diff --git a/doc/source/admin_util.rst b/doc/source/admin_util.rst
index 5ae77372c8..c4caedc4db 100644
--- a/doc/source/admin_util.rst
+++ b/doc/source/admin_util.rst
@@ -181,6 +181,10 @@ Security Groups, Firewall and Spoofguard
 nsxadmin -r security-groups -o migrate-to-policy --property policy-id=policy-10 --property security-group-id=733f0741-fa2c-4b32-811c-b78e4dc8ec39
+- Reorder the nsx L3 firewall sections to correctly support the policy security groups
+
+ nsxadmin -r firewall-sections -o nsx-reorder
+
 Metadata
 ~~~~~~~~
diff --git a/vmware_nsx/plugins/nsx_v/vshield/vcns.py b/vmware_nsx/plugins/nsx_v/vshield/vcns.py
index f0cdde4116..99087dd65e 100644
--- a/vmware_nsx/plugins/nsx_v/vshield/vcns.py
+++ b/vmware_nsx/plugins/nsx_v/vshield/vcns.py
@@ -641,6 +641,12 @@ class Vcns(object):
 uri = FIREWALL_PREFIX
 return self.do_request(HTTP_GET, uri, decode=False, format='xml')
+ def update_dfw_config(self, request, h):
+ uri = FIREWALL_PREFIX
+ headers = self._get_section_header(None, h)
+ return self.do_request(HTTP_PUT, uri, request, format='xml',
+ decode=False, encode=False, headers=headers)
+
 def get_section_id(self, section_name):
 """Retrieve the id of a section from nsx."""
 h, firewall_config = self.get_dfw_config()
diff --git a/vmware_nsx/shell/admin/plugins/nsxv/resources/securitygroups.py b/vmware_nsx/shell/admin/plugins/nsxv/resources/securitygroups.py
index e34911d75d..cc8c2e3038 100644
--- a/vmware_nsx/shell/admin/plugins/nsxv/resources/securitygroups.py
+++ b/vmware_nsx/shell/admin/plugins/nsxv/resources/securitygroups.py
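Review bot: `update_dfw_config` ships without a docstring, and its single-letter `h` parameter gives the reader nothing to go on; the surrounding context shows `h` is the first value returned by `get_dfw_config()` and that `_get_section_header(None, h)` turns it into request headers, but what the backend does with it on a PUT (presumably a revision/ETag-style precondition) cannot be confirmed from this hunk. A docstring such as `"""PUT a full DFW configuration. request: XML body sent verbatim (encode=False); h: the headers returned by get_dfw_config() for the configuration being replaced, forwarded through _get_section_header()."""` would make the read-then-write pairing explicit. Because this replaces the whole firewall configuration rather than a single section, the docstring should also tell callers to pass the `h` from the same `get_dfw_config()` call whose body they modified, so a stale read is not written back over newer changes.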
@@ -128,6 +128,38 @@ class NsxFirewallAPI(object):
 'id': sec_id})
 return sections
+ def reorder_fw_sections(self):
+ # read all the sections
+ h, firewall_config = self.vcns.get_dfw_config()
+ root = et.fromstring(firewall_config)
+
+ for child in root:
+ if str(child.tag) == 'layer3Sections':
+ # go over the L3 sections and reorder them.
+ # policy sections should come first
+ sections = list(child.iter('section'))
+ regular_sections = []
+ policy_sections = []
+
+ for sec in sections:
+ if sec.attrib.get('managedBy') == 'NSX Service Composer':
+ policy_sections.append(sec)
+ else:
+ regular_sections.append(sec)
+ child.remove(sec)
+
+ if not policy_sections:
+ LOG.info(_LI("No need to reorder the firewall sections."))
+ return
+
+ # reorder the sections to have the policy sections first
+ reordered_sections = policy_sections + regular_sections
+ child.extend(reordered_sections)
+
+ # update the new order of sections in the backend
+ self.vcns.update_dfw_config(et.tostring(root), h)
+ LOG.info(_LI("L3 Firewall sections were reordered."))
+
 neutron_sg = NeutronSecurityGroupDB()
 nsxv_firewall = NsxFirewallAPI()
@@ -219,6 +251,12 @@ def list_missing_firewall_sections(resource, event, trigger, **kwargs):
 return bool(missing_sections_info)
+@admin_utils.list_mismatches_handler(constants.FIREWALL_SECTIONS)
+@admin_utils.output_header
+def reorder_firewall_sections(resource, event, trigger, **kwargs):
+ nsxv_firewall.reorder_fw_sections()
+
+
 @admin_utils.fix_mismatches_handler(constants.SECURITY_GROUPS)
 @admin_utils.output_header
 def fix_security_groups(resource, event, trigger, **kwargs):
@@ -325,3 +363,7 @@ def migrate_sg_to_policy(resource, event, trigger, **kwargs):
 registry.subscribe(migrate_sg_to_policy,
 constants.SECURITY_GROUPS,
 shell.Operations.MIGRATE_TO_POLICY.value)
+
+registry.subscribe(reorder_firewall_sections,
+ constants.FIREWALL_SECTIONS,
+ shell.Operations.NSX_REORDER.value)
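Review bot: `sections = list(child.iter('section'))` in `reorder_fw_sections` walks every descendant of `layer3Sections`, while the `child.remove(sec)` that follows only accepts direct children, so any `section` element nested one level deeper would make the loop raise ValueError; `sections = list(child.findall('section'))` matches the direct-child assumption that `remove` and `extend` already make. The collapsed hunk does not show whether `child.remove(sec)` sits at loop-body level or inside the `else:` branch; it must run for every section, otherwise `child.extend(policy_sections + regular_sections)` re-appends the policy sections and the backend receives them twice. The two exits are also inconsistent: the no-policy-sections path `return`s out of `for child in root`, whereas the success path keeps iterating over the remaining top-level elements after the PUT, so a `break` after the second `LOG.info` would make the intent explicit. Since section order is rule precedence and this rewrites the whole L3 order in one PUT, an operator would benefit from the log line reporting what moved, e.g. `LOG.info(_LI("L3 Firewall sections were reordered: %(p)d policy, %(r)d regular."), {'p': len(policy_sections), 'r': len(regular_sections)})`.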
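Review bot: `reorder_firewall_sections` is wrapped in `@admin_utils.list_mismatches_handler(constants.FIREWALL_SECTIONS)`, the decorator used by the read-only `list_missing_firewall_sections` above it, yet it is registered under `NSX_REORDER` and mutates the backend; `fix_security_groups` directly below uses `fix_mismatches_handler` for its mutating operation, so check whether `list_mismatches_handler` is the intended wrapper here or a copy-paste from the listing handler. The function also has no docstring; `"""Admin op 'nsx-reorder': move the policy (Service Composer) L3 firewall sections ahead of the regular ones on the NSX backend."""` would tell an operator what the command changes before they run it.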
diff --git a/vmware_nsx/shell/resources.py b/vmware_nsx/shell/resources.py
index f3eba67e0d..5ad207e7de 100644
--- a/vmware_nsx/shell/resources.py
+++ b/vmware_nsx/shell/resources.py
@@ -47,6 +47,7 @@ class Operations(enum.Enum):
 NSX_UPDATE_ALL = 'nsx-update-all'
 NSX_UPDATE_SECRET = 'nsx-update-secret'
 NSX_RECREATE = 'nsx-recreate'
+ NSX_REORDER = 'nsx-reorder'
 MIGRATE_TO_DYNAMIC_CRITERIA = 'migrate-to-dynamic-criteria'
 NSX_MIGRATE_V_V3 = 'nsx-migrate-v-v3'
 MIGRATE_TO_POLICY = 'migrate-to-policy'
@@ -132,7 +133,8 @@ nsxv_resources = {
 Operations.MIGRATE_TO_POLICY.value]),
 constants.FIREWALL_SECTIONS: Resource(constants.FIREWALL_SECTIONS,
 [Operations.LIST.value,
- Operations.LIST_MISMATCHES.value]),
+ Operations.LIST_MISMATCHES.value,
+ Operations.NSX_REORDER.value]),
 constants.FIREWALL_NSX_GROUPS: Resource(
 constants.FIREWALL_NSX_GROUPS, [Operations.LIST.value,
 Operations.LIST_MISMATCHES.value]),