Importing and Exporting Configurations

You can use the Import/Export feature to copy several types of configurations, including policies, from one appliance to another appliance of the same type. Configuration import and export is not intended as a backup tool, but can be used to simplify the process of adding new appliances to your FireSIGHT System.

You can import and export the following configurations:

  • access control policies and their associated network analysis, SSL, and file policies
  • intrusion policies
  • health and system policies
  • alert responses
  • application detectors
  • dashboards, custom tables, custom workflows, and saved searches
  • custom user roles
  • report templates
  • third-party product and vulnerability mappings

To import an exported configuration, both appliances must be running the same version of the FireSIGHT System. To import an exported intrusion or access control policy, the rule update versions on both appliances must also match.

Exporting Configurations

License: Any

You can export a single configuration, or you can export a set of configurations (of the same type or of different types) at once. When you later import the package onto another appliance, you can choose which configurations in the package to import.

When you export a configuration, the appliance also exports revision information for that configuration. The FireSIGHT System uses that information to determine whether you can import that configuration onto another appliance; you cannot import a configuration revision that already exists on an appliance.

In addition, when you export a configuration, the appliance also exports system configurations that the configuration depends on, such as authentication objects. For example, if you set up authentication to an LDAP server on your Defense Center, then export a Defense Center system policy with authentication enabled, the authentication object is exported as well.


Tip Many list pages in the FireSIGHT System include an export icon next to list items. Where this icon is present, you can use it as a quick alternative to the export procedure that follows.


You can export the following configurations:

  • Alert responses — An alert response is a set of configurations that allows the FireSIGHT System to interact with the external system where you plan to send the alert.
  • Custom tables — A custom table is a table you can construct that combines fields from two or more of the predefined tables delivered with the FireSIGHT System.
  • Custom user roles — A custom user role is a user role that you create with a specialized set of access privileges. Exporting a custom user role that requires saved searches also exports all of the necessary saved searches.
  • Custom workflows — A custom workflow is a workflow that you create to meet the unique needs of your organization. On the Defense Center, you can export custom workflows that you create as well as the predefined custom workflows delivered with the appliance.

Note that if a Defense Center does not allow you to view the table on which an exported custom workflow is based, you can import the workflow but will not be able to view it.

  • Dashboards — A dashboard is a customizable tabbed view that provides you with an at-a-glance display of your current system status. Dashboards use various widgets to present data about the events collected and generated by the FireSIGHT System, as well as information about the status and overall health of the appliances in your deployment.

Note that the dashboard widgets that you can view depend on the type of appliance you are using and on your user role. For more information, see Understanding Widget Availability.

  • Access control policies — Access control policies include a variety of components that you can configure to determine how the system manages traffic on your network. These components include access control rules; associated intrusion, file, network analysis, and SSL policies; and objects the rules and policies use, including intrusion variable sets. Exporting an access control policy exports all settings and components for the policy except (where present) URL reputations and categories, which are equivalent across appliances and which users cannot change. Any custom URL objects or groups referenced in the access control policy are included when the policy is exported. Note that to import an access control policy, the rule update version on the exporting and importing Defense Center must match.

If an access control policy that you export, or the SSL policy it invokes, contains rules that reference geolocation data, the importing Defense Center’s geolocation database (GeoDB) update version is used.

PKI objects containing private key information are encrypted with a randomly generated key when stored on the appliance. If an access control policy that you export references an SSL policy that uses PKI objects containing private keys, the private keys are decrypted before export.

If an access control policy that you export references an unsupported DC500 or Series 2 device policy feature or rule condition, you cannot use a DC500 to apply the policy and you cannot apply the policy to a Series 2 device. Neither the DC500 nor Series 2 devices support user or URL rule conditions, Security Intelligence, or file policies that include rules that use the Block Malware or Malware Cloud Lookup action. Additionally, Series 2 devices do not support application rule conditions.

  • Health policies — A health policy comprises the criteria used when checking the health of appliances in your deployment, that is, whether your Cisco hardware and software are working correctly.
  • Intrusion policies — Intrusion policies include a variety of components that you can configure to inspect your network traffic for intrusions and policy violations. These components include intrusion rules that inspect the protocol header values, payload content, and certain packet size characteristics; FireSIGHT recommended rules configurations; and other advanced settings.

Exporting an intrusion policy exports all settings for the policy. For example, if you choose to set a rule to generate events, or if you set SNMP alerting for a rule, or if you turn on the sensitive data preprocessor in a policy, those settings remain in place in the exported policy. Custom rules, custom rule classifications, and user-defined variables are also exported with the policy.

Note that if you export an intrusion policy that uses a layer that is shared by a second intrusion policy, that shared layer is copied into the policy you are exporting and the sharing relationship is broken. When you import the intrusion policy on another appliance, you can edit the imported policy to suit your needs, including deleting, adding, and sharing layers.

If you export an intrusion policy from one Defense Center to another, the imported policy may behave differently if the second Defense Center has differently configured default variables.


Note You cannot use the Import/Export feature to update rules created by Cisco’s Vulnerability Research Team (VRT). Instead, download and apply the latest rule update version; see Importing Rule Updates and Local Rule Files.


  • Report templates — Reports are document files formatted in PDF, HTML, or CSV that collate specific FireSIGHT System data. A report template specifies the data searches and formats for the report and its sections. When you export a report template, all saved searches, images, objects created in the object manager, and custom tables that are necessary for the report are exported also.
  • Saved searches — A saved search provides access to predefined FireSIGHT System data for users with limited permissions. When you export a custom user role that requires saved searches, the necessary saved searches are exported also. You can also export individual user-defined saved searches.
  • SSL policies — SSL policies include a variety of components that you can configure to determine how the system manages encrypted traffic on your network, including SSL rules and references to reusable objects. Exporting an SSL policy exports all settings and components for the policy except (where present) URL reputations and categories, which are equivalent across appliances and which users cannot change. Note that to import an SSL policy, the rule update version on the exporting and importing Defense Center must match.

PKI objects containing private key information are encrypted with a randomly generated key when stored on the appliance. If an SSL policy you export uses PKI objects containing private keys, the private keys are decrypted before export.

If an SSL policy that you export contains rules that reference geolocation data, the importing Defense Center’s geolocation database (GeoDB) update version is used.

  • System policies — A system policy controls the aspects of an appliance that are likely to be similar to other FireSIGHT System appliances in your deployment, including database event limits, time settings, login banners, and so on.

If external authentication is enabled in the system policy you are exporting, the associated authentication objects are exported as well.

Note that system policies on Defense Centers contain database settings that do not apply to managed devices. If you export a system policy from a managed device and then import it onto a Defense Center, the database limits that you could not configure on the device are set to the default values on the Defense Center.

  • Third-party product mappings — If you import data from a third-party application, you must map the product to the third-party name to assign vulnerabilities and perform impact correlation using that data. Mapping the product associates Cisco vulnerability information with the third-party product name, which allows the FireSIGHT System to perform impact correlation using that data. For information on creating a third-party product mapping, see Mapping Third-Party Products.
  • Third-party vulnerability mappings — To add vulnerability information from a third-party application to the vulnerability database, you must map the third-party identification string for each imported vulnerability to any existing Cisco, Bugtraq, or Snort ID. After you create a mapping for the vulnerability, the mapping works for all vulnerabilities imported to hosts in your network map and allows impact correlation for those vulnerabilities. For information on creating a third-party vulnerability mapping, see Mapping Third-Party Vulnerabilities.
  • Application detectors — When the system analyzes IP traffic, it uses detectors to collect information about and then identify the commonly used applications running on hosts on your network. You can export two kinds of detectors: user-defined detectors and individual add-on detectors provided by Cisco Professional Services. For more information on detectors, see Working with Application Detectors.

Note Depending on the number of configurations being exported and the number of objects those configurations reference, the export process may take several minutes.


To export one or more configurations:

Access: Admin


Step 1 Make sure that the appliance where you are exporting the configurations and the appliance where you plan to import the configurations are running the same version of the FireSIGHT System. If you are exporting an intrusion or access control policy, make sure that the rule update versions match.

If the versions of the FireSIGHT System (and, if applicable, the rule update versions) do not match, the import will fail.

Step 2 Select System > Tools > Import/Export.

The Import/Export page appears, including a list of the configurations on the appliance. Note that configuration categories with no configurations to export do not appear in this list.


Tip You can click the collapse icon next to a configuration type to collapse the list of configurations. Click the expand folder icon next to a configuration type to reveal configurations.


Step 3 Select the check boxes next to the configurations you want to export and click Export.

Step 4 Follow your web browser’s prompts to save the exported package to your computer.


 

Importing Configurations

License: Any

After you export a configuration from an appliance, you can import it onto a different appliance as long as that appliance supports it. Note, however, that some imported configurations may not be useful depending on the type of appliance you are using and on your user role.

Depending on the type of configuration you are importing, you should keep the following points in mind:

  • You must make sure that the appliance where you import a configuration is running the same version of the FireSIGHT System as the appliance you used to export the configuration. If you are importing an intrusion or access control policy, the rule update versions on both appliances must also match. If the versions do not match, the import will fail.
  • When you import a custom user role that requires saved searches, the necessary saved searches are imported also.
  • The dashboard widgets that you can view depend on the type of appliance you are using and on your user role. For example, a dashboard created on the Defense Center and imported onto a managed device may display some invalid, disabled widgets.
  • If you import an access control policy that evaluates traffic based on zones, you must map the zones in the imported policy to zones on devices managed by the importing Defense Center. When you map zones, their types must match. Therefore, you must create any zone types you need on the importing Defense Center before you begin the import. For more information about security zones, see Working with Security Zones.
  • If you import an access control policy or saved search that includes an object or object group that has an identical name to an existing object or group, you must rename the object or group.
  • If you import an access control policy or an intrusion policy, the import process replaces existing default variables in the default variable set with the imported default variables. If your existing default variable set contains a custom variable not present in the imported default variable set, the unique variable is preserved.
  • If you import an intrusion policy that used a shared layer from a second intrusion policy, the export process breaks the sharing relationship and the previously shared layer is copied into the package. In other words, imported intrusion policies do not contain shared layers.

Note You cannot use the Import/Export feature to update rules created by Cisco’s Vulnerability Research Team (VRT). Instead, download and apply the latest rule update version; see Importing Rule Updates and Local Rule Files.


  • If you import an SSL policy that references PKI objects that contain private keys, the system encrypts the keys with a randomly generated key before storing them on the appliance.
  • When you import a system policy that was exported from a Defense Center where external authentication is enabled, you also import the authentication objects on which the system policy depends.
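
The version, zone, and default-variable rules in the list above can be checked before you start an import. The following Python model is an added example, not part of the FireSIGHT System or its documentation; the dictionary layout, field names, zone types, variable names, and version placeholders are assumptions, because this page does not describe the package format.

```python
"""Pre-import review modelled on the import rules above (added example).
All field names and sample values are hypothetical, not a FireSIGHT format."""

RULE_UPDATE_BOUND = {"intrusion", "access_control"}  # need matching rule updates


def merge_default_variables(existing, imported):
    """Imported default variables replace same-named existing ones;
    variables present only on the destination are preserved."""
    merged = {**existing, **imported}
    overwritten = {name: (existing[name], value)
                   for name, value in imported.items()
                   if name in existing and existing[name] != value}
    preserved = sorted(set(existing) - set(imported))
    return merged, overwritten, preserved


def zones_to_create(incoming, local):
    """Incoming zones that have no local zone of a matching type to map to."""
    local_types = {zone["type"] for zone in local}
    return sorted(z["name"] for z in incoming if z["type"] not in local_types)


def review_import(package, destination):
    """Return what would block the import and what it would change."""
    blockers = []
    if package["system_version"] != destination["system_version"]:
        blockers.append("system version mismatch")
    if (RULE_UPDATE_BOUND & set(package["kinds"])
            and package["rule_update"] != destination["rule_update"]):
        blockers.append("rule update version mismatch")
    merged, overwritten, preserved = merge_default_variables(
        destination["default_variables"], package["default_variables"])
    return {"blockers": blockers,
            "zones_to_create": zones_to_create(package["zones"], destination["zones"]),
            "overwritten": overwritten, "preserved": preserved, "merged": merged}


# Constructed sample data (placeholder versions, made-up zones and variables).
PACKAGE = {
    "system_version": "version-A", "rule_update": "ruleupdate-1",
    "kinds": ["access_control", "intrusion"],
    "zones": [{"name": "Inside", "type": "inline"}, {"name": "Tap", "type": "passive"}],
    "default_variables": {"HOME_NET": "10.0.0.0/8", "HTTP_PORTS": "80,8080"},
}
DESTINATION = {
    "system_version": "version-A", "rule_update": "ruleupdate-2",
    "zones": [{"name": "LAN", "type": "inline"}],
    "default_variables": {"HOME_NET": "any", "HTTP_PORTS": "80,8080",
                          "DMZ_NET": "192.0.2.0/24"},
}

if __name__ == "__main__":
    for key, value in review_import(PACKAGE, DESTINATION).items():
        print(f"{key}: {value}")
```

The overwritten entries are the ones to review first, because an imported policy may behave differently when the default variables differ between the two Defense Centers.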

Because you can export several configurations in a single package, when you import the package you must choose which configurations in the package to import. You can only import configurations that are supported on the destination appliance.

When you attempt to import a configuration, your appliance determines whether that configuration already exists on the appliance. If a conflict exists, you can:

  • keep the existing configuration,
  • replace the existing configuration with a new configuration,
  • keep the newest configuration, or
  • import the configuration as a new configuration.

If you import a configuration and then later make a modification to the configuration on the destination system, and then re-import the configuration, you must choose which version of the configuration to keep.

Depending on the number of configurations being imported and the number of objects those configurations reference, the import process may take several minutes.

To import one or more configurations:

Access: Admin


Step 1 Make sure that the appliance where you are exporting the configurations and the appliance where you plan to import the configurations are running the same version of the FireSIGHT System. If you want to import an intrusion or access control policy, you must also make sure that the rule update versions match.

If the versions of the FireSIGHT System (and, if applicable, the rule update versions) do not match, the import will fail.

Step 2 Export the configurations you want to import; see Exporting Configurations.

Step 3 On the appliance where you want to import the configurations, select System > Tools > Import/Export.

The Import/Export page appears.


Tip Click the collapse icon next to a configuration type to collapse the list of configurations. Click the expand folder icon next to a configuration type to reveal configurations.


Step 4 Click Upload Package.

The Upload Package page appears.

Step 5 You have two options:

    • Type the path to the package you want to upload.
    • Click Browse to locate the package.

Step 6 Click Upload.

The result of the upload depends on the contents of the package:

    • If the configurations in the package exactly match versions that already exist on your appliance, a message displays indicating that the versions already exist. The appliance has the most recent configurations, so you do not need to import them.
    • If there is a FireSIGHT System or (if applicable) rule update version mismatch between your appliance and the appliance where the package was exported, a message appears, indicating that you cannot import the package. Update the FireSIGHT System or the rule update version and attempt the process again.
    • If the package contains any configurations or rule versions that do not exist on your appliance, the Package Import page appears. Continue with the next step.

Step 7 Select the configurations you want to import and click Import.

The import process resolves, with the following results:

    • If the configurations you import do not have previous revisions on your appliance, the import completes automatically and a success message appears. Skip the rest of the procedure.
    • If you are importing an access control policy that includes security zones, the Access Control Import Resolution page appears. Continue with step 8.
    • If the configurations you import do have previous revisions on your appliance, the Import Resolution page appears. Continue with step 9.

Step 8 Next to each incoming security zone, select an existing local security zone of a matching type to map to and click Import.

Return to step 7.

Step 9 Expand each configuration and select the appropriate option:

    • To keep the configuration on your appliance, select Keep existing.
    • To replace the configuration on your appliance with the imported configuration, select Replace existing.
    • To keep the newest configuration, select Keep newest.
    • To save the imported configuration as a new configuration, select Import as new and, optionally, edit the configuration name.

If you are importing an access control policy that includes a file policy with either the clean list or custom detection list enabled, the Import as new option is not available.

    • If you are importing an access control policy or saved search that includes a dependent object, either accept the suggested name or rename the object. The system always imports these dependent objects as new. You do not have the option to keep or to replace existing objects. Note that the system treats objects and object groups in the same manner.

Step 10 Click Import.

The configurations are imported.