Isolate Access applications

3 min read

Cloudflare Browser Isolation integrates with your web-delivered Access applications to protect sensitive applications from data loss. You can build Access policies that require certain users to access your application exclusively through Browser Isolation, while other users matching different policies continue to access the application directly. For example, you may wish to layer on additional security measures for third-party contractors or other users without a corporate device.

Cloudflare sends all isolated traffic through our Secure Web Gateway inspection engine, which allows you to apply Gateway HTTP policies such as:

Restrict specific actions and HTTP request methods.
Inspect the request body to match against Data Loss Prevention (DLP) profiles with as much specificity and control as if the user had deployed an endpoint agent.
Control users ability to cut and paste, upload and download files, or print while in an isolated session.

Prerequisites

Your browser must allow third-party cookies on the application domain.

Enable Browser Isolation

In Zero Trust, go to Settings > Browser Isolation.
Enable Clientless Web Isolation.

Next, go to Access > Applications.
Choose a self-hosted application and select Configure.
Choose an Allow policy and select Configure.
Under Additional settings, turn on Isolate application.
Save the policy.

Browser Isolation is now enabled for users who match this policy. After the user logs into Access, the application will launch in a remote browser. To confirm that the application is isolated, refer to Check if a web page is isolated.

You can optionally add another Allow policy for users on managed devices who do not require isolation.

Example Access policies

In the following example, Policy 1 allows employees on corporate devices to access the application directly. Users who do not match Policy 1, such as employees and contractors on unmanaged devices, will load the application in an isolated browser.

Policy 1: Allow employees who pass device posture checks

Action	Rule type	Selector	Value
Allow	Include	Emails ending in	`@team.com`
	Require	Device Posture - Serial Number List	`Corporate serial numbers`

Additional settings	Status
Isolate application	Disabled

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps/{app_uuid}/policies \
--header 'Content-Type: application/json' \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <API_KEY>' \
--data '{  "decision": "allow",  "name": "Allow employees who pass device posture checks",  "include": [    {      "email_domain": {        "domain": "team.com"      }    }  ],  "exclude": [],  "require": [    {      "device_posture": {        "integration_uid": "<SERIAL_NUMBER_LIST_UUID>"      }    }  ],  "precedence": 1}'

To create a list of serial numbers, refer to Create Zero Trust list.

Policy 2: Allow and isolate contractors

Action	Rule type	Selector	Value
Allow	Include	Emails ending in	`@team.com`, `@contractors.com`

Additional settings	Status
Isolate application	Enabled

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps/{app_uuid}/policies \
--header 'Content-Type: application/json' \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <API_KEY>' \
--data '{  "decision": "allow",  "name": "Allow and isolate contractors",  "include": [    {      "email_domain": {        "domain": "team.com"      }    },    {      "email_domain": {        "domain": "contractors.com"      }    }  ],  "exclude": [],  "require": [],  "precedence": 2,  "isolation_required": true}'

Example HTTP policies

Disable file downloads in isolated browser

Prevents users on unmanaged devices from downloading any files from your private application.

Selector	Operator	Value	Logic	Action
Host	in	`internal.site.com`	And	Isolate
Passed Device Posture Checks	not in	`Corporate serial numbers`

Policy settings	Status
Disable file downloads	Enabled

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
--header 'Content-Type: application/json' \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <API_KEY>' \
--data '{--data '{  "name": "Disable file downloads in isolated browser",  "conditions": [    {      "type": "traffic",      "expression": {        "in": {          "lhs": "http.request.host",          "rhs": [            "internal.site.com"          ]        }      }    },    {      "type": "device_posture",      "expression": {        "any": {          "in": {            "lhs": {              "splat": "device_posture.checks.passed"            },            "rhs": [              "<SERIAL_NUMBER_LIST_UUID>"            ]          }        }      }    }  ],  "action": "isolate",  "precedence": 14002,  "enabled": true,  "description": "",  "rule_settings": {    "block_page_enabled": false,    "block_reason": "",    "biso_admin_controls": {      "dcp": false,      "dcr": false,      "dd": true,      "dk": false,      "dp": false,      "du": false    }  },  "filters": [    "http"  ]
}'

To create a list of serial numbers, refer to Create Zero Trust list.

Block file downloads of sensitive data

Block users on unmanaged devices from downloading files that contain credit card numbers. This logic requires two policies:

Policy 1: Disable file downloads in isolated browser
Policy 2: Block credit card numbers

Selector	Operator	Value	Logic	Action
Host	in	`internal.site.com`	And	Block
DLP Profile	in	Financial Information	And
Passed Device Posture Checks	not in	Corporate serial numbers

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
--header 'Content-Type: application/json' \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <API_KEY>' \
--data '{  "name": "Block credit card numbers",  "conditions": [    {      "type": "traffic",      "expression": {        "and": [          {            "in": {              "lhs": "http.request.host",              "rhs": [                "internal.site.com"              ]            }          },          {            "any": {              "in": {                "lhs": {                  "splat": "dlp.profiles"                },                "rhs": [                  "<DLP_PROFILE_UUID>"                ]              }            }          }        ]      }    },    {      "type": "device_posture",      "expression": {        "any": {          "in": {            "lhs": {              "splat": "device_posture.checks.passed"            },            "rhs": [              "<SERIAL_NUMBER_LIST_UUID>"            ]          }        }      }    }  ],  "action": "block",  "precedence": 14003,  "enabled": true,  "description": "",  "rule_settings": {    "block_page_enabled": false,    "block_reason": "",    "biso_admin_controls": null  },  "filters": [    "http"  ]}'

To configure a DLP profile, refer to Update predefined profile or Create custom profile.

Previous Next module

Isolate Access applications

​​ Prerequisites

​​ Enable Browser Isolation

​​ Example Access policies

​​ Example HTTP policies

​​ Disable file downloads in isolated browser

​​ Block file downloads of sensitive data