diff --git a/vmware_nsx/plugins/nsx_v/plugin.py b/vmware_nsx/plugins/nsx_v/plugin.py
index ee563f9e1f..43af630016 100644
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@@ -3554,13 +3554,6 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
 sg_rules = security_group_rules['security_group_rules']
 sg_id = sg_rules[0]['security_group_rule']['security_group_id']
- if (self._use_nsx_policies and self._is_policy_security_group(context, sg_id)):
- # If policies are enabled - creating rules is forbidden
- msg = (_('Cannot create rules for security group %s with' ' a policy') % sg_id)
- raise n_exc.InvalidInput(error_message=msg)
-
 self._prevent_non_admin_delete_provider_sg(context, sg_id)
 ruleids = set()
@@ -3568,6 +3561,12 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
 self._validate_security_group_rules(context, security_group_rules)
+ if self._is_policy_security_group(context, sg_id):
+ # If policies are/were enabled - creating rules is forbidden
+ msg = (_('Cannot create rules for security group %s with' ' a policy') % sg_id)
+ raise n_exc.InvalidInput(error_message=msg)
+
 # Querying DB for associated dfw section id
 section_uri = self._get_section_uri(context.session, sg_id)
 logging = self._is_security_group_logged(context, sg_id)
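Review bot: The added check in the second hunk drops the `self._use_nsx_policies` gate, but the only record of why is the word "were" in `# If policies are/were enabled - creating rules is forbidden`; the invariant it now enforces deserves to be stated explicitly so nobody reinstates the config-flag gate later. The check also keys on `sg_id`, which the first hunk's context shows is taken from `sg_rules[0]` alone, and it now runs after `_validate_security_group_rules`; if that helper guarantees every rule in the bulk request targets the same group (as the Neutron base implementation does, though that is not visible here), the ordering is what makes the single lookup sufficient, and if it does not, a rule for a second policy-bound group in the same request would bypass this rejection. Suggested replacement comment: `# A group bound to an NSX policy stays policy-managed even after use_nsx_policies is turned off, so the DB binding decides, not the config flag; _validate_security_group_rules above has already ensured all rules target sg_id.` The enclosing method begins before the first hunk and continues after the second.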