Order Of Operations When Applying A Policy

When Gateway receives a DNS query and the query matches a policy, Gateway evaluates the policy in the order outlined below:

| Step | Check If | If Matches | Else |
|------|----------|------------|------|
| 1 | Domain is in CSAM category | Block domain, return REFUSED | Go to step 2 |
| 2 | Domain in Allow list | Allow domain, return NOERROR with IP address of the domain | Go to step 3 |
| 3 | Domain in Block list | Block domain, return REFUSED | Go to step 4 |
| 4 | Domain in SafeSearch | Override domain, return NOERROR with safe CNAME | Go to step 5 |
| 5 | Domain blocked by category | Block domain, return REFUSED | Go to step 6 |
| 6 | N/A | Allow domain, return NOERROR with IP address of the domain | N/A |

In each step, Gateway checks whether the domain matches the rule stated in the Check If column. If it matches, Gateway triggers the action in the If Matches column. If it does not match, the check moves to the step given in the Else column.
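The first-match-wins order above can be modeled in a few lines to check how overlapping rules resolve, for example a domain that sits in both the Allow list and the Block list. This is an added example, not Gateway's own code; the `Policy` class, the `evaluate` function, exact-name matching and all `.example` domains are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    # Hypothetical policy model; exact-name matching is an assumption.
    csam: set = field(default_factory=set)
    allow: set = field(default_factory=set)
    block: set = field(default_factory=set)
    safesearch: dict = field(default_factory=dict)   # domain -> safe CNAME
    blocked_categories: set = field(default_factory=set)
    categories: dict = field(default_factory=dict)   # domain -> category names

def evaluate(policy, domain):
    """Return (step, rcode, detail) for the first step of the table that matches."""
    d = domain.rstrip(".").lower()
    if d in policy.csam:                       # step 1: cannot be overridden
        return 1, "REFUSED", "blocked: CSAM category"
    if d in policy.allow:                      # step 2: beats steps 3-5
        return 2, "NOERROR", "allowed: allow list"
    if d in policy.block:                      # step 3
        return 3, "REFUSED", "blocked: block list"
    if d in policy.safesearch:                 # step 4: answered with safe CNAME
        return 4, "NOERROR", "CNAME " + policy.safesearch[d]
    if policy.categories.get(d, set()) & policy.blocked_categories:
        return 5, "REFUSED", "blocked: category"   # step 5
    return 6, "NOERROR", "allowed: default"    # step 6: nothing matched

# Constructed sample data with deliberate overlaps between lists.
POLICY = Policy(
    csam={"csam.example"},
    allow={"csam.example", "both.example", "games.example"},
    block={"both.example", "search.example"},
    safesearch={"search.example": "safe.search.example",
                "video.example": "restricted.video.example"},
    blocked_categories={"gaming", "streaming", "gambling"},
    categories={"games.example": {"gaming"},
                "video.example": {"streaming"},
                "casino.example": {"gambling"}},
)

if __name__ == "__main__":
    for name in ("csam.example", "both.example", "games.example",
                 "search.example", "video.example", "casino.example",
                 "other.example"):
        print(name, evaluate(POLICY, name))
```

Running it shows the practical consequences of the ordering: an Allow list entry overrides both the Block list and category blocking, but never the CSAM check, and a Block list entry wins over a SafeSearch override.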