Series

Cloudflare One Handbook

A Cloudflare One handbook — foundations through advanced, with real-world deployment context.

20 posts · ~1 post/week · RSS

  1. What is Cloudflare One, and why SASE matters

     A practical overview of Cloudflare One: SASE, SSE, Zero Trust, the six main product groups, how it compares to Zscaler and Netskope, and the mental model to have before deployment.

     KhaVan · 22 min read
  2. SASE, SSE, Zero Trust, ZTNA: getting the terminology right

     Four terms routinely conflated in RFPs, design docs, and vendor marketing. Their scope, when Gartner/Forrester defined them, how to use each correctly, and a decision tree.

     KhaVan · 13 min read
  3. The four-layer mental model — Client, Identity, Policy, Resource

     A framework for reasoning about every Cloudflare One feature: every request traverses four layers producing signals, and policy yields one of five outcomes. Rollout and debugging.

     KhaVan · 14 min read
  4. Cloudflare Access — ZTNA fundamentals in 30 minutes

     Replacing VPN for internal apps with Cloudflare Access: anatomy, login flow, 5-step setup (application, IdP, policy, Tunnel, test), policy evaluation order, and troubleshooting.

     KhaVan · 14 min read
  5. IdP integration — Okta, Entra ID, Google Workspace, generic SAML

     A matrix of the four most common IdPs with Cloudflare Access: OIDC vs SAML, per-IdP group claim pitfalls, claim mapping, group sync timing, multi-IdP patterns, prod checklist.

     KhaVan · 15 min read
  6. Service tokens and mTLS: auth for CI/CD, bots, devices

     When the client is not a user. Service tokens vs mTLS, setup for both, a zero-downtime rotation strategy, audit logs, and common anti-patterns.

     KhaVan · 12 min read
  7. SCIM and group sync: automated off-boarding for leavers

     SCIM closes the stale window: the IdP pushes updates in near-real time instead of Cloudflare pulling claims at login. Okta/Entra/Google setup, lifecycle phases, conflicts.

     KhaVan · 15 min read
  8. Cloudflare Tunnel deep dive — safely exposing internal services

     cloudflared daemon, ingress rules, HA replicas, non-HTTP (SSH/RDP/SMB), VPN migration, and troubleshooting six common cases. Tunnel is the connectivity foundation for Zero Trust.

     KhaVan · 12 min read
  9. WARP client and the device enrollment flow

     WARP architecture, enrollment flow, device posture checkers (built-in vs CrowdStrike/Intune), split tunnel modes, Local Domain Fallback, DNS, MDM deployment, troubleshooting.

     KhaVan · 12 min read
  10. Magic WAN: connecting sites and clouds over the backbone

      Magic WAN deep dive: a network-layer replacement for SD-WAN/MPLS. Four tunnel options (IPsec, GRE, Anycast IP, CNI), BGP peering, multi-cloud, realistic migration playbook.

      KhaVan · 14 min read
  11. Gateway DNS filtering — the first layer of a Secure Web Gateway

      Gateway DNS deep dive: resolver architecture, policy order, DoH per-device vs DNS location per-site, threat categories, custom lists, OS bypasses, SIEM pipeline, prod checklist.

      KhaVan · 16 min read
  12. Gateway HTTP filtering and TLS decryption — when DNS isn't enough

      HTTP inspection deep dive: installing the root CA (MDM, GPO), cert pinning gotchas, DLP patterns, CASB tenant control, legal/privacy guardrails, staged rollout, prod checklist.

      KhaVan · 17 min read
  13. Network policy L4 — blocking non-HTTP, DoH bypass, and app rules

      Network policy deep dive: blocking non-HTTP (SSH, RDP, SMTP), preventing DoH bypass, app rules for SaaS, WARP keeping user traffic on Gateway, prod checklist, hardening playbook.

      KhaVan · 13 min read
  14. End-to-end logs pipeline: Logpush, R2, SIEM correlation

      Logs deep dive for Cloudflare One: datasets, Logpush destinations (R2/S3/Splunk/Sentinel), cross-layer correlation, tiered retention, cost control, sample SIEM detection rules.

      KhaVan · 10 min read
  15. DEX — Digital Experience Monitoring: reactive to SLOs

      DEX deep dive for Cloudflare One: when the control plane says UP but users say SLOW, latency-leg diagnosis (DNS/TCP/TLS/TTFB), SLO framework, and 5 failure modes DEX misses.

      KhaVan · 12 min read
  16. Device posture and continuous verification: every request

      Device posture deep dive for Zero Trust: WARP checks (OS, disk encryption, firewall), EDR integration, continuous verification in Access policy, and response to posture loss.

      KhaVan · 14 min read
  17. Browser Isolation (RBI) — rendering risky web in a remote sandbox

      Browser Isolation deep dive for Cloudflare One: remote browser architecture (NVR), isolation triggers, data controls (copy/paste/print/download/keyboard), compliance, cost model.

      KhaVan · 12 min read
  18. CASB: SaaS posture for Google Workspace, M365, Salesforce

      CASB deep dive for Cloudflare One from 3 rollouts: the 4 Gartner pillars, inline vs API, the 8,000-finding first-scan shock, shadow IT, tenant-lock, when not to use CASB.

      KhaVan · 17 min read
  19. DLP — patterns, classification, and the 55% false positive

      DLP deep dive for Cloudflare One: tuning from 55% to 3% false positives, regex vs Luhn vs context vs EDM, custom CCCD profile, Gateway HTTP inline vs CASB API.

      KhaVan · 13 min read
  20. Email Security: phishing, BEC, and the DMARC forwarder

      Email Security deep dive for Cloudflare One: MX inline vs API journaling, the DMARC forwarder/subdomain trap, homoglyph FP calibration, user-report → retract under 1h.

      KhaVan · 13 min read