https://live.paloaltonetworks.com/t5/panorama-discussions/can-i-migrate-policy-rules-from-pre-rules-to-post-rules-category/m-p/542556#M1549 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/282220">@fbarnard</a> ,</P> <P>&nbsp;</P> <P>I have moved rules between pre- and post- many times with no down time.&nbsp; HOWEVER, with that said there is always a chance of an outage when you change the order or rules.&nbsp; Verify the new order of rules is good, and you should be fine.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> <P>&nbsp;</P> <P>Edit:&nbsp; I just moved my outbound rule to the Internet from each device group to Shared.&nbsp; I was doing an outbound ping, and I dropped one packet.</P> Fri, 19 May 2023 13:22:09 GMT TomYoung 2023-05-19T13:22:09Z https://live.paloaltonetworks.com/t5/panorama-discussions/can-i-migrate-policy-rules-from-pre-rules-to-post-rules-category/m-p/542555#M1548 <P>So, I am new to palo-alto and I created some pretty general policies for internal-to-dmz communication, I now wanted to create a policy that would target specific host-to-destinations for testing, however, I noticed that the primary "Allow All" policy was set in the pre-rules, which takes precedence in the hierarchy. (Top to bottom). So what I need to do is migrate my "Allow All" policy to the Post-rules section so that my test policy can be hit before the first rule comes in play.&nbsp;<BR /><BR />SO, now that's out of the way, my real question is; If I apply these changes in Panorama then push to my firewalls, will there be a loss in connection, sessions etc when the policy is moved down in the hierarchy?&nbsp;<BR />I did a test from one of my sandbox environments, looked like there was no hiccup with ping, but ping is no stateful connection if you know what I mean ;).&nbsp;</P> Thu, 18 May 2023 00:27:17 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/can-i-migrate-policy-rules-from-pre-rules-to-post-rules-category/m-p/542555#M1548 fbarnard 2023-05-18T00:27:17Z https://live.paloaltonetworks.com/t5/panorama-discussions/can-i-migrate-policy-rules-from-pre-rules-to-post-rules-category/m-p/542556#M1549 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/282220">@fbarnard</a> ,</P> <P>&nbsp;</P> <P>I have moved rules between pre- and post- many times with no down time.&nbsp; HOWEVER, with that said there is always a chance of an outage when you change the order or rules.&nbsp; Verify the new order of rules is good, and you should be fine.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> <P>&nbsp;</P> <P>Edit:&nbsp; I just moved my outbound rule to the Internet from each device group to Shared.&nbsp; I was doing an outbound ping, and I dropped one packet.</P> Fri, 19 May 2023 13:22:09 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/can-i-migrate-policy-rules-from-pre-rules-to-post-rules-category/m-p/542556#M1549 TomYoung 2023-05-19T13:22:09Z https://live.paloaltonetworks.com/t5/panorama-discussions/can-i-migrate-policy-rules-from-pre-rules-to-post-rules-category/m-p/542631#M1552 <P><SPAN>Thank you for the confirmation! Yes, I am keeping in mind the rules currently set, we are still in the phase of policy control setup, right now we are testing the communication between zones. I just wanted to make sure I was putting my more broad policy in the right hierarchy before implementing more stringent or specific policy.&nbsp;</SPAN></P> Thu, 18 May 2023 16:10:21 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/can-i-migrate-policy-rules-from-pre-rules-to-post-rules-category/m-p/542631#M1552 fbarnard 2023-05-18T16:10:21Z