Stacked Security Policies | You can continue to use both original security
policies and stacked security policies after upgrading your ION
device to Release 5.6 or higher. You can access the Security
Policies (Original) tab, only if you have already configured original
security policies. If you have started using Prisma SD-WAN with
Release 5.6 or later, you will not be able to view or access the Security
Policies (Original) tab.
Before upgrading your device, ensure
that there is no stacked policy set having the same name as the
original policy set. In case there is a name duplication, change
the name of your stacked policy set and then upgrade the
device.
When you upgrade a device
running versions lower than 5.6 to version 5.6, and there are original
security policy sets on the device, the device transforms the original
security policies to stacked security policies. The device creates
a new policy set stack for the original security policy set. The device
also creates a default policy set from the default rules in the
original policies. The default policy set contains three different
rules—default-deny, intra-zone-allow, self-zone-allow. | You cannot downgrade ION devices running
version 5.6 or higher if you have attached a security stack to the
sites having these devices. To downgrade, remove the security
stack and then downgrade the device. | 
