https://community.cisco.com/t5/network-security/how-to-update-zone-based-firewall-policy/m-p/4107807#M1071343 <P>Hi,</P> <P>You don't need to remove the policy-map in order to add a class-map. You just need to edit the policy-map, add the class-map and potentially temporarily remove/re-add a class-map until you get the order you desire. Editing the policy-map therefore won't remove the zone-pairs.</P> <P>&nbsp;</P> <P>HTH</P> Tue, 23 Jun 2020 07:46:18 GMT Rob Ingram 2020-06-23T07:46:18Z https://community.cisco.com/t5/network-security/how-to-update-zone-based-firewall-policy/m-p/4107708#M1071341 <P>I have a ZBFW policy:</P><P>&nbsp;</P><P class="p1"><SPAN class="s1">policy-map type inspect mypolicy</SPAN></P><P class="p1"><SPAN class="s1">class type inspect whitelist</SPAN></P><P class="p1"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>pass</SPAN></P><P class="p1"><SPAN class="s1">class type inspect everything</SPAN></P><P class="p1"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect</SPAN></P><P class="p1">&nbsp;</P><P class="p1"><SPAN class="s1">But what if I need to add a new class-map:</SPAN></P><P class="p1">&nbsp;</P><P class="p1"><SPAN class="s1">policy-map type inspect mypolicy</SPAN></P><P class="p1"><SPAN class="s1">class type inspect whitelist</SPAN></P><P class="p1"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>pass</SPAN></P><P class="p1"><STRONG><SPAN class="s1">class type inspect blacklist</SPAN></STRONG></P><P class="p1"><STRONG><SPAN class="s1">&nbsp; drop</SPAN></STRONG></P><P class="p1"><SPAN class="s1">class type inspect everything</SPAN></P><P class="p1"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect</SPAN></P><P class="p1">&nbsp;</P><P class="p1"><SPAN class="s1">How can I do it without removing mypolicy and recreate it again? If I remove mypolicy, it will also remove its reference within zone pairs. It is a PITA.</SPAN></P> Tue, 23 Jun 2020 00:47:55 GMT https://community.cisco.com/t5/network-security/how-to-update-zone-based-firewall-policy/m-p/4107708#M1071341 pingduck 2020-06-23T00:47:55Z https://community.cisco.com/t5/network-security/how-to-update-zone-based-firewall-policy/m-p/4107807#M1071343 <P>Hi,</P> <P>You don't need to remove the policy-map in order to add a class-map. You just need to edit the policy-map, add the class-map and potentially temporarily remove/re-add a class-map until you get the order you desire. Editing the policy-map therefore won't remove the zone-pairs.</P> <P>&nbsp;</P> <P>HTH</P> Tue, 23 Jun 2020 07:46:18 GMT https://community.cisco.com/t5/network-security/how-to-update-zone-based-firewall-policy/m-p/4107807#M1071343 Rob Ingram 2020-06-23T07:46:18Z https://community.cisco.com/t5/network-security/how-to-update-zone-based-firewall-policy/m-p/4108039#M1071354 <P>You correctly pointed out that I don't need to remove the policy-map.</P><P>&nbsp;</P><P>However, in order do what I want, I still need to remove "<SPAN class="s1">class type inspect everything", leaving myself unprotected and also dropping traffic, add "</SPAN><SPAN class="s1">class type inspect blacklist" and add back&nbsp;"class type inspect everything". This will get significantly complicated if I have more than a few classes within policy-map. Is there no way to edit the policy-map by specifying the order?</SPAN></P> Tue, 23 Jun 2020 14:31:47 GMT https://community.cisco.com/t5/network-security/how-to-update-zone-based-firewall-policy/m-p/4108039#M1071354 pingduck 2020-06-23T14:31:47Z https://community.cisco.com/t5/network-security/how-to-update-zone-based-firewall-policy/m-p/4108169#M1071365 No, not for ZBFW policy-maps that I am aware of. If you need further clarification you should log a TAC call. Tue, 23 Jun 2020 17:46:41 GMT https://community.cisco.com/t5/network-security/how-to-update-zone-based-firewall-policy/m-p/4108169#M1071365 Rob Ingram 2020-06-23T17:46:41Z