[Gateway] Include and enablement for egress policy selectors (#22186)

maxvp · web-flow · commit 5e302d092a59 · 2025-05-02T21:23:44.000Z
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels.mdx
@@ -13,7 +13,7 @@ Split Tunnels can be configured to exclude or include IP addresses or domains fr
 Split Tunnels only impacts the flow of IP traffic. DNS requests are still resolved by Gateway and subject to DNS policies unless you add the domains to your [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) configuration.
 :::
 
-Because Split Tunnels controls what Gateway has visibility on at the network level, we recommend testing all changes before rolling out updates to end users. It may take up to 24 hours for changes to propagate to clients, depending on how many devices are connected to your organization.
+Because Split Tunnels controls what Gateway has visibility on at the network level, we recommend testing all changes before rolling out updates to end users. It may take up to 10 minutes for changes to propagate to clients, depending on how many devices are connected to your organization.
 
 ## Change Split Tunnels mode
 
@@ -94,7 +94,7 @@ Removing default Split Tunnel entries may cause users to lose Internet connectiv
 
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**.
 2. Under **Device settings**, locate the [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) you would like to modify and select **Configure**.
-3. Under **Split Tunnels**. select **Manage**.
+3. Under **Split Tunnels**, select **Manage**.
 4. Find the IP address or hostname in the list and select **Delete**.
 
 If you need to revert to the default Split Tunnel entries recommended by Cloudflare, select **Restore default entries**.
diff --git a/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx
@@ -5,7 +5,7 @@ sidebar:
   order: 5
 ---
 
-import { Render, Badge } from "~/components";
+import { Render, Badge, Tabs, TabItem } from "~/components";
 
 :::note
 Only available on Enterprise plans.
@@ -178,15 +178,43 @@ Gateway uses Rust to evaluate regular expressions. The Rust implementation is sl
 
 ## Limitations
 
-The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors are only available for traffic onboarded to Gateway with [WARP](/cloudflare-one/connections/connect-devices/warp/), [PAC files](/cloudflare-one/connections/connect-devices/agentless/pac-files/), or [Browser Isolation](/cloudflare-one/policies/browser-isolation/). To use these selectors to filter traffic onboarded with WARP, you need to:
+### Selector prerequisites
+
+The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors are only available for traffic onboarded to Gateway with [WARP](/cloudflare-one/connections/connect-devices/warp/), [PAC files](/cloudflare-one/connections/connect-devices/agentless/pac-files/), or [Browser Isolation](/cloudflare-one/policies/browser-isolation/). To turn on the selectors for your account, use the [Patch Zero Trust account configuration endpoint](/api/resources/zero_trust/subresources/gateway/subresources/configurations/methods/edit/). For example:
+
+```sh title="Turn on selectors for egress policies"
+curl --request PATCH \
+"https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+--header "Content-Type: application/json" \
+--data '{
+  "settings": {
+    "host_selector": {
+      "enabled": true
+		}
+	}
+}'
+```
+
+Additionally, to use these selectors to filter traffic onboarded with WARP, you need to:
 
 1. Ensure you have deployed [WARP beta version 2025.4.589.1](/cloudflare-one/connections/connect-devices/warp/download-warp/beta-releases/) or later on your users' devices.
-2. In your WARP [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/), ensure Split Tunnel is set to [**Exclude IPs and domains**](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode).
-3. [Remove the route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) to the IP address `100.64.0.0/10` from your Split Tunnel list.
-4. [Add routes](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to exclude the following IP addresses:
-   - `100.64.0.0/12`
-   - `100.81.0.0/16`
-   - `100.82.0.0/15`
-   - `100.84.0.0/14`
-   - `100.88.0.0/13`
-   - `100.96.0.0/11`
+2. In your WARP [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/), configure your [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) depending on the mode:
+
+   <Tabs> <TabItem label="Exclude IPs and domains">
+
+   1. [Remove the route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) to the IP address `100.64.0.0/10` from your Split Tunnel exclude list.
+   2. [Add routes](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to exclude the following IP addresses:
+      - `100.64.0.0/12`
+      - `100.81.0.0/16`
+      - `100.82.0.0/15`
+      - `100.84.0.0/14`
+      - `100.88.0.0/13`
+      - `100.96.0.0/11`
+
+   </TabItem> <TabItem label="Include IPs and domains">
+
+   1. Add the required [Zero Trust domains](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list.
+   2. [Add a route](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to include the IP address `100.80.0.0/16`.
+
+   </TabItem> </Tabs>
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/egress-selector-limitation.mdx b/src/content/partials/cloudflare-one/gateway/selectors/egress-selector-limitation.mdx
@@ -2,4 +2,4 @@
 {}
 ---
 
-This selector is only available for traffic onboarded to Gateway with WARP, PAC files, or Browser Isolation. For more information, refer to [Limitations](#limitations).
+This selector is only available for traffic onboarded to Gateway with WARP, PAC files, or Browser Isolation. For more information, refer to [Selector prerequisites](/cloudflare-one/policies/gateway/egress-policies/#selector-prerequisites).
