Cloudflare Zero Trust (ZT) two-day Hands-on Course

  • Articulate the value of Cloudflare Zero Trust solution including Area 1
  • Describe the reference architecture
  • Demonstrate the capability of the solution (Access, Gateway, Browser Isolation and Area 1)
  • Effectively conduct a Proof of Concept (PoC) to showcase the value of the solution
  • Effectively onboard a customer on Cloudflare Zero Trust
  • Troubleshoot common issues while configuring/deploying the solution


Cloudflare Zero Trust 301 deepens knowledge of Zero Trust and how it can help customers. Each module provides essential background information and practical implementation training in a virtual lab environment.

This course will deepen and affirm your knowledge of Zero Trust opportunities and how Cloudflare can solve them. This course also describes Cloudflare ZT traffic forwarding services: Cloudflare Gateway and Remote Browser Isolation.

After completing this course, you will be able to:

  • Explain what Zero Trust is and what fundamental problems it solves.
  • Describe how corporate networks are implemented today.
  • Define how identity and access management are implemented today.
  • List Cloudflare’s core Zero Trust products.
  • Design a solution architecture that embeds Cloudflare into the prospect’s network architecture, including how Cloudflare integrates with or complements other vendors and technologies.
  • Demonstrate key capabilities of Cloudflare‘s Zero Trust platform focused on customer’s needs.
  • Define what Cloudflare Gateway is, what Remote Browser Isolation (RBI) is, and how the two interact.
  • Explain how Internet-bound traffic from end devices reaches Cloudflare Gateway and RBI.
  • Describe the basics of network packet encapsulation and the options available to customers using Cloudflare Gateway.
  • Design a solution architecture that embeds Cloudflare into the prospect’s network architecture, including how Cloudflare integrates with, or complements other vendors and technologies.
  • Demonstrate key capabilities of Cloudflare Gateway and Remote Browser Isolation focused on customer needs.
  • Describe how Zero Trust and how it can be used to help customers.

Course Objectives:

Upon completing this course, the learner will be able to meet these overall objectives:

  • Understand and be able to use the Cloudflare Dashboard
  • Describe how to deploy Couldflare Zero Trust for your business
  • Troubleshoot Cloudflare Zero Trust

Course Outline

  • Module 1: Getting Started with Zero Trust

This section will describe the course content, define ZT, and explain the resources you will use throughout the course, including the basic lab architecture.

  • Module 2: ZT Lab Introduction

This section will provide your role in the labs and show a high-level architecture of the solution you will implement throughout your hands-on labs.

  • Module 3: Integrating an Identity Provider policy

In this section, you will use your SAML authentication to integrate Cloudflare access with an Identity Provider (IdP).

  • Module 4: . Installing a WARP client and configuring Device Posture

Once your IdP is configured in the previous lab, you can enroll your client with a WARP supplicant. Like a VPN client, a WARP client allows you to protect user traffic by sending it securely and privately from the user’s device to Cloudflare’s edge network.

  • Module 5: Cloudflare Tunnel and Zero Trust Network Access

After your WARP client is connected to Cloudflare, this hands-on lab will have you onboard your fictitious company’s applications. This will provide granular access control to all your applications, including internal on-prem apps, apps hosted in private clouds, and SaaS apps.

  • Module 6: Zero Trust Private Network

This hands-on lab will teach you how to implement an intranet application. so only specific user access is granted to the resources.

  • Module 7: In-browser SSH terminal

In this last hands-on lab of section 1, we will use Cloudflare Access to render an SSH terminal in a web browser.

  • Module 8: Gateway policies (SWG)

This hands-on lab will have you set up Cloudflare Gateway, a comprehensive Secure Web Gateway (SWG)that allows you to configure policies to inspect DNS, Network, HTTP, and Egress traffic.

  • Module 9: Browser Isolation

This section will have you configured Internet-native Remote Browser Isolation (RBI), which allows you to layer additional threat defense and data protection controls across browsing activities. Also, you can insulate local devices from malware by running all browser codes on Cloudflare’s global network. All of this combines to deliver a lightning-fast browsing experience for end users.

  • Module 10: App Launcher

App Launcher lets your users conveniently view and open all secure applications they have access to, and bookmarks, they can access from a single dashboard.

  • Module 11: Non-identity on-ramp

This hands-on lab will have you configure your browser to forward traffic to a Gateway proxy endpoint. You can isolate HTTP traffic from on-ramps such as proxy endpoint or Magic WAN.

  • Module 12: Tenant control

For the final exercise, you will set up tenant control for a SaaS application. Your task is to authenticate to our SaaS application and retrieve a completion token by adding an HTTP header with a shared secret to your request.

Lab Outline:

Labs are designed to assure learners a whole practical experience through the following practical activities:

Lab 1: Accessing the Lab Resources for Cloudflare Zero Trust labs

  • Accessing your Virtual Machines
  • Accessing the Cloudflare Dashboard
  • Troubleshooting

Lab 2: Integrate Identity Provider

  • Retrieve your Team Domain and Lab Slug
  • Create a SAML provider
  • Add SAML provider to Zero Trust Dashboard

Lab 3. WARP client & device posture

  • Configure enrollment policy for WARP
  • Test your connection to the WARP device client
  • Create a device posture rule.
  • Observe how WARP enforces device posture.
  • Gather WARP logs
  • WARP Support Challenge (optional)
  1. Cloudflare Tunnel and Zero Trust Network Access
  • Connect to the Ubuntu Linux server VM
  • Create a tunnel and onboard public website.
  • Connector diagnostics
  • Test access to public website
  1. Zero Trust Private Network
  • Onboard intranet
  • Test access to the intranet
  • Onboard fileserver
  • Test access to fileserver
  1. In-browser SSH terminal
  • Update your tunnel configuration.
  • Configure an Access policy for the Browser SSH application
  • Start SSH session inside web browser
  1. Gateway Policies

Gateway DNS policy

  • Create a Customized Block Page that users will receive.
  • Create a DNS policy
  • Test the policy

Gateway network policy

  • Create a network policy
  • Test the policy

Gateway HTTP policy

  • Create an HTTP policy
  • Test the policy
  1. Browser Isolation

Transparent RBI with WARP

  • Add an Isolate policy
  • Test with WARP

Clientless remote browser

  • Enable clientless RBI
  • Gateway posture check
  • Have intranet require Gateway
  • Test with WARP
  • Test without WARP
  1. App Launcher

App Launcher

  • Enable launcher
  • Add a bookmark
  • Test
  1. Non-identity on-ramp
  • Get the public source IP of your Windows workstation
  • Create a Proxy Endpoint
  • Generate PAC file
  • Apply PAC file to your Windows network settings
  • Test the policy
  1. Tenant Control
  • Verify default behavior
  • Add HTTP header
  • Verify token is returned