Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Appendix A      Importing and Exporting Configurations
  Importing Configurations
  • You must make sure that the appliance where you import a configuration is running the same version of the FireSIGHT System as the appliance you used to export the configuration. If you are importing an intrusion policy (or an access control policy that incorporates an intrusion policy), the rule update versions on both appliances must also match. If the versions do not match, the import will fail.
  • When you import a custom user role that requires saved searches, the necessary saved searches are imported also.
  • The dashboard widgets that you can view depend on the type of appliance you are using and on your user role. For example, a dashboard created on the Defense Center and imported onto a managed device may display some invalid, disabled widgets.
  • If you import an access control policy that evaluates traffic based on zones, you must map the zones in the imported policy to zones on devices managed by the importing Defense Center. When you map zones, their types must match. Therefore, you must create any zone types you need on the importing Defense Center before you begin the import. For more information about security zones,
see 
.
  • If you import an access control policy or saved search that includes an object or object group that has an identical name to an existing object or group, you must rename the object or group.
  • If you import an access control policy or an intrusion policy, the import process replaces existing default variables in the default variable set with the imported default variables. If your existing default variable set contains a custom variable not present in the imported default variable set, the unique variable is preserved.
  • If you import an intrusion policy that used a shared layer from a second intrusion policy, the export process breaks the sharing relationship and the previously shared layer is copied into the package. In other words, imported intrusion policies do not contain shared layers.
Note
You cannot use the Import/Export feature to update rules created by Cisco’s Vulnerability Research Team (VRT). Instead, download and apply the latest rule update version; see
  • When you import a system policy that was exported from a Defense Center where external authentication is enabled, you also import the authentication objects on which the system policy depends.
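The constraints listed above can be checked before an import by comparing a hand-collected inventory of the exporting and importing appliances. The following is an added example, not part of the FireSIGHT System or this guide; the dictionary layout, field names, and all sample values are constructed assumptions and do not represent an export package format or product API.

```python
# Added example: inventories are filled in by hand; every field name and
# sample value below is a constructed assumption, not FireSIGHT output.

def preflight(src, dst):
    """Return (blocking_problems, default_variable_preview) for a planned import."""
    problems = []
    # The FireSIGHT System version must match or the import fails.
    if src["version"] != dst["version"]:
        problems.append(f"version mismatch: {src['version']} != {dst['version']}")
    # Rule update versions must also match when an intrusion policy is involved.
    if src["has_intrusion_policy"] and src["rule_update"] != dst["rule_update"]:
        problems.append(f"rule update mismatch: {src['rule_update']} != {dst['rule_update']}")
    # Each imported zone must map to a destination zone of the same type.
    dst_types = set(dst["zones"].values())
    for zone, ztype in sorted(src["zones"].items()):
        if ztype not in dst_types:
            problems.append(f"no {ztype} zone on destination to map '{zone}'")
    # Identically named objects or groups have to be renamed.
    for name in sorted(set(src["objects"]) & set(dst["objects"])):
        problems.append(f"object name collision: '{name}'")
    # Imported default variables replace existing ones; custom variables that
    # exist only on the destination are preserved.
    old, new = dst["default_vars"], src["default_vars"]
    preview = {
        "overwritten": sorted(k for k in new if k in old and old[k] != new[k]),
        "preserved": sorted(k for k in old if k not in new),
    }
    return problems, preview

# Constructed sample inventories (placeholders, not real versions or networks).
SOURCE = {
    "version": "X.Y.Z", "rule_update": "placeholder-A", "has_intrusion_policy": True,
    "zones": {"Inside": "inline", "DMZ": "routed"},
    "objects": ["Web-Servers", "Mail-Servers"],
    "default_vars": {"HOME_NET": "10.0.0.0/8", "HTTP_PORTS": "80,8080"},
}
DEST = {
    "version": "X.Y.Z", "rule_update": "placeholder-B",
    "zones": {"Internal": "inline", "Tap": "passive"},
    "objects": ["Web-Servers", "DNS-Servers"],
    "default_vars": {"HOME_NET": "192.168.0.0/16", "HTTP_PORTS": "80,8080",
                     "CUSTOM_DB_NET": "192.168.50.0/24"},
}

if __name__ == "__main__":
    found, variables = preflight(SOURCE, DEST)
    for line in found:
        print("BLOCKING:", line)
    print("Default variables overwritten:", variables["overwritten"])
    print("Custom variables preserved:", variables["preserved"])
```

The overwritten list is the part to review most carefully, because a replaced default variable changes what every intrusion rule that references it matches.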
Because you can export several configurations in a single package, when you import the package you 
must choose which configurations in the package to import. You can only import configurations that are 
supported on the destination appliance.
When you attempt to import a configuration, your appliance determines whether that configuration 
already exists on the appliance. If a conflict exists, you can:
  • keep the existing configuration,
  • replace the existing configuration with a new configuration,
  • keep the newest configuration, or
  • import the configuration as a new configuration.
If you import a configuration and then later make a modification to the configuration on the destination 
system, and then re-import the configuration, you must choose which version of the configuration to 
keep.
Depending on the number of configurations being imported and the number of objects those 
configurations reference, the import process may take several minutes.
For information on using imported configurations, see the following sections: