|
1 | 1 | --- |
2 | | -title: Cloudflare One Gateway New Order of Enforcement |
3 | | -description: Gateway Network policies (Layer 4) will be evaluated before HTTP (Layer 7) policies |
| 2 | +title: Gateway will now evaluate Network policies before HTTP policies from July 14th, 2025 |
| 3 | +description: Gateway Network policies (Layer 4) will be evaluated before HTTP (Layer 7) policies from July 14th, 2025 |
4 | 4 | products: |
5 | 5 | - gateway |
6 | 6 | hidden: false |
7 | 7 | date: 2025-06-18T11:00:00Z |
8 | 8 | --- |
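Review bot: the new title and description (new lines 2 and 3) say the change applies "from July 14th, 2025", while the body (new line 11) describes a progressive rollout "between July 14–18, 2025"; a reader skimming the changelog title may expect a hard cutover on July 14. Suggest "starting July 14, 2025" in the title and description so the two agree, and use one date style ("July 14" vs "July 14th") throughout.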
9 | | -Gateway will now evaluate **Network (Layer 4) policies before HTTP (Layer 7) policies**. This change will not weaken your security posture or change the traffic filtered by your policies. However, for a smooth transition, we ask that you review your policy configuration ahead of the rollout. **A review of your policies is only required if you have HTTP policies applied in your account.** |
| 9 | +[Gateway](/cloudflare-one/policies/gateway/) will now evaluate [Network (Layer 4) policies](/cloudflare-one/policies/gateway/network-policies/) **before** [HTTP (Layer 7) policies](/cloudflare-one/policies/gateway/http-policies/). This change preserves your existing security posture and does not affect which traffic is filtered — but it may impact how notifications are displayed to end users. |
10 | 10 |
|
11 | | -Starting the **week of July 14th, 2025 through July 18th, 2025** we will begin progressively rolling out this change across our data centers worldwide. |
| 11 | +This change will roll out progressively between **July 14–18, 2025**. If you use HTTP policies, we recommend reviewing your configuration ahead of rollout to ensure the user experience remains consistent. |
12 | 12 |
|
13 | | -**Previous Order of Enforcement:** |
| 13 | +### Updated order of enforcement |
14 | 14 |
|
15 | | -1. DNS Policies |
16 | | -2. HTTP Policies |
17 | | -3. Network Policies |
| 15 | +**Previous order:** |
| 16 | +1. DNS policies |
| 17 | +2. HTTP policies |
| 18 | +3. Network policies |
18 | 19 |
|
19 | | -**New Order of Enforcement:** |
| 20 | +**New order:** |
| 21 | +1. DNS policies |
| 22 | +2. **Network policies** |
| 23 | +3. **HTTP policies** |
20 | 24 |
|
21 | | -1. DNS Policies |
22 | | -2. **Network Policies** |
23 | | -3. **HTTP Policies** |
| 25 | +### Action required: Review your Gateway HTTP policies |
24 | 26 |
|
25 | | -**Importantly, this change will not weaken your security posture. Gateway will continue to filter all traffic filtered by your policies today.** The fundamental logic of your policies will not change. The new order simply ensures that Gateway evaluates network-level policies before application-level HTTP policies. |
| 27 | +This change may affect block notifications. For example: |
26 | 28 |
|
27 | | ---- |
28 | | - |
29 | | -### Action Required if using HTTP policies: Review Policy Notifications |
30 | | - |
31 | | -While your security is unaffected, this change may alter the notification your users see when traffic is blocked. **We recommend customers with HTTP policies review their configuration.** |
| 29 | +- You have an **HTTP policy** to block `example.com` and display a block page. |
| 30 | +- You also have a **Network policy** to block `example.com` silently (no client notification). |
32 | 31 |
|
33 | | -**Example Scenario:** |
34 | | -Consider if you have: |
| 32 | +With the new order, the Network policy will trigger first — and the user will no longer see the HTTP block page. |
35 | 33 |
|
36 | | -- An **HTTP policy** to block `example.com` that is configured to **show a block page**. |
37 | | -- A **Network policy** to block traffic to `example.com` with **no block notification** enabled. |
38 | | - |
39 | | -Under the new order, the Network policy will be evaluated first, and the traffic will be blocked silently. Your user will **not** see the block page from the HTTP policy. |
40 | | - |
41 | | -To ensure users continue to receive a notification, you can either **add a client notification to your Network policy** or rely solely on your HTTP policy for that traffic. |
| 34 | +To ensure users still receive a block notification, you can: |
| 35 | +- Add a client notification to your Network policy, or |
| 36 | +- Use only the HTTP policy for that domain. |
42 | 37 |
|
43 | 38 | --- |
44 | 39 |
|
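Review bot: the second remediation option (new line 36, "Use only the HTTP policy for that domain") reads as an instruction to remove the Network policy, which does change what is filtered at Layer 4 and sits uneasily next to new line 9's statement that the change "does not affect which traffic is filtered"; that statement is true of the reorder, not of deleting a policy. Suggest keeping the old line 41 phrasing ("rely solely on your HTTP policy for that traffic") and stating explicitly that the first option (adding a client notification to the Network policy) keeps both policies in place. Two smaller points in the same region: new line 32 drops old line 39's "the traffic will be blocked silently", so it is worth restating that the traffic is still blocked, only the block page is not shown; and the explicit review deadline from old line 54 ("before July 14, 2025") no longer appears in the Action required section, which is where an administrator will look for it.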
45 | | -### Why We're Making This Change |
| 40 | +### Why we’re making this change |
46 | 41 |
|
47 | 42 | This update is based on user feedback and aims to: |
48 | 43 |
|
49 | 44 | - Create a more intuitive model by evaluating network-level policies before application-level policies. |
50 | | -- Minimize 526 connection errors by verifying the network path to an origin before attempting to establish a decrypted TLS connection. |
| 45 | +- Minimize [526 connection errors](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526/#error-526-in-the-zero-trust-context) by verifying the network path to an origin before attempting to establish a decrypted TLS connection. |
51 | 46 |
|
52 | 47 | --- |
53 | 48 |
|
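Review bot: the new link at new line 45 adds a fragment (`#error-526-in-the-zero-trust-context`) that the old text did not carry; please confirm the heading with that exact slug exists on the 526 error page, since a stale fragment silently falls back to the top of the page and the Zero Trust context is the part readers of this changelog need.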
54 | | -If applying HTTP policies, please review them before **July 14, 2025,** to ensure your user experience remains as intended. |
55 | | - |
56 | | -For more details, please see our [updated documentation on the order of enforcement](https://developers.cloudflare.com/cloudflare-one/policies/gateway/order-of-enforcement/). |
| 49 | +To learn more, visit the [Gateway order of enforcement documentation](/cloudflare-one/policies/gateway/order-of-enforcement/). |