About Configuration Import/Export
When you manage the threat defense device locally, with the device manager or through the CDO, you can export the configuration of the device using the threat defense API. This method does not work with a device managed by the Secure Firewall Management Center.
When you export the configuration, the system creates a zip file. You can then download the zip file to your workstation. The configuration itself is represented as objects defined using attribute-value pairs in a JSON-formatted text file. You can edit the file prior to importing it back into the same device or a different device.
Thus, you can use an export file to create a template that you can deploy to other devices in your network.
When importing objects, you also have the option of defining the objects directly in the import command rather than in a configuration file. However, you should directly define objects only in cases where you are importing a small number of changes.
The following topics explain more about configuration import/export.
What is Included in the Export File
When you do an export, you specify which configurations to include in the export file. A full export includes the entire configuration. Based on what you choose to export, the export zip file might include the following:
- Attribute-value pairs that define each configured object. All configurable items are modeled as objects, not just those that are called “objects” in the device manager.
- If you configured remote access VPN, the AnyConnect packages and any other referenced files, such as client profile XML files, the DAP XML file, and Hostscan packages.
- If you configured custom file policies, any referenced clean list or custom detection list.
Comparing Import/Export and Backup/Restore
Configuration import/export is not the same as backup/restore.
- Backup/restore is for disaster recovery. You can restore a backup to a device only if the device is the same model, and running the same software version, as the device from which the backup was taken. Primarily, this is for recovering the “last good” configuration to the same device, or to restore the configuration to a replacement device.
- Import/export is for preserving all or part of a configuration. You can use an export file to restore the configuration to a device after you reimage it. Or, you can use the export file as a template, editing the contents before importing it into another device. With import/export, you can quickly get a new device up to a certain baseline configuration, so you can deploy it more rapidly into your network. Within limits, you can even import a file to different device models, for example, from a Firepower 2120 to a 2130. If the import file only includes objects that are supported on all device models, there should be very few restrictions on import. The one restriction is that the device needs to use the same API version used for the export file.
Strategies for Import/Export
Following are some ways you can use import/export.
- Create a template for new devices. Configure your model device to the baseline you need, then export the full configuration. Subsequently, you can import that configuration into new devices, then use the device manager or the threat defense API to make whatever modifications are needed. You can also edit the template prior to import to make these modifications, for example, to the IP addresses for each interface. Note that the full export includes the ManagementIP object (type=managementip); assuming that you have already configured the management address and gateway on the target device, you should remove this object from the export file when you create the template for the new device, or you will overwrite the management addressing information.
- Deploy configuration changes from one device to other similar devices. For example, when editing the configuration of device A, you create a few new network objects and access control rules. You can then export the pending changes, and import those changes into device B. After you deploy the configuration on both devices, they are running the same new rules.
- Reapply the configuration after a system reimage. Reimaging a device erases the configuration. If you first export the full configuration, you can then import it after you complete the reimage.
- Apply targeted configurations. Because you can edit or even manually create an export file, you can remove all objects except those you want to import into another device. For example, you could create a configuration file that contains a set of network objects, and use it to import the same group of network objects into all of your threat defense devices.
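The template and targeted-configuration strategies above both come down to editing the exported JSON before import: dropping the ManagementIP object (type=managementip) so the target device's management addressing is not overwritten, rewriting per-device interface addresses, and, for a targeted import, keeping only the object types you want to push everywhere. The script below is an added example written for this page, not Cisco's code. It assumes only what the page states, that the export is JSON text describing each object as attribute-value pairs with a "type" attribute; the sample export and every attribute name other than "type" are constructed for illustration and do not reflect the real export schema.

```python
"""Turn a threat defense API configuration export into a reusable template.

Added example, not Cisco code. Assumption (labelled): the export is a JSON
array in which every entry is an object with a "type" attribute, as the
page describes ("type=managementip"). All other attribute names below are
constructed for this example.
"""
import copy
import json

# Constructed sample export: a shortened stand-in for the JSON text file
# inside the export zip. Only "type" comes from the page; the rest is invented.
SAMPLE_EXPORT = json.dumps([
    {"type": "managementip", "ipv4Address": "192.0.2.10", "ipv4Gateway": "192.0.2.1"},
    {"type": "physicalinterface", "name": "inside",
     "ipv4": {"ipAddress": "10.0.0.1", "netmask": "255.255.255.0"}},
    {"type": "networkobject", "name": "web-servers", "value": "10.0.1.0/24"},
    {"type": "accessrule", "name": "allow-web", "destinationNetworks": ["web-servers"]},
])


def load_export(text):
    """Parse the export text and check that every entry has a "type" attribute."""
    objs = json.loads(text)
    if not isinstance(objs, list):
        raise ValueError("export must be a JSON array of objects")
    for i, obj in enumerate(objs):
        if not isinstance(obj, dict) or "type" not in obj:
            raise ValueError(f"entry {i} is not an object with a 'type' attribute")
    return objs


def drop_types(objs, types):
    """Return a copy without objects of the given types (case-insensitive)."""
    unwanted = {t.lower() for t in types}
    return [copy.deepcopy(o) for o in objs if o["type"].lower() not in unwanted]


def keep_types(objs, types):
    """Return a copy containing only objects of the given types (targeted import)."""
    wanted = {t.lower() for t in types}
    return [copy.deepcopy(o) for o in objs if o["type"].lower() in wanted]


def set_interface_address(objs, name, ip_address, netmask):
    """Rewrite the IPv4 address of one interface; fail loudly if it is absent.

    The "physicalinterface"/"ipv4" layout is a constructed assumption.
    """
    updated = copy.deepcopy(objs)
    for obj in updated:
        if obj["type"].lower() == "physicalinterface" and obj.get("name") == name:
            obj["ipv4"] = {"ipAddress": ip_address, "netmask": netmask}
            return updated
    raise KeyError(f"no physicalinterface named {name!r} in export")


def make_template(text, interface_addresses):
    """Build a new-device template from a full export.

    Drops the ManagementIP object so the target's management addressing is
    kept, then applies per-device interface addresses.
    interface_addresses maps interface name -> (ip_address, netmask).
    """
    objs = drop_types(load_export(text), ["managementip"])
    for name, (ip_address, netmask) in interface_addresses.items():
        objs = set_interface_address(objs, name, ip_address, netmask)
    return objs


def render(objs):
    """Serialize the edited objects back to JSON text for import."""
    return json.dumps(objs, indent=2)


if __name__ == "__main__":
    template = make_template(SAMPLE_EXPORT, {"inside": ("10.1.0.1", "255.255.255.0")})
    print(render(template))
    print(render(keep_types(load_export(SAMPLE_EXPORT), ["networkobject"])))
```

Validating the file before editing it matters more than it looks: an import file that silently carries a ManagementIP object, or an interface name that does not exist on the target, is exactly the kind of mistake that leaves a freshly deployed device unreachable, so the helpers refuse to proceed rather than guess.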