Let’s work through the Cloudflare WARP firewall requirements that are part of establishing the WARP connection. Bobcares, as a part of our Server Management Services, offers solutions to all your Cloudflare queries.
Cloudflare WARP with firewall
An organization that uses a firewall or other policies to restrict or intercept Internet traffic may need to exempt the following IP addresses and domains so that WARP clients can connect.
Client orchestration API
The WARP client talks with the edge through a standard HTTPS connection outside the tunnel for operations like registration or settings changes. To perform these operations, you must allow zero-trust-client.cloudflareclient.com, as this will look up the below IP addresses:
DoH IP
All DNS requests through WARP are sent outside the tunnel through DoH (DNS over HTTPS). The below IP addresses must be reachable for DNS to work correctly.
- IPv4 DoH Address: 162.159.36.1
- IPv6 DoH Address: 2606:4700:4700::1111
WARP ingress IP
These are the IP addresses the WARP client connects to. All traffic from the device to the Cloudflare edge goes through these IP addresses.
- IPv4 Range: 162.159.193.0/24
- IPv6 Range: 2606:4700:100::/48
WARP UDP ports
WARP utilizes UDP for all communications. The UDP port required for WARP is UDP 2408 by default. WARP can fall back to UDP 500, UDP 1701, or UDP 4500.
Creating firewall rules
If the organization does not allow inbound/outbound communication over the IP addresses and ports given above, you must manually add an exception. The rule at a minimum needs to be scoped to the below process based on the platform:
- Windows: C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe
- macOS: /Applications/Cloudflare WARP.app/Contents/Resources/CloudflareWARP
Captive portal
The following domains are used as part of the captive portal check:
- cloudflareportal.com
- cloudflareok.com
- cloudflarecp.com
Connectivity check
As part of establishing the WARP connection, the client checks the following URLs to validate a successful connection:
- engage.cloudflareclient.com: this applies to routes excluded from WARP in the Split Tunnel configuration.
- connectivity.cloudflareclient.com: this applies to routes included in WARP in the Split Tunnel configuration.
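As an added example (not from the original article or from Cloudflare), the Python sketch below matches denied flows from a firewall log against the addresses, ports and domains listed above, to show which WARP requirement each block affects. The `DENY <proto> <dst> <port>` log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Addresses, ports and domains are the ones listed on this page; names are this example's own.
DOH_IPS = {ipaddress.ip_address(a) for a in ("162.159.36.1", "2606:4700:4700::1111")}
INGRESS_NETS = [ipaddress.ip_network(n) for n in ("162.159.193.0/24", "2606:4700:100::/48")]
WARP_UDP_PORTS = {2408: "default", 500: "fallback", 1701: "fallback", 4500: "fallback"}
DOMAINS = {
    "zero-trust-client.cloudflareclient.com": "client orchestration API",
    "cloudflareportal.com": "captive portal check",
    "cloudflareok.com": "captive portal check",
    "cloudflarecp.com": "captive portal check",
    "engage.cloudflareclient.com": "connectivity check",
    "connectivity.cloudflareclient.com": "connectivity check",
}

def warp_requirement(proto, dst, port):
    """Return the WARP requirement a flow belongs to, or None if unrelated."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:  # not an IP literal: match as a hostname
        return DOMAINS.get(dst.lower().rstrip("."))
    if addr in DOH_IPS:
        return "DoH resolver"
    in_ingress = any(addr.version == n.version and addr in n for n in INGRESS_NETS)
    if in_ingress and proto.lower() == "udp" and port in WARP_UDP_PORTS:
        return f"WARP ingress ({WARP_UDP_PORTS[port]} UDP {port})"
    return None

def blocked_warp_flows(deny_log):
    """Return (line, requirement) for each 'DENY <proto> <dst> <port>' line WARP depends on."""
    hits = []
    for line in deny_log.strip().splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "DENY" or not fields[3].isdigit():
            continue  # skip malformed and non-deny lines
        req = warp_requirement(fields[1], fields[2], int(fields[3]))
        if req:
            hits.append((line, req))
    return hits

# Constructed sample log in a hypothetical format, not real traffic.
SAMPLE_DENY_LOG = """
DENY udp 162.159.193.7 2408
DENY udp 162.159.193.7 53
DENY tcp 162.159.36.1 443
DENY udp 2606:4700:100::a29f:c101 4500
DENY tcp zero-trust-client.cloudflareclient.com 443
DENY tcp 203.0.113.10 443
"""
```

Calling `blocked_warp_flows(SAMPLE_DENY_LOG)` returns four hits; the UDP 53 flow to the ingress range and the flow to 203.0.113.10 are not WARP requirements and are ignored.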
Conclusion
WARP’s network is highly secured, so this isn’t much of a dealbreaker. Cloudflare’s website network is secure, since it is a security company with roots in DDoS protection services and in improving online privacy.