Business Continuity Guide
This guide helps you build business continuity strategies for the Cloudflare One Client by documenting available disconnection mechanisms and providing decision guidance for handling service degradation or infrastructure unavailability.
The Cloudflare One Client operates on Cloudflare's globally distributed network with 300+ points of presence (PoPs) worldwide. Anycast routing automatically directs client connections to the nearest healthy PoP without manual intervention. The client maintains locally cached policies and continues enforcing security controls even when unable to reach Cloudflare's management systems.
For detailed architecture information, refer to the Cloudflare One Client documentation and the Cloudflare Network and Service Resilience Whitepaper ↗.
The mechanisms below help you execute fail-open decisions when needed. Document your decision criteria in advance and ensure appropriate stakeholders have authorization to trigger disconnection.
| Scenario | Mechanism | Guidance | Prerequisites and limitations |
|---|---|---|---|
Complete unavailability during Cloudflare infrastructure outage Example: Cloudflare management systems unreachable; Global Disconnection unavailable but users need Internet access to maintain business operations. | A customer-hosted HTTPS endpoint that clients poll for disconnect signals, operating independently of Cloudflare infrastructure. | Use when: Cloudflare's management systems are unreachable but you need to disconnect clients to restore Internet access. Guidance: Pre-configure this mechanism before outages occur. During an incident, update your endpoint to return Expected outcome: Clients disconnect within 1–2 polling intervals (configurable, default 60 seconds); users regain direct Internet access without security controls. | Prerequisites:
Limitations:
Security impact: Loss of all Zero Trust controls (same as Global Disconnection). |
Complete unavailability of client connectivity Example: Client cannot establish secure tunnel; users unable to access protected applications or filtered Internet. | Global Disconnection Instantly disconnect all Cloudflare One Clients from the secure tunnel via Dashboard or API. | Use when: You need immediate fleet-wide disconnection and Cloudflare's management systems are reachable. Guidance: Check the Cloudflare status page first. If Cloudflare infrastructure is experiencing issues, this mechanism may be unavailable — use External Emergency Disconnect instead. Expected outcome: All clients disconnect within seconds; users have direct Internet access without filtering, threat protection, or private application connectivity. | Prerequisites:
Limitations:
Security impact:
|
Individual device issue requiring immediate local override Example: Single user locked out due to policy misconfiguration; client switch disabled but user needs emergency access. | Admin Override Codes Time-limited, single-use codes allowing IT administrators to temporarily unlock client settings on a specific device. | Use when: An individual device requires immediate attention. This is the only option for iOS and Android users when External Emergency Disconnect is unavailable. Guidance: Generate the code in the Dashboard, provide it to the user over a secure channel, and have the user enter it locally to temporarily bypass the locked switch. Expected outcome: Temporary local override allowing the user to disconnect the client for one hour. | Prerequisites:
Limitations:
Security impact: Single device loses Zero Trust controls for one hour. |
Degraded performance impacting user productivity Example: High latency through client tunnel; intermittent connection drops affecting work quality. | Graduated response strategy Use a combination of mechanisms based on scope and severity. Use Digital Experience (DEX) to determine scope and severity. | Guidance by scope:
Decision factors: Balance user productivity needs against security requirements. For regulated industries, consult your compliance team before disconnecting. Expected outcome: Restored user productivity with a documented security trade-off. | Prerequisites:
Limitations:
Security impact: Scope-dependent — refer to individual mechanism entries above. |
Management dashboard unavailable, traffic processing normally Example: Dashboard and API unreachable; edge services and client connections remain functional with cached policies. | No action required Edge services continue operating using cached configurations. New configuration changes will be unavailable until management systems recover. | Use when: Cloudflare's management systems are unavailable but user traffic continues processing normally. Guidance: Monitor the Cloudflare status page. No customer action is typically required — edge services enforce cached policies until management systems recover. Expected outcome: Existing configuration continues to apply; configuration changes resume when management systems recover. | Prerequisites:
Limitations:
Security impact: None — security controls remain active. |
- Turn on the Global Disconnection feature in the Dashboard.
- Configure an External Emergency Disconnect endpoint and upload the certificate fingerprint.
- Test all mechanisms in a non-production environment.
- Document fail-open vs. fail-closed decision criteria and create an authorization matrix.
- Validate that IT and Security staff have backup mechanisms to access critical infrastructure.
- Practice using backup mechanisms regularly across departments and geographies.
Access and credentials needed during incidents:
- Cloudflare Dashboard administrator access
- API token with device settings permissions (for programmatic control)
- MDM administrator credentials (for group-differentiated responses)
- Use a dedicated test organization or tenant for initial validation.
- Test with a small pilot group before fleet-wide deployment.
- Conduct quarterly testing of all three disconnection mechanisms.
- Run an annual full business continuity exercise including decision-making scenarios.
Common testing issues:
- External Emergency Disconnect changes take 1–2 polling intervals to take effect (default 60 seconds).
- Split Tunnel Include mode automatically excludes emergency endpoint IPs.
- Certificate fingerprint changes require MDM re-deployment to all affected devices.
When you disconnect the Cloudflare One Client, the following controls are affected:
- Web filtering and threat protection: DNS and HTTP policies stop enforcing; users have direct, unfiltered Internet access.
- Data loss prevention (DLP): Content inspection stops; sensitive data uploads and downloads occur without DLP controls.
- Private application access: Connectivity to applications protected by Cloudflare Tunnel is lost. Consider alternative access methods such as a direct VPN for critical applications.
- Gateway logging and analytics: No visibility into user traffic during disconnection.
Contact support immediately if:
- A suspected Cloudflare infrastructure issue is affecting multiple customers.
- You are unable to access the Dashboard during a critical security incident.
- An External Emergency Disconnect misconfiguration has caused a fleet-wide stuck state.
Information to provide when opening a ticket:
- Account ID and organization name
- Affected device count and platform distribution
- Results of your Cloudflare status page check
- Client diagnostic logs (
warp-diag) - Timeline and troubleshooting steps already taken
| Resource | Link |
|---|---|
| Product documentation | Cloudflare One Client documentation |
| API reference | Zero Trust Devices Settings API ↗ |
| Global Disconnection | Global Disconnection settings |
| External Emergency Disconnect | External Emergency Disconnect documentation |
| Admin Override Codes | Admin Override Codes |
| MDM deployment | MDM Deployment Guide |
| Terraform provider | Cloudflare Terraform Provider – Zero Trust Devices ↗ |
| Status page | cloudflarestatus.com ↗ |
| Troubleshooting | Client Troubleshooting Guide |
| Resilience Whitepaper | Cloudflare Network and Service Resilience Whitepaper ↗ |