WARP modes
You can deploy the WARP client in different modes to control the types of traffic sent to Cloudflare Gateway. The WARP mode determines which Zero Trust features are available on the device.
The WARP client routes device traffic for all ports and protocols, and forwards DNS resolution to the client DNS resolver.
Use when you want to enforce advanced firewall/proxy functionalities and device posture rules.
| DNS filtering | Network filtering | HTTP filtering | Features enabled |
|---|---|---|---|
| Yes | Yes | Yes | DNS policies, network policies, HTTP policies, Browser Isolation, identity-based policies, device posture checks, AV scanning, and Data Loss Prevention |
The WARP client forwards DNS resolution to the Cloudflare account resolver, but does not route device traffic. Network and HTTP traffic is handled by the default mechanisms on your devices.
Use when you only want to apply DNS filtering to outbound traffic from your company devices.
| DNS filtering | Network filtering | HTTP filtering | Features enabled |
|---|---|---|---|
| Yes | No | No | DNS policies |
The WARP client routes device traffic for all ports and protocols. DNS resolution remains managed by the device operating system.
Use when you want to proxy network and HTTP traffic but keep your existing DNS filtering software.
| DNS filtering | Network filtering | HTTP filtering | Features enabled |
|---|---|---|---|
| No | Yes | Yes | Network policies, HTTP policies, Browser Isolation, identity-based policies, device posture checks, AV scanning, and Data Loss Prevention |
The WARP client only forwards explicitly-directed local HTTP traffic.
Use when you want to filter traffic directed to specific applications.
| DNS filtering | Network filtering | HTTP filtering | Features enabled |
|---|---|---|---|
| No | No | Yes | HTTP policies, Browser Isolation, identity-based policies, AV scanning, and Data Loss Prevention for traffic sent through localhost proxy |
When you create a Cloudflare One account, a default device profile is created in Traffic and DNS mode. To set up Local proxy mode, you will need to edit the default device profile or create a new device profile and set the WARP service mode to Local proxy mode.
The default profile is used for all devices that are not assigned to a specific profile. If you want to apply Local proxy mode to a specific group of devices, you will need to create a new device profile and assign it to those devices.
To set up Local proxy mode:
- In Cloudflare One ↗, go to Teams & Resources > Device profiles.
- Decide whether you would like to edit the default profile or create a new device profile.
- Select the device profile you want to configure > Edit (If you only see View, you lack the permissions required to modify profiles).
- Ensure the Device tunnel protocol is set to
MASQUE. - Under Service mode, select Local proxy mode.
- Select Save profile.
For devices using Local proxy mode, the WARP client listens on the configured port at the address 127.0.0.1 (localhost). Cloudflare uses 40000 as the default port for WARP in Local proxy mode, but you can modify this to any available port. You must explicitly configure individual applications or your system proxy settings to use this proxy.
Once configured, traffic to and from these applications will securely tunnel through WARP.
To make more complex routing decisions (such as, routing traffic directly to the Internet or other proxies), you can use a PAC file.
- Local proxy mode can only be used by applications/operating systems that support SOCKS5/HTTP proxy communication.
- Requires the MASQUE device tunnel protocol. Wireguard is not supported.
- Only available on Windows, Linux, and macOS.
- Local proxy mode has a timeout limit of 10 seconds for requests. If a request goes above the 10 second limit, Cloudflare will drop the connection.
The WARP client only provides asynchronous information to provide device health and posture data, which can be referenced in security policies. The client does not control device routing or forward DNS resolution.
Use when you only want to enforce WARP client device posture checks for zones in your account. To set up Posture only mode, refer to the dedicated page.
| DNS filtering | Network filtering | HTTP filtering | Features enabled |
|---|---|---|---|
| No | No | No | Device posture rules in Access policies |
Each WARP mode offers a different set of Zero Trust features.
| WARP Mode | Best for | DNS Filtering | Network Filtering | HTTP Filtering | Service mode (displayed in warp-cli settings) |
|---|---|---|---|---|---|
| Traffic and DNS mode (default) | Full security with all filtering capabilities | ✅ | ✅ | ✅ | WarpWithDnsOverHttps |
| DNS only mode | DNS filtering without routing device traffic | ✅ | ❌ | ❌ | DnsOverHttps |
| Traffic only mode | Traffic routing with existing DNS infrastructure | ❌ | ✅ | ✅ | TunnelOnly |
| Local proxy mode | Filtering traffic to specific applications | ❌ | ❌ | ✅ | WarpProxy on port 40000 |
| Posture only mode | Device posture checks without traffic routing | ❌ | ❌ | ❌ | PostureOnly |
- Connectivity status - Learn about the status messages displayed by the WARP client during its connection process, and understand each stage as WARP establishes a secure tunnel to Cloudflare.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2026 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
