Scheduled DNS policies

Cloudflare Gateway allows you to configure any DNS policy to activate or deactivate on a regular time interval.

By default, Gateway policies are unscheduled and apply at all times. You can use the Gateway Rules API to create a new DNS policy with a schedule or add a schedule to an existing policy. To schedule a policy, send a POST or PUT request with the schedule parameter set to your desired days of the week, times of day, and an optional time zone. The schedule will appear in Zero Trust under Gateway > Firewall Policies > DNS when you expand the row for the policy.

How Gateway determines time zone

If you assign a time zone to your schedule, Gateway will always use the current time in that time zone, regardless of the user's location. This allows you to enable a policy during a certain fixed time period.

If you do not specify a time zone, Gateway will enable the DNS policy based on the user's local time zone. The user's time zone is inferred from the IP geolocation of their source IP address. If Gateway is unable to determine the time zone from the source IP, we will fall back to the time zone of the data center where the query was received.

Example: Fixed time zone

The following command creates a DNS policy to block facebook.com only on weekdays from 8:00 AM - 12:30 PM and 1:30 PM - 5:00 PM in the Chicago, USA time zone.

curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  "name": "office-no-facebook-policy",
  "action": "block",
  "traffic": "dns.fqdn == \"facebook.com\"",
  "enabled": true,
  "schedule": {
    "time_zone": "America/Chicago",
    "mon":  "08:00-12:30,13:30-17:00",
    "tue":  "08:00-12:30,13:30-17:00",
    "wed":  "08:00-12:30,13:30-17:00",
    "thu":  "08:00-12:30,13:30-17:00",
    "fri":  "08:00-12:30,13:30-17:00"
  }
}'

Refer to this table for a list of all time zones.

Example: User's time zone

The following command creates a DNS policy to block clockin.com only on weekends, in the time zone where the user is currently located.

curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  "name": "clock-in-policy",
  "action": "block",
  "traffic": "dns.fqdn == \"clockin.com\"",
  "enabled": true,
  "schedule": {
    "sat":  "00:00-24:00",
    "sun":  "00:00-24:00"
  }
}'

Gateway will not change the policy's enabled status when inside or outside of the time period specified. When enabled, Gateway activates or deactivates the policy according to its schedule. When disabled, the policy is always deactivated.
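The activation rules described on this page (fixed versus inferred time zone, unlisted days, and the enabled flag), written out as an added Python example; it is not Cloudflare's code or part of the original page. Assumptions: the names `policy_active`, `user_tz` and `resolve_tz` are hypothetical, range starts are treated as inclusive and ends as exclusive, and the two sample policies are constructed from the payloads shown above.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")  # datetime.weekday() order

# Constructed from the two example payloads on this page.
OFFICE = {"enabled": True, "schedule": {"time_zone": "America/Chicago",
          **{d: "08:00-12:30,13:30-17:00" for d in DAYS[:5]}}}
WEEKEND = {"enabled": True, "schedule": {"sat": "00:00-24:00", "sun": "00:00-24:00"}}


def minutes(hhmm):
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)  # "24:00" -> 1440, valid only as an end


def parse_ranges(spec):
    """'08:00-12:30,13:30-17:00' -> [(480, 750), (810, 1020)]"""
    ranges = []
    for part in spec.split(","):
        start, end = (minutes(t) for t in part.strip().split("-"))
        if not 0 <= start < end <= 1440:
            raise ValueError(f"bad time range: {part!r}")
        ranges.append((start, end))
    return ranges


def policy_active(policy, now, user_tz, resolve_tz=ZoneInfo):
    """True if the policy applies to a query seen at aware datetime `now`.
    user_tz stands in for the zone Gateway infers from the source IP."""
    if not policy.get("enabled"):
        return False  # disabled: always deactivated, schedule ignored
    schedule = policy.get("schedule")
    if not schedule:
        return True  # unscheduled: applies at all times
    # A fixed time_zone wins; otherwise fall back to the user's inferred zone.
    tz = resolve_tz(schedule["time_zone"]) if "time_zone" in schedule else user_tz
    local = now.astimezone(tz)
    spec = schedule.get(DAYS[local.weekday()])
    if not spec:
        return False  # day not listed in the schedule
    minute = local.hour * 60 + local.minute
    # Assumption: start inclusive, end exclusive.
    return any(start <= minute < end for start, end in parse_ranges(spec))


if __name__ == "__main__":
    friday_2330_utc = datetime(2024, 1, 12, 23, 30, tzinfo=timezone.utc)
    for name, offset in (("UTC-6", -6), ("UTC+9", 9)):
        tz = timezone(timedelta(hours=offset))
        print(name, policy_active(WEEKEND, friday_2330_utc, tz))
```

Run against a schedule before sending it to the API, this shows which windows a block policy leaves uncovered, such as the 12:30 to 13:30 gap in the office policy, and how a schedule without `time_zone` gives different results for the same instant depending on the inferred zone.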