Commit a960a3a

2025-06-18-new-order-of-enforcement.mdx (#23087)
* 2025-06-17-new-order-of-enforcement.mdx

  Notify customers of the upcoming order of enforcement change.

* Update 2025-06-17-new-order-of-enforcement.mdx

---------

Co-authored-by: Nikita Cano <[email protected]>
1 parent eaaec2d commit a960a3a

1 file changed

+49
-0
lines changed

@@ -0,0 +1,49 @@
1+
---
2+
title: Gateway will now evaluate Network policies before HTTP policies from July 14th, 2025
3+
description: Gateway Network policies (Layer 4) will be evaluated before HTTP (Layer 7) policies from July 14th, 2025
4+
products:
5+
- gateway
6+
hidden: false
7+
date: 2025-06-18T11:00:00Z
8+
---
9+
[Gateway](/cloudflare-one/policies/gateway/) will now evaluate [Network (Layer 4) policies](/cloudflare-one/policies/gateway/network-policies/) **before** [HTTP (Layer 7) policies](/cloudflare-one/policies/gateway/http-policies/). This change preserves your existing security posture and does not affect which traffic is filtered — but it may impact how notifications are displayed to end users.
10+
11+
This change will roll out progressively between **July 14–18, 2025**. If you use HTTP policies, we recommend reviewing your configuration ahead of rollout to ensure the user experience remains consistent.
12+
13+
### Updated order of enforcement
14+
15+
**Previous order:**
16+
1. DNS policies
17+
2. HTTP policies
18+
3. Network policies
19+
20+
**New order:**
21+
1. DNS policies
22+
2. **Network policies**
23+
3. **HTTP policies**
24+
25+
### Action required: Review your Gateway HTTP policies
26+
27+
This change may affect block notifications. For example:
28+
29+
- You have an **HTTP policy** to block `example.com` and display a block page.
30+
- You also have a **Network policy** to block `example.com` silently (no client notification).
31+
32+
With the new order, the Network policy will trigger first — and the user will no longer see the HTTP block page.
33+
34+
To ensure users still receive a block notification, you can:
35+
- Add a client notification to your Network policy, or
36+
- Use only the HTTP policy for that domain.
37+
38+
---
39+
40+
### Why we’re making this change
41+
42+
This update is based on user feedback and aims to:
43+
44+
- Create a more intuitive model by evaluating network-level policies before application-level policies.
45+
- Minimize [526 connection errors](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526/#error-526-in-the-zero-trust-context) by verifying the network path to an origin before attempting to establish a decrypted TLS connection.
46+
47+
---
48+
49+
To learn more, visit the [Gateway order of enforcement documentation](/cloudflare-one/policies/gateway/order-of-enforcement/).
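
Review bot: The claim in the opening paragraph (added line 9) that the change "does not affect which traffic is filtered" is not backed by the only worked case, under "Action required", where the Network policy and the HTTP policy both block `example.com`. A reader auditing their rules cannot tell from this text what happens when the two layers carry different actions for the same destination. Suggest adding one sentence that states why the verdict is unchanged in that case, or narrowing the claim to the overlap the example covers. Separately, the title and description say Gateway "will now evaluate" Network policies first "from July 14th, 2025", while added line 11 describes a progressive rollout between July 14–18, 2025; align the title with the rollout window so that an account still on the previous order during that week matches what the entry promises.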
