|
| 1 | +--- |
| 2 | +title: Cloudflare One Gateway New Order of Enforcement |
| 3 | +description: Gateway Network policies (Layer 4) will be evaluated before HTTP (Layer 7) policies |
| 4 | +products: |
| 5 | + - gateway |
| 6 | +hidden: false |
| 7 | +date: 2025-06-18T11:00:00Z |
| 8 | +--- |
| 9 | +Gateway will now evaluate **Network (Layer 4) policies before HTTP (Layer 7) policies**. This change will not weaken your security posture or change the traffic filtered by your policies. However, for a smooth transition, we ask that you review your policy configuration ahead of the rollout. **A review of your policies is only required if you have HTTP policies applied in your account.** |
| 10 | + |
| 11 | +Starting the **week of July 14th, 2025 through July 18th, 2025** we will begin progressively rolling out this change across our data centers worldwide. |
| 12 | + |
| 13 | +**Previous Order of Enforcement:** |
| 14 | + |
| 15 | +1. DNS Policies |
| 16 | +2. HTTP Policies |
| 17 | +3. Network Policies |
| 18 | + |
| 19 | +**New Order of Enforcement:** |
| 20 | + |
| 21 | +1. DNS Policies |
| 22 | +2. **Network Policies** |
| 23 | +3. **HTTP Policies** |
| 24 | + |
| 25 | +**Importantly, this change will not weaken your security posture. Gateway will continue to filter all traffic filtered by your policies today.** The fundamental logic of your policies will not change. The new order simply ensures that Gateway evaluates network-level policies before application-level HTTP policies. |
| 26 | + |
| 27 | +--- |
| 28 | + |
| 29 | +### Action Required if using HTTP policies: Review Policy Notifications |
| 30 | + |
| 31 | +While your security is unaffected, this change may alter the notification your users see when traffic is blocked. **We recommend customers with HTTP policies review their configuration.** |
| 32 | + |
| 33 | +**Example Scenario:** |
| 34 | +Consider if you have: |
| 35 | + |
| 36 | +- An **HTTP policy** to block `example.com` that is configured to **show a block page**. |
| 37 | +- A **Network policy** to block traffic to `example.com` with **no block notification** enabled. |
| 38 | + |
| 39 | +Under the new order, the Network policy will be evaluated first, and the traffic will be blocked silently. Your user will **not** see the block page from the HTTP policy. |
| 40 | + |
| 41 | +To ensure users continue to receive a notification, you can either **add a client notification to your Network policy** or rely solely on your HTTP policy for that traffic. |
| 42 | + |
| 43 | +--- |
| 44 | + |
| 45 | +### Why We're Making This Change |
| 46 | + |
| 47 | +This update is based on user feedback and aims to: |
| 48 | + |
| 49 | +- Create a more intuitive model by evaluating network-level policies before application-level policies. |
| 50 | +- Minimize 526 connection errors by verifying the network path to an origin before attempting to establish a decrypted TLS connection. |
| 51 | + |
| 52 | +--- |
| 53 | + |
| 54 | +If applying HTTP policies, please review them before **July 14, 2025,** to ensure your user experience remains as intended. |
| 55 | + |
| 56 | +For more details, please see our [updated documentation on the order of enforcement](https://developers.cloudflare.com/cloudflare-one/policies/gateway/order-of-enforcement/). |
0 commit comments