Split Tunnels can be configured to exclude or include IP addresses or domains from going through WARP. This feature is commonly used to run WARP alongside a VPN (in Exclude mode) or to provide access to a specific private network (in Include mode).Split Tunnels only impacts the flow of IP traffic. DNS requests are still resolved by Gateway and subject to DNS policies unless you add the domains to your Local Domain Fallback configuration.
Changes made to your Split Tunnel configuration are immediately propagated to clients. Because Split Tunnels controls what Gateway has visibility on at the network level, we recommend testing all changes before rolling out updates to end users.
Change Split Tunnels mode
- In Zero TrustOpen external link, go to Settings > WARP Client.
- Under Device settings, locate the device profile you would like to modify and select Configure.
- Scroll down to Split Tunnels.
- (Optional) To view your existing Split Tunnel configuration, select Manage. You will see a list of the IPs and domains Cloudflare Zero Trust excludes or includes, depending on the mode you have selected. We recommend making a copy of your Split Tunnel entries, as they will revert to the default upon switching modes.
- Under Split Tunnels, choose a mode:
- Exclude IPs and domains — (Default) All traffic will be sent to Cloudflare Gateway except for the IPs and domains you specify.
- Include IPs and Domains — Only traffic destined to the IPs or domains you specify will be sent to Cloudflare Gateway. All other traffic will bypass Gateway and will no longer be filtered by your network or HTTP policies. In order to use certain features, you will need to manually add Zero Trust domains.
All clients with this device profile will now switch to the new mode and its default route configuration. Next, add or remove routes from your Split Tunnel configuration.