Can I migrate policy rules from pre-rules to post-rules category and push to Firewalls without causing downtime?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Can I migrate policy rules from pre-rules to post-rules category and push to Firewalls without causing downtime?

L0 Member

So, I am new to palo-alto and I created some pretty general policies for internal-to-dmz communication, I now wanted to create a policy that would target specific host-to-destinations for testing, however, I noticed that the primary "Allow All" policy was set in the pre-rules, which takes precedence in the hierarchy. (Top to bottom). So what I need to do is migrate my "Allow All" policy to the Post-rules section so that my test policy can be hit before the first rule comes in play. 

SO, now that's out of the way, my real question is; If I apply these changes in Panorama then push to my firewalls, will there be a loss in connection, sessions etc when the policy is moved down in the hierarchy? 
I did a test from one of my sandbox environments, looked like there was no hiccup with ping, but ping is no stateful connection if you know what I mean ;). 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hi @fbarnard ,

 

I have moved rules between pre- and post- many times with no down time.  HOWEVER, with that said there is always a chance of an outage when you change the order or rules.  Verify the new order of rules is good, and you should be fine.

 

Thanks,

 

Tom

 

Edit:  I just moved my outbound rule to the Internet from each device group to Shared.  I was doing an outbound ping, and I dropped one packet.

Help the community: Like helpful comments and mark solutions.

View solution in original post

2 REPLIES 2

Cyber Elite
Cyber Elite

Hi @fbarnard ,

 

I have moved rules between pre- and post- many times with no down time.  HOWEVER, with that said there is always a chance of an outage when you change the order or rules.  Verify the new order of rules is good, and you should be fine.

 

Thanks,

 

Tom

 

Edit:  I just moved my outbound rule to the Internet from each device group to Shared.  I was doing an outbound ping, and I dropped one packet.

Help the community: Like helpful comments and mark solutions.

Thank you for the confirmation! Yes, I am keeping in mind the rules currently set, we are still in the phase of policy control setup, right now we are testing the communication between zones. I just wanted to make sure I was putting my more broad policy in the right hierarchy before implementing more stringent or specific policy. 

  • 1 accepted solution
  • 2051 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!