VMware Networking Community
rajeevsrikant
Expert

NSX Firewall

I have the below rules. Rule#1 & Rule#2 are applied only to the security group.

I want to change the policy for the Applied To field to Distributed Firewall & delete Security Group #1 & #2.

If I do it, will it impact the existing flow? Will there be an impact to the existing communication?

How do I do it without any impact to the existing communication?

[attached screenshot of the rule table]

4 Replies
bayupw
Leadership

If you are concerned about any impact to existing rules, you can create the new rules above Rule#1 with Applied To set to DFW, without the Security Group.

The traffic should then hit the new rules, as the new rules are above the existing rules, and you can safely delete Rule#1 and Rule#2.

If you want to be sure, you can monitor Rule#1 & Rule#2 and make sure no traffic is hitting those rules before you remove them.

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
rajeevsrikant
Expert

Thanks.

But in my environment there are close to 200 rules in which I need to change the settings to Distributed Firewall.

So it is not possible to create the rules above the existing ones, since it will be very difficult.

My plan is as below.

1. To all the existing 200 rules, add the Distributed Firewall in the Applied To field.

2. Publish the changes. With this, all the VMs will receive all the firewall rules.

3. Then remove the security groups from the Applied To field in all 200 rules.

My understanding is that it should not have any impact, since it is already configured for DFW, and because of this all the VMs will have the rule already.

Correct me if I am wrong. Also, the concern is that the existing flow or session should not disconnect.

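The three-step plan above is a bulk edit of the Applied To field across many rules, and the part that deserves a check is step 3: a rule whose security-group entries are removed before Distributed Firewall was added would be left with an empty scope. The following is an added example (not code from the thread or from VMware) that performs steps 1 and 3 offline on an exported DFW configuration so the result can be inspected before anything is published. It assumes the NSX-v 6.x XML shape returned by GET /api/4.0/firewall/globalroot-0/config (firewallConfiguration / layer3Sections / section / rule / appliedToList / appliedTo with name, value, type and isValid), and the section id, rule ids and security group ids in the sample are constructed. Step 2 (publishing, i.e. PUT of the edited rule or section back with the If-Match ETag header) is not shown.

```python
"""Added example: offline dry run of the two-step Applied To change on an
exported NSX-v DFW configuration.  The XML layout follows what
GET /api/4.0/firewall/globalroot-0/config returns in NSX-v 6.x; the ids
below are constructed for the sample and do not refer to any real system."""
import xml.etree.ElementTree as ET

DFW_SCOPE = "DISTRIBUTED_FIREWALL"                 # "Distributed Firewall" in Applied To
SG_IDS = {"securitygroup-10", "securitygroup-11"}  # constructed: Security Group #1 and #2

# Constructed sample export: Rule#1 and Rule#2 are scoped to the security
# groups, Rule#3 is already scoped to the Distributed Firewall.
SAMPLE_CONFIG = """<firewallConfiguration timestamp="1500000000000">
 <layer3Sections>
  <section id="1007" name="App Rules" type="LAYER3">
   <rule id="1011" disabled="false" logged="false">
    <name>Rule#1</name><action>allow</action>
    <appliedToList>
     <appliedTo><name>SG-1</name><value>securitygroup-10</value><type>SecurityGroup</type><isValid>true</isValid></appliedTo>
    </appliedToList>
   </rule>
   <rule id="1012" disabled="false" logged="false">
    <name>Rule#2</name><action>allow</action>
    <appliedToList>
     <appliedTo><name>SG-1</name><value>securitygroup-10</value><type>SecurityGroup</type><isValid>true</isValid></appliedTo>
     <appliedTo><name>SG-2</name><value>securitygroup-11</value><type>SecurityGroup</type><isValid>true</isValid></appliedTo>
    </appliedToList>
   </rule>
   <rule id="1013" disabled="false" logged="false">
    <name>Rule#3</name><action>allow</action>
    <appliedToList>
     <appliedTo><name>DISTRIBUTED_FIREWALL</name><value>DISTRIBUTED_FIREWALL</value><type>DISTRIBUTED_FIREWALL</type><isValid>true</isValid></appliedTo>
    </appliedToList>
   </rule>
  </section>
 </layer3Sections>
</firewallConfiguration>"""


def parse_config(xml_text):
    return ET.fromstring(xml_text)


def applied_to_values(rule):
    """The object ids (securitygroup-N, DISTRIBUTED_FIREWALL, ...) in a rule's Applied To."""
    return [a.findtext("value") for a in rule.findall("appliedToList/appliedTo")]


def rules_referencing(root, sg_ids):
    """Rule ids whose Applied To names any of the given security groups."""
    return [r.get("id") for r in root.iter("rule") if set(applied_to_values(r)) & set(sg_ids)]


def add_dfw_scope(root, sg_ids):
    """Step 1: add Distributed Firewall to Applied To on every rule scoped to one
    of sg_ids.  Idempotent: rules that already carry DFW are left alone."""
    changed = []
    for rule in root.iter("rule"):
        values = applied_to_values(rule)
        if not (set(values) & set(sg_ids)) or DFW_SCOPE in values:
            continue
        entry = ET.SubElement(rule.find("appliedToList"), "appliedTo")
        for tag, text in (("name", DFW_SCOPE), ("value", DFW_SCOPE),
                          ("type", DFW_SCOPE), ("isValid", "true")):
            ET.SubElement(entry, tag).text = text
        changed.append(rule.get("id"))
    return changed


def remove_sg_scope(root, sg_ids):
    """Step 3: drop the security-group entries.  A rule is only touched when
    Distributed Firewall is already in its Applied To, so no rule can end up
    with an empty scope; rules that would are reported as skipped."""
    changed, skipped = [], []
    for rule in root.iter("rule"):
        lst = rule.find("appliedToList")
        entries = lst.findall("appliedTo")
        targets = [a for a in entries if a.findtext("value") in sg_ids]
        if not targets:
            continue
        if DFW_SCOPE not in [a.findtext("value") for a in entries]:
            skipped.append(rule.get("id"))
            continue
        for a in targets:
            lst.remove(a)
        changed.append(rule.get("id"))
    return changed, skipped


def empty_scope_rules(root):
    """Sanity check: rules left with no Applied To entry at all."""
    return [r.get("id") for r in root.iter("rule") if not r.findall("appliedToList/appliedTo")]


def dry_run(xml_text, sg_ids):
    """Run step 1 then step 3 on a fresh parse and return a summary plus the edited XML."""
    root = parse_config(xml_text)
    added = add_dfw_scope(root, sg_ids)
    removed, skipped = remove_sg_scope(root, sg_ids)
    return {"dfw_added": added, "sg_removed": removed, "skipped": skipped,
            "empty_scope": empty_scope_rules(root),
            "xml": ET.tostring(root, encoding="unicode")}


if __name__ == "__main__":
    summary = dry_run(SAMPLE_CONFIG, SG_IDS)
    for key in ("dfw_added", "sg_removed", "skipped", "empty_scope"):
        print(f"{key}: {summary[key]}")
```

Running `remove_sg_scope` on an export that has not been through `add_dfw_scope` yet skips every affected rule instead of editing it, which is the guard against doing the plan's step 3 before step 1 has been published. The `empty_scope` list should be empty after both steps; the `xml` value is what would be PUT back, per rule or per section, with the If-Match header taken from the GET.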
A13x
Hot Shot

Adding any rule to the DFW is a complete minefield, and as Bayu mentioned, it is a good idea to create a duplicate rule and stick on monitoring so you can monitor the traffic. Once it is passing via that rule, you can DISABLE (later remove) the two rules you have. Assuming that your new rule works, no traffic should be disconnected; you are only working with the firewall and not the virtual network that might impact the routing.

There is obviously no guarantee that, once you do enable the rule, some other DFW rule will not block it.

rajeevsrikant
Expert

I am not adding any rule. I need to change the Applied To field settings.

At present it is applied to a specific security group. I need to change it to Distributed Firewall.

There is no change to the source & destination for the ACL policies. I need to change only the Distributed Firewall setting.

If I do this, will there be any impact to the existing flow?

My understanding is that the VMs already have the firewall policies applied. Since there is no change in the rule ID, if I change to Distributed Firewall, it will still have the same rules.

Later I will remove the specific security group from each rule.
