Skip to content

Cloudflare Docs

Products Learning Status Support Log in

GitHub X YouTube

Select theme

Cloudflare Zero Trust

Overview
Get started
Implementation guides
Identity
- Overview
- One-time PIN login
- Device posture
  - Overview
  - WARP client checks
    
    Overview
    Application check
    Carbon Black
    Client certificate
    Device serial numbers
    Device UUID
    Disk encryption
    Domain joined
    File check
    Firewall
    OS version
    Require Gateway
    Require WARP
    SentinelOne
  - Service providers
    
    Overview
    Custom integration
    CrowdStrike
    Kolide
    Microsoft Endpoint Manager
    SentinelOne
    Tanium
    Uptycs
    Workspace ONE
  - Access integrations
    
    Overview
    Mutual TLS
    Tanium
- User management
- Service tokens
- Authorization cookie
- SSO integration
Connections
- Overview
- Cloudflare Tunnel
  - Overview
  - Get started
    
    Overview
    Create a remotely-managed tunnel (dashboard)
    Create a locally-managed tunnel (CLI)
    Useful terms
  - Downloads
    
    Overview
    Update cloudflared
    License
    Copyrights
  - Configure a tunnel
    
    Overview
    Remotely-managed tunnel
    
    Locally-managed tunnel
    
    Overview
    Configuration file
    
    Run as a service
    
    Overview
    Linux
    macOS
    Windows
    
    Useful commands
    Tunnel permissions
    
    Origin configuration
    Tunnel run parameters
  - Deploy a tunnel
    
    Overview
    Tunnel with firewall
    Tunnel availability and failover
    System requirements
    
    Environments
    
    Overview
    Ansible
    AWS
    Azure
    GCP
    Kubernetes
    Terraform
  - Use cases
    
    Overview
    
    SSH
    
    Overview
    SSH with Access for Infrastructure New
    Self-managed SSH keys
    Browser-rendered SSH terminal
    SSH with client-side cloudflared (legacy)
    
    RDP
    SMB
    gRPC
  - Private networks
    
    Overview
    
    Connect private networks
    
    Overview
    Private DNS
    Virtual networks
    Load balancing
    
    Peer-to-peer connectivity
    
    WARP Connector
    
    Overview Beta
    Site-to-Internet
    Site-to-site
    User-to-site
    VPC deployments
  - Public hostnames
    
    Overview
    DNS records
    Load balancing
  - Monitor tunnels
    
    Overview
    Logs
    Notifications
    Metrics
  - Troubleshoot tunnels
    
    Overview
    Private network connectivity
    Common errors
  - Do more with Tunnel
    
    Overview
    Migrate legacy tunnels
    Quick Tunnels
- Connect devices
  - Overview
  - WARP
    
    Overview
    First-time setup
    
    Download WARP
    
    Overview
    Update WARP
    Migrate 1.1.1.1 app
    
    Deploy WARP
    
    Overview
    
    Managed deployment
    
    Overview
    
    Partners
    
    Overview
    Fleet
    Hexnode
    Intune
    Jamf
    JumpCloud
    Kandji
    
    Parameters
    Connect WARP before Windows login
    Multiple users on a Windows device Beta
    Switch between Zero Trust organizations
    
    Manual deployment
    Device enrollment permissions
    WARP with firewall
    WARP with legacy VPN
    
    Configure WARP
    
    Overview
    Device profiles
    
    WARP modes
    
    Overview
    Enable Device Information Only
    
    WARP settings
    
    Overview
    Captive portal detection
    
    Managed networks
    
    Route traffic
    
    Overview
    Local Domain Fallback
    Split Tunnels
    WARP architecture
    
    WARP sessions
    
    Troubleshoot WARP
    
    Overview
    Common issues
    Client errors
    Diagnostic logs
    Known limitations
    
    Remove WARP
  - Agentless options
    
    Overview
    
    DNS
    
    Locations
    
    Add locations
    DNS resolver IPs and hostnames
    
    DNS over TLS (DoT)
    DNS over HTTPS (DoH)
    
    HTTP
  - User-side certificates
    
    Overview
    Install certificate using WARP
    Install certificate manually
    Deploy custom certificate
Applications
- Overview
- Add web applications
- Non-HTTP applications
  - Overview
  - Add an infrastructure application New
  - Browser-rendered terminal
  - Client-side cloudflared
    
    Overview
    Enable automatic cloudflared authentication
    Arbitrary TCP
  - Short-lived certificates (legacy)
- Cloud Access Security Broker
  - Overview
  - Manage findings
  - Available integrations
    
    Overview
    Amazon Web Services (AWS) S3
    Atlassian Confluence
    Atlassian Jira
    Bitbucket Cloud
    Box
    Dropbox
    GitHub
    
    Google Workspace
    
    Overview
    Google Drive
    Gmail
    Google Admin
    Google Calendar
    
    Microsoft 365
    
    Overview
    Admin Center
    OneDrive
    SharePoint
    Outlook
    
    Salesforce
    ServiceNow
    Slack
  - Scan for sensitive data
  - Troubleshoot integrations
- Login page
- Block page
- Add bookmarks
- App Launcher
Policies
- Overview
- Secure Web Gateway
  - Overview
  - Get started
    
    DNS filtering
    Network filtering
    HTTP filtering
  - DNS policies
    
    Overview
    Common policies
    Test DNS filtering
    Timed DNS policies
  - Network policies
    
    Overview
    Common policies
    Protocol detection
    SSH proxy and command logs (legacy)
  - HTTP policies
    
    Overview
    Common policies
    TLS decryption
    HTTP/3 inspection
    Tenant control
    AV scanning
    File sandboxing
    WebSocket traffic
  - Egress policies
    
    Overview
    Dedicated egress IPs
  - Resolver policies Beta
  - Global policies
  - Applications and app types
  - Domain categories
  - Identity-based policies
  - Block page
  - Order of enforcement
  - Lists
  - Proxy
- Access
- Browser Isolation
  - Overview
  - Set up Browser Isolation
    
    Get started
    Clientless Web Isolation
    Non-identity on-ramps
  - Isolation policies
  - Extensions
  - Accessibility
  - Browser Isolation with firewall
  - Known limitations
- Data Loss Prevention
  - Overview
  - Scan HTTP traffic
    
    Create DLP policies
    Common policies
    Logging options
  - Scan SaaS apps ↗
  - DLP profiles
    
    Configure DLP profiles
    Predefined profiles
    Integration profiles
    Profile settings
  - DLP datasets
Insights
- Analytics
  - Shadow IT Discovery
  - Gateway analytics
- Email monitoring
- Digital Experience Monitoring
- Logs
  - Overview
  - User logs
  - Access audit logs
  - Gateway activity logs
    
    Overview
    Manage PII
  - Tunnel audit logs
  - Posture logs
  - Logpush integration
- Risk score
Email Security
- Overview
- Setup
  - Overview
  - Post-delivery deployment
    
    API deployment
    
    Overview
    Set up with Microsoft 365
    
    BCC/Journaling
    
    BCC setup
    
    Gmail BCC setup
    
    Overview
    Enable Gmail BCC integration
    Connect your domains
    Enable auto-moves
    
    Microsoft Exchange BCC setup
    
    Journaling setup
    
    Office 365 journaling setup
    Manually add domains
    Manage domains
- Directories
  - Overview
  - Manage Microsoft directories
    
    Overview
    Manage groups in your directory
    Manage users in your directory
  - Manage Email Security directories
- Detection settings
- Auto-move events
- PhishGuard
- Outbound Data Loss Prevention (DLP) Beta
- Reference
API and Terraform
- Overview
- Access API examples
- Gateway API examples
- Scoped API tokens
- Terraform
Reference architecture ↗
Tutorials
Account limits
Roles and permissions
Glossary
Changelog
FAQ

Products Learning Status Support Log in

GitHub X YouTube

Select theme

On this page

Overview
Prerequisites
Configure the SentinelOne check

On this page

Overview
Prerequisites
Configure the SentinelOne check

Was this helpful?

What did you like?

Accurate

Easy to understand

Solved my problem

Helped me decide to use the product

Other

What went wrong?

Hard to understand

Incorrect information

Missing the information

Other

Thank you for helping improve Cloudflare's documentation!

Products
Cloudflare Zero Trust
Identity
Device posture
WARP client checks
SentinelOne

SentinelOne

Cloudflare Zero Trust can check if SentinelOne ↗ is running on a device to determine if a request should be allowed to reach a protected resource.

Prerequisites

SentinelOne agent is deployed on the device.
Cloudflare WARP client is deployed on the device. For a list of supported modes and operating systems, refer to WARP Client Checks.

Configure the SentinelOne check

In Zero Trust ↗, go to Settings > WARP Client.
Scroll down to WARP client checks and select Add new.
Select SentinelOne.
You will be prompted for the following information:
1. Name: Enter a unique name for this device posture check.
2. Operating system: Select your operating system. You will need to configure one posture check per operating system.
3. Application Path: Enter the full path to the SentinelOne process to be checked (for example, C:\Program Files\SentinelOne\Sentinel Agent 21.7.4.1043\SentinelAgent.exe).
  
  The path of the SentinelOne process may change between updates. Make sure to edit Application Path to match the new path, or use %PATH% variables.
4. Signing certificate thumbprint (recommended): Enter the thumbprint of the publishing certificate used to sign the binary. This proves the binary came from SentinelOne and is the recommended way to validate the process.
5. SHA-256 (optional): Enter a SHA-256 value. This is used to validate the SHA256 signature of the binary and ensures the integrity of the binary file on the device. Note: do not fill out this field unless you strictly control updates to SentinelOne, as this will change between versions.

Next, go to Logs > Posture and verify that the SentinelOne check is returning the expected results.

Was this helpful?

What did you like?

Accurate

Easy to understand

Solved my problem

Helped me decide to use the product

Other

What went wrong?

Hard to understand

Incorrect information

Missing the information

Other

Thank you for helping improve Cloudflare's documentation!

Cloudflare Dashboard Discord Community Learning Center Support Portal