About Import/Export
You can use the Import/Export feature to copy configurations between Firewall Management Centers. Import/Export is not a backup tool but can simplify the process of adding a new Firewall Management Center.
You can export a single configuration, or you can export a set of configurations (of the same type or of different types) with a single action. When you later import the package onto another Firewall Management Center, you can choose which configurations in the package to import.
An exported package contains revision information for that configuration, which determines whether you can import that configuration onto another Firewall Management Center. When the Firewall Management Center are compatible, but the package includes a duplicate configuration, the Firewall Management Center offers resolution options.
Exceptions to Export Behavior
When you export a configuration, the Firewall Management Center also exports other required configurations. For example, exporting an access control policy also exports any subpolicies it invokes, objects and object groups it uses, ancestor policies, and so on. As another example, if you export a platform settings policy with external authentication enabled, the authentication object is exported as well.
There are some exceptions, however:
-
System-provided databases and feeds—The Firewall Management Center does not export URL filtering category and reputation data, Cisco Intelligence Feed data, or the geolocation database (GeoDB). Each Firewall Management Center needs to obtain up-to-date information from Cisco.
-
Global Security Intelligence lists—The Firewall Management Center exports Global Security Intelligence Block and Do Not Block lists associated with exported configurations. The import process converts these lists to user-created lists, then uses those new lists in the imported configurations. This ensures that imported lists do not conflict with existing Global Block and Do Not Block lists. To use Global lists on the importing Firewall Management Center, manually add the lists to your imported configurations.
-
Intrusion policy shared layers—The export process breaks intrusion policy shared layers. The previously shared layer is included in the package, and imported intrusion policies do not contain shared layers.
-
Intrusion policy default variable set—The export package includes a default variable set with custom variables and system-provided variables with user-defined values. The import process updates the default variable set on the importing Firewall Management Center with the imported values. However, the import process does not delete custom variables not present in the export package. The import process also does not revert user-defined values on the importing Firewall Management Center, for values not set in the export package. Therefore, an imported intrusion policy may behave differently than expected if the importing Firewall Management Center has differently configured default variables.
-
Custom user objects—If you have created custom user groups or objects in your Firewall Management Center, and if such a custom user object is a part of any rule in your access control policy, note that the export file (.sfo) does not carry the user object information, and therefore while importing such a policy, any reference to such custom user objects will be removed and will not be imported to the destination Firewall Management Center. To avoid detection issues due to the missing user group, add the customized user objects manually to the new Firewall Management Center, and re-configure the access control policy after import.
Importing Objects and Object Groups
When you import objects and object groups:
-
Generally, the import process imports objects and groups as new, and you cannot replace existing objects and groups. However, if network and port objects or groups in an imported configuration match existing objects or groups, the imported configuration reuses the existing objects/groups, rather than creating new objects/groups. The Firewall Management Center determines a match by comparing the name (minus any autogenerated number) and content of each network and port object/group.
-
If the names of imported objects match existing objects on the importing Firewall Management Center, the Firewall Management Center appends autogenerated numbers to the imported object and group names to make them unique.
-
You must map any security zones and interface groups used in the imported configurations to matching-type zones and groups managed by the importing Firewall Management Center.
-
If you export a configuration that uses PKI objects containing private keys, the Firewall Management Center decrypts the private keys before export. On import, the Firewall Management Center encrypts the keys with a randomly generated key.
Conflict Resolution for Duplicate Configurations
Default Resolution Behavior
When you attempt to import a configuration, the Firewall Management Center determines whether a configuration of the same name and type already exists. When an import includes a duplicate configuration, the Firewall Management Center offers resolution options:
-
Keep existing
The Firewall Management Center does not import that configuration.
-
Replace existing
The Firewall Management Center overwrites the current configuration with the configuration selected for import. This option is not available if the duplicate is in ancestor or descendant domain.
-
Keep newest
The Firewall Management Center imports the selected configuration only if its timestamp is more recent than the timestamp on the current configuration. This option is not available if the duplicate is in ancestor or descendant domain.
Note
If you import a configuration that contains Microsoft Active Directory users and groups we strongly recommend you download all users and groups after the import to avoid issues in decryption policies, access control policies, and possibly other policies. (, then click Download Now(
) (Download Now).
-
Import as new
The Firewall Management Center imports the selected duplicate configuration, appending a system-generated number to the name to make it unique. (You can change this name before completing the import process.) The original configuration remains unchanged.
![]() Note |
If you modify an imported configuration on the Firewall Management Center and later re-import that configuration to the same Firewall Management Center, you must choose which version of the configuration to keep. |
File List Resolution Behavior
When you import an access control policy with a file policy that uses clean or custom detection file lists, and a file list presents a duplicate name conflict, the Firewall Management Center offers conflict resolution options as described, but the action taken varies as described in the table:
Resolution Option |
Resolution Behavior for the Access Control Policy |
---|---|
Keep existing |
Unchanged |
Replace existing |
Imported as new; file lists are merged |
Import as new |
Imported as new; file lists are merged |
Keep newest and access control policy being imported is the newest |
Imported as new; file lists are merged |
Keep newest and existing access control policy is the newest |
Unchanged |