Exporting Configurations
License: Any
You can export a single configuration, or you can export a set of configurations (of the same type or of different types) at once. When you later import the package onto another appliance, you can choose which configurations in the package to import.
When you export a configuration, the appliance also exports revision information for that configuration. The ASA FirePOWER module uses that information to determine whether you can import that configuration onto another appliance; you cannot import a configuration revision that already exists on an appliance.
In addition, when you export a configuration, the appliance also exports system configurations that the configuration depends on.
Tip: Many list pages in the ASA FirePOWER module include an export icon next to list items. Where this icon is present, you can use it as a quick alternative to the export procedure that follows.
You can export the following configurations:
- Alert responses — An alert response is a set of configurations that allows the ASA FirePOWER module to interact with the external system where you plan to send the alert.
- Access control policies — Access control policies include a variety of components that you can configure to determine how the system manages traffic on your network. These components include access control rules; associated intrusion, file, network analysis, and SSL policies; and objects the rules and policies use, including intrusion variable sets. Exporting an access control policy exports all settings and components for the policy except (where present) URL reputations and categories, which are equivalent across appliances and which users cannot change. Note that to import an access control policy, the rule update version on the exporting and importing ASA FirePOWER module must match.
  If an access control policy that you export, or the SSL policy it invokes, contains rules that reference geolocation data, the importing module’s geolocation database (GeoDB) update version is used.
- Intrusion policies — Intrusion policies include a variety of components that you can configure to inspect your network traffic for intrusions and policy violations. These components include intrusion rules that inspect protocol header values, payload content, and certain packet size characteristics, as well as other advanced settings.
  Exporting an intrusion policy exports all settings for the policy. For example, if you choose to set a rule to generate events, or if you set SNMP alerting for a rule, or if you turn on the sensitive data preprocessor in a policy, those settings remain in place in the exported policy. Custom rules, custom rule classifications, and user-defined variables are also exported with the policy.
  Note that if you export an intrusion policy that uses a layer that is shared by a second intrusion policy, that shared layer is copied into the policy you are exporting and the sharing relationship is broken. When you import the intrusion policy on another appliance, you can edit the imported policy to suit your needs, including deleting, adding, and sharing layers.
  If you export an intrusion policy from one ASA FirePOWER module to another, the imported policy may behave differently if the second ASA FirePOWER module has differently configured default variables.
  Note: You cannot use the Import/Export feature to update rules created by the Vulnerability Research Team (VRT). Instead, download and apply the latest rule update version; see Importing Rule Updates and Local Rule Files.
- System policies — A system policy controls the aspects of an ASA FirePOWER module that are likely to be similar to other ASA FirePOWER modules in your deployment, including time settings, SNMP settings, and so on.
Note: Depending on the number of configurations being exported and the number of objects those configurations reference, the export process may take several minutes.
To export one or more configurations:
Procedure
Step 1: Make sure that the ASA FirePOWER module where you are exporting the configurations and the ASA FirePOWER module where you plan to import the configurations are running the same version. If you are exporting an intrusion or access control policy, make sure that the rule update versions match. If the versions of the ASA FirePOWER module (and, if applicable, the rule update versions) do not match, the import will fail.
Step 2: Select . The Import/Export page appears, including a list of the configurations on the ASA FirePOWER module. Note that configuration categories with no configurations to export do not appear in this list.
Step 3: Select the check boxes next to the configurations you want to export and click Export.
Step 4: Follow the prompts to save the exported package to your computer.