FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Description This article explains how to block (Cloudflare. even when configuring Application control signature available in FortiGate to block WARP does not block it if the application is already downloaded and registered with Device ID.
Scope FortiGate.

It is found that when setting up the application control signature (Cloudflare. on the application profile and applying this in the firewall policy will only block the use of this application when the PC/Device is not yet registered and it has not got a Device ID yet.


When installing this application for the first time it tries to register the device to the WARP Cloudflare site and provides the device (PC) a Device ID.


WARP Cloudflare uses the below.


- IPv4 API Endpoint:  and 

- DNS:

- Traffic from the device to the Cloudflare edge will go through. these IP addresses IPv4 Range: .

- WARP utilizes UDP for all of its communications. By default, the UDP Port required for WARP is: UDP 2408. WARP can fallback to: UDP 500, UDP 1701, or UDP 4500.


In order to block the Application even after the application registers itself, for example, the PC/Device has already got its Device ID and the app is already existing in the user environment then follow the steps below.


1) Create a firewall address group with range:


2) Create 'Custom service' with UDP ports: 2408, 500, 1701, 4500.


3) Configure a firewall policy and set the address group created above to be the 'Destination' and Custom Service ports created on the 'Service' fields respectively.


4) Set the firewall policy Action to 'Deny'.


This configuration will block the Application (Cloudflare. to connect.