Upgrade a Firewall Policy

A new version of the firewall policy is available. The upgrade contains new features that give you greater flexibility and higher component limits for policies.

New features for upgraded policies

  • Increased limits for policy components: Policy components were previously configured as attributes of the policy. The new version refactors policy components as separate objects with their own names. This allows for an increase in the number of components you can have in each associated policy, and the ability to move components between lists within the policy. See the table later in this topic that shows details about each component and its limits.
  • Operational improvements: Updating a firewall no longer causes a connection reset.
  • Bulk import policy components: You can now bulk import policy components using a .json file. You can import the maximum allowed components in one file. The Network Firewall service provides a .json template for each component type that you can download and use to construct an import file. See Bulk Import Firewall Policy Components for more information.
  • Easily reorder security and decryption rules: When you create or edit a rule, you can specify the rule's position in relation to other rules in the policy. In addition to placing the rule first or last in the list, you can give it a custom position, which places it before or after another rule in the list. You can reorder rules during creation, when editing a rule, or within the list shown on the policy details page. See Create a Decryption Rule and Create a Security Rule for more information.
  • Search for components: Because components are now independent objects, you can use the Search function to find them by Name.
  • Easy migration: Use the following workflow to upgrade your policies to the new version. When you upgrade a policy, any associated firewalls are also upgraded.

Policy component details

The following table shows each component with its previous maximum, its new maximum, and its API object and operation names. For more information about the attributes and dependencies of each component and instructions about how to create them, see Firewall Policy Rules.
Component: Security rule
  • Previous max: 25 for each policy
  • New max: 10,000 for each policy
  • APIs: SecurityRule, CreateSecurityRule, UpdateSecurityRule, DeleteSecurityRule, GetSecurityRule, ListSecurityRules, BulkUploadSecurityRules

Component: Decryption rule
  • Previous max: 25 for each policy
  • New max: 1,000 for each policy
  • APIs: DecryptionRule, CreateDecryptionRule, UpdateDecryptionRule, DeleteDecryptionRule, GetDecryptionRule, ListDecryptionRules, BulkUploadDecryptionRules

Component: Application Lists
  • Previous max: 25 for each policy
  • New max: 2,500 for each policy
  • APIs: ApplicationGroup, CreateApplicationGroup, UpdateApplicationGroup, DeleteApplicationGroup, GetApplicationGroup, ListApplicationGroups, BulkUploadApplicationGroups

Component: Applications
  • Previous max: NOT APPLICABLE (new component; previously an attribute of application lists)
  • New max: 1,000 for each application list; 6,000 applications for each policy
  • APIs: Application, CreateApplication, UpdateApplication, DeleteApplication, GetApplication, ListApplications, BulkUploadApplications

Component: Service Lists
  • Previous max: NOT APPLICABLE (new component)
  • New max: 2,500 for each policy
  • APIs: ServiceList, CreateServiceList, UpdateServiceList, DeleteServiceList, GetServiceList, ListServiceLists, BulkUploadServiceLists

Component: Services
  • Previous max: NOT APPLICABLE (new component)
  • New max: 1,000 for each service list; 1,900 services for each policy
  • APIs: Service, CreateService, UpdateService, DeleteService, GetService, ListServices, BulkUploadServices

Component: URL Lists
  • Previous max: 25 for each policy
  • New max: 1,000 URL lists for each policy; 1,000 URLs for each list
  • APIs: UrlList, CreateUrlList, UpdateUrlList, DeleteUrlList, GetUrlList, ListUrlLists, BulkUploadUrlLists

Component: Address Lists
  • Previous max: 25 for each policy
  • New max: 20,000 total address lists for each policy; 2,000 FQDN-type address for each policy; 1,000 addresses for each list
  • APIs: AddressList, CreateAddressList, UpdateAddressList, DeleteAddressList, GetAddressList, ListAddressLists, BulkUploadAddressLists

Component: Mapped Secrets
  • Previous max: 25 for each policy
  • New max: 300 for each policy
  • APIs: MappedSecret, CreateMappedSecret, UpdateMappedSecret, DeleteMappedSecret, GetMappedSecret, ListMappedSecrets, BulkUploadMappedSecrets

Component: Decryption Profiles
  • Previous max: 25 for each policy
  • New max: 500 for each policy
  • APIs: DecryptionProfile, CreateDecryptionProfile, UpdateDecryptionProfile, DeleteDecryptionProfile, GetDecryptionProfile, ListDecryptionProfiles, BulkUploadDecryptionProfiles

Avoiding policy upgrade problems

Firewall policies with any of the following attributes might cause a problem that prevents the upgrade from continuing:

  • An application list has a name longer than 24 characters. Consider renaming such application lists to 24 characters or fewer to avoid this problem.
  • A security rule has an applications, URLs, sources, or destinations list with more than 25 elements. Consider splitting such security rules into multiple rules with fewer than 25 elements each to avoid this problem.
  • A decryption rule has a sources or destinations list with more than 25 elements. Consider splitting such decryption rules into multiple rules with fewer than 25 elements each to avoid this problem.

If a firewall policy is attached to a firewall, consider cloning the policy, making the suggested changes, then changing the firewall to use the new cloned policy before upgrading. To clone a policy, see Clone the policy. To change the firewall, see Change a Firewall.
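
The following script is an added example, not part of this topic or of the Network Firewall service itself. It runs the three checks listed above against a saved copy of a policy so you can find blocking attributes before you start the upgrade (and before cloning, if the policy is attached to a firewall). The JSON layout it reads (applicationLists keyed by list name, securityRules and decryptionRules each carrying a condition object with applications, urls, sources and destinations) is an assumption made for this example; confirm it against an actual policy export before relying on the output.

```python
"""Pre-upgrade check for a legacy Network Firewall policy export.

Flags the three conditions this topic says can stop an upgrade:
  1. an application list name longer than 24 characters,
  2. a security rule whose applications, urls, sources or destinations
     list has more than 25 elements,
  3. a decryption rule whose sources or destinations list has more than
     25 elements.

ASSUMPTION: the policy JSON shape used below (applicationLists as a
name-keyed object, rules with a "condition" object) is constructed for
this example and may differ from a real export.
"""
import json
import sys

MAX_APP_LIST_NAME = 24
MAX_RULE_ELEMENTS = 25
SECURITY_RULE_FIELDS = ("applications", "urls", "sources", "destinations")
DECRYPTION_RULE_FIELDS = ("sources", "destinations")


def _oversized_fields(rule: dict, fields: tuple) -> list:
    """Return (field, count) for each condition list with too many elements."""
    cond = rule.get("condition") or {}
    hits = []
    for field in fields:
        count = len(cond.get(field) or [])
        if count > MAX_RULE_ELEMENTS:
            hits.append((field, count))
    return hits


def find_upgrade_blockers(policy: dict) -> list:
    """Return one human-readable finding per blocking attribute (empty if clean)."""
    findings = []

    # 1. Application list names over 24 characters: rename before upgrading.
    for name in policy.get("applicationLists") or {}:
        if len(name) > MAX_APP_LIST_NAME:
            findings.append(
                f"application list {name!r} has {len(name)} characters "
                f"(max {MAX_APP_LIST_NAME}); rename it")

    # 2. Security rules with more than 25 elements in any condition list.
    for rule in policy.get("securityRules") or []:
        for field, count in _oversized_fields(rule, SECURITY_RULE_FIELDS):
            findings.append(
                f"security rule {rule.get('name')!r}: {field} has {count} "
                f"elements (max {MAX_RULE_ELEMENTS}); split the rule")

    # 3. Decryption rules with more than 25 sources or destinations.
    for rule in policy.get("decryptionRules") or []:
        for field, count in _oversized_fields(rule, DECRYPTION_RULE_FIELDS):
            findings.append(
                f"decryption rule {rule.get('name')!r}: {field} has {count} "
                f"elements (max {MAX_RULE_ELEMENTS}); split the rule")

    return findings


# Constructed sample policy for demonstration; not a real export.
SAMPLE_POLICY = {
    "applicationLists": {
        "web-apps": [{"type": "TCP", "minimumPort": 443, "maximumPort": 443}],
        "this-application-list-name-is-too-long": [
            {"type": "TCP", "minimumPort": 8080, "maximumPort": 8080}],
    },
    "securityRules": [
        {"name": "allow-web", "action": "ALLOW",
         "condition": {"applications": ["web-apps"], "urls": [],
                       # 26 source address lists: one over the limit
                       "sources": [f"src-{i}" for i in range(26)],
                       "destinations": ["dst-1"]}},
    ],
    "decryptionRules": [
        {"name": "inspect-out", "action": "INSPECT",
         "condition": {"sources": ["src-1"], "destinations": ["dst-1"]}},
    ],
}


if __name__ == "__main__":
    # Usage: python check_policy.py [policy.json]; no argument uses the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY
    blockers = find_upgrade_blockers(policy)
    for line in blockers:
        print("BLOCKER:", line)
    print("ready to upgrade" if not blockers else f"{len(blockers)} issue(s) found")
```

The sample deliberately trips two of the three checks (an over-long application list name and a security rule with 26 sources) so the output shows what a finding looks like; a clean policy returns an empty list.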

Upgrade firewall policies

All new firewalls and policies that you create automatically use the new version of the service. Firewalls and policies that existed before the new version was released continue to use the old version of the service until you upgrade them. Each policy that uses the previous version has a notation next to it in the Policy List page so you can tell which policies are using the old or new version.

The upgrade process takes several minutes to complete but does not affect the traffic on any firewalls that use the policy.
Important

  • During the upgrade process, you can't change the policy or its components.
  • After you upgrade a policy to use the new version, it can't be downgraded back to the old version.
  • When you upgrade a policy, any associated firewall is also upgraded automatically. After the upgrade is complete, the attached firewalls can no longer use old versions of policies.
  • After a firewall is upgraded, it can't be downgraded back to the old version. A firewall is upgraded when its attached policy is upgraded, or when it's switched from an old policy to an upgraded policy.

Using the Console

  1. On the navigation menu, select Identity & Security. Under Firewalls, select Network Firewall Policies.
  2. Find a policy in the list that shows the notation that it's ready to upgrade.
  3. Select the policy.
  4. In the Upgrade policy to use new features information message, select Upgrade policy.
    When the upgrade is complete, a message appears on the policy details page letting you know you can start using the new features. Any firewall attached to the policy is also upgraded and can only be attached to upgraded policies.