Order of enforcement
1 min read
Order of precedence refers to the priority of individual policies within the policy builder (lowest value first, or from top to bottom as shown in the dashboard). You can modify the order of precedence by dragging and dropping individual policies in the dashboard.
In Gateway, the order of precedence follows the first match principle — once a site matches an Allow or Block policy, evaluation stops and no subsequent policies can override the decision. Therefore, we recommend putting the most specific policies and exceptions at the top of the list and the most general policies at the bottom.
For example, suppose you have a list of DNS policies:
Precedence | Selector | Operator | Value | Action |
---|---|---|---|---|
1 | Host | is | example.com |
Block |
2 | Host | is | test.example.com |
Allow |
3 | Domain | matches regex | .\ |
Block |
When a user navigates to https://test.example.com
, Gateway evaluates the policies in the following order:
- Policy #1 does not match
test.example.com
— move on to check Policy #2. - Policy #2 matches, so DNS resolution is allowed.
- Policy #3 is not evaluated because there has already been an explicit match.