95%
of enterprise web traffic is HTTPS, making TLS inspection a prerequisite for visibility
40+
application categories available in Cloudflare Gateway for granular bypass targeting
3-5%
typical latency overhead added by active TLS decryption on inspected sessions
1st
position of Do Not Inspect rules in Gateway evaluation order, bypassing all downstream policies

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Cloudflare Gateway SSL inspection works by positioning Gateway as a forward proxy between your users and the internet. When a user opens an HTTPS connection, Gateway decrypts the session using the root CA certificate your organization has deployed to managed endpoints, inspects the content against your HTTP policies, then re-encrypts and forwards the traffic to the destination. The user's browser sees a valid certificate signed by your trusted root, so the connection appears normal unless the destination application is performing its own certificate validation against a hardcoded or pinned cert. This is where selective decryption becomes not just a convenience feature but an operational necessity. Full inspection without bypass rules will break applications that pin certificates, create compliance exposure for regulated traffic categories, and add unnecessary latency to high-throughput services that carry no real threat risk. The goal of a mature SSL inspection policy is maximum visibility over the traffic that matters, with precise exclusions for the traffic that does not.

How Cloudflare Gateway SSL Inspection Works

When TLS decryption is enabled in Cloudflare Gateway, every HTTPS request from a WARP-enrolled endpoint routes through Cloudflare's network before reaching the destination server. Gateway terminates the TLS session on the Cloudflare side, applies your HTTP filtering policies to the decrypted request and response, then establishes a new TLS session to the origin. The certificate presented to the user's browser is signed by the Cloudflare root CA your organization has installed on managed endpoints. This forward proxy architecture is the same model used by enterprise SSL inspection appliances, but running at Cloudflare's global network scale rather than on-premises hardware. The critical dependency is the root CA certificate. Without it installed in the operating system and browser trust stores on every endpoint, users will see certificate errors on every inspected HTTPS site. WARP client handles this automatically on enrolled devices by installing the Cloudflare certificate during onboarding. For non-WARP managed endpoints, the certificate must be deployed via MDM tools like Microsoft Intune or Jamf before SSL inspection is enabled. This is a common deployment oversight that causes widespread browser errors when teams enable inspection before confirming certificate deployment coverage. As part of your zero trust architecture, Gateway SSL inspection enforces the principle that no traffic should be implicitly trusted simply because it is encrypted.

Filtering Dimensions for Selective Bypass

Cloudflare Gateway Do Not Inspect rules support multiple filtering dimensions that can be combined to build precise bypass policies. Each dimension targets a different aspect of the HTTP request, giving teams the flexibility to exclude exactly the traffic that should remain private without opening broad gaps in inspection coverage. The available dimensions are: destination domain or URL, where wildcard rules such as *.bankofamerica.com or .epic.com match all subdomains of a target; HTTP method, where you can bypass inspection specifically for POST requests to certain endpoints to avoid intercepting form submissions or API payloads that contain credential or payment data; URI path, where rules like /api/payments/ or /oauth/token exclude specific paths on otherwise-inspectable domains; Cloudflare application category, where the built-in app catalog includes categories such as Financial and Banking, Healthcare, and Legal that allow you to bypass entire market verticals without listing individual domains; and user identity or group, where rules scoped to Azure AD or Okta groups allow you to exclude sensitive roles such as executives, legal teams, or HR from decryption entirely based on their IdP group membership. Combining these dimensions produces bypass policies that are specific enough to close unintended gaps while remaining maintainable as your application portfolio grows. The ZTNA control model applies here too: bypass rules should follow least-privilege logic, granting inspection exceptions only where there is a documented reason.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Configuring Do Not Inspect Rules in the Gateway UI

Do Not Inspect rules live under Settings > Gateway > SSL/TLS in the Cloudflare Zero Trust dashboard. Each rule is an HTTP policy with the action set to Do Not Inspect. Rule evaluation in Gateway follows a top-down precedence model where the first matching rule wins. Because Do Not Inspect is evaluated before all other HTTP filtering actions, any traffic that matches a bypass rule exits the inspection pipeline entirely and is passed through without content analysis. This means that bypass rules should be written with the same care as allow rules in a firewall: overly broad bypass patterns create visibility blind spots that attackers can exploit by routing exfiltration or command-and-control traffic through bypassed destinations. The recommended configuration approach is to start with Cloudflare's built-in Financial and Banking and Healthcare application categories as the first two Do Not Inspect rules, then add domain-specific wildcard rules for any internal applications or SaaS tools that fail under inspection. After those foundational rules are in place, layer in method-specific or path-specific rules for domains where only certain request types need to be excluded. For example, a rule matching POST requests to .salesforce.com/services/apexrest/ can exclude API write operations from inspection while still allowing GET requests to be inspected for policy compliance. Document every bypass rule with a justification comment in the rule name field so that future administrators can audit the policy without having to reconstruct the original reasoning.

Certificate Pinning and Common Failure Modes

Certificate pinning is the leading cause of application breakage when SSL inspection is first enabled. Applications that pin certificates validate the server certificate against a hardcoded fingerprint or public key embedded in the application binary. When Gateway's root CA issues a replacement certificate for an inspected session, the pinned application rejects it as untrusted and the connection fails. The most commonly affected enterprise applications are Microsoft Teams, Slack, Zoom, and many mobile applications. Cloudflare maintains an internal list of known pinning applications and applies automatic bypass for many of them, but this list is not exhaustive and may lag behind application updates. The safest approach is to add explicit Do Not Inspect rules for any application your users rely on that exhibits connection failures after inspection is enabled. Symptoms of a pinning failure include the application showing a generic connectivity error, login loops, or silent feature degradation where some functions work but others do not. Beyond pinning, other common failure modes include expired intermediate certificates in the Gateway trust chain after a certificate rotation that was not propagated to all endpoints, split-tunnel configurations that route some traffic outside the WARP tunnel and therefore outside inspection, and browser extensions or local proxy software that intercepts connections before they reach the WARP client. The WAF layer operates on inbound traffic to your applications, but Gateway SSL inspection operates on outbound user traffic, so the two policies do not directly conflict. However, teams managing both should verify that WAF rules on internal applications do not block the source IP ranges used by Cloudflare Gateway when traffic is routed through the proxy.

Performance Considerations and Traffic Categories to Always Exclude

TLS decryption adds measurable latency because Gateway must perform two TLS handshakes per connection instead of one, plus the overhead of inspecting the decrypted payload against your HTTP policies. In practice, this overhead averages 3 to 5 percent on most enterprise networks, but can be higher for latency-sensitive applications or connections to distant origin servers. The traffic categories where decryption overhead is least justified and most disruptive are high-volume streaming media such as video conferencing and content delivery networks, operating system and software update services where the download integrity is already verified by application-layer signatures, and backup or cloud sync services where large file transfers are encrypted by the application before they even reach the TLS layer. Excluding these categories from inspection reduces total inspection volume without reducing the security value of the program, because the threat risk in these traffic categories is low compared to browser-based web traffic and SaaS application traffic where social engineering, credential harvesting, and data exfiltration are most commonly observed. The Cloudflare application catalog includes categories for Streaming Media, Software Updates, and File Sharing that can be used as Do Not Inspect targets for each of these use cases. Measuring the impact of your bypass rules on total inspection volume is possible through the Gateway Analytics dashboard, which shows the breakdown of inspected versus bypassed sessions by category over time.

Root CA Deployment via WARP, Intune, and Jamf

The Cloudflare root CA certificate is the foundation of the entire SSL inspection program. Without it, every inspected HTTPS connection generates a certificate error in the user's browser and in any application that validates server certificates. WARP client handles certificate installation automatically when a device is enrolled via the Cloudflare Zero Trust dashboard: the certificate is added to the operating system trust store during the WARP onboarding flow, covering most browsers that inherit from the OS trust store. The exception is Firefox, which maintains its own certificate trust store and requires a separate policy to trust third-party root CAs. On managed Windows endpoints using Intune, the Cloudflare certificate can be distributed as a Trusted Certificate device configuration profile, targeting all users or specific device groups. On macOS endpoints managed by Jamf, the certificate is distributed as a Configuration Profile payload of type Certificate. For both MDM platforms, the certificate should be scoped to the same device groups that have WARP profiles deployed, so that inspection is enabled and the certificate is trusted simultaneously on the same set of devices. Deploying the certificate to endpoints before enabling inspection in Gateway is the safest sequencing: it prevents a window where inspection is active but the certificate is not yet trusted. After deployment, verify coverage by querying your MDM platform for compliance status on the certificate configuration profile before toggling inspection on in the Gateway dashboard.

The bottom line

Cloudflare Gateway SSL inspection is most effective when it is scoped precisely rather than applied universally. Start by deploying the root CA certificate to all managed endpoints before enabling inspection. Build your Do Not Inspect policy with Cloudflare's built-in application categories for banking, healthcare, and streaming media as the baseline, then add domain-specific and method-specific rules for applications that require more targeted handling. Test for certificate pinning failures in your critical application portfolio before full rollout and add bypass rules for any affected tools. Treat every bypass rule as a documented policy decision with a named owner and a justification, not a permanent workaround. The teams that get the most value from Gateway SSL inspection are the ones that review their bypass list quarterly and narrow it over time as they validate that excluded traffic categories are genuinely low-risk.

Frequently asked questions

Can Cloudflare Gateway decrypt HTTPS?

Yes. Cloudflare Gateway can decrypt HTTPS traffic by acting as a forward proxy and using a root CA certificate installed on managed endpoints. When decryption is enabled, Gateway terminates the TLS session, inspects the plaintext request and response against your HTTP filtering policies, then re-encrypts and forwards the traffic. The user's browser sees a certificate signed by the Cloudflare root CA rather than the origin server's certificate. Decryption requires the root CA to be installed in the endpoint trust store, which WARP client handles automatically for enrolled devices.

What is selective SSL inspection?

Selective SSL inspection is the practice of decrypting and inspecting only the HTTPS traffic that security policy requires to be analyzed, while bypassing decryption for traffic categories that should remain private or that would break under inspection. In Cloudflare Gateway, selective inspection is implemented through Do Not Inspect rules that match traffic by destination domain, HTTP method, URI path, application category, or user group. Traffic matching a Do Not Inspect rule passes through Gateway without being decrypted, while all other HTTPS traffic is subject to the full inspection pipeline.

How do I bypass SSL inspection for specific sites in Cloudflare Gateway?

To bypass SSL inspection for specific sites, go to Settings > Gateway > SSL/TLS in the Cloudflare Zero Trust dashboard and create a new HTTP policy with the action set to Do Not Inspect. In the policy conditions, set the destination host or URL selector to match the sites you want to exclude. For wildcard domain matching, use the Host field with a value like *.bankofamerica.com. For path-specific bypasses, combine a Host condition with a URL Path condition. Gateway evaluates Do Not Inspect rules before all other HTTP policies, so matching traffic exits the inspection pipeline immediately.

Which applications should always be excluded from Cloudflare Gateway SSL inspection?

Applications that should always be excluded include those with certificate pinning such as Microsoft Teams, Slack, and Zoom when their automatic bypass is not already handled by Cloudflare; banking and financial services portals where decryption may violate terms of service or regulatory requirements; healthcare applications that handle protected health information; operating system update services where payload integrity is verified at the application layer; and applications used by user groups with legal privilege such as in-house counsel. Cloudflare's built-in application categories for Financial and Banking, Healthcare, and Software Updates provide a convenient way to exclude these groups without listing individual domains.

Does Cloudflare Gateway SSL inspection work without the WARP client?

Gateway SSL inspection requires the Cloudflare root CA certificate to be installed on the endpoint trust store, but it does not strictly require the WARP client for all deployment models. WARP client is the recommended method because it installs the certificate automatically and routes traffic through the Gateway proxy without additional configuration. For endpoints that cannot run WARP, the certificate can be deployed via MDM platforms like Intune or Jamf, and traffic can be proxied through Gateway using explicit proxy or PAC file configurations. However, non-WARP deployments require more manual configuration and may not support all Gateway features such as device posture checks.

How do you audit and maintain Cloudflare Gateway Do Not Inspect rules over time to prevent bypass policy drift?

Bypass policy drift is a real operational risk: rules added to fix a specific breakage often remain in place long after the underlying condition changes, accumulating into a bypass list that creates inspection blind spots with no documented owner. Establish a quarterly review cadence in which each Do Not Inspect rule is evaluated against three criteria: whether the original justification still applies, whether the destination domain or category is still used by the organization, and whether any security incidents or threat intelligence suggest that bypassed destinations are being abused for exfiltration or C2. Use Cloudflare Gateway Analytics to identify which bypassed destinations are generating the highest traffic volumes, since high-volume bypass destinations represent the largest uninspected attack surface. When adding a new bypass rule, include the ticket number or change request ID in the rule name field so the audit trail connects the policy to the decision. For privileged user group bypass rules -- such as exemptions for legal or executive users -- require re-approval from a data owner on an annual basis, since personnel and role definitions change. Cloudflare's Logpush integration can forward Gateway HTTP logs to your SIEM, where you can build dashboards tracking the ratio of inspected to bypassed sessions over time and alert if bypassed volume grows faster than inspected volume.

Sources & references

  1. Cloudflare Gateway SSL/TLS Inspection Documentation
  2. Cloudflare Do Not Inspect Policy Reference
  3. Cloudflare Gateway Application Categories
  4. Cloudflare WARP Client Root CA Deployment
  5. Cloudflare Gateway HTTP Policy Fields
  6. NIST SP 800-207 Zero Trust Architecture

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.