Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Appendix A      Importing and Exporting Configurations
  Exporting Configurations
conditions, Security Intelligence, or file policies that include rules that use the Block Malware or 
Malware Cloud Lookup action. Additionally, Series 2 devices do not support application rule 
conditions.
  • Health policies — A health policy comprises the criteria used when checking the health of 
appliances in your deployment, that is, whether your Cisco hardware and software are working 
correctly.
  • Intrusion policies — Intrusion policies include a variety of components that you can configure to 
inspect your network traffic for intrusions and policy violations. These components include 
preprocessors; intrusion rules that inspect the protocol header values, payload content, and certain 
packet size characteristics; adaptive profile configurations; FireSIGHT recommended rules 
configurations; and tools that allow you to control how often events are logged and displayed.
Exporting an intrusion policy exports all settings for the policy. For example, if you choose to set a 
rule to generate events, or if you set SNMP alerting for a rule, or if you turn on the SMTP 
preprocessor in a policy, those settings remain in place in the exported policy. Custom rules, custom 
rule classifications, and user-defined variables are also exported with the policy.
Note that if you export an intrusion policy that uses a layer that is shared by a second intrusion 
policy, that shared layer is copied into the policy you are exporting and the sharing relationship is 
broken. When you import the intrusion policy on another appliance, you can edit the imported policy 
to suit your needs, including deleting, adding, and sharing layers.
If you export an intrusion policy from one Defense Center to another, the imported policy may 
behave differently if the second Defense Center has differently configured default variables.
Note
You cannot use the Import/Export feature to update rules created by Cisco’s Vulnerability 
Research Team (VRT). Instead, download and apply the latest rule update version; see 
  • Report templates — Reports are document files formatted in PDF, HTML, or CSV that collate 
specific FireSIGHT System data. A report template specifies the data searches and formats for the 
report and its sections. When you export a report template, all saved searches, images, network 
objects, objects created in the object manager, and custom tables that are necessary for the report 
are exported also.
  • Saved searches — A saved search provides access to predefined FireSIGHT System data for users 
with limited permissions. When you export a custom user role that requires saved searches, the 
necessary saved searches are exported also. You can also export individual user-defined saved 
searches.
  • System policies — A system policy controls the aspects of an appliance that are likely to be similar 
to other FireSIGHT System appliances in your deployment, including database event limits, time 
settings, login banners, and so on.
If external authentication is enabled in the system policy you are exporting, the associated 
authentication objects are exported as well.
Note that system policies on Defense Centers contain database settings that do not apply to managed 
devices. If you export a system policy from a managed device and then import it onto a Defense 
Center, the database limits that you could not configure on the device are set to the default values 
on the Defense Center.
  • Third-party product mappings — If you import data from a third-party application, you must map 
the product to the third-party name to assign vulnerabilities and perform impact correlation using 
that data. Mapping the product associates Cisco vulnerability information with the third-party 
product name, which allows the FireSIGHT System to perform impact correlation using that data.