Global rules
Cloudflare Zero Trust applies a set of global rules to all accounts.
| Criteria | Value | Action | Description | 
|---|---|---|---|
| Hostname | *.cloudflareclient.com | bypass | engage.cloudflareclient.comis used by client for registration | 
| Hostname | *.assets.browser.run | bypass | Do not inspect assets.browser.runor*.assets.browser.run | 
| Hostname | *.cloudflare-gateway.com | bypass | Ensure we bypass requests to cloudflare-gateway.comDNS endpoint | 
| Hostname | *.cloudflarestatus.com | bypass | Bypass cloudflarestatus.comso customers can reach the page in case of Gateway outage | 
| Hostname | *.net.cloudflare.com | bypass | Bypass *.nel.cloudflarestatus.comfor Cloudflare’s network error logging feature | 
| Hostname | client.wns.windows.com | bypass | Temp cert pinning global bypass | 
| Hostname | api.apple-cloudkit.com | bypass | Temp cert pinning global bypass | 
| Hostname | gateway.icloud.com | bypass | Temp cert pinning global bypass | 
| Hostname | *.edge.browser.run | isolate | Anything bound for *.edge.browser.runneeds to go the isolation browser | 
| Hostname | help.teams.cloudflare.com | allow | Zero Trust client will use this to check if Gateway is on by inspecting cert. Also will check if certificate is properly installed on client machine | 
| Request Header | Accept: text/html | noisolate | Browsers issue an Accept:header that begins withtext/html. Do not isolate if we don’t see such a header because this is not a browser |