Moving Prefilter Rules to an Access Control Policy

You can move prefilter rules from a prefilter policy to the associated access control policy.

Before you begin

Note the following conditions before you proceed:

  • Only prefilter rules can be moved to an access control policy. Tunnel rules cannot be moved.

  • The prefilter rules can be moved only to the associated access control policy.

  • Prefilter rules with configured interface groups cannot be moved.

  • When a rule is moved, the Action parameter in the prefilter rule is changed to a suitable action in the access control rule. The following table shows what each action in the prefilter rule maps to:

    Action in the prefilter rule    Action in the access control rule
    Analyze                         Allow
    Block                           Block
    Fastpath                        Trust

  • Similarly, based on the action configured in the prefilter rule, the logging configuration is set to an appropriate setting after the rule is moved, as mentioned in the following table.

    Action in the prefilter rule    Enabled Logging configurations in the access control rule
    Analyze                         None of the log settings are enabled.
    Block                           Log at Beginning of Connection; Event Viewer; Syslog Server; SNMP Trap
    Fastpath                        Log at Beginning of Connection; Log at End of Connection; Event Viewer; Syslog Server; SNMP Trap

  • The comments in the prefilter rule configuration are lost after moving the rule. However, a new comment is added in the moved rule mentioning the source prefilter policy.

  • While moving rules from the source policy, if another user modifies those rules, the management center displays a message. You may continue with the process after refreshing the page.
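
The conditions above can be checked against a rule inventory before the move. The following Python sketch is an added example, not Cisco code or a management center API; the rule dictionaries, their field names, the policy name, and the wording of the generated comment are assumptions made for illustration.

```python
# Added example: plans a prefilter-to-access-control move from the tables above.
# Rule field names are assumptions, not a management center export format.
ACTION_MAP = {"Analyze": "Allow", "Block": "Block", "Fastpath": "Trust"}
BASE_LOG = ["Event Viewer", "Syslog Server", "SNMP Trap"]
LOGGING_MAP = {
    "Analyze": [],  # none of the log settings are enabled
    "Block": ["Log at Beginning of Connection"] + BASE_LOG,
    "Fastpath": ["Log at Beginning of Connection", "Log at End of Connection"] + BASE_LOG,
}

def plan_move(rule, source_policy):
    """Return (moved_rule, None) if the rule can move, else (None, reason)."""
    if rule["type"] != "prefilter":
        return None, "tunnel rules cannot be moved"
    if rule.get("interface_groups"):
        return None, "configured interface groups"
    if rule["action"] not in ACTION_MAP:
        return None, "unrecognized action"
    return {
        "name": rule["name"],
        "action": ACTION_MAP[rule["action"]],
        "logging": list(LOGGING_MAP[rule["action"]]),
        # Existing comments are lost; one new comment names the source policy
        # (the exact wording here is constructed).
        "comments": ["Moved from prefilter policy " + source_policy],
        "comments_lost": len(rule.get("comments", [])),
    }, None

def plan_moves(rules, source_policy):
    """Split an inventory into rules that will move and rules that will not."""
    moved, skipped = [], []
    for rule in rules:
        result, reason = plan_move(rule, source_policy)
        if result is None:
            skipped.append((rule["name"], reason))
        else:
            moved.append(result)
    return moved, skipped

# Constructed sample inventory.
SAMPLE_RULES = [
    {"name": "inspect-dmz", "type": "prefilter", "action": "Analyze", "comments": ["ticket 1"]},
    {"name": "bypass-backup", "type": "prefilter", "action": "Fastpath"},
    {"name": "drop-telnet", "type": "prefilter", "action": "Block", "interface_groups": ["outside"]},
    {"name": "gre-tunnel", "type": "tunnel", "action": "Fastpath"},
]

if __name__ == "__main__":
    moved, skipped = plan_moves(SAMPLE_RULES, "Prefilter-A")
    for m in moved:
        print(m["name"], "->", m["action"], "| logging:", m["logging"] or "none")
    for name, reason in skipped:
        print(name, "not moved:", reason)
```

In the sample, the Analyze rule becomes an Allow rule with no log settings enabled and loses its one existing comment, which is the kind of change worth reviewing before deployment.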

Procedure


Step 1

In the prefilter policy editor, left-click the rules that you want to move.

Tip

To select multiple rules, use the Ctrl (Control) key on your keyboard.

Step 2

Right-click the selected rules and choose Move to another policy.

Step 3

Select the destination access control policy from the Access Policy drop-down list.

Step 4

From the Place Rules drop-down list, choose where you want to position the moved rules:

  • To position as the last set of rules in the Default section, choose At the bottom (within the Default section).
  • To position as the first set of rules in the Mandatory section, choose At the top (within the Mandatory section).

Step 5

Click Move.


What to do next

  • Deploy configuration changes.