
Gateway analytics (DNS, HTTP, network sessions)

Gateway analytics are composed of three separate dashboards:

  1. HTTP request analytics.
  2. DNS query analytics.
  3. Network session analytics.

To view Gateway analytics, go to Analytics > Dashboards in Zero Trust and select your desired dashboard.

HTTP request analytics

Cloudflare Gateway HTTP policies allow you to intercept all HTTP and HTTPS requests and either block, allow, or override specific elements such as websites, IP addresses, and file types. HTTP policies operate on Layer 7 for all TCP (and optionally UDP) traffic sent over ports 80 and 443.

  • Actions: Policies can use a variety of actions, including Allow, Block, and Redirect. More advanced actions include Isolate (to run a website in a remote browser), Do Not Inspect (to bypass SSL decryption), and Do Not Scan (to bypass specific security features). The Do Not Inspect rules are always evaluated first to allow for critical exceptions.

  • Logical expressions: Policies are built with a wide range of selectors that provide granular control, such as Host, User Email, Destination IP, and File Type. Selectors allow for rules like "Block all downloads of .exe files for all users" or "Redirect traffic from this specific user to a different URL".

Value of HTTP request traffic analytics

Provided analytics

  • HTTP Requests over Time
    • Time series view of HTTP requests
  • Top Actions
  • Top Countries
  • Top Blocked Users
  • Top Bandwidth Consumers
  • Top Devices
  • Top Source IPs

DNS query analytics

Cloudflare Gateway DNS policies allow administrators to filter and secure their organization's DNS traffic. When a user makes a DNS request, it is evaluated against a set of rules defined by an action and a logical expression known as a selector.

  • Actions: The policies can take actions such as Allow, which permits a request; Block, which prevents it; or Override, which reroutes the request to a different address.

  • Logical expressions: Policies are highly customizable using selectors (such as Content Categories, Security Categories, Source IP, or Resolved IP) and operators. Selectors and operators enable the creation of granular rules to control access to specific content or to block threats. Policies can be applied before or after DNS resolution is completed.

Value of DNS query analytics

Provided analytics

  • DNS Queries over Time
    • Time series view of DNS queries
  • Top Actions
  • Top Countries
  • Top Blocked Users
  • Top Allowed Users
  • Top Blocked Devices

Network session analytics

Cloudflare Gateway network policies allow administrators to control network-level traffic leaving their endpoints. Gateway network policies are identity-based, meaning they can be applied to individual users or groups to control access to non-HTTP resources.

  • Actions: The primary actions for network policies are Allow and Block. The Allow action permits traffic to specific IPs or ports, while the Block action denies it. When traffic is blocked, an optional notification can be sent to the user via the WARP client, often with a custom message.

  • Logical expressions: Policies are created using a combination of selectors, operators, and values. Selectors include criteria such as Destination IP, Destination Port, Detected Protocol, and Source IP. This allows for granular control over network traffic.

Value of network session analytics

Provided analytics

  • Network Sessions over Time
    • Time series view of Network Sessions
  • Top Actions
  • Top Countries
  • Top Blocked Users
  • Top Bandwidth Consumers
  • Top Devices
  • Top Source IPs

GraphQL queries

You can use the GraphQL Analytics API to query your Gateway Analytics data. Available datasets for Gateway include:

| Dataset | Description |
| --- | --- |
| gatewayL4DownstreamSessionsAdaptiveGroups | Metrics for Gateway network sessions from user devices to the Cloudflare global network. |
| gatewayL4UpstreamSessionsAdaptiveGroups | Metrics for Gateway network sessions from the Cloudflare global network to user devices. |
| gatewayL4SessionsAdaptiveGroups | Metrics for Gateway network sessions with adaptive sampling. |
| gatewayL7RequestsAdaptiveGroups | Metrics for Gateway HTTP requests with adaptive sampling. |
| gatewayResolverQueriesAdaptiveGroups | Metrics for Gateway DNS queries with adaptive sampling. |
| gatewayResolverByRuleExecutionPerformanceAdaptiveGroups | Time to execute Gateway DNS policies on the Cloudflare global network. |
| gatewayResolverByCustomResolverGroups | Metrics for Gateway DNS queries resolved using custom resolvers. |
| gatewayResolverByCategoryAdaptiveGroups | Metrics for Gateway DNS queries sorted by domain category with adaptive sampling. |

To explore the schema, you can use a GraphQL client such as GraphiQL or Altair.

  1. Create an API token with the following permissions:

    | Type | Item | Permission |
    | --- | --- | --- |
    | Account | Account Analytics | Read |
  2. In your GraphQL client, add your API token as an Authorization header.

  3. Compose a query to access your Gateway Analytics datasets. For example, you can query the gatewayResolverQueriesAdaptiveGroups dataset to return the adaptive groups of DNS queries resolved by Gateway:

    query GatewaySampleQuery($accountTag: string!, $start: Time) {
      viewer {
        accounts(filter: { accountTag: $accountTag }) {
          gatewayResolverQueriesAdaptiveGroups(
            filter: { datetime_gt: $start }
            limit: 10
          ) {
            count
            dimensions {
              queryNameReversed
              resolverDecision
            }
          }
        }
      }
    }

For more information, refer to Compose a query in GraphiQL.
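The three steps above as a script, added here as an example and not taken from Cloudflare's documentation: it sends the sample query to the GraphQL Analytics API endpoint with the token in the Authorization header, then totals `count` per `resolverDecision`. The environment variable names, the start time and the sample response (including its `resolverDecision` values) are assumptions constructed for illustration.

```python
import json, os, urllib.request
from collections import Counter

ENDPOINT = "https://api.cloudflare.com/client/v4/graphql"
QUERY = """query GatewaySampleQuery($accountTag: string!, $start: Time) {
  viewer { accounts(filter: { accountTag: $accountTag }) {
    gatewayResolverQueriesAdaptiveGroups(filter: { datetime_gt: $start }, limit: 10) {
      count
      dimensions { queryNameReversed resolverDecision }
    } } } }"""

def build_request(token, account_tag, start):
    """Steps 2 and 3: token in the Authorization header, query and variables as JSON."""
    body = json.dumps({"query": QUERY,
                       "variables": {"accountTag": account_tag, "start": start}})
    return urllib.request.Request(
        ENDPOINT, data=body.encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})

def counts_by_decision(response):
    """Sum `count` per resolverDecision; fail loudly if the API returned errors."""
    if response.get("errors"):
        raise RuntimeError(f"GraphQL errors: {response['errors']}")
    totals = Counter()
    for account in response["data"]["viewer"]["accounts"]:
        for group in account["gatewayResolverQueriesAdaptiveGroups"]:
            totals[group["dimensions"]["resolverDecision"]] += group["count"]
    return dict(totals)

# Constructed response in the shape the query selects; the names and the
# resolverDecision values are placeholders, not real data or real decision codes.
SAMPLE = {"data": {"viewer": {"accounts": [{"gatewayResolverQueriesAdaptiveGroups": [
    {"count": 40, "dimensions": {"queryNameReversed": "com.example.www", "resolverDecision": 1}},
    {"count": 7, "dimensions": {"queryNameReversed": "test.blocked", "resolverDecision": 2}},
    {"count": 3, "dimensions": {"queryNameReversed": "test.other", "resolverDecision": 2}},
]}]}}, "errors": None}

if __name__ == "__main__":
    token = os.environ.get("CLOUDFLARE_API_TOKEN")      # assumed variable name
    account = os.environ.get("CLOUDFLARE_ACCOUNT_TAG")  # assumed variable name
    if token and account:  # live call only when credentials are supplied
        req = build_request(token, account, "2024-01-01T00:00:00Z")
        with urllib.request.urlopen(req, timeout=30) as resp:
            print(counts_by_decision(json.load(resp)))
    else:  # offline: summarise the constructed sample instead
        print(counts_by_decision(SAMPLE))
```

Reading the token from the environment keeps it out of the script and out of version control; the token itself only needs the Account Analytics Read permission from step 1.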