03-24-2026 09:20 PM
Hi,
I created all security zones in Panorama and pushed them to all firewalls. Now I need to change the names of a few security zones.
All firewall policies are based on the current security zone names. Do I need to create new policies with the new security zone names, or is that not required?
Can someone share their experience and advise how to do this?
Best regards,
03-25-2026 07:37 AM
Hi @alirezabtf ,
In this case you can edit the templates and device groups in Panorama, and then push the changes to the firewalls:
1. Update the names of the security zones under the relevant templates.
2, Update the names of the security zones as referenced in security policy rules under the relevant device groups.
3. Commit to Panorama, and push your changes to the firewalls.
03-25-2026 08:44 AM
Hi @alirezabtf ,
Technically, you can try to do it that way as @nohash4u describes.
However, I usually advise against the all-at-once approach because of how the firewall handles the cutover. I've seen scenarios where it didn't go right so if this is a production firewall with live users, I would use more of a Side-by-Side method (adding the new zones to the rules first, then swapping, like you mentioned).
Why:
Even if the push is successful, renaming a zone is a disruptive event. When you rename a zone in Panorama and push it, the firewall sees the old ID go away and a new ID created. The result is that active sessions currently flowing through those zones will be dropped and users will have to reconnect.
I believe the process is explained in detail in this post:
Hope this jelps !
Cheers,
03-25-2026 12:01 PM
Hi @alirezabtf ,
Panorama pushes the config twice to the NGFWs. Once for device groups, and once for templates. This is 2 separate commits on the NGFW. I have always seen the device group pushed 1st. That fails since the zone does not yet exist in the template. If you don't want the change to be disruptive, follow @kiwi's process. If you don't mind a short outage (maintenance window) AND the zone change will not impact Panorama connectivity, try this process:
When the device group commit is done, the new zone already name exists, but with no interfaces. When the template commit is done, connectivity is restored.
Thanks,
Tom
PS I have seen the device group commit fail, but then work when the template changes are committed. It appears the DG changes remain in the candidate config. I have always seen zone changes fail completely unless I follow a process similar to the ones above.
03-26-2026 07:20 AM
Thank you very much for sharing your experience and the links; they were really helpful.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
