Bobcares

Cloudflare WARP firewall | Explained

by | Nov 21, 2022

Let's look at the firewall requirements for establishing a Cloudflare WARP connection. Bobcares, as a part of our Server Management Services, offers solutions to all your Cloudflare queries.

Cloudflare WARP with firewall

If an organization uses a firewall or other policies to restrict and intercept Internet traffic, it may need to exempt the following IP addresses and domains to allow WARP clients to connect.

​​ Client orchestration API

The WARP client talks to the edge through a standard HTTPS connection outside the tunnel for operations like registration or settings changes. To perform these operations, you must allow zero-trust-client.cloudflareclient.com, which resolves to the following IP addresses:

  • IPv4 API Endpoint: 162.159.137.105 and 162.159.138.105
  • IPv6 API Endpoint: 2606:4700:7::a29f:8969 and 2606:4700:7::a29f:8a69

​​ DoH IP

All DNS requests through WARP are sent outside the tunnel through DoH (DNS over HTTPS). The below IP addresses must be reachable for DNS to work correctly.

  • IPv4 DoH Address: 162.159.36.1
  • IPv6 DoH Address: 2606:4700:4700::1111

​​ WARP ingress IP

The WARP client connects to the following IP addresses. All traffic from the device to the Cloudflare edge goes through these IP addresses.

  • IPv4 Range: 162.159.193.0/24
  • IPv6 Range: 2606:4700:100::/48

​​ WARP UDP ports

WARP uses UDP for all communications. By default, the UDP port required for WARP is UDP 2408. WARP can fall back to UDP 500, UDP 1701, or UDP 4500.

​​ Creating firewall rules

If the organization does not allow inbound/outbound communication over the IP addresses and ports given above, you must manually add an exception. At a minimum, the rule needs to be scoped to the following process, depending on the platform:

  • Windows: C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe
  • macOS: /Applications/Cloudflare WARP.app/Contents/Resources/CloudflareWARP
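Before rolling out the exceptions, it helps to check an existing egress allowlist against the destinations listed above. The script below is an added example, not part of the original article or of any Cloudflare tooling: the rule format `(cidr, proto, port-or-None)`, the sample rules, and TCP 443 for the HTTPS and DoH endpoints are assumptions.

```python
import ipaddress

# Destinations listed on this page. TCP 443 for the HTTPS/DoH endpoints is an
# assumption (the standard HTTPS port); the page does not state a port for them.
REQUIRED = {
    "api": (["162.159.137.105", "162.159.138.105",
             "2606:4700:7::a29f:8969", "2606:4700:7::a29f:8a69"], "tcp", [443]),
    "doh": (["162.159.36.1", "2606:4700:4700::1111"], "tcp", [443]),
    "ingress": (["162.159.193.0/24", "2606:4700:100::/48"], "udp", [2408]),
    "ingress-fallback": (["162.159.193.0/24", "2606:4700:100::/48"],
                         "udp", [500, 1701, 4500]),
}


def covers(rule, net, proto, port):
    """True if one allow rule (cidr, proto, port-or-None) permits the flow."""
    rule_net = ipaddress.ip_network(rule[0], strict=False)
    return (rule_net.version == net.version   # checked first: subnet_of raises on mixed versions
            and net.subnet_of(rule_net)       # the whole required range must be inside the rule
            and rule[1] == proto
            and rule[2] in (None, port))      # None means "any port"


def audit(allow_rules):
    """Return {group: [(destination, proto, port), ...]} for every gap."""
    gaps = {}
    for group, (dests, proto, ports) in REQUIRED.items():
        for dest in dests:
            net = ipaddress.ip_network(dest)
            for port in ports:
                if not any(covers(r, net, proto, port) for r in allow_rules):
                    gaps.setdefault(group, []).append((dest, proto, port))
    return gaps


# Constructed egress policy: IPv4 only, default WARP port only, a /25 that
# is too narrow for the ingress range, and one API address missing.
SAMPLE_RULES = [
    ("162.159.137.105/32", "tcp", 443),
    ("162.159.36.1/32", "tcp", 443),
    ("162.159.193.0/25", "udp", 2408),
]

if __name__ == "__main__":
    for group, missing in audit(SAMPLE_RULES).items():
        for dest, proto, port in missing:
            print(f"{group}: no allow rule for {dest} {proto}/{port}")
```

A gap in the `ingress-fallback` group only matters if UDP 2408 is blocked somewhere on the path; gaps in the other groups prevent registration, DNS, or the tunnel itself.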

​​ Captive portal

The following domains are used as part of the captive portal check:

  • cloudflareportal.com
  • cloudflareok.com
  • cloudflarecp.com

​​ Connectivity check

As part of establishing the WARP connection, the client will check the following URLs to validate a successful connection:

  • engage.cloudflareclient.com. This applies to routes excluded from WARP in Split Tunnel configuration.
  • connectivity.cloudflareclient.com. This applies to routes included in WARP in Split Tunnel configuration.


Conclusion

WARP's network is highly secure, so this isn't much of a dealbreaker. Cloudflare is a security company with roots in DDoS protection services and improving online privacy, and its network is secure.
