This four-day instructor-led bootcamp teaches Cloudflare Zero Trust and SASE architecture through a combination of lecture, live demonstration, and hands-on lab exercises. Students build a working Zero Trust deployment from scratch using a dedicated Cloudflare Enterprise lab environment, progressing from identity and endpoint configuration through private networking, application access, content filtering, and site connectivity.
Day 5 is a group presentation exercise where students apply the full stack to a real-world deployment scenario.
| Day | Focus | Modules | Labs |
|---|---|---|---|
| Day 1 | Foundation: Identity, Endpoints, and the Client | Modules 1–3 | Labs 1–5: Identity, profiles, client deployment, posture/DEX, internal DNS (29 exercises) |
| Day 2 | Connectivity: Tunnels, Access, and Private Networking | Modules 4–5 | Labs 6–13: Tunnel, DNS location, self-hosted apps, browser-rendered SSH/RDP, intranet, public-IP lockdown, App Launcher/JWT, private-network ZTNA (43 exercises) |
| Day 3 | Policy: Gateway Filtering, RBI, DLP, and DNS | Modules 6–7 | Labs 14–17: DNS/HTTP/Network policies, Browser Isolation, TLS handling, order-of-enforcement, DLP, SWG advanced (24 exercises) |
| Day 4 | Architecture: WAN, Mesh, Operations, and Project Delivery | Modules 8–10 | Lab 18: Cloudflare Mesh (3 exercises) / Group scenario assignment |
| Day 5 | Group Presentations | — | Teams present their deployment designs to the class |
Sets the foundation: why the perimeter model broke, the four use cases that drive every deployment (secure remote access, SWG, site connectivity, application security), the Cloudflare One reference architecture, the five SASE service categories, and the component vocabulary students will use for the rest of the course. Includes a guided tour of the Cloudflare One dashboard.
Deep dive into the endpoint agent: how the Cloudflare One Client connects to Cloudflare's edge, the five operational modes (Gateway with WARP, Gateway with DoH, Secure Web Gateway, Proxy Only, Device Information Only), Managed Networks for location-aware behavior, device profiles and split tunnel configuration, and production deployment via MDM/MSI with the mdm.xml override file.
Device posture checks (OS version, disk encryption, firewall state, domain membership), Digital Experience Monitoring (DEX) for synthetic probing and fleet health, captive portal detection and third-party agent coexistence, and the warp-diag troubleshooting toolkit for support escalations.
How cloudflared works as a proxy (not a router), scaling with replicas and load balancing, creating tunnels via the dashboard and CLI, global vs. per-datacenter tunnel architecture, hostname-based routing with CGNAT addressing, and tunnel diagnostics with cloudflared tunnel diag.
The three Access deployment patterns (self-hosted, SaaS, Infrastructure), Access policy evaluation logic, the CF_Authorization JWT cookie and how it enables SSO, service tokens for machine-to-machine authentication, the App Launcher for end-user discovery, Independent MFA, and Access for Infrastructure (browser-rendered SSH and RDP with command logging).
How Access and Gateway divide responsibility, the three enforcement layers (DNS, Network, HTTP), building an HTTP policy stack with recommended baselines, TLS decryption and Do Not Inspect bypass rules, Remote Browser Isolation for grey-area content, Data Loss Prevention with built-in and custom detection profiles, CASB integration, and antivirus sandboxing.
DNS resolver policies and DNS Override, egress policies with dedicated IPs and virtual networks, Protective DNS and DNS Locations for clientless branch-office security, Gateway troubleshooting methodology, and solving the overlapping-IP problem in M&A scenarios.
Architectural comparison of cloudflared tunnels, Cloudflare Mesh (formerly WARP Connector), and Cloudflare WAN (formerly Magic WAN). When to use each, how the routing tables interact, CGNAT addressing across accounts, WARP-to-WARP direct device communication, and SCIM provisioning that ties the identity layer to the network layer.
What the dashboard shows and what it hides, Gateway logs (DNS, HTTP, Network) and the Logs dashboard, Network Session Logs and Log Explorer for SQL-style queries, Logpush for long-term retention to R2 or third-party SIEMs, tunnel diagnostics, and the “start from the beginning of the connection” troubleshooting methodology that works for every escalation.
The six-phase project lifecycle (initiation, design, pilot, production, automation, validation), pre-sales to post-sales handover, High-Level Design documentation, pilot testing strategy, production rollout with phased enforcement, Terraform and API automation at scale, and RBAC roles for multi-team management. Concludes with group scenario assignment for Day 5 presentations.
Each student receives a dedicated Cloudflare Enterprise lab environment with:
Lab 1 — Identity & Account Baseline (7 exercises) — Integrate a SAML identity provider, configure account-wide baseline settings (TLS decryption, protocol detection, malware scanning), and stand up the Access organization.
Lab 2 — Device Profile & Enrollment Setup (6 exercises) — Build device profiles with split tunnel, local domain fallback, and managed-network rules. Set up enrollment policies tied to the IdP.
Lab 3 — Deploy the Cloudflare One Client (6 exercises) — Deploy the Cloudflare One Client via MSI with the organization parameter, enroll the Windows 11 client, and verify enrollment in the dashboard.
Lab 4 — Posture, DEX & warp-diag (6 exercises) — Create OS, disk-encryption, and firewall posture checks; configure DEX synthetic tests with alerting; collect and inspect warp-diag bundles.
Lab 5 — Internal DNS & Profile Lockdown (4 exercises) — Create internal DNS zones with views and resolver policies, then lock down the device profile so users can't disconnect or tamper.
Lab 6 — Cloudflare Tunnel & Routing (9 exercises) — Create a tunnel, install cloudflared on the Ubuntu origin, add private network routes, and verify IP-level and FQDN-based connectivity.
Lab 7 — DNS Location for Server-Side Filtering (1 exercise) — Create a DNS Location so the Ubuntu server's own DNS queries flow through Gateway.
Lab 8 — Self-Hosted Web & SSH Apps (7 exercises) — Publish the Ubuntu web server and intranet (two ports through one tunnel) as Access-protected HTTPS apps and publish browser-rendered SSH.
Lab 9 — Browser-Rendered RDP, Multi-User & Pre-Login (9 exercises) — Stand up browser-rendered RDP, exercise multi-user enrollment with per-user log attribution, and demonstrate the pre-login flow using service tokens.
Lab 10 — Intranet App Through Lab-Tunnel (3 exercises) — Publish the second intranet service through the same tunnel using a different hostname.
Lab 11 — Public-IP Lockdown (1 exercise) — Prove the tunnel is the only path by removing public-IP reachability from the origin.
Lab 12 — App Launcher, JWT Inspection & Policy Tester (3 exercises) — Enable the App Launcher, inspect the CF_Authorization JWT, and validate behavior with the Policy Tester.
Lab 13 — Private-Network ZTNA & Posture-Based Blocking (10 exercises) — Enable WARP Authentication Identity, build private-network Access apps for IP-based access, deploy a three-policy posture stack (posture-fail block, cleanup allow, implicit deny), and demonstrate posture-based access revocation.
Lab 14 — DNS & HTTP Policies with Browser Isolation (7 exercises) — Deploy DNS and HTTP recommended policy baselines and create Browser Isolation policies with clipboard, print, and upload restrictions.
Lab 15 — TLS Bypass, Cert Handling & Network Policies (7 exercises) — Configure TLS inspection bypass with certificate verification, create an untrusted-certificate isolation policy, and build targeted Network policies (e.g., SMTP port 25 block).
Lab 16 — Order-of-Enforcement, DLP Basics & Mode-Switch Prediction (4 exercises) — Run the order-of-enforcement prediction exercise across all three tiers, build a DLP policy for financial data, and run the mode-switch prediction across Gateway with WARP/DoH/Traffic-only modes.
Lab 17 — SWG Advanced (6 exercises) — Create a custom Gateway block page, enable clientless Remote Browser Isolation, build a custom DLP detection entry with regex pattern matching and payload encryption (and decrypt a match from the logs), configure a Gateway Authorization Proxy with PAC file for agentless devices, and verify tenant control via custom HTTP header injection.
Lab 18 — Cloudflare Mesh on the Ubuntu Server (3 exercises) — Create a dedicated device profile for the Mesh connector identity, install Cloudflare Mesh on the Ubuntu origin alongside the existing tunnel, and verify that Gateway DNS and HTTP policies apply to the server's own internet traffic.
On Day 4 afternoon, each team is assigned one of three real-world deployment scenarios to design and present on Day 5:
| Product | Course Coverage |
|---|---|
| Cloudflare One Client | Deployment, configuration, 5 modes, device profiles, split tunnel, MDM, posture, DEX, multi-user, pre-login |
| Cloudflare Tunnel | Creation, private routes, public hostnames, replicas, diagnostics, debug logging |
| Cloudflare Access | Self-hosted apps, browser-rendered SSH and RDP, private-network ZTNA, App Launcher, service tokens, Infrastructure Access, JWT inspection, Policy Tester |
| Cloudflare Gateway | DNS/HTTP/Network policies, recommended baselines, TLS decryption, Do Not Inspect, Browser Isolation (client and clientless), DLP (built-in and custom), custom block pages, proxy endpoints, PAC files, tenant control |
| Cloudflare Mesh | Connector deployment, device profile configuration, server-side Gateway policy enforcement |
| Cloudflare WAN | Architecture comparison, when to use vs. Tunnel/Mesh (lecture) |
| Internal DNS | Zones, views, resolver policies |
| DEX | Synthetic tests, remote diagnostics, alerting |
| Notifications | DEX alerts, tunnel health alerts |
| DLP | Built-in profiles, custom detection entries, regex patterns, payload encryption and decryption |
| CASB | Overview and integration patterns (lecture) |