[Gateway] 526 order of enforcement (cloudflare#22621)

maxvp · sdnts · commit 113ed120e0cb · 2025-07-24T16:06:03.000-04:00
diff --git a/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx b/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx
@@ -2,7 +2,77 @@
 {}
 ---
 
-import { Render } from "~/components";
+import { Render, Details } from "~/components";
+
+:::caution[Order of enforcement changing on 2025-07-14]
+On 2025-07-14, Gateway will begin evaluating network-level policies before application-level policies and verify the network path to an origin server before accepting a connection. This will only affect your policies if you are applying HTTP policies in your account. For example:
+
+<Details header="Comparison of old and new order of enforcement">
+
+|                                                | Old order of enforcement                                                                                               | New order of enforcement                                                                                                                |
+| ---------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- |
+| **Network Block policy and HTTP Block policy** | Gateway blocks traffic and displays the block page and/or follows the client notification settings on the HTTP policy. | Gateway blocks traffic. Gateway does not display the block page but will follow the client notification settings on the Network policy. |
+| **Network Allow policy and HTTP Block policy** | Gateway blocks traffic and displays the block page and follows the client notification settings on the HTTP policy.    | No change.                                                                                                                              |
+| **Network Block policy and HTTP Allow policy** | Gateway blocks traffic and follows the client notification settings on the Network policy.                             | No change.                                                                                                                              |
+
+```mermaid
+flowchart TB
+    %% Accessibility
+    accTitle: Gateway order of enforcement
+    accDescr: Flowchart describing the order of enforcement for Gateway policies.
+
+ subgraph Resolution["Resolution"]
+        dns2["1.1.1.1"]
+        dns4["Custom resolver"]
+        dns3["Resolver policies <br>(Enterprise users only)"]
+        internal["Internal DNS"]
+  end
+ subgraph DNS["DNS"]
+        dns1["DNS policies"]
+        Resolution
+  end
+ subgraph HTTP["HTTP policies"]
+        http1{{"Do Not Inspect policies"}}
+        http2["Isolate policies  <br>(with Browser Isolation add-on)"]
+        http3["Allow, Block, Do Not Scan, Quarantine, and Redirect policies, DLP, and anti-virus scanning"]
+        https["HTTP (port 80) or<br>HTTPS (port 443)?"]
+  end
+ subgraph Proxy["Proxy"]
+        HTTP
+        network1["Network policies"]
+        nonhttp["Non-HTTP(S) traffic"]
+  end
+ subgraph Egress["Egress"]
+        egress1["Egress policies <br>(Enterprise users only)"]
+  end
+    start(["Traffic"]) --> dns0[/"DNS query"/] & http0["Network connections"]
+    dns0 ----> dns1
+    dns1 -- Resolved by --> dns2
+    dns1 --> dns3
+    dns3 -- Resolved by --> dns4
+    dns2 -----> internet(["Internet"])
+    dns4 -----> internet
+    dns4 ---> cloudflare["Private network services <br>(Cloudflare Tunnel, Magic WAN, WARP Connector)"]
+    http1 -- Do Not Inspect --> internet
+    http1 -- Inspect --> http2
+    http2 --> http3
+    http0 --> magic["Magic Firewall (Enterprise users only)"]
+    magic --> egress1
+    egress1 --> tcp["Check for origin availability (TCP SYN)"]
+    tcp --> network1
+    http3 --> internet
+    https -- HTTPS --> http1
+    https -- HTTP --> http2
+    network1 --> https & nonhttp
+    dns3 -- Resolved by --> internal & dns2
+    nonhttp -----> internet
+
+    https@{ shape: hex}
+    http0@{ shape: lean-r}
+```
+
+</Details>
+:::
 
 ```mermaid
 flowchart TB
@@ -118,11 +188,11 @@ Gateway applies HTTP policies based on a combination of [action type](/cloudflar
 1. All Do Not Inspect policies are evaluated first, in order of precedence.
 2. If no policies match, all Isolate policies are evaluated in order of precedence.
 3. All Allow, Block and Do Not Scan policies are evaluated in order of precedence.
+4. The body of the HTTP request, including Data Loss Prevention (DLP), AV scanning, and file sandboxing, is evaluated.
 
 This order of enforcement allows Gateway to first determine whether decryption should occur. If a site matches a Do Not Inspect policy, it is automatically allowed through Gateway and bypasses all other HTTP policies.
 
 :::note
-
 The only exception is if you are using [Clientless Web Isolation](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/) — all sites within the clientless remote browser are implicitly isolated even if they match a Do Not Inspect policy.
 :::
 
