From 2d6f8e8e26a9e2838c08cb983ad52fc203b06b74 Mon Sep 17 00:00:00 2001 From: Ankur Aggarwal Date: Tue, 17 Jun 2025 15:49:19 -0700 Subject: [PATCH 1/2] 2025-06-17-new-order-of-enforcement.mdx Notify customers of the upcoming order of enforcement change. --- .../2025-06-17-new-order-of-enforcement.mdx | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 src/content/changelog/gateway/2025-06-17-new-order-of-enforcement.mdx diff --git a/src/content/changelog/gateway/2025-06-17-new-order-of-enforcement.mdx b/src/content/changelog/gateway/2025-06-17-new-order-of-enforcement.mdx new file mode 100644 index 000000000000000..836a25cf7f887eb --- /dev/null +++ b/src/content/changelog/gateway/2025-06-17-new-order-of-enforcement.mdx 
@@ -0,0 +1,56 @@ +--- +title: Cloudflare One Gateway New Order of Enforcement +description: Gateway Network policies (Layer 4) will be evaluated before HTTP (Layer 7) policies +products: + - gateway +hidden: false +date: 2025-06-18T11:00:00Z +--- +Gateway will now evaluate **Network (Layer 4) policies before HTTP (Layer 7) policies**. This change will not weaken your security posture or change the traffic filtered by your policies. However, for a smooth transition, we ask that you review your policy configuration ahead of the rollout. **A review of your policies is only required if you have HTTP policies applied in your account.** + +Starting the **week of July 14th, 2025 through July 18th, 2025** we will begin progressively rolling out this change across our data centers worldwide. + +**Previous Order of Enforcement:** + +1. DNS Policies +2. HTTP Policies +3. Network Policies + +**New Order of Enforcement:** + +1. DNS Policies +2. **Network Policies** +3. **HTTP Policies** + +**Importantly, this change will not weaken your security posture. Gateway will continue to filter all traffic filtered by your policies today.** The fundamental logic of your policies will not change. The new order simply ensures that Gateway evaluates network-level policies before application-level HTTP policies. + +--- + +### Action Required if using HTTP policies: Review Policy Notifications + +While your security is unaffected, this change may alter the notification your users see when traffic is blocked. **We recommend customers with HTTP policies review their configuration.** + +**Example Scenario:** +Consider if you have: + +- An **HTTP policy** to block `example.com` that is configured to **show a block page**. +- A **Network policy** to block traffic to `example.com` with **no block notification** enabled. + +Under the new order, the Network policy will be evaluated first, and the traffic will be blocked silently. Your user will **not** see the block page from the HTTP policy. 
+ +To ensure users continue to receive a notification, you can either **add a client notification to your Network policy** or rely solely on your HTTP policy for that traffic. + +--- + +### Why We're Making This Change + +This update is based on user feedback and aims to: + +- Create a more intuitive model by evaluating network-level policies before application-level policies. +- Minimize 526 connection errors by verifying the network path to an origin before attempting to establish a decrypted TLS connection. + +--- + +If applying HTTP policies, please review them before **July 14, 2025,** to ensure your user experience remains as intended. + +For more details, please see our [updated documentation on the order of enforcement](https://developers.cloudflare.com/cloudflare-one/policies/gateway/order-of-enforcement/). From fc197701fc34f6a6ba33565a1ddaf2c8666e666e Mon Sep 17 00:00:00 2001 From: Nikita Cano <48366124+nikitacano@users.noreply.github.com> Date: Wed, 18 Jun 2025 11:07:25 +0100 Subject: [PATCH 2/2] Update 2025-06-17-new-order-of-enforcement.mdx --- .../2025-06-17-new-order-of-enforcement.mdx | 55 ++++++++----------- 1 file changed, 24 insertions(+), 31 deletions(-) diff --git a/src/content/changelog/gateway/2025-06-17-new-order-of-enforcement.mdx b/src/content/changelog/gateway/2025-06-17-new-order-of-enforcement.mdx index 836a25cf7f887eb..061c9c98d7cf4f1 100644 --- a/src/content/changelog/gateway/2025-06-17-new-order-of-enforcement.mdx +++ b/src/content/changelog/gateway/2025-06-17-new-order-of-enforcement.mdx 
@@ -1,56 +1,49 @@ --- -title: Cloudflare One Gateway New Order of Enforcement -description: Gateway Network policies (Layer 4) will be evaluated before HTTP (Layer 7) policies +title: Gateway will now evaluate Network policies before HTTP policies from July 14th, 2025 +description: Gateway Network policies (Layer 4) will be evaluated before HTTP (Layer 7) policies from July 14th, 2025 products: - gateway hidden: false date: 2025-06-18T11:00:00Z --- -Gateway will now evaluate **Network (Layer 4) policies before HTTP (Layer 7) policies**. This change will not weaken your security posture or change the traffic filtered by your policies. However, for a smooth transition, we ask that you review your policy configuration ahead of the rollout. **A review of your policies is only required if you have HTTP policies applied in your account.** +[Gateway](/cloudflare-one/policies/gateway/) will now evaluate [Network (Layer 4) policies](/cloudflare-one/policies/gateway/network-policies/) **before** [HTTP (Layer 7) policies](/cloudflare-one/policies/gateway/http-policies/). This change preserves your existing security posture and does not affect which traffic is filtered — but it may impact how notifications are displayed to end users. -Starting the **week of July 14th, 2025 through July 18th, 2025** we will begin progressively rolling out this change across our data centers worldwide. +This change will roll out progressively between **July 14–18, 2025**. If you use HTTP policies, we recommend reviewing your configuration ahead of rollout to ensure the user experience remains consistent. -**Previous Order of Enforcement:** +### Updated order of enforcement -1. DNS Policies -2. HTTP Policies -3. Network Policies +**Previous order:** +1. DNS policies +2. HTTP policies +3. Network policies -**New Order of Enforcement:** +**New order:** +1. DNS policies +2. **Network policies** +3. **HTTP policies** -1. DNS Policies -2. **Network Policies** -3. 
**HTTP Policies** +### Action required: Review your Gateway HTTP policies -**Importantly, this change will not weaken your security posture. Gateway will continue to filter all traffic filtered by your policies today.** The fundamental logic of your policies will not change. The new order simply ensures that Gateway evaluates network-level policies before application-level HTTP policies. +This change may affect block notifications. For example: ---- - -### Action Required if using HTTP policies: Review Policy Notifications - -While your security is unaffected, this change may alter the notification your users see when traffic is blocked. **We recommend customers with HTTP policies review their configuration.** +- You have an **HTTP policy** to block `example.com` and display a block page. +- You also have a **Network policy** to block `example.com` silently (no client notification). -**Example Scenario:** -Consider if you have: +With the new order, the Network policy will trigger first — and the user will no longer see the HTTP block page. -- An **HTTP policy** to block `example.com` that is configured to **show a block page**. -- A **Network policy** to block traffic to `example.com` with **no block notification** enabled. - -Under the new order, the Network policy will be evaluated first, and the traffic will be blocked silently. Your user will **not** see the block page from the HTTP policy. - -To ensure users continue to receive a notification, you can either **add a client notification to your Network policy** or rely solely on your HTTP policy for that traffic. +To ensure users still receive a block notification, you can: +- Add a client notification to your Network policy, or +- Use only the HTTP policy for that domain. --- -### Why We're Making This Change +### Why we’re making this change This update is based on user feedback and aims to: - Create a more intuitive model by evaluating network-level policies before application-level policies. 
-- Minimize 526 connection errors by verifying the network path to an origin before attempting to establish a decrypted TLS connection. +- Minimize [526 connection errors](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526/#error-526-in-the-zero-trust-context) by verifying the network path to an origin before attempting to establish a decrypted TLS connection. --- -If applying HTTP policies, please review them before **July 14, 2025,** to ensure your user experience remains as intended. - -For more details, please see our [updated documentation on the order of enforcement](https://developers.cloudflare.com/cloudflare-one/policies/gateway/order-of-enforcement/). +To learn more, visit the [Gateway order of enforcement documentation](/cloudflare-one/policies/gateway/order-of-enforcement/).
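Review bot: In the first patch, the sentence "A review of your policies is only required if you have HTTP policies applied in your account" does not match the scenario that follows, which needs both an HTTP policy and a silent Network policy matching the same destination; an account with HTTP policies alone sees no change in notification behaviour. Suggest narrowing it to something like "only required if you have HTTP policies whose destinations are also matched by Network policies". Also, the frontmatter `date: 2025-06-18T11:00:00Z` disagrees with the `2025-06-17` prefix of the filename; pick one so the changelog sorts and renders on the intended day.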
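Review bot: In the second patch, the new title "Gateway will now evaluate Network policies before HTTP policies from July 14th, 2025" combines "now" with a future effective date, which reads as contradictory; suggest "Gateway will evaluate Network policies before HTTP policies starting July 14, 2025", and the same for the `description` line. Separately, the remediation option "Use only the HTTP policy for that domain" deserves a caveat: dropping the Network (Layer 4) policy removes the block for non-HTTP traffic to that destination, since the HTTP (Layer 7) policy only covers traffic Gateway inspects as HTTP. Listing "Add a client notification to your Network policy" as the recommended option, with the second option noted as a coverage trade-off, would keep the advice consistent with the "preserves your existing security posture" claim above it.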