Exceptions to Export Behavior

When you export a configuration, the Firewall Management Center also exports other required configurations. For example, exporting an access control policy also exports any subpolicies it invokes, objects and object groups it uses, ancestor policies, and so on. As another example, if you export a platform settings policy with external authentication enabled, the authentication object is exported as well.

There are some exceptions, however:

  • System-provided databases and feeds—The Firewall Management Center does not export URL filtering category and reputation data, Cisco Intelligence Feed data, or the geolocation database (GeoDB). Each Firewall Management Center needs to obtain up-to-date information from Cisco.

  • Global Security Intelligence lists—The Firewall Management Center exports Global Security Intelligence Block and Do Not Block lists associated with exported configurations. The import process converts these lists to user-created lists, then uses those new lists in the imported configurations. This ensures that imported lists do not conflict with existing Global Block and Do Not Block lists. To use Global lists on the importing Firewall Management Center, manually add the lists to your imported configurations.

  • Intrusion policy shared layers—The export process breaks intrusion policy shared layers. The previously shared layer is included in the package, and imported intrusion policies do not contain shared layers.

  • Intrusion policy default variable set—The export package includes a default variable set with custom variables and system-provided variables with user-defined values. The import process updates the default variable set on the importing Firewall Management Center with the imported values. However, the import process does not delete custom variables not present in the export package. The import process also does not revert user-defined values on the importing Firewall Management Center, for values not set in the export package. Therefore, an imported intrusion policy may behave differently than expected if the importing Firewall Management Center has differently configured default variables.

  • Custom user objects—If you have created custom user groups or objects in your Firewall Management Center, and if such a custom user object is a part of any rule in your access control policy, note that the export file (.sfo) does not carry the user object information, and therefore while importing such a policy, any reference to such custom user objects will be removed and will not be imported to the destination Firewall Management Center. To avoid detection issues due to the missing user group, add the customized user objects manually to the new Firewall Management Center, and re-configure the access control policy after import.