Cisco Cisco FirePOWER Appliance 8260
FireSIGHT System User Guide
Appendix A Importing and Exporting Configurations
Exporting Configurations
conditions, Security Intelligence, or file policies that include rules that use the Block Malware or
Malware Cloud Lookup action. Additionally, Series 2 devices do not support application rule
conditions.
• Health policies — A health policy comprises the criteria used when checking the health of
appliances in your deployment, that is, whether your Cisco hardware and software are working
correctly.
• Intrusion policies — Intrusion policies include a variety of components that you can configure to
inspect your network traffic for intrusions and policy violations. These components include
preprocessors; intrusion rules that inspect the protocol header values, payload content, and certain
packet size characteristics; adaptive profile configurations; FireSIGHT recommended rules
configurations; and tools that allow you to control how often events are logged and displayed.
Exporting an intrusion policy exports all settings for the policy. For example, if you choose to set a
rule to generate events, or if you set SNMP alerting for a rule, or if you turn on the SMTP
preprocessor in a policy, those settings remain in place in the exported policy. Custom rules, custom
rule classifications, and user-defined variables are also exported with the policy.
Note that if you export an intrusion policy that uses a layer that is shared by a second intrusion
policy, that shared layer is copied into the policy you are exporting and the sharing relationship is
broken. When you import the intrusion policy on another appliance, you can edit the imported policy
to suit your needs, including deleting, adding, and sharing layers.
If you export an intrusion policy from one Defense Center to another, the imported policy may
behave differently if the second Defense Center has differently configured default variables.
Note
You cannot use the Import/Export feature to update rules created by Cisco’s Vulnerability
Research Team (VRT). Instead, download and apply the latest rule update version; see
• Report templates — Reports are document files formatted in PDF, HTML, or CSV that collate
specific FireSIGHT System data. A report template specifies the data searches and formats for the
report and its sections. When you export a report template, all saved searches, images, network
objects, objects created in the object manager, and custom tables that are necessary for the report
are exported also.
• Saved searches — A saved search provides access to predefined FireSIGHT System data for users
with limited permissions. When you export a custom user role that requires saved searches, the
necessary saved searches are exported also. You can also export individual user-defined saved
searches.
• System policies — A system policy controls the aspects of an appliance that are likely to be similar
to other FireSIGHT System appliances in your deployment, including database event limits, time
settings, login banners, and so on.
If external authentication is enabled in the system policy you are exporting, the associated
authentication objects are exported as well.
Note that system policies on Defense Centers contain database settings that do not apply to managed
devices. If you export a system policy from a managed device and then import it onto a Defense
Center, the database limits that you could not configure on the device are set to the default values
on the Defense Center.
• Third-party product mappings — If you import data from a third-party application, you must map
the product to the third-party name to assign vulnerabilities and perform impact correlation using
that data. Mapping the product associates Cisco vulnerability information with the third-party
product name, which allows the FireSIGHT System to perform impact correlation using that data.
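
The intrusion policy entry above warns that an imported policy may behave differently when the second Defense Center has differently configured default variables. The following pre-import check is an added example, not part of the Cisco guide or product: it lists which variables resolve differently on the two systems and which custom rules are affected. It assumes Snort-style `$NAME` variable references in rule headers, and all variable values and rules are constructed samples that you would replace with values copied by hand from each Defense Center.

```python
import re

VAR_REF = re.compile(r"\$(\w+)")

def resolve(name, variables, seen=()):
    """Expand one variable to its final value, following nested $NAME references."""
    if name in seen:
        raise ValueError(f"circular variable reference: {name}")
    expand = lambda m: resolve(m.group(1), variables, seen + (name,))
    return VAR_REF.sub(expand, variables[name])   # KeyError if undefined

def safe_resolve(name, variables):
    """Resolved value, or None when the variable (or one it references) is undefined."""
    try:
        return resolve(name, variables)
    except KeyError:
        return None

def import_drift(rules, src_vars, dst_vars):
    """Return {variable: {source, destination, sids}} for variables that resolve differently."""
    drift = {}
    for sid, text in rules.items():
        header = text.split("(", 1)[0]            # variables are used in the rule header
        for name in dict.fromkeys(VAR_REF.findall(header)):   # de-duplicate, keep order
            src, dst = safe_resolve(name, src_vars), safe_resolve(name, dst_vars)
            if src != dst:
                entry = drift.setdefault(name, {"source": src, "destination": dst, "sids": []})
                entry["sids"].append(sid)
    return drift

# Constructed sample data (assumptions, not values from the guide).
SRC_VARS = {"HOME_NET": "10.0.0.0/8", "EXTERNAL_NET": "!$HOME_NET", "HTTP_PORTS": "[80,8080]"}
DST_VARS = {"HOME_NET": "192.168.0.0/16", "EXTERNAL_NET": "any", "HTTP_PORTS": "[80,8080]"}
RULES = {
    1000001: 'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
             '(msg:"Constructed local rule A"; content:"/admin"; sid:1000001; rev:1;)',
    1000002: 'alert tcp any any -> any $HTTP_PORTS '
             '(msg:"Constructed local rule B"; content:"test"; sid:1000002; rev:1;)',
}

if __name__ == "__main__":
    for name, d in import_drift(RULES, SRC_VARS, DST_VARS).items():
        print(f"${name}: {d['source']} -> {d['destination']} affects SIDs {d['sids']}")
```

Any variable reported here should be reconciled on the destination Defense Center, or the affected rules reviewed, before the imported policy is applied.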