Move or Clone a Security Rule or Object to a Different Virtual System
Focus
Focus
Network Security

Move or Clone a Security Rule or Object to a Different Virtual System

Table of Contents

Move or Clone a Security Rule or Object to a Different Virtual System

Where Can I Use This?What Do I Need?
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Managed by Panorama)
Check for any license or role requirements for the products you're using.
On a firewall that has more than one virtual system (vsys), you can move or clone policy rules and objects to a different vsys or to the Shared location. Moving and cloning save you the effort of deleting, recreating, or renaming rules and objects. If the security rule or object that you will move or clone from a vsys has references to objects in that vsys, move or clone the referenced objects also. If the references are to shared objects, you do not have to include those when moving or cloning. You can Use Global Find to Search the Firewall or Panorama Management Server for references.
When cloning multiple security rules, the order by which you select the rules will determine the order they are copied to the device group. For example, if you have rules 1-4 and your selection order is 2-1-4-3, the device group where these rules will be cloned will display the rules in the same order you selected. However, you can reorganize the rules as you see fit once they have been successfully copied.
  1. Select the policy type (for example, PolicySecurity) or object type (for example, ObjectsAddresses).
  2. Select the Virtual System and select one or more security rules or objects.
  3. Perform one of the following steps:
    • Select MoveMove to other vsys (for security rules).
    • Click Move (for objects).
    • Click Clone (for security rules or objects).
  4. In the Destination drop-down, select the new virtual system or Shared.
  5. (security rules only) Select the Rule order:
    • Move top (default)—The rule will come before all other rules.
    • Move bottom—The rule will come after all other rules.
    • Before rule—In the adjacent drop-down, select the rule that comes after the Selected Rules.
    • After rule—In the adjacent drop-down, select the rule that comes before the Selected Rules.
  6. The Error out on first detected error in validation check box is selected by default. The firewall stops performing the checks for the move or clone action when it finds the first error, and displays just this error. For example, if an error occurs when the Destination vsys doesn’t have an object that the security rule you are moving references, the firewall will display the error and stop any further validation. When you move or clone multiple items at once, selecting this check box will allow you to find one error at a time and troubleshoot it. If you clear the check box, the firewall collects and displays a list of errors. If there are any errors in validation, the object is not moved or cloned until you fix all the errors.
  7. Click OK to start the error validation. If the firewall displays errors, fix them and retry the move or clone operation. If the firewall doesn’t find errors, the object is moved or cloned successfully. After the operation finishes, click Commit.