Date: 2025-06-17

Gateway will now evaluate Network (Layer 4) policies before HTTP (Layer 7) policies. This change preserves your existing security posture and does not affect which traffic is filtered — but it may impact how notifications are displayed to end users.

This change will roll out progressively between July 14–18, 2025. If you use HTTP policies, we recommend reviewing your configuration ahead of rollout to ensure the user experience remains consistent.

Previous order:

1. DNS policies
2. HTTP policies
3. Network policies

New order:

1. DNS policies
2. Network policies
3. HTTP policies

Action required: Review your Gateway HTTP policies

This change may affect block notifications. For example:

You have an HTTP policy to block example.com and display a block page.

You also have a Network policy to block example.com silently (no client notification).

With the new order, the Network policy will trigger first — and the user will no longer see the HTTP block page.

To ensure users still receive a block notification, you can:

Add a client notification to your Network policy, or

Use only the HTTP policy for that domain.
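The review described above can be scripted against an export of your policies. The following is an added example, not Cloudflare code: it replays the old and new layer orders over a simplified policy model and lists domains whose block page is now pre-empted by a silent Network policy. The `Policy` fields, policy names and sample data are assumptions made for this sketch, not the Gateway API schema, and list position stands in for precedence within a layer.

```python
from dataclasses import dataclass

# Layer evaluation orders as described in this announcement.
OLD_ORDER = ("dns", "http", "network")
NEW_ORDER = ("dns", "network", "http")

@dataclass(frozen=True)
class Policy:
    # Hypothetical, simplified model: every policy here is a block policy.
    name: str
    layer: str       # "dns", "network" or "http"
    domain: str      # exact hostname the policy blocks
    notifies: bool   # True if the user sees a block page or client notification

def first_block(policies, domain, order):
    """Return the first block policy matching domain under the given layer order."""
    for layer in order:
        for p in policies:
            if p.layer == layer and p.domain == domain:
                return p
    return None

def lost_notifications(policies):
    """Domains where the user was notified under the old order but not the new one."""
    findings = []
    for domain in sorted({p.domain for p in policies}):
        old = first_block(policies, domain, OLD_ORDER)
        new = first_block(policies, domain, NEW_ORDER)
        if old.notifies and not new.notifies:
            findings.append((domain, old.name, new.name))
    return findings

# Constructed sample policies; the first two mirror the example.com case above.
SAMPLE = [
    Policy("http-block-example", "http", "example.com", notifies=True),
    Policy("net-block-example", "network", "example.com", notifies=False),
    Policy("http-block-other", "http", "other.example", notifies=True),
    Policy("net-block-third", "network", "third.example", notifies=True),
    Policy("http-block-third", "http", "third.example", notifies=True),
]

if __name__ == "__main__":
    for domain, old, new in lost_notifications(SAMPLE):
        print(f"{domain}: block page from {old} is now pre-empted by silent {new}")
```

Each finding can be resolved with either option listed above: add a client notification to the Network policy, or keep only the HTTP policy for that domain.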

Why we’re making this change

This update is based on user feedback and aims to:

Create a more intuitive model by evaluating network-level policies before application-level policies.

Minimize 526 connection errors by verifying the network path to an origin before attempting to establish a decrypted TLS connection.

To learn more, visit the Gateway order of enforcement documentation.