CF One UAT

Gateway HTTP Policy Analysis / Python Test Script Generator

Select an account to get started
Choose a Cloudflare account from the sidebar, then click "Fetch Policies" to analyze the Gateway configuration and generate UAT test scripts.
Click "Generate Python Script" in the sidebar to launch a UAT campaign and generate the test script.
cfone_uat.py

            
Curated best-practice policies from Cloudflare One documentation. Selected policies are created disabled at the top of the evaluation order — review each one in the Zero Trust dashboard before enabling. Existing policies (matched by name) are skipped automatically.
Standalone Python deployer
Interactive CLI that uses Global API Key auth (no scoped-token edit permission needed). Prompts for email + key, lists accounts, lets you pick policies.
CF1 UAT — How it works
CF1 UAT Architecture — Dual-Mode Policy Testing Flow
WARP & Clientless scripts, tester invites via email, auto results callback

1 — ADMIN SIDE (Access-protected)
  Admin / SE: Brixio Staff (browser)
  Cloudflare Access: JWT + IdP groups
  brixio2 portal: two.brixio.tech/cf1uat
  cfone-uat Worker: uatcf1.brixio.tech (private), cf1uat.brixio.tech (public)
  UI assets: SPA dashboard
  D1 Database: campaigns · testers · results · versions

2 — FETCH POLICIES & APPS (Cloudflare API, user token)
  Gateway Rules: HTTP · DNS · L4 (/gateway/rules)
  DLP Profiles · Lists: entries · regex, domains/IPs lookup
  Access Apps & Policies: include/exclude/require (/access/apps + /policies)
  DNS Locations (DoH): for clientless DNS tests (/gateway/locations)
  Intel API (Radar): verify test domains match expected category

3 — BUILD 2 SCRIPTS & STORE IN CAMPAIGN (script_content + script_content_clientless)
  WARP script (.py): tests DNS (system) · HTTP · L4 · DLP · Isolate (RBI) · Access apps. Requires WARP client connected.
  Clientless script (.py): tests DNS via DoH + Access apps. HTTP/L4/DLP/Isolate skipped. No WARP required.
  Resend (email provider): branded invite with download link. Per tester: warp / clientless / both. Sent from no-reply@cf1uat.brixio.tech

4 — TESTER SIDE (public · cf1uat.brixio.tech)
  Tester Inbox: invite email (HTML, single-use link)
  /download/:token: invite-token verified, serves mode-appropriate .py
  Run WARP script: device with WARP connected. Traffic → Cloudflare Gateway
  Run Clientless script: any device, no WARP. DNS via DoH + Access over HTTPS
  Cloudflare Gateway:
    • Enforces DNS / HTTP / L4
    • Block page / sinkhole / RBI
    • TLS decrypt (if enabled)
    • DoH resolver
    • Identity via Access JWT
    • DLP inspection
  Target Resources:
    • Public sites (HTTPS tests)
    • Domain resolutions (DNS tests)
    • TCP/UDP endpoints (L4)
    • Access-protected apps
    • httpbin.org (DLP tests)

5 — RESULTS CALLBACK (public HMAC-verified endpoint)
  POST /callback/results: campaign_id + token (HMAC) + report, on cf1uat.brixio.tech (no Access)
  D1 results table: test_results JSON · device_info summary · source_ip · user_email
  Campaign dashboard: tabs DNS / Network / HTTP / Access. Pass / Fail / Skip per policy. Scoped by user's CF API token access scope.

Results stored per account · each cfone-uat user sees only campaigns for accounts their API token can access