: Migrate Original Policy Sets to Stacked Policy Sets
Focus
Focus

Migrate Original Policy Sets to Stacked Policy Sets

Table of Contents

Migrate Original Policy Sets to Stacked Policy Sets

Learn how to migrate original policy sets to stacked policy sets.
Where Can I Use This?What Do I Need?
  • Prisma SD-WAN
  • Active Prisma SD-WAN license
Prisma SD-WAN supports stacked network and security policies. If you are a new user starting with Release 6.0.1, you can configure only stacked network and security policies. If you have configured original or legacy policies, you have to convert these legacy policies to stacked policies before you can upgrade your device to Release 6.0.1.
If you try to upgrade your device to version 6.0.1 or higher using original policies, you will get an error and the device upgrade will fail.
Stacked Policies provide a common administrative domain for a set of sites, contain policy rules, and are stacked and attached to a site. With stacked policies you can enable, disable, update, or manage policies, including performance, priority, path selection, and security without configuring individual ION devices at a branch or a data center.
  1. Select ManagePoliciesStacked PoliciesBindings/Path/QoS/Security/NAT.
  2. Select SecuritySecurity StacksAdvancedSecurity SetsAdd Set.
    The example shows how to convert an original security policy set to a stacked security policy set. You can extend this to converting Path and QoS sets also.
    To migrate from original network policies to stacked network policies, you can clone an original network policy set into two types of stacked policy sets—stacked path policy set (for original network policies) and stacked QoS policy set (for original priority policies) and bind them separately to a site.
  3. On the Add Security Policy Set screen, enter a Name for the security policy set, and optionally enter description and tags.
    While adding a name, ensure that there is no stacked policy set having the same name as the original policy set.
  4. Select the Clone From an Original Policy Set check box to clone a policy set created under original policies and select a policy set to clone from the Choose an Original Policy Set drop-down.
  5. Click Done to submit your changes.
    The clone operation creates a new policy set stack for the original security policy set. As part of the clone operation, a policy set containing custom rules from the original policy set and a Default Rule Policy set from the default rules in the original policies is created. The Default Rule Policy set contains three different rules—default-deny, intra-zone-allow, self-zone-allow.
    In order for stacked security policy rules to be active, bind security policy set stacks to a site.