Clarification on how policies are applied

I’m trying to put together the policies for my organization but I’m not sure how the policies are parsed. For example:

  • Am I right in assuming policies are parsed in descending order, top to bottom as they appear in the list?
  • Does parsing of all policies stop when a deny policy matches? (I’d assume so)
  • Does parsing of all policies stop when an apply policy matches?

I need this to structure my policies. To give you an idea of the context, I have the following requirements:

  • DB team need direct access to production dbs (controlled via ports)
  • Developers and support team need access to test dbs (controlled via ports)
  • Everyone in the company needs access to our web products (ris, rundeck, docs converter, etc)
  • SysAdmins and devs need access to SSH (port 22)
  • Everybody must be in one of a shortlist of 3 countries
  • Specific employees can be allowlisted to allow access from a country outside of the 3 country shortlist

You can see that there are some and/or relations between these rules, so I need to understand how the policies are parsed in order to implement them correctly. Any feedback welcome, even if there’s a different way of trying to accomplish the above.

As a note, the page on which policies are configured says this, which doesn’t tell the whole story:

Protect your users by creating policies that scan, filter, and log traffic. By default, Gateway allows all traffic and DNS queries unless a policy matches.
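The ordering question matters because of how the rules above interact. The following is an added example, not code from the original post or from Cloudflare: a toy evaluator that assumes policies are checked top to bottom, that the first matching policy decides, and that anything matching nothing is allowed (the quoted dashboard text confirms only the default-allow part; check the first-match assumption against the Gateway docs before relying on it). The users, groups, ports and country codes are constructed sample data. It shows how a per-team allow placed above the country block lets that team bypass the geo restriction, and how folding each exception into a block rule removes the dependence on order.

```python
"""
Toy first-match policy evaluator for reasoning about rule order.

Added example, not Cloudflare code. Assumptions: policies are evaluated
top to bottom, the first matching policy decides, and a request that
matches nothing is allowed. Users, groups, ports and countries are
constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

PROD_DB_PORTS = {5432, 3306}            # constructed: production DB listeners
TEST_DB_PORTS = {15432, 13306}          # constructed: test DB listeners
SSH_PORT = 22
COUNTRY_SHORTLIST = {"IE", "GB", "PT"}  # constructed 3-country shortlist
COUNTRY_ALLOWLIST = {"alice"}           # employees exempt from the geo rule


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    country: str
    port: int


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                      # "allow" or "block"
    match: Callable[[Request], bool]


def evaluate(policies: List[Policy], req: Request) -> Tuple[str, str]:
    """First matching policy wins; no match falls through to default allow."""
    for policy in policies:
        if policy.match(req):
            return policy.action, policy.name
    return "allow", "default"


def in_group(req: Request, *names: str) -> bool:
    return bool(req.groups & set(names))


def outside_shortlist(req: Request) -> bool:
    """True when the geo rule should fire: wrong country and not exempted."""
    return req.country not in COUNTRY_SHORTLIST and req.user not in COUNTRY_ALLOWLIST


# Naive ordering: per-team allows first, geo block afterwards. Under
# first-match semantics an allow that sits above the geo block wins
# before the geo block is ever consulted.
NAIVE = [
    Policy("db-team-prod", "allow",
           lambda r: in_group(r, "db") and r.port in PROD_DB_PORTS),
    Policy("dev-support-test", "allow",
           lambda r: in_group(r, "dev", "support") and r.port in TEST_DB_PORTS),
    Policy("ssh", "allow",
           lambda r: in_group(r, "sysadmin", "dev") and r.port == SSH_PORT),
    Policy("geo", "block", outside_shortlist),
    Policy("prod-db", "block", lambda r: r.port in PROD_DB_PORTS),
    Policy("test-db", "block", lambda r: r.port in TEST_DB_PORTS),
    Policy("ssh-block", "block", lambda r: r.port == SSH_PORT),
]

# Corrected ordering: every rule is a block with its exception folded into
# the match condition, the geo block goes first, and the web products are
# served by the default allow. Order among the blocks no longer matters.
CORRECTED = [
    Policy("geo", "block", outside_shortlist),
    Policy("prod-db", "block",
           lambda r: r.port in PROD_DB_PORTS and not in_group(r, "db")),
    Policy("test-db", "block",
           lambda r: r.port in TEST_DB_PORTS and not in_group(r, "dev", "support")),
    Policy("ssh", "block",
           lambda r: r.port == SSH_PORT and not in_group(r, "sysadmin", "dev")),
]


if __name__ == "__main__":
    # A DB team member outside the shortlist reaching a production DB port.
    dave_us = Request("dave", frozenset({"db"}), "US", 5432)
    for label, rules in (("naive", NAIVE), ("corrected", CORRECTED)):
        print(label, evaluate(rules, dave_us))
```

The naive list is what you get by writing the requirements down in the order they appear: the DB team's allow matches before the country rule is reached, so the country restriction silently does not apply to them. Expressing every requirement as a block-with-exception and leaving the web products to the default allow makes the result independent of ordering, which is the safer shape when you are not certain how the product orders evaluation.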

You can take a look at Order of enforcement · Cloudflare Zero Trust docs.

Thanks @hollynghiem, don’t know how I missed that page in the docs.
