Upgrade a Firewall Policy
A new version of the firewall policy is available. The upgrade contains new features that give you greater flexibility and higher component limits for policies.
New features for upgraded policies
- Increased limits for policy components: Policy components were previously configured as attributes of the policy. The new version refactors policy components as separate objects with their own names. This allows for an increase in the number of components you can have in each associated policy, and the ability to move components between lists within the policy. See the table later in this topic that shows details about each component and its limits.
- Operational improvements: Updating a firewall no longer causes a connection reset.
- Bulk import policy components: You can now bulk import policy components using a
.json
file. You can import the maximum allowed components in one file. The Network Firewall service provides a.json
template for each component type that you can download and use to construct an import file. See Bulk Import Firewall Policy Components for more information. - Easily reorder security and decryption rules: When you create or edit a rule, you can specify its position of the rule in relation to other rules in the policy. In addition to specifying the rule as the first or last rule in the list, you can specify a custom position for the rule. A custom position lets you set the rule position as being before or after another rule in the list. You can reorder rules during creation, when editing a rule, or you can reorder rules within the list shown in the policy details page. See Create a Decryption Rule and Create a Security Rule for more information.
- Search for components: Because components are now independent objects, you can use the Search function to find them by Name.
- Easy migration: Use the following workflow to upgrade your policies to the new version. When you upgrade a policy, any associated firewalls are also upgraded.
Policy component details
Component | Previous max | New max | APIs |
---|---|---|---|
Security rule | 25 for each policy | 10,000 for each policy |
|
Decryption rule | 25 for each policy | 1,000 for each policy |
|
Application Lists | 25 for each policy | 2,500 for each policy |
|
Applications | NOT APPLICABLE (New component: previously an attribute of application lists) | 1,000 for each application list. 6,000 applications for each policy. |
|
Service Lists | NOT APPLICABLE (New component) | 2,500 for each policy |
|
Services | NOT APPLICABLE (New component) | 1,000 for each service list. 1,900 services for each policy. |
|
URL Lists | 25 for each policy |
|
|
Address Lists | 25 for each policy |
|
|
Mapped Secrets | 25 for each policy | 300 for each policy |
|
Decryption Profiles | 25 for each policy | 500 for each policy |
|
Avoiding policy upgrade problems
Firewall policies with the following attributes might cause a problem and the upgrade can't continue:
- If a firewall policy contains an application list with a name more than 24 characters long. Consider renaming application lists to 24 characters or less to avoid this problem.
- If a firewall policy contains security rules where any of the list applications, URLs, sources, or destinations contains more than 25 elements. Consider splitting security rules into multiple rules with less than 25 elements each to avoid this problem.
- If a firewall policy contains decryption rules where any of the list sources, or destinations contains more than 25 elements. Consider splitting decryption rules into multiple rules with less than 25 elements each to avoid this problem.
If a firewall policy is attached to a firewall, consider cloning the policy, making the suggested changes, then changing the firewall to use the new cloned policy before upgrading. To clone a policy, see Clone the policy. To change the firewall, see Change a Firewall.
Upgrade firewall policies
All new firewalls and policies that you create automatically use the new version of the service. Firewalls and policies that existed before the new version was released continue to use the old version of the service until you upgrade them. Each policy that uses the previous version has a notation next to it in the Policy List page so you can tell which policies are using the old or new version.
- During the upgrade process, you can't change the policy or its components.
- After you upgrade a policy to use the new version, it can't be downgraded back to the old version.
- When you upgrade a policy, any associated firewall is also upgraded automatically. After the upgrade is complete, the attached firewalls can no longer use old versions of policies.
- After a firewall is upgraded, it can't be downgraded back to the old version. A firewall is upgraded when its attached policy is upgraded, or when it's switched from an old policy to an upgraded policy.