Email Security: phishing, BEC, and the DMARC forwarder
Email Security deep-dive for Cloudflare One: MX inline vs API journaling, the DMARC forwarder/subdomain trap, homoglyph FP calibration, user-report → retract under 1h....
20 posts · RSS
DLP deep-dive for Cloudflare One: tuning from 55% to 3% false positives, regex vs Luhn vs context vs EDM, custom CCCD profile, Gateway HTTP inline vs CASB API....
CASB deep-dive for Cloudflare One from 3 rollouts: the 4 Gartner pillars, inline vs API, 8,000-finding first-scan shock, shadow IT, tenant-lock, when not to use CASB....
Browser Isolation deep dive for Cloudflare One: remote browser architecture (NVR), isolation triggers, data controls (copy/paste/print/download/keyboard), compliance, cost model....
Device posture deep dive for Zero Trust: WARP checks (OS, disk encryption, firewall), EDR integration, continuous verification in Access policy, and response to posture loss....
DEX deep dive for Cloudflare One: when control plane says UP but users say SLOW, latency-leg diagnosis (DNS/TCP/TLS/TTFB), SLO framework, and 5 failure modes DEX misses....
Logs deep dive for Cloudflare One: datasets, Logpush destinations (R2/S3/Splunk/Sentinel), cross-layer correlation, tiered retention, cost control, sample SIEM detection rules....
Network policy deep dive: blocking non-HTTP (SSH, RDP, SMTP), preventing DoH bypass, app rules for SaaS, WARP keeping user traffic on Gateway, prod checklist, hardening playbook....
HTTP inspection deep dive: installing the root CA (MDM, GPO), cert pinning gotchas, DLP patterns, CASB tenant control, legal/privacy guardrails, staged rollout, prod checklist....
Gateway DNS deep dive: resolver architecture, policy order, DoH per-device vs DNS location per-site, threat categories, custom lists, OS bypasses, SIEM pipeline, prod checklist....
Magic WAN deep dive: a network-layer replacement for SD-WAN/MPLS. Four tunnel options (IPsec, GRE, Anycast IP, CNI), BGP peering, multi-cloud, realistic migration playbook....
WARP architecture, enrollment flow, device posture checkers (built-in vs CrowdStrike/Intune), split tunnel modes, Local Domain Fallback, DNS, MDM deployment, troubleshooting....
cloudflared daemon, ingress rules, HA replicas, non-HTTP (SSH/RDP/SMB), VPN migration, and troubleshooting six common cases. Tunnel is the connectivity foundation for Zero Trust....
SCIM closes the stale window: the IdP pushes updates in near-real time instead of Cloudflare pulling claims at login. Okta/Entra/Google setup, lifecycle phases, conflicts....
When the client is not a user. Service tokens vs mTLS, setup for both, a zero-downtime rotation strategy, audit logs, and common anti-patterns....
A matrix of the four most common IdPs with Cloudflare Access: OIDC vs SAML, per-IdP group claim pitfalls, claim mapping, group sync timing, multi-IdP patterns, prod checklist....
Replacing VPN for internal apps with Cloudflare Access: anatomy, login flow, 5-step setup (application, IdP, policy, Tunnel, test), policy evaluation order, and troubleshooting....
A framework for reasoning about every Cloudflare One feature: every request traverses four layers, each producing signals, and policy evaluation yields one of five outcomes. Rollout and debugging....
Four terms routinely conflated in RFPs, design docs, and vendor marketing. Their scope, when Gartner/Forrester defined them, how to use each correctly, and a decision tree....
A practical overview of Cloudflare One: SASE, SSE, Zero Trust, the six main product groups, how it compares to Zscaler and Netskope, and the mental model to have before deployment....