Glossary
Review definitions for Cloudflare Zero Trust terms.
Term | Definition
--- | ---
active zone | A DNS zone that is active on Cloudflare requires changing its nameservers to Cloudflare’s for management.
App Launcher | The App Launcher portal provides end users with a single dashboard to open applications secured by Cloudflare Zero Trust.
application | The resource protected by Cloudflare Zero Trust, which can be a subdomain, a path, or a SaaS application.
Authenticated Origin Pulls | Authenticated Origin Pulls allow origin web servers to validate that a web request came from Cloudflare using TLS client certificate authentication.
captive portal | A login screen shown to users when they connect to a public Wi-Fi. Captive portals typically occur in places such as airports, cafes, and hotels.
CGNAT IP | A unique, virtual IP address assigned to each WARP device from the 100.96.0.0/12 range. You can view the CGNAT IP for a device on its My Team > Devices page.
Cloudflare Access | Cloudflare Access replaces corporate VPNs with Cloudflare’s network. It allows customers to deploy internal tools in any environment, including hybrid or multi-cloud models, and secure them consistently with Cloudflare’s network.
Cloudflare Browser Isolation | Cloudflare Browser Isolation seamlessly executes active webpage content in a secure isolated browser to protect users from zero-day attacks, malware, and phishing.
Cloudflare CASB | Cloudflare CASB provides comprehensive visibility and control over SaaS apps to prevent data leaks and compliance violations. It helps detect insider threats, shadow IT, risky data sharing, and bad actors.
Cloudflare Data Loss Prevention (DLP) | Cloudflare Data Loss Prevention (DLP) allows you to scan your web traffic and SaaS applications for the presence of sensitive data such as social security numbers, financial information, secret keys, and source code.
Cloudflare Gateway | Cloudflare Gateway is a modern next-generation firewall between your user, device, or network and the public Internet. It includes DNS filtering to inspect and apply policies to all Internet-bound DNS queries.
Cloudflare Tunnel | Cloudflare Tunnel (formerly Argo Tunnel) establishes a secure outbound connection within your infrastructure to connect applications and machines to Cloudflare.
Cloudflare Zero Trust | Cloudflare Zero Trust provides the power of Cloudflare’s global network to your internal teams and infrastructure. It empowers users with secure, fast, and seamless access to any device on the Internet.
cloudflared | cloudflared is the software powering Cloudflare Tunnel. It runs on origin servers to connect to Cloudflare’s network and on client devices for non-HTTP traffic.
daemon | A program that performs tasks without active management or maintenance.
DNS filtering | DNS filtering uses the Domain Name System to block malicious websites and filter out harmful content, enhancing security and access control.
DNS location | DNS locations are a collection of DNS endpoints which can be mapped to physical entities such as offices, homes, or data centers.
DNS over HTTPS | DNS over HTTPS (DoH) is a standard for encrypting DNS traffic via the HTTPS protocol, preventing tracking and spoofing of DNS queries.
DNS over TLS | DNS over TLS (DoT) is a standard for encrypting DNS traffic using its own port (853) and TLS encryption.
DNS server | DNS servers translate human-readable domain names into IP addresses, eliminating the need to remember complex IP addresses.
DoH subdomain | A unique DoH subdomain for each DNS location in Cloudflare Zero Trust used in WARP client settings.
EDNS Client Subnet (ECS) | ECS is a DNS extension that enables recursive DNS resolvers to include client IP address information in their DNS queries. Not all resolvers use ECS but, if they do, usually a part of the IP address is omitted. Sending ECS headers is generally intended to reduce latency and speed up content delivery in connection to CDNs and load balancers. The ECS mechanism is specified in RFC 7871.
hostname | The name given to a server or node on a network, often the public DNS name of a server.
identity provider | An identity provider (IdP) stores and manages users’ digital identities, enabling single sign-on and authentication for multiple applications.
JSON web token | A compact way to securely transmit information between parties as a JSON object, often used for authentication.
Next-generation firewall | A more powerful firewall with advanced features for modern security needs.
OAuth | A protocol for authorizing users, allowing them to perform actions and view data on different platforms without sharing credentials.
OpenID Connect | A simple identity layer on top of OAuth 2.0 for verifying user identity and obtaining basic profile information.
origin certificate | A Cloudflare Origin Certificate is a free SSL/TLS certificate issued by Cloudflare that can be installed on your origin server to facilitate making sure your data is encrypted in transit from Cloudflare to your origin server using HTTPS.
PAC file | A file containing a JavaScript function which can instruct a browser to forward traffic to a proxy server instead of directly to the destination server.
policy | A set of rules that regulate network activity, such as login access and website reachability.
RDP | Remote Desktop Protocol (RDP) allows remote desktop connections to a computer, often used on Windows and Mac operating systems.
SafeSearch | SafeSearch is a feature of search engines that filters explicit or offensive content from search results.
SAML | Security Assertion Markup Language (SAML) enables single sign-on and authentication for multiple applications.
SASE | Secure Access Service Edge (SASE) is a cloud-based security model bundling networking and security functions.
seat | A unique user authenticating to access applications protected by Cloudflare Access or to use Gateway services.
service provider (SP) | A service provider (SP) provides federated access to an application for a user from an identity provider (IdP).
service token | Service tokens are generated by Cloudflare Access and enable automated systems or applications to access protected applications.
shadow IT | Shadow IT is the unsanctioned use of software, hardware, or other systems and services within an organization, often without the knowledge of that organization’s information technology (IT) department. For more information, refer to the Cloudflare Learning Center.
SIEM | A Security Information and Event Management (SIEM) solution collects, analyzes, and correlates data to help manage security incidents, detect anomalies, and meet compliance requirements.
SMB | Secure Messaging Block (SMB) is a network file sharing protocol used for accessing files and services on a network.
SSH | Secure Shell (SSH) protocol allows users to connect to infrastructure remotely and execute commands.
SSO | Single Sign-On (SSO) is a technology that combines multiple application logins into one, requiring users to enter credentials only once.
team domain | A unique subdomain assigned to your Cloudflare account, where secured applications are accessed by users; for example, Setting up a team domain is an essential step in your Cloudflare Zero Trust configuration. This is where your users will find the apps you have secured behind Cloudflare Zero Trust — displayed in the App Launcher — and will be able to make login requests to them.
team name | The customizable portion of your team domain, allowing you to personalize your Cloudflare Zero Trust configuration. You can view your team name in Zero Trust under Settings > Custom Pages. To learn about the consequences of changing your team name, refer to the FAQ.
Terraform | Terraform is a tool for building, changing, and versioning infrastructure, providing components and documentation for Cloudflare resources.
Tunnel certificate | The Cloudflare Tunnel software, cloudflared, generates a certificate for secure connections using a service token and an origin certificate.
User risk score | Cloudflare Zero Trust user risk score ranks the likelihood of a user to introduce risk to your organization’s systems and data based on the detection of security risk behaviors. Risk scores add user and entity behavior analytics (UEBA) to the Zero Trust platform.
User risk score level | Cloudflare Zero Trust assigns a risk score of Low, Medium or High based on detections of users’ activities, posture, and settings. A user’s risk score is equal to the highest-level risk behavior they trigger.
Virtual Private Network (VPN) | A VPN extends a private network across a public network, enabling users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.
WARP client | Cloudflare Zero Trust customers can use the Cloudflare WARP application to connect corporate desktops to Cloudflare Gateway for advanced web filtering. It utilizes the security benefits of WARP technology.
Zero Trust Security | Zero Trust Security is an IT security model that requires strict identity verification for every person and device accessing resources on a network.