Skip to content

2025-06-18-new-order-of-enforcement.mdx #23087

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jun 18, 2025
Merged

2025-06-18-new-order-of-enforcement.mdx #23087

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2d6f8e8
2025-06-17-new-order-of-enforcement.mdx
Encore-Encore Jun 17, 2025
fc19770
Update 2025-06-17-new-order-of-enforcement.mdx
nikitacano Jun 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 49 additions & 0 deletions src/content/changelog/gateway/2025-06-17-new-order-of-enforcement.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
---
title: Gateway will now evaluate Network policies before HTTP policies from July 14th, 2025
description: Gateway Network policies (Layer 4) will be evaluated before HTTP (Layer 7) policies from July 14th, 2025
products:
- gateway
hidden: false
date: 2025-06-18T11:00:00Z
---
[Gateway](/cloudflare-one/policies/gateway/) will now evaluate [Network (Layer 4) policies](/cloudflare-one/policies/gateway/network-policies/) **before** [HTTP (Layer 7) policies](/cloudflare-one/policies/gateway/http-policies/). This change preserves your existing security posture and does not affect which traffic is filtered — but it may impact how notifications are displayed to end users.

This change will roll out progressively between **July 14–18, 2025**. If you use HTTP policies, we recommend reviewing your configuration ahead of rollout to ensure the user experience remains consistent.

### Updated order of enforcement

**Previous order:**
1. DNS policies
2. HTTP policies
3. Network policies

**New order:**
1. DNS policies
2. **Network policies**
3. **HTTP policies**

### Action required: Review your Gateway HTTP policies

This change may affect block notifications. For example:

- You have an **HTTP policy** to block `example.com` and display a block page.
- You also have a **Network policy** to block `example.com` silently (no client notification).

With the new order, the Network policy will trigger first — and the user will no longer see the HTTP block page.

To ensure users still receive a block notification, you can:
- Add a client notification to your Network policy, or
- Use only the HTTP policy for that domain.

---

### Why we’re making this change

This update is based on user feedback and aims to:

- Create a more intuitive model by evaluating network-level policies before application-level policies.
- Minimize [526 connection errors](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526/#error-526-in-the-zero-trust-context) by verifying the network path to an origin before attempting to establish a decrypted TLS connection.

---

To learn more, visit the [Gateway order of enforcement documentation](/cloudflare-one/policies/gateway/order-of-enforcement/).
Loading