Cisco Catalyst SD-WAN Policy Groups Configuration Guide, Releases 26.x and Later

Policy group workflows

Describes the policy group workflow that guides you in creating a policy group for one or more sites or a single device at the site in the network managed by configuration groups.


A policy group workflow is a configuration management feature that

  • guides you in creating a policy group for one or more sites or a single device at the site in the network that is managed by configuration groups in Cisco Catalyst SD-WAN, and

  • provides you with an improved configuration and troubleshooting experience.

Policy group workflow features

The workflow has the following features:

  • allows you to review the various configuration values on a single page within the workflow, and

  • helps you easily identify and fix incorrect values that appear highlighted in red.


Deploy policy group workflow

You can access the workflow by choosing Workflows > Deploy Policy Group from the Cisco SD-WAN Manager menu.

The Deploy Policy Group workflow enables you to associate devices with a previously created policy group and deploy the policy group to the selected devices. You can review device configurations to further add Site IDs and other variables that must be provided as part of a policy group before deploying the policy group.

An asterisk that is adjacent to a field name helps you identify the mandatory values within the workflow.

After deploying a policy group, any subsequent changes to the policy group will cause the Cisco SD-WAN Controller to appear in the deployment preview, even if no changes are being deployed to the controller itself.

Additionally, any modifications to the Application Priority and SLA policy are automatically pushed to all Cisco IOS XE Catalyst SD-WAN devices associated with the policy group, as well as the Cisco SD-WAN Controllers, regardless of which devices are selected in the deployment workflow. This behavior differs from NGFW, DNS Security, and SIG policies, where changes are only deployed to the selected Cisco IOS XE Catalyst SD-WAN device.

Cisco SD-WAN Controller tasks for policy group deployments

Starting with Cisco Catalyst SD-WAN Manager Release 26.1.1.1, deploying a policy group triggers a Cisco SD-WAN Controller task during the subsequent deployment in any of these scenarios:

  • A device that was previously part of a classic centralized policy is newly associated with any policy group.

  • A device is removed from a policy group that had Application Priority and SLA policies deployed.

  • A device associated with the policy group is included in an existing Cisco SD-WAN Controller policy configuration, even if neither of the preceding conditions applies.

The CLI generation includes only the Cisco SD-WAN Controller intent for the current policy groups and the intent for any policy group involved in a device migration.
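The deployment scope and controller task conditions described above can be checked before a change is approved. The following is an added example, not Cisco code and not a Cisco SD-WAN Manager API: it models which devices receive a change and why a Cisco SD-WAN Controller task appears. The policy-type labels, the `Device` fields and the `deployment_scope` function are hypothetical names, and the inventory is constructed.

```python
from dataclasses import dataclass

# Policy types named in this guide. The string labels are chosen for this sketch.
FLEET_WIDE = {"app-priority-sla"}                # pushed to every associated device
SELECTED_ONLY = {"ngfw", "dns-security", "sig"}  # pushed to selected devices only


@dataclass(frozen=True)
class Device:
    name: str
    from_classic_policy: bool = False   # was under a classic centralized policy
    newly_associated: bool = False      # joins a policy group in this change
    in_controller_policy: bool = False  # present in existing controller policy config


def deployment_scope(associated, selected, changed, removed=(), group_has_app_sla=False):
    """Compute who really receives a change, given the behaviour the guide states."""
    changed, selected = set(changed), set(selected)
    unknown = changed - FLEET_WIDE - SELECTED_ONLY
    if unknown:
        raise ValueError(f"policy type not covered by the guide: {sorted(unknown)}")
    names = {d.name for d in associated}
    if not selected <= names:
        raise ValueError(f"selected but not associated: {sorted(selected - names)}")
    fleet_wide = bool(changed & FLEET_WIDE)
    targets = set(names) if fleet_wide else (selected if changed else set())
    # Controller task triggers (Release 26.1.1.1 and later), in the guide's order.
    reasons = []
    if any(d.from_classic_policy and d.newly_associated for d in associated):
        reasons.append("classic-policy device newly associated")
    if removed and group_has_app_sla:
        reasons.append("device removed from group with App Priority/SLA")
    if any(d.in_controller_policy for d in associated):
        reasons.append("device in existing controller policy")
    return {
        "targets": sorted(targets),
        "outside_selection": sorted(targets - selected),  # review these explicitly
        "controllers_pushed": fleet_wide,
        "controller_task_reasons": reasons,
    }


# Constructed inventory for illustration.
SITE = [Device("edge-1"), Device("edge-2", in_controller_policy=True),
        Device("edge-3", from_classic_policy=True, newly_associated=True)]

if __name__ == "__main__":
    print(deployment_scope(SITE, ["edge-1"], ["ngfw", "app-priority-sla"]))
```

A non-empty `outside_selection` list means the change reaches devices that the operator did not pick in the workflow, which is the case a change reviewer should sign off on explicitly.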

Policy group deployment previews in multitenant environments

Starting with Cisco Catalyst SD-WAN Manager Release 26.1.1.1, in multitenant environments, Cisco SD-WAN Manager no longer provides a preview diff for centralized policies, topology groups, policy groups, or device templates.

Instead, Cisco SD-WAN Manager shows the complete generated configuration as new. This configuration matches what is applied to the device because multitenant environments deploy the full configuration during each deployment.

In single-tenant environments, the preview diff behavior remains unchanged. Cisco SD-WAN Manager continues to show only the configuration differences.


Add devices to a policy group using rules

Before you begin

From SD-WAN Manager 26.1.1.1, you can add devices to a policy group using tags.

Ensure that you have added tags to devices. For more information about tagging, refer to the Device tagging section in the Cisco Catalyst SD-WAN Systems and Interfaces Configuration Guide.

Follow these steps to add devices to a policy group using rules:

Procedure

1. From the Cisco SD-WAN Manager menu, choose Configuration > Policy Groups.

2. Select a policy group from the available list.

3. Click the + Add option adjacent to Associated in the Deployment area.

4. Click Manage rule. You can select Modify rules or Remove rules. In the Rules section, choose values for the following options:

  1. Rule name: Enter a unique name for the rule. A rule name cannot be duplicated once you create it.

  2. Rule Conditions: Choose one of the two rules and configure the conditions: Match All or Match Any.

  3. Choose one of these operators:

    • Equals

    • Not equals

    • Contains

    • Not contains

    • Starts with

    • End with

    Note
    You cannot create a new rule if it conflicts with an existing rule.

5. Click Apply.

   Based on the rule, a list of devices that will be added to or removed from the policy group appears.

6. Click Confirm to apply the changes.