Configuration Import/Export

About Configuration Import/Export

You can use the configuration export feature to export an XML file containing logical device and platform configuration settings for your Firepower 4100/9300 chassis to a remote server or your local computer. You can later import that configuration file to quickly apply the configuration settings to your Firepower 4100/9300 chassis to return to a known good configuration or to recover from a system failure.

Guidelines and Restrictions

  • Beginning with FXOS 2.6.1, the encryption key is now configurable. You must set the encryption key before you can export a configuration. The same encryption key must be set on the system when importing that configuration. If you modified the encryption key so that it no longer matches what was used during export, the import operation will fail. Make sure you keep track of the encryption key for each exported configuration.

  • Do not modify the contents of the configuration file. If a configuration file is modified, configuration import using that file might fail.

  • Application-specific configuration settings are not contained in the configuration file. You must use the configuration backup tools provided by the application to manage application-specific settings and configurations.

  • When you import a configuration to the Firepower 4100/9300 chassis, all existing configuration on the Firepower 4100/9300 chassis (including any logical devices) is deleted and completely replaced by the configuration contained in the import file.

  • Except in an RMA scenario, we recommend you only import a configuration file to the same Firepower 4100/9300 chassis where the configuration was exported.

  • The platform software version of the Firepower 4100/9300 chassis where you are importing should be the same version as when the export was taken. If not, the import operation is not guaranteed to be successful. We recommend you export a backup configuration whenever the Firepower 4100/9300 chassis is upgraded or downgraded.

  • The Firepower 4100/9300 chassis where you are importing must have the same Network Modules installed in the same slots as when the export was taken.

  • The Firepower 4100/9300 chassis where you are importing must have the correct software application images installed for any logical devices defined in the export file that you are importing.

  • If the configuration file being imported contains a logical device whose application has an End-User License Agreement (EULA), you must accept the EULA for that application on the Firepower 4100/9300 chassis before you import the configuration or the operation will fail.

  • To avoid overwriting existing backup files, change the file name in the backup operation or copy the existing file to another location.


Note


You must back up the logical application separately, because the FXOS import/export backs up only the FXOS configuration. An FXOS configuration import causes the logical device to reboot and rebuilds the device with the factory default configuration.
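The guidelines above require an unmodified file, the same FXOS version, the same chassis (except for an RMA), and the matching encryption key. The following added example (not part of the original guide and not Cisco tooling) records those facts beside each export and checks them before an import; the manifest layout, the chassis identifier, and the key label are assumptions made for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_path(export_path):
    return Path(str(export_path) + ".manifest.json")


def record_export(export_path, fxos_version, chassis_id, key_label):
    """Run right after an export: pin the file hash and its context."""
    manifest = {
        "sha256": sha256_file(export_path),
        "fxos_version": fxos_version,
        "chassis_id": chassis_id,  # assumption: any stable ID, such as a serial
        "key_label": key_label,    # pointer into a secrets vault, never the key
    }
    manifest_path(export_path).write_text(json.dumps(manifest, indent=2))
    return manifest


def preimport_check(export_path, target_version, target_chassis_id, rma=False):
    """Run before an import: return (problems, key_label)."""
    manifest = json.loads(manifest_path(export_path).read_text())
    problems = []
    if sha256_file(export_path) != manifest["sha256"]:
        problems.append("file changed since export")
    if manifest["fxos_version"] != target_version:
        problems.append("FXOS version differs from export")
    if manifest["chassis_id"] != target_chassis_id and not rma:
        problems.append("different chassis and not an RMA")
    return problems, manifest["key_label"]


if __name__ == "__main__":
    # Constructed sample file; a real export is the XML produced by FXOS.
    sample = Path(tempfile.mkdtemp()) / "fxos-export.xml"
    sample.write_text("<constructed-sample/>")
    record_export(sample, "2.6.1", "CHASSIS-A", "vault:fxos/export-key-1")
    print(preimport_check(sample, "2.6.1", "CHASSIS-A"))
    sample.write_text("<constructed-sample edited='yes'/>")
    print(preimport_check(sample, "2.6.1", "CHASSIS-B"))
```

Store the manifest where accounts that can write to the backup location cannot alter it; otherwise a changed file and a changed manifest would still agree.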


Setting an Encryption Key for Configuration Import/Export

When exporting configurations, FXOS encrypts sensitive data such as passwords and keys.

Beginning with FXOS 2.6.1, the encryption key is now configurable. You must set the encryption key before you can export a configuration. The same encryption key must be set on the system when importing that configuration. If you have modified the encryption key so that it no longer matches what was used during export, the import operation will fail. Make sure that you keep track of the encryption key that is used for each exported configuration.

You can set the encryption key on either the Export page or the Import page. However, once set, the same key is used for both exporting and importing.

If you are importing a configuration into FXOS 2.6.1 or later that was exported from an FXOS release prior to 2.6.1, the system will not check the encryption key and will allow the import.


Note


If the platform software version to which you are importing is not the same version as when the export was taken, the import operation is not guaranteed to be successful. We recommend that you export a backup configuration whenever the Firepower 4100/9300 chassis is upgraded or downgraded.

Use the 'Set Version' option and export a backup configuration whenever the threat defense logical appliance is upgraded to a new software version, so that the new startup version matches the software release of the upgraded version.


Procedure


Step 1

Choose System > Configuration > Export.

Step 2

Under Encryption, enter a key to use for encrypting/decrypting sensitive data in the Key field. The encryption key must be 4-40 characters in length.

Step 3

Click Save Key.

The encryption key is set and will be used to encrypt/decrypt sensitive data when exporting and importing configurations. The system displays Set:Yes next to the Key field to indicate that the encryption key has been set.


Exporting an FXOS Configuration File

Use the configuration export feature to export an XML file containing logical device and platform configuration settings for your Firepower 4100/9300 chassis to a remote server or your local computer.

Before you begin

Review the Guidelines and Restrictions.

Procedure


Step 1

Choose System > Configuration > Export.

Step 2

To export a configuration file to your local computer, click Export Locally.

The configuration file is created and, depending on your browser, the file might be automatically downloaded to your default download location or you might be prompted to save the file.

Step 3

To export the configuration file to a previously configured remote server, click Export for the Remote Configuration you want to use.

The configuration file is created and exported to the specified location.

Step 4

To export the configuration file to a new remote server:

  1. Under On-Demand Export, click Add On-Demand Configuration.

  2. Choose the protocol to use when communicating with the remote server. This can be one of the following: FTP, TFTP, SCP, or SFTP.

  3. Enter the hostname or IP address of the location where the backup file should be stored. This can be a server, storage array, local drive, or any read/write media that the Firepower 4100/9300 chassis can access through the network.

    If you use a hostname rather than an IP address, you must configure a DNS server.

  4. If you are using a non-default port, enter the port number in the Port field.

  5. Enter the username the system should use to log in to the remote server. This field does not apply if the protocol is TFTP.

  6. Enter the password for the remote server username. This field does not apply if the protocol is TFTP.

    Note

     

    The password must not exceed 64 characters. If you enter a password longer than 64 characters, chassis manager displays an error stating that property pwd of org-root/cfg-exp-policy-default is out of range.

  7. In the Location field, enter the full path to where you want the configuration file exported including the filename.

  8. Click OK.

    The Remote Configuration is added to the On-Demand Export table.
  9. Click Export for the Remote Configuration you want to use.

    The configuration file is created and exported to the specified location.

Scheduling Automatic Configuration Export

Use the scheduled export feature to automatically export an XML file containing logical device and platform configuration settings for your Firepower 4100/9300 chassis to a remote server or your local computer. You can schedule the exports to run daily, weekly, or every two weeks. The configuration export is executed according to the schedule, counted from when the scheduled export feature is enabled. For example, if you enable weekly scheduled export on a Wednesday at 10:00pm, the system will trigger a new export every Wednesday at 10:00pm.

Please review the Guidelines and Restrictions for important information about using the configuration export feature.

Procedure


Step 1

Choose System > Configuration > Export.

Step 2

Click Schedule Export.

You see the Configure Scheduled Export dialog box.

Step 3

Choose the protocol to use when communicating with the remote server. This can be one of the following: FTP, TFTP, SCP, or SFTP.

Step 4

To enable the scheduled export, check the Enable check box.

Note

 

You can enable or disable the scheduled export at a later time using this check box; however, you will need to specify the password again when enabling or disabling the scheduled export.

Step 5

Enter the hostname or IP address of the location where the backup file should be stored. This can be a server, storage array, local drive, or any read/write media that the Firepower 4100/9300 chassis can access through the network.

If you use a hostname rather than an IP address, you must configure a DNS server.

Step 6

If you are using a non-default port, enter the port number in the Port field.

Step 7

Enter the username the system should use to log in to the remote server. This field does not apply if the protocol is TFTP.

Step 8

Enter the password for the remote server username. This field does not apply if the protocol is TFTP.

Step 9

In the Location field, enter the full path to where you want the configuration file exported including the filename. If you omit the filename, the export procedure assigns a name to the file.

Step 10

Choose the schedule on which you would like to have the configuration automatically exported. This can be one of the following: Daily, Weekly, or BiWeekly.

Step 11

Click OK.

The scheduled export is created. If you enabled the scheduled export, the system will automatically export a configuration file to the specified location according to the schedule that you selected.

Setting a Configuration Export Reminder

Use the Export Reminder feature to have the system generate a fault when a configuration export hasn't been executed in a certain number of days.

By default, the export reminder is enabled with a frequency of 30 days.


Note


If the reminder frequency is smaller than the number of days in the scheduled export policy (daily, weekly, or bi-weekly), you will receive an export-reminder fault message (“Config backup may be outdated”). For example, if your export schedule is weekly, and the reminder frequency is five days, this fault message will be issued every five days if no configuration has been exported in that time.


Procedure


Step 1

Choose System > Configuration > Export.

Step 2

To enable the configuration export reminder, check the check box under Reminder to trigger an export.

Step 3

Enter the number of days, between 1 and 365, that the system should wait between configuration exports before generating a reminder fault.

Step 4

Click Save Reminder.


Importing a Configuration File

You can use the configuration import feature to apply configuration settings that were previously exported from your Firepower 4100/9300 chassis. This feature allows you to return to a known good configuration or to recover from a system failure.

Before you begin

Review the Guidelines and Restrictions.

Procedure


Step 1

Choose System > Tools > Import/Export.

Step 2

To import from a local configuration file:

  1. Click Choose File to navigate to and select the configuration file that you want to import.

  2. Click Import.

    A confirmation dialog box opens asking you to confirm that you want to proceed and warning you that the chassis might need to restart.
  3. Click Yes to confirm that you want to import the specified configuration file.

    The existing configuration is deleted and the configuration specified in the import file is applied to the Firepower 4100/9300 chassis. If there is a breakout port configuration change during the import, the Firepower 4100/9300 chassis will need to restart.

Step 3

To import the configuration file from a previously configured remote server:

  1. In the Remote Import table, click Import for the Remote Configuration you want to use.

    A confirmation dialog box opens asking you to confirm that you want to proceed and warning you that the chassis might need to restart.
  2. Click Yes to confirm that you want to import the specified configuration file.

    The existing configuration is deleted and the configuration specified in the import file is applied to the Firepower 4100/9300 chassis. If there is a breakout port configuration change during the import, the Firepower 4100/9300 chassis will need to restart.

Step 4

To import from a configuration file on a new remote server:

  1. Under Remote Import, click Add Remote Configuration.

  2. Choose the protocol to use when communicating with the remote server. This can be one of the following: FTP, TFTP, SCP, or SFTP.

  3. If you are using a non-default port, enter the port number in the Port field.

  4. Enter the hostname or IP address of the location where the backup file is stored. This can be a server, storage array, local drive, or any read/write media that the Firepower 4100/9300 chassis can access through the network.

    If you use a hostname rather than an IP address, you must configure a DNS server.

  5. Enter the username the system should use to log in to the remote server. This field does not apply if the protocol is TFTP.

  6. Enter the password for the remote server username. This field does not apply if the protocol is TFTP.

    Note

     

    The password must not exceed 64 characters. If you enter a password longer than 64 characters, chassis manager displays an error stating that property pwd of org-root/cfg-exp-policy-default is out of range.

  7. In the File Path field, enter the full path to the configuration file including the file name.

  8. Click Save.

    The Remote Configuration is added to the Remote Import table.
  9. Click Import for the Remote Configuration you want to use.

    A confirmation dialog box opens asking you to confirm that you want to proceed and warning you that the chassis might need to restart.
  10. Click Yes to confirm that you want to import the specified configuration file.

    The existing configuration is deleted and the configuration specified in the import file is applied to the Firepower 4100/9300 chassis. If there is a breakout port configuration change during the import, the Firepower 4100/9300 chassis will need to restart.