Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ekrishnan
Staff
Staff

Created on ‎05-27-2022 12:30 AM Edited on ‎06-12-2025 11:00 PM By Moderator

Article Id 213214

Technical Tip: How to Block Cloudflare WARP

Description This article explains how to block (Cloudflare.1.1.1.1.VPN) even when configuring Application Control signature available in FortiGate to block WARP does not block it if the application is already downloaded and registered with Device ID.
Scope FortiGate.
Solution

It is found that when setting up the application control signature (Cloudflare.1.1.1.1.VPN) on the application profile and applying this in the firewall policy will only block the use of this application when the PC/Device is not yet registered and it has not got a Device ID yet. Additionally, a deep inspection is needed to effectively block this.

 

When installing this application for the first time, it tries to register the device to the WARP Cloudflare site and provides the device (PC) a Device ID.

 

WARP Cloudflare uses the below.

 

  • IPv4 API Endpoint:  162.159.137.105  and 162.159.138.105.
  • DNS: 162.159.36.1.
  • Traffic from the device to the Cloudflare edge will go through. these IP addresses IPv4 Range: 162.159.193.0/24 .
  • WARP utilizes UDP for all of its communications. By default, the UDP Port required for WARP is: UDP 2408. WARP can fallback to: UDP 500, UDP 1701, or UDP 4500.

 

In order to block the Application even after the application registers itself, for example, the PC/Device has already got its Device ID and the app is already existing in the user environment, then follow the steps below.

 

  1. Create a firewall address group with range: 162.159.0.0/16.

  2. Create 'Custom service' with UDP ports: 2408, 500, 1701, 4500.

  3. Configure a firewall policy and set the address group created above to be the 'Destination' and Custom Service ports created on the 'Service' fields, respectively.

  4. Set the firewall policy Action to 'Deny'.

 

This configuration will block the Application (Cloudflare.1.1.1.1.VPN) from connecting.


If, despite performing above, Cloudflare Warp is still able to connect, consider adding the following address services to the deny policy.


TCP: 443

TCP: 80

UDP: 443
UDP: 4443
UDP: 8443
UDP: 8095
UDP: 500
UDP: 4500
UDP: 1701
UDP: 2408
12491
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.