Outlines the limitations and restrictions that apply when configuring and deploying security policies.
IPv6 rules or rulesets
IPv6 rules or rulesets do not support identity.
IPv4 rules with rulesets
Identity is supported only in IPv4 rules of an NGFW policy. IPv4 rules in rulesets do not support identity.
Matching traffic, custom application in a custom-defined application list
From Cisco IOS XE Catalyst SD-WAN Release 17.14.1a and Cisco Catalyst SD-WAN Manager Release 20.14.1, security policy supports matching traffic using a custom application in a custom-defined application list. In earlier releases, this is not supported.
VPNs or interfaces not present on the target device
When a security policy is deployed with zones that include specific VPNs or interfaces, SD-WAN Manager tolerates VPNs or interfaces that do not exist on the target device: it filters out the non-existent members before pushing the configuration, and the policy deploys successfully for the members that do exist.
For policy groups, this behavior is different. Every VPN and interface referenced in a zone configuration must be present on the target device. If any configured VPN or interface is missing, deployment of the security policy fails, so you must ensure that all referenced VPNs and interfaces exist on the device before deploying the policy group.
Example:
Consider a zone named zoneA configured to include vlan10, gigabitethernet20, and vlan1.
For security policy: If the target device has only vlan10 configured, SD-WAN Manager filters out gigabitethernet20 and vlan1, and the policy deploys successfully for vlan10.
For policy groups: If the target device has only vlan10, deployment of the security policy fails because gigabitethernet20 and vlan1 are required but not present on the device.
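The following Python pre-deployment check is an added example; it is not Cisco code and is not how SD-WAN Manager itself implements the behavior. It models the two deployment models described above on constructed zone definitions and a constructed device inventory, so that a missing VPN or interface is found before a policy group is pushed. The function names, the case-insensitive name matching, and the sample data are assumptions made for illustration.

```python
"""Pre-check zone members against a device's interfaces and VPNs.

Added example (not Cisco's code). Models the documented difference:
 - security policy: members missing on the device are filtered out, the
   policy deploys for the remaining members;
 - policy group: any missing member in any zone fails the deployment.
"""
from dataclasses import dataclass


def normalize(name: str) -> str:
    # Assumption: interface/VPN names are compared case-insensitively and
    # with surrounding whitespace removed, so "GigabitEthernet20" matches
    # "gigabitethernet20". Abbreviations such as "Gi20" are not expanded.
    return name.strip().lower()


@dataclass
class ZoneCheck:
    zone: str
    present: list   # members that exist on the device
    missing: list   # members referenced by the zone but absent on the device

    @property
    def ok_for_policy_group(self) -> bool:
        return not self.missing


def check_zone(zone: str, members, device_inventory) -> ZoneCheck:
    """Split one zone's members into present/missing for the given device."""
    inventory = {normalize(n) for n in device_inventory}
    present, missing = [], []
    for member in members:
        (present if normalize(member) in inventory else missing).append(member)
    return ZoneCheck(zone, present, missing)


def plan_deployment(zones, device_inventory, policy_group: bool):
    """Return (deployable, per_zone_results, effective_zone_members).

    policy_group=False models the security-policy behavior: missing members
    are dropped and the policy deploys for what remains.
    policy_group=True models the policy-group behavior: a single missing
    member in any zone makes the whole deployment fail (no effective zones).
    """
    results = [check_zone(z, m, device_inventory) for z, m in zones.items()]
    if policy_group:
        deployable = all(r.ok_for_policy_group for r in results)
        effective = {r.zone: list(r.present) for r in results} if deployable else {}
    else:
        deployable = True
        effective = {r.zone: list(r.present) for r in results}
    return deployable, results, effective


# Constructed sample data mirroring the zoneA example in the text.
ZONES = {"zoneA": ["vlan10", "gigabitethernet20", "vlan1"]}
# Constructed device inventory: only Vlan10 (and an unrelated interface) exist.
DEVICE_INVENTORY = ["Vlan10", "GigabitEthernet1"]


def report(zones, device_inventory, policy_group: bool) -> str:
    """Human-readable summary of what would happen for one deployment model."""
    deployable, results, effective = plan_deployment(zones, device_inventory, policy_group)
    model = "policy group" if policy_group else "security policy"
    lines = [f"[{model}] deployable={deployable}"]
    for r in results:
        lines.append(f"  zone {r.zone}: present={r.present} missing={r.missing}")
    if deployable:
        lines.append(f"  effective zones pushed: {effective}")
    else:
        lines.append("  fix: create the missing VPNs/interfaces on the device, then redeploy")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(ZONES, DEVICE_INVENTORY, policy_group=False))
    print(report(ZONES, DEVICE_INVENTORY, policy_group=True))
```

Run the script as-is to see both outcomes for zoneA; to use it against a real device, replace `DEVICE_INVENTORY` with the interface and VPN names you collect from the device, and extend `normalize` if your naming conventions differ from the full interface names used here.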
Replacing a SIG or SSE feature policy
Replacing a SIG or SSE feature policy within the same policy group is not supported.
Data policy redirecting DNS traffic
Data policy does not support both of these conditions together:
- Data policy redirecting DNS traffic to Umbrella
- Secure Internet Gateway (SIG) configured