
Order of enforcement


Order of precedence refers to the priority of individual policies within the policy builder (lowest value first, or from top to bottom as shown in the dashboard). You can modify the order of precedence by dragging and dropping individual policies in the dashboard.

In Gateway, the order of precedence follows the first match principle — once a site matches an Allow or Block policy, evaluation stops and no subsequent policies can override the decision. Therefore, we recommend putting the most specific policies and exceptions at the top of the list and the most general policies at the bottom.

For example, suppose you have a list of DNS policies:

| Precedence | Selector | Operator | Value | Action |
| --- | --- | --- | --- | --- |
| 1 | Host | is | example.com | Block |
| 2 | Host | is | test.example.com | Allow |
| 3 | Domain | matches regex | `.*` | Block |

When a user navigates to https://test.example.com, Gateway evaluates the policies in the following order:

  1. Policy #1 does not match test.example.com — move on to check Policy #2.
  2. Policy #2 matches, so DNS resolution is allowed.
  3. Policy #3 is not evaluated because there has already been an explicit match.
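
The walk-through above as a small first-match evaluator, with a check that shows what happens when the most general policy is moved to the top. This is an added example, not Cloudflare's code: the field names, the simplified matcher (exact match for `is`, Python `re` for the regex) and the probe hostnames are assumptions made for illustration.

```python
import re

# Constructed model of the three DNS policies in the table above.
# Field names are illustrative and are not Cloudflare's API schema.
POLICIES = [
    {"precedence": 1, "operator": "is", "value": "example.com", "action": "Block"},
    {"precedence": 2, "operator": "is", "value": "test.example.com", "action": "Allow"},
    {"precedence": 3, "operator": "matches regex", "value": ".*", "action": "Block"},
]

def matches(policy, hostname):
    """Simplified matcher: 'is' is an exact hostname match, regex uses Python's re."""
    if policy["operator"] == "is":
        return hostname.lower() == policy["value"].lower()
    if policy["operator"] == "matches regex":
        return re.search(policy["value"], hostname) is not None
    raise ValueError(f"unsupported operator: {policy['operator']}")

def evaluate(policies, hostname):
    """First match wins: walk policies lowest precedence first, stop at the first hit."""
    trace = []
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        hit = matches(policy, hostname)
        trace.append((policy["precedence"], hit))
        if hit:
            return policy["action"], policy["precedence"], trace
    return None, None, trace  # no explicit Allow/Block match

def never_deciding(policies, probes):
    """Precedences that decide none of the probe hostnames (possibly shadowed)."""
    deciding = {evaluate(policies, host)[1] for host in probes}
    return [p["precedence"] for p in policies if p["precedence"] not in deciding]

def catch_all_first(policies):
    """Misordered copy: the most general policy moved to the top of the list."""
    general = [p for p in policies if p["operator"] == "matches regex"]
    specific = [p for p in policies if p["operator"] != "matches regex"]
    return [dict(p, precedence=i) for i, p in enumerate(general + specific, start=1)]

if __name__ == "__main__":
    probes = ["example.com", "test.example.com", "other.example.net"]  # constructed
    for label, ruleset in (("as listed", POLICIES), ("catch-all first", catch_all_first(POLICIES))):
        for host in probes:
            action, precedence, _ = evaluate(ruleset, host)
            print(f"{label:16} {host:20} -> {action} (policy #{precedence})")
        print(f"{label:16} never deciding: {never_deciding(ruleset, probes)}")
```

With the catch-all at the top, every probe is blocked by policy #1 and the Allow exception never gets evaluated, which is why the most specific policies belong first.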