Moving up frequently-hit Access Control policy rules will have little effect on rulebase lookup performance in R80.10+ due to the advent of Column-based matching.
NAT rules did pick up a hit counter in R81+; however, the position of NAT rules in the policy once again has little impact on NAT rulebase lookup performance in most cases due to the caching of NAT rulebase lookups in a table called fwx_cache. This table can store up to 10,000 source/dst cached NAT rule matches, so in the case that the cache becomes completely full (fw tab -t fwx_cache -s), additional NAT rule lookups will need to occur, and in that specific case NAT rulebase lookup performance will be improved by moving rules up, as the NAT policy matching is still top-down, first fit and not Column-based matching. So unless you have thousands of NAT rules there is generally little to be gained by moving them up.
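A way to script the fwx_cache check mentioned in the post, added here as an example and not part of the original reply or of Check Point's tooling. It assumes the summary output of fw tab -s has the columns HOST, NAME, ID, #VALS, #PEAK, #SLINKS; the function name and the sample lines are constructed for illustration.

```shell
#!/bin/bash
# Cache size taken from the post above: up to 10,000 cached NAT matches.
FWX_CACHE_LIMIT=10000

# Reads the output of `fw tab -t fwx_cache -s` on stdin and prints
# "<vals> <peak> <status>":
#   OK     - the cache has never reached the limit
#   PEAKED - the cache is below the limit now but has filled at some point
#   FULL   - the cache is at the limit, so new NAT matches fall back to
#            top-down, first-fit rulebase lookups
# Assumed column order: HOST NAME ID #VALS #PEAK #SLINKS.
fwx_cache_status() {
    awk -v limit="$FWX_CACHE_LIMIT" '
        $2 == "fwx_cache" { vals = $4 + 0; peak = $5 + 0; found = 1 }
        END {
            if (!found) { print "0 0 NOTFOUND"; exit 2 }
            status = "OK"
            if (peak >= limit + 0) status = "PEAKED"
            if (vals >= limit + 0) status = "FULL"
            print vals, peak, status
        }'
}

# Constructed sample outputs (not captured from a real gateway).
HEADER='HOST                  NAME                               ID #VALS #PEAK #SLINKS'
SAMPLE_OK="$HEADER
localhost             fwx_cache                        8116   412  1893       0"
SAMPLE_PEAKED="$HEADER
localhost             fwx_cache                        8116  7250 10000       0"
SAMPLE_FULL="$HEADER
localhost             fwx_cache                        8116 10000 10000       0"

# On a gateway in expert mode: fw tab -t fwx_cache -s | fwx_cache_status
for sample in "$SAMPLE_OK" "$SAMPLE_PEAKED" "$SAMPLE_FULL"; do
    printf '%s\n' "$sample" | fwx_cache_status
done
```

A PEAKED or FULL result is the specific case the post describes, where NAT rule order can start to matter.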