A packet-based computer network is a group of network devices, such as routers, switches, endpoint devices, and servers, which are interconnected in such a manner as to permit the exchange of network packets between any two or more of the network devices. Network devices typically include a mechanism, referred to herein as a management interface, for directly or remotely configuring the network devices. By interacting with the management interface, a device management system can configure a network device with a policy having a number of policy rules that each specify an action for the device to perform on the occurrence of some condition. For example, a security policy rule may cause a network device to drop packets that match certain criteria specified by the rule, such as packets received from a particular source. In many instances, a policy may define a number of different rules, where each of the rules specifies certain matching criteria and one or more actions to take in the event the criteria are met. The network device applies the rules in accordance with a defined ordering specified by the policy. In many instances, the ordering of the policy rules within a policy affects the operation and performance of a network device that applies the policy.
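The following added example (not part of the original text) shows how the ordering of the same rules changes both the verdict and the number of rules tested. It assumes first-match evaluation on source address only; the rule names, addresses and the `evaluate` and `shadowed` helpers are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # matching criterion: source prefix in CIDR form
    action: str  # "permit" or "drop"

    def matches(self, src_ip: str) -> bool:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)

def evaluate(policy, src_ip, default="drop"):
    """First-match evaluation (assumed semantics).
    Returns (action, matching rule name, number of rules tested)."""
    for tested, rule in enumerate(policy, start=1):
        if rule.matches(src_ip):
            return rule.action, rule.name, tested
    return default, None, len(policy)

def shadowed(policy):
    """Return (shadowed rule, shadowing rule) pairs: a rule can never fire
    when an earlier rule's prefix already covers its whole prefix."""
    found = []
    for i, later in enumerate(policy):
        later_net = ipaddress.ip_network(later.src)
        for earlier in policy[:i]:
            if later_net.subnet_of(ipaddress.ip_network(earlier.src)):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed sample rules using documentation address ranges.
BLOCK_HOST = Rule("block-host", "198.51.100.7/32", "drop")
ALLOW_NET = Rule("allow-net", "198.51.100.0/24", "permit")
ALLOW_OTHER = Rule("allow-other", "203.0.113.0/24", "permit")

POLICY_A = [BLOCK_HOST, ALLOW_NET, ALLOW_OTHER]  # specific drop first
POLICY_B = [ALLOW_NET, BLOCK_HOST, ALLOW_OTHER]  # same rules, drop shadowed

if __name__ == "__main__":
    for label, policy in (("A", POLICY_A), ("B", POLICY_B)):
        print(label, evaluate(policy, "198.51.100.7"), shadowed(policy))
```
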