instant Messaging | Instant messaging applications |
| IT Management | IT deployment management applications |
| Legal | Legal tools and applications |
| News | News applications |
| Productivity | Business and productivity applications |
| Public Cloud | Public cloud infrastructure management applications |
| Sales & Marketing | Sales and marketing applications |
| Search Engines | Web search engines and applications |
| Security | Information security applications, including shadow IT |
| Shopping | Online shopping applications |
| Social Networking | Social networking applications |
| Sports | Sports streaming and news applications |
| Video Streaming | Video streaming applications |
| Do Not Inspect | Applications incompatible with the TLS certificate required by the Gateway proxy |
With Application Granular Controls, you can choose specific actions and operations to match application traffic. Supported applications and operations include:
ChatGPT (app ID 1199)
1199)| Operation name | Operation ID | Application Control name | Application Control ID | Contains payload | Operation Group | Operation Group ID |
|---|---|---|---|---|---|---|
| SendPrompt | 8004 | Prompt | 1652 | ✅ | Chat | 1650 |
| UploadFile | 8008 | Upload | 1653 | ❌ | Chat | 1650 |
| UploadFilePayload | 8013 | Upload | 1653 | ✅ | Chat | 1650 |
| ShareResponse | 8006 | Share | 1654 | ❌ | Chat | 1650 |
| ShareCanvas | 8007 | Share | 1654 | ❌ | Chat | 1650 |
| TranscribeVoice | 8011 | Voice | 1655 | ❌ | Chat | 1650 |
| EnableVoiceMode | 8003 | Voice | 1655 | ❌ | Chat | 1650 |
| AllowTraining | 8009 | ❌ | Settings | 1651 | ||
| AllowVoiceTraining | 8010 | ❌ | Settings | 1651 | ||
| AllowVideoTraining | 8016 | ❌ | Settings | 1651 | ||
| ExportData | 8020 | ❌ | Settings | 1651 |
Google Gemini (app ID 1340)
1340)| Operation name | Operation ID | Application Control name | Application Control ID | Contains payload | Operation Group | Operation Group ID |
|---|---|---|---|---|---|---|
| SendPrompt | 8021 | Prompt | 1657 | ✅ | Chat | 1656 |
| UploadFile | 8022 | Upload | 1658 | ❌ | Chat | 1656 |
| UploadFilePayload | 8023 | Upload | 1658 | ✅ | Chat | 1656 |
| TranscribeVoice | 8025 | Voice | 1659 | ❌ | Chat | 1656 |
Perplexity (app ID 1937)
1937)| Operation name | Operation ID | Application Control name | Application Control ID | Contains payload | Operation Group | Operation Group ID |
|---|---|---|---|---|---|---|
| SendPrompt | 11947 | Prompt | 2598 | ✅ | Chat | 2596 |
| ClarifyingPrompt | 11951 | Prompt | 2598 | ✅ | Chat | 2596 |
| CreateUploadUrl | 11948 | Upload | 2599 | ❌ | Chat | 2596 |
| UploadFile | 11955 | Upload | 2599 | ✅ | Chat | 2596 |
| UploadOrganizationFile | 11950 | Upload | 2599 | ❌ | Settings | 2597 |
| ShareChat | 11952 | Share | 2600 | ❌ | Chat | 2596 |
| VoiceTranscription | 11953 | Voice | 2601 | ❌ | Chat | 2596 |
| ExportChat | 11949 | ❌ | Chat | 2596 | ||
| DeleteThread | 11954 | ❌ | Chat | 2596 | ||
| DeleteOrganizationFile | 11956 | ❌ | Settings | 2597 |
Claude (app ID 2430)
2430)| Operation name | Operation ID | Application Control name | Application Control ID | Contains payload | Operation Group | Operation Group ID |
|---|---|---|---|---|---|---|
| SendPrompt | 10048 | Prompt | 2127 | ✅ | Chat | 2126 |
| PromptCompletion | 10050 | Prompt | 2127 | ✅ | Chat | 2126 |
| RetryPromptCompletion | 10040 | Prompt | 2127 | ✅ | Chat | 2126 |
| UploadFile | 10039 | Upload | 2128 | ✅ | Chat | 2126 |
| ConvertDocument | 10041 | Upload | 2128 | ✅ | Chat | 2126 |
| ShareConversation | 10043 | Share | 2129 | ❌ | Chat | 2126 |
| GetShares | 10052 | Share | 2129 | ❌ | Chat | 2126 |
| CreateConversation | 10038 | ❌ | Chat | 2126 | ||
| GetConversation | 10046 | ❌ | Chat | 2126 | ||
| UpdateConversation | 10047 | ❌ | Chat | 2126 | ||
| DeleteConversation | 10045 | ❌ | Chat | 2126 | ||
| UpdateAccount | 10036 | ❌ | Settings | 2125 | ||
| InitiateDataExport | 10037 | ❌ | Settings | 2125 | ||
| GiveFeedback | 10042 | ❌ | Chat | 2126 | ||
| SetConversationTitle | 10044 | ❌ | Chat | 2126 | ||
| GetOrganisation | 10049 | ❌ | Settings | 2125 | ||
| GetFilePreview | 10051 | ❌ | Chat | 2126 |
Overlapping hostnames are most common for vendors with many applications, such as Google or Meta. When you use the Application selector in Gateway policies, actions taken by Gateway will be limited to the specific application defined. Gateway will also log other applications that use the same hostnames, but it will not take action unless the application was matched by the policy. For example, both the Facebook and Facebook Messenger apps use the chat-e2ee.facebook.com hostname. When evaluating traffic to the Facebook Messenger app, Gateway will only take action on Facebook Messenger traffic but may log both the Facebook and Facebook Messenger apps.
To ensure Gateway evaluates traffic with your desired precedence, order your most specific policies with the highest priority according to order of precedence.
Gateway automatically groups applications incompatible with TLS decryption into the Do Not Inspect app type. As Cloudflare identifies incompatible applications, Gateway will periodically update this app type to add new applications. To ensure Gateway does not intercept any current or future incompatible traffic, you can create a Do Not Inspect HTTP policy with the entire Do Not Inspect app type selected.
When managing applications with the Application Library, Do Not Inspect applications will appear under the corresponding application. For example, the App Library will group Google Drive (Do Not Inspect) under Google Drive.
Applications can be incompatible with TLS decryption for various reasons:
-
Certificate pinning: Certificate pinning is a security mechanism used to prevent on-path attacks on the Internet by hardcoding information about the certificate that the application expects to receive. If the wrong certificate is received, even if it is trusted by the system, the application will refuse to connect.
-
Non-web traffic: Some applications send non-web traffic, such as Session Initiation Protocol (SIP) and Extensible Messaging and Presence Protocol (XMPP), over TLS. Gateway cannot inspect these protocols.
To optimize performance for Microsoft 365 applications and services, you can bypass TLS decryption by turning on the Microsoft 365 traffic integration. This will create a Do Not Inspect policy for all Microsoft 365 domains and IP addresses ↗ specified by Microsoft. This policy also uses Cloudflare intelligence to identify other Microsoft 365 traffic not explicitly defined.
To turn on the Microsoft 365 integration:
- In Zero Trust ↗, go to Settings > Network > Integrated experiences.
- In Bypass decryption of Microsoft 365 traffic, select Create policy.
- To verify the policy was created, select View policy. Alternatively, go to Gateway > Firewall policies > HTTP. A policy named Microsoft 365 Auto Generated will be enabled in your list.
All future Microsoft 365 traffic will bypass Gateway logging and filtering. To disable this behavior, turn off or delete the policy.
Terraform users can retrieve the app types list with the cloudflare_zero_trust_gateway_app_types_list data source. This allows you to create Gateway policies with the application's name rather than its numeric ID. For example:
data "cloudflare_zero_trust_gateway_app_types_list" "gateway_apptypes" { account_id = var.cloudflare_account_id}
locals { apptypes_map = merge([ for c in data.cloudflare_zero_trust_gateway_app_types_list.gateway_apptypes.result : { (c.name) = c.id } ]...)}
resource "cloudflare_zero_trust_gateway_policy" "zt_block_dns_apps" { account_id = var.cloudflare_account_id name = "DNS Blocked apps" action = "block" traffic = "any(app.ids[*] in {${join(" ", [ local.apptypes_map["Discord"], local.apptypes_map["GoToMeeting"], local.apptypes_map["Greenhouse"], local.apptypes_map["Zelle"], local.apptypes_map["Microsoft Visual Studio"] ])}})"}Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark