Block page
Gateway responds to any domain blocked at the DNS level with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, and does not return that blocked domain's IP address. As a result, the browser will show a browser default error page, and users will not be able to reach that website. This may cause confusion and lead some users to think that their Internet connection is not working.
Configuring a custom block page in Zero Trust helps avoid this confusion. Your block page will display information such as the rule ID of the policy blocking the website, a policy-specific block message, your organization's name, and a global message you may want to show — for example, a message explaining that the website has been blocked by Gateway and providing any points of contact for support within the organization.
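To separate a DNS-level block from a genuine connectivity problem when handling a support ticket, the answers a device receives can be classified as below. This is an added example, not Cloudflare code; the function names, state labels and sample hostnames are assumptions, and other DNS filters can also answer with the unspecified address, so the result is an indication rather than proof.

```python
import ipaddress
import socket


def classify_answers(addresses):
    """Classify the addresses one hostname resolved to.

    dns-blocked: every answer is the unspecified address (0.0.0.0 or ::)
    mixed:       unspecified and real answers together (one family blocked)
    resolved:    only real addresses
    no-answer:   nothing came back (NXDOMAIN, resolver unreachable, ...)
    """
    if not addresses:
        return "no-answer"
    # Drop any IPv6 zone suffix ("fe80::1%eth0") before parsing.
    parsed = [ipaddress.ip_address(a.split("%")[0]) for a in addresses]
    sinkholed = [ip.is_unspecified for ip in parsed]
    if all(sinkholed):
        return "dns-blocked"
    return "mixed" if any(sinkholed) else "resolved"


def resolve(hostname):
    """Resolve through the system resolver; an empty list means the lookup failed."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def triage(hostname, resolver=resolve):
    """Return (state, advice) for a ticket about an unreachable site."""
    advice = {
        "dns-blocked": "Answer is 0.0.0.0/::, consistent with a DNS-level block; check Gateway policies.",
        "mixed": "Only some answers are 0.0.0.0/::; check which resolver each address family uses.",
        "resolved": "DNS returned real addresses; the problem is not a DNS-level block.",
        "no-answer": "No DNS answer at all; investigate connectivity or the resolver itself.",
    }
    state = classify_answers(resolver(hostname))
    return state, advice[state]


if __name__ == "__main__":
    # Constructed sample answers; call triage("name") alone to use the system resolver.
    samples = {"blocked.example": ["0.0.0.0", "::"], "ok.example": ["192.0.2.10"]}
    for name, answers in samples.items():
        print(name, triage(name, resolver=lambda _h, a=answers: a))
```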
Gateway supports custom block pages for DNS and HTTP policies.
In order to display the block page as the URL of the blocked domain, your devices must have a Cloudflare certificate installed. Enterprise users can also deploy their own root CA certificate. If you do not install a certificate, the block page will not display correctly.
To configure the block page:
- In Zero Trust, go to Settings > Custom Pages.
- Under Account Gateway block page, select Customize.
Instead of displaying the Cloudflare block page, you can configure Gateway to return a `307` (Temporary Redirect) HTTP response code and redirect to a custom URL.
To redirect users to a non-Cloudflare block page:
- In Zero Trust, go to Settings > Custom Pages.
- Under Account Gateway block page, select Customize.
- Choose URL redirect.
- Select Save.
Gateway will now redirect users to a custom page when user traffic matches a Block policy with the block page configured.
You can customize the block page by making global changes that Gateway will display every time a user reaches your block page. Customizations will apply regardless of the type of policy (DNS or HTTP) that blocks the traffic.
To customize your block page:
- In Zero Trust, go to Settings > Custom Pages.
- Under Account Gateway block page, select Customize.
- Choose Custom Gateway block page. Gateway will display a preview of your custom block page. Available global customizations include:
  - Your organization's name
  - Logo
  - Header text
  - Global block message, which will be displayed above the policy-specific block message
  - Mailto link
  - Background color
- Select Save.
Users will now get a custom block page when visiting a blocked website.
You can include an external logo image to display on your custom block page. The block page resizes all images to 146x146 pixels. The URL must be valid and no longer than 2048 characters. Accepted file types include SVG, PNG, JPEG, and GIF.
You can add a Mailto link to your custom block page, which allows users to directly email you about the blocked site. When users select Contact your Administrator on your block page, an email template opens with the email address and subject line you configure, as well as the following diagnostic information:
Field | Description |
---|---|
Site URL | The URL of the blocked page. |
Rule ID | The ID of the Gateway policy that blocked the page. |
Source IP | The public source IP of the user device. |
Account ID | The Cloudflare account associated with the block policy. |
User ID | The ID of the user who visited the page. Currently, User IDs are not surfaced in the dashboard and can only be viewed by calling the API. |
Device ID | The ID of the device that visited the page. This is generated by the WARP client. |
Block Reason | Your policy-specific block message. |
For DNS Block policies, you will need to turn on the block page for each policy. For HTTP Block policies, Gateway automatically displays your global block page setting by default. You can override the global setting for HTTP policies on a per-policy basis.
To turn on the block page for an individual policy:
- In Zero Trust, go to Gateway > Firewall policies > DNS.
- Select Add a policy to create a new policy, or choose the policy you want to customize and select Edit. You can only edit the block page for policies with a Block action.
- Under Configure policy settings, turn on Modify Gateway block behavior.
- Choose your block behavior:
  - Use account-level block setting: Use the global block page setting configured in your account settings. The global setting can be either an HTTP redirect or a custom Cloudflare block page.
  - Override account setting with URL redirect: Redirect users with a `307` HTTP redirect to a URL you specify on a policy level.
- Select Save policy.
Depending on your settings, Gateway will display a block page in your users' browsers or redirect them to a specified URL when they are blocked by this policy.
- In Zero Trust, go to Gateway > Firewall policies > HTTP.
- Select Add a policy to create a new policy, or choose the policy you want to customize and select Edit. You can only edit the block page for policies with a Block action.
- Under Configure policy settings, go to Modify Gateway block behavior.
- Choose your block behavior:
  - Use account-level block setting: Use the global block page setting configured in your account settings. The global setting can be either an HTTP redirect or a custom Cloudflare block page.
  - Override account setting with URL redirect: Redirect users with a `307` HTTP redirect to a URL you specify on a policy level.
- Select Save policy.
Depending on your settings, Gateway will display a block page in your users' browsers or redirect them to a specified URL when they are blocked by this policy.
If your users receive a security risk warning in their browser when visiting a blocked page, check that you have correctly installed a certificate on their devices. If a certificate is not installed or the installed certificate is invalid or expired, your user's browser may:
- Display an HTTP Response Code: 526 error page, indicating an insecure upstream.
- Close the connection and fail to display any pages.
For more information on fixing certificate issues, refer to Troubleshooting.
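After configuring a URL redirect or rolling out a certificate, an administrator can confirm from a test device which of the outcomes described above a blocked URL actually produces: the `307` redirect to the intended page, the 526 error page, or a rejected certificate. The following is an added example, not Cloudflare code; the function names and state labels are assumptions, and ignoring the query string when comparing the redirect target is a choice made here.

```python
import http.client
import ssl
from urllib.parse import urlsplit


def same_target(location, expected):
    """Compare scheme, host and path; the query string is ignored (assumption)."""
    if not location:
        return False
    a, b = urlsplit(location), urlsplit(expected)
    return (a.scheme, a.netloc.lower(), a.path or "/") == (
        b.scheme, b.netloc.lower(), b.path or "/")


def classify_block_response(status, location, expected_redirect, tls_error=False):
    """Map one observation of a blocked URL to a state this page describes."""
    if tls_error:
        return "cert-untrusted"        # client rejected the certificate it was shown
    if status == 526:
        return "cert-526"              # the 526 error page from the troubleshooting text
    if status == 307:
        if same_target(location, expected_redirect):
            return "redirect-ok"
        return "redirect-wrong-target"  # redirected, but not to the page you configured
    return "not-redirected"            # a block page, or the site itself, was served


def probe(url, expected_redirect, timeout=5):
    """Request url once, without following redirects, and classify the result."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        # Uses Python's default trust store, which can differ from the browser's.
        conn = http.client.HTTPSConnection(
            parts.hostname, parts.port, timeout=timeout,
            context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return classify_block_response(
            resp.status, resp.getheader("Location"), expected_redirect)
    except ssl.SSLCertVerificationError:
        return classify_block_response(None, None, expected_redirect, tls_error=True)
    finally:
        conn.close()
```

Run `probe()` from a device that is subject to the Block policy, passing a URL the policy blocks and the redirect URL you configured.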
Gateway will not properly filter traffic sent through third-party VPNs or other Internet filtering software, such as iCloud Private Relay. To ensure your DNS policies apply to your traffic, Cloudflare recommends turning off software that may interfere with Gateway.
To turn off iCloud Private Relay, refer to the Apple user guides for macOS or iOS.
If an HTTP request that matches a block policy does not arrive at the same Cloudflare data center as its DNS query, Gateway will display the default block page instead of your custom block page.
If the HTTP request comes from a different IP address than the DNS request, Gateway may not display the rule ID, custom message, or other fields on the block page. This can happen when a recursive DNS resolver's source IP address differs from the user device's IP address.