Device posture checks with Split Tunnel (Include IPs and Domains)

Looking for some direction. I'd like to set up device posture checks (specifically Warp client checks) with Split Tunnels configured to Include mode. If the Split Tunnel is configured to the default Exclude mode, then everything works as expected. Going to https://help.one.cloudflare.com/ will show that the Device has Warp enabled and HTTP filtering has Warp and Gateway. In Include mode, however, it does not seem to work even after including the Zero Trust domains mentioned in the documentation. Doing a Test run with a Policy that uses the Warp client checks succeeds, but going to https://help.one.cloudflare.com/ will show that the Device does not have Warp installed. Running warp-cli debug posture also returns nothing. Also potentially relevant: TLS decryption is enabled and the root certificate is installed manually on the device (Linux). Is there something I can do to debug this? My assumption is that there are more routes that actually need to be included in the Split Tunnel configuration if Warp client checks are desired.
1 Reply
alvin (OP), 4mo ago
Ah, never mind, it was my mistake. I realize now that every domain where the Warp client checks can be done should be added to the list of domains included. So https://help.one.cloudflare.com/, for example, does not show the correct diagnostics unless I also include that in the Split Tunnel. I overlooked the importance of the entry that mentions that the application protected by the Access or Gateway policy needs to be added to the Split Tunnel.
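The resolution above can be turned into a pre-flight check. The following is an added example, not part of the thread and not Cloudflare code: it reports which hostnames or IPs where posture checks are evaluated are missing from an Include-mode list. The matching rule (a bare domain also covers its subdomains, a `*.` entry covers subdomains only) is an assumption to confirm against the Split Tunnel documentation, and every list entry except help.one.cloudflare.com is constructed.

```python
import ipaddress

# Constructed sample Include-mode entries (placeholders, not a real configuration).
INCLUDE = ["10.0.0.0/8", "internal.example.com", "*.corp.example.com"]

# Places where posture is evaluated: the diagnostics page from the thread
# plus hypothetical protected applications.
TARGETS = ["help.one.cloudflare.com", "app.internal.example.com",
           "10.1.2.3", "corp.example.com"]


def covered(target, include_entries):
    """True if a hostname or IP literal falls inside any Include entry."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None                      # not an IP literal, treat as hostname
    host = target.lower().rstrip(".")
    for entry in include_entries:
        entry = entry.strip().lower()
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            net = None                 # entry is a domain, not a CIDR
        if net is not None:
            if ip is not None and ip.version == net.version and ip in net:
                return True
            continue
        if ip is not None:
            continue                   # domain entries never match an IP literal
        if entry.startswith("*."):
            # Assumed rule: wildcard matches subdomains but not the apex.
            if host.endswith(entry[1:]):
                return True
        elif host == entry or host.endswith("." + entry):
            # Assumed rule: bare domain matches itself and its subdomains.
            return True
    return False


def missing_from_include(targets, include_entries):
    """Targets whose traffic would bypass the tunnel in Include mode."""
    return [t for t in targets if not covered(t, include_entries)]


if __name__ == "__main__":
    for t in missing_from_include(TARGETS, INCLUDE):
        print("not in Include list:", t)
```

Anything the function reports would leave the tunnel-bypassing path in Include mode, so Gateway or Access would not see WARP posture for it, which matches the symptom described in the question.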
