Security Policy Migration

Learn how to migrate between Security Policies (Original) and Stacked Security Policies.
Prisma SD-WAN supports original security policies and stacked security policies. If you are already using original security policies, you can configure original security policies and stacked security policies. If you are a new user starting with Release 5.6.1, you can configure only stacked security policies. You will not be able to view or access Security Policies (Original).
See the relationship between Security Policies (Original) and Stacked Security Policies based on the ION device versions. If you are:
  • Using ION device version 5.5 or lower and you have configured Security Policies (Original)
    You can configure stacked security policies, but unless you upgrade your device to version 5.6 or higher, you cannot use the stacked security policies. You can continue using the original security policies.
  • Using ION device version 5.5 or lower and you have not configured Security Policies (Original)
    You can configure stacked security policies, but unless you upgrade your device to version 5.6, you cannot use stacked policies. You will not be able to view or access Security Policies (Original).
  • Using ION device version 5.6 or higher and you have configured Security Policies (Original)
    You can continue working with Security Policies (Original). You can clone original policies to stacked policies by using the Clone From an Original Policy Set check box to clone a policy set created under Security Policies (Original). The clone operation creates a new policy set stack for the original security policy set. As part of the clone operation, two policy sets are created: a policy set containing the custom rules from the original policy set, and a Default Rule Policy set built from the default rules in the original policies. The Default Rule Policy set contains three different rules: default-deny, intra-zone-allow, self-zone-allow.
  • Using ION device version 5.6 or higher and you have not configured Security Policies (Original)
    You will have to configure stacked security policies. You will not be able to view or access Security Policies (Original).
ION Device Upgrade to Release 5.6
  • You can continue to use both Security Policies (Original) and Stacked Security Policies after upgrading your ION device to Release 5.6 or higher.
    You can access the Security Policies (Original) tab only if you have already configured original security policies. If you started using Prisma SD-WAN with Release 5.6 or later, you will not be able to view or access the Security Policies (Original) tab.
  • When a device running a version lower than 5.6 is upgraded to version 5.6, and there are original security policy sets on the device, the device transforms the original security policies to stacked security policies. The device creates a new policy set stack for the original security policy set. The device also creates a default policy set from the default rules in the original policies. The default policy set contains 3 different rules: default-deny, intra-zone-allow, self-zone-allow.
ION Device Downgrade from Release 5.6
You cannot downgrade ION devices running version 5.6 or higher if you have attached a security stack to the sites having these devices. In order to downgrade, you have to first remove the security stack and then downgrade the device.
