Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes
Some of the features described in this topic are available only to participants in the WatchGuard Cloud Beta program. If a feature described in this topic is not available in your version of WatchGuard Cloud, it is a beta-only feature.
If you want a cloud-managed Firebox to use the same settings as an existing Firebox configuration, the Import Configuration wizard saves you time and reduces the risk of errors. For example, you can use the wizard to help you migrate from locally-managed Fireboxes to cloud-managed Fireboxes.
Alternatively, when you add a Firebox to WatchGuard Cloud as a cloud-managed device, you can copy configuration settings from another cloud-managed Firebox. For more information, go to Copy Configuration Settings from a Cloud-Managed Firebox.
If you want to import configuration settings to multiple cloud-managed Fireboxes, you can add or edit a Firebox template. The Import Configuration wizard is available from a Firebox template. For more information, go to About Firebox Templates.
With the Import Configuration wizard, you can import these settings from an existing Firebox configuration file to a cloud-managed Firebox:
- Aliases
- Exceptions
- Routes
- Blocked Ports
- Blocked Sites
- Dimension Servers
- Syslog Servers
- Technology Integrations
- Networks
- Branch office virtual private networks (BOVPNs)
You can import only these settings from a Firebox configuration file to WatchGuard Cloud. The import process does not import any other settings from the configuration file. For information about how to import BOVPNs, go to Import BOVPN Configuration Settings from a Firebox Configuration File.
When you import configuration settings, the Import Configuration wizard compares the settings you want to import with the settings that are already configured on the cloud-managed Firebox. If the settings you want to import are duplicates of the settings that are configured on the cloud-managed Firebox, you can select an action to take, such as merge, replace, keep, or skip settings.
You can use the Import Configuration wizard when you want to:
- Add a device to WatchGuard Cloud
- Import configuration settings to an existing cloud-managed Firebox
- Import configuration settings to a Firebox template
Before You Begin
Before you import configuration settings to a cloud-managed Firebox, review the information in these sections:
Configuration File Requirements
Before you can import configuration settings to a cloud-managed Firebox, you must first export and save the .XML configuration file from the Firebox with the settings you want to import.
To save a configuration file from a Firebox, follow the steps in these topics:
- Locally-Managed Fireboxes:
- Policy Manager — Save the Configuration File
- Fireware Web UI — Manage the Firebox Configuration File
- Cloud-Managed Fireboxes:
- WatchGuard Cloud — Download the Firebox Configuration File
The configuration file must:
- Be in .XML format
If you save a configuration file from Fireware Web UI, you must unzip the .XML file from the .GZ file before you can import it. - Be a valid Firebox configuration file
- Contain fewer than 5000 total exceptions to import
A cloud-managed Firebox supports up to 5000 exceptions. There is no maximum limit for aliases.
Duplicate Configuration Data
When you import configuration settings from a Firebox configuration file, the Import Configuration wizard might detect duplicate settings that exist in both the imported .XML configuration file and the cloud-managed Firebox configuration in WatchGuard Cloud. When this occurs, you must specify what action to take for each type of duplicate setting in the Duplicate Settings section of the wizard.
Duplicate setting detection is not applicable to Dimension servers, syslog servers, technology integrations, or networks.
The Import Configuration wizard finds duplicate aliases based on the name of the alias.
Merge
Merges the alias members from the imported configuration with the alias members in WatchGuard Cloud.
For example, a local .XML configuration file has these alias settings:
- Alias Name: my_alias
- Alias Members: alias1, alias2
A WatchGuard Cloud configuration has these alias settings:
- Alias Name: my_alias
- Alias Members: alias3, alias4
Result in WatchGuard Cloud after import:
- Alias Name: my_alias
- Alias Members: alias1, alias2, alias3, alias4
Replace
Overwrites the alias in WatchGuard Cloud with the alias from the imported configuration.
For example, a local .XML configuration file has these alias settings:
- Alias Name: my_alias
- Alias Members: alias1, alias2
A WatchGuard Cloud configuration has these alias settings:
- Alias Name: my_alias
- Alias Members: alias3, alias4
Result in WatchGuard Cloud after import:
- Alias Name: my_alias
- Alias Members: alias1, alias2
Keep Both
Keeps both the alias in WatchGuard Cloud and the alias from the imported configuration file. Rename the alias from the imported configuration file to [alias name]+1.
For example, a local .XML configuration file has these alias settings:
- Alias Name: my_alias
- Alias Members: alias1, alias2
A WatchGuard Cloud configuration has these alias settings:
- Alias Name: my_alias
- Alias Members: alias3, alias4
Result in WatchGuard Cloud after import:
- Alias Name: my_alias
- Alias Members: alias3,alias4
- Alias Name: my_alias.1
- Alias Members: alias1, alias2
Skip
Ignores any duplicate aliases. The import process categorizes duplicate aliases as unsupported and does not import them to WatchGuard Cloud.
The Import Configuration wizard finds duplicate exceptions based on the settings that you configure for each type of exception.
Replace
Overwrites the exception in WatchGuard Cloud with the exception from the import.
For example, a local .XML configuration file has these exceptions:
- Exception Name: my_exception
- Exception Action: action1
A WatchGuard Cloud configuration has these exceptions:
- Exception Name: my_exception
- Exception Action: action2
Result in WatchGuard Cloud after import:
- Exception Name: my_exception
- Exception Action: action1
Skip
Ignores any duplicate exceptions. The import process categorizes duplicate exceptions as unsupported and does not import them.
Replace
Overwrites the route distance.
For example, a local .XML configuration file has these settings:
- Network: 192.168.1.100
- Gateway: 10.0.1.1
- Route Distance: 1
A WatchGuard Cloud configuration has these settings:
- Network: 192.168.1.100
- Gateway: 10.0.1.1
- Route Distance: 2
Result in WatchGuard Cloud after import:
- Network: 192.168.1.100
- Gateway: 10.0.1.1
- Route Distance: 1
Skip
Ignores any duplicate exception. The import process categorizes the duplicate routes as unsupported and does not import them.
Replace
Overwrites the description of a blocked site in WatchGuard Cloud with the description from the imported configuration file.
For example, a local .XML configuration file has this blocked site:
- Blocked Site: A_Site.com
- Description: Website A.
A WatchGuard Cloud configuration has this blocked site:
- Blocked Site: A_Site.com
- Description: Website B.
Result in WatchGuard Cloud after import:
- Blocked Site: A_Site.com
- Description: Website A.
Skip
Ignore any duplicate blocked sites. The import process categorizes the duplicate blocked sites as unsupported and does not import them.
Skip
Ignore any duplicate blocked ports. The import process categorizes the duplicate blocked ports as unsupported and does not import them.
Not Importable Settings
When you use the Import Configuration wizard to import configuration settings from a Firebox configuration file, the Not Importable tab shows any settings that you cannot import because they are not supported.
Not Importable Aliases
Network Interface Reference
Alias that references a network interface.
Nested Alias
Alias member that has a nested alias that WatchGuard Cloud does not support.
For example, my_alias contains my_other_alias as a member type. This is a nested alias. my_other_alias contains a member type that WatchGuard Cloud does not support.
You can import a nested alias if it already exists in the cloud-managed configuration.
Duplicate Alias from a Template
Alias that has the same name as an alias from a template that the cloud-managed Firebox subscribes to.
Not Importable Exceptions
Duplicate Exception from a Template
Exception for the same security service and with the same value as an exception from a template that the cloud-managed Firebox subscribes to.
Unsupported Exception Action
Exception that performs an action that WatchGuard Cloud does not support. For example, the spamBlocker Quarantine action is not supported.
Not Importable Routes
Duplicate Routes That are Skipped
Routes that are skipped from the Duplicate Settings page in the Import configuration wizard.
Not Importable Blocked Sites
Duplicate Blocked Sites That are Skipped
Blocked sites that are skipped from the Duplicate Settings page in the Import configuration wizard.
Duplicate Blocked Sites from a Template
Blocked sites with the same value as a blocked site from a template that the cloud-managed Firebox subscribes to.
Not Importable Blocked Ports
Duplicate Blocked Ports That are Skipped
Blocked ports that are skipped from the Duplicate Settings page in the Import configuration wizard.
Duplicate Blocked Ports from a Template
Blocked ports with the same value as a blocked site from a template that the cloud-managed Firebox subscribes to.
Not Importable Networks
Network Name Conflict
The network name already exists in the target environment.
IP Address Conflict
The network IP address range overlaps with an existing network.
VLAN ID Conflict
The VLAN ID is assigned to another network.
Interface Already in Use
Another network already uses the selected interface.
Interface or Network Type Mismatch
The interface type does not support the selected network type.
SSID Name Conflict
The SSID name is the same as an existing wireless network.
Unsupported Dynamic DNS Configuration
The Dynamic DNS provider or configuration is not supported.
Unsupported Modem Type
The modem model is not supported.
Unsupported Wireless Configuration
The wireless configuration is not supported.
The Import Configuration wizard does not support the ability to import networks to templates.
Not Importable Aliases
Network Interface Reference
Alias that references a network interface.
Nested Alias
Alias member that has a nested alias that WatchGuard Cloud does not support.
For example, my_alias contains my_other_alias as a member type. This is a nested alias. my_other_alias contains a member type that WatchGuard Cloud does not support.
You can import a nested alias if it already exists in the cloud-managed configuration.
Duplicate Alias From a Template
Alias that has the same name as an alias from a different template on the account.
Not Importable Exceptions
Duplicate Exception from a Template
Exception for the same security service and with the same value as an exception from a different template on the account.
Unsupported Exception Action
Exception that performs an action that WatchGuard Cloud does not support. For example, the spamBlocker Quarantine action is not supported.
Not Importable Blocked Sites
Duplicate Blocked Sites from a Template
Blocked sites with the same value as a blocked site from a template that the cloud-managed Firebox subscribes to.
Not Importable Blocked Ports
Duplicate Blocked Ports from a Template
Blocked ports with the same value as a blocked site from a template that the cloud-managed Firebox subscribes to.
When you import configuration settings into a template, the Import Configuration wizard does not search for duplicates across all templates that belong to an account. The duplicates do not show on the Not Importable tab, but they do show on the Finish page after you complete the wizard.
Import Configuration Settings
With the Import Configuration wizard, you can import some configuration settings from an existing Firebox configuration file to a cloud-managed Firebox configuration.
To import configuration settings to a cloud-managed Firebox:
- Export and save the .XML configuration file from the Firebox with the settings you want to import. For more information, go to Configuration File Requirements.
- From WatchGuard Cloud, select Configure > Devices.
- Select a cloud-managed Firebox.
- Select Device Configuration.
The Device Configuration page opens.
- Click Import Configuration.
The Import Configuration wizard opens.
- Select Import Configuration Settings from a Firebox. For information about how to import BOVPN configuration settings, go to Import BOVPN Configuration Settings from a Firebox Configuration File.
The Import Configuration page opens.
- Drag the configuration file (.XML format) that you want to import to the file upload box. Alternatively, click the box to browse and select the configuration file.
- Click Next.
- If the wizard finds duplicate settings, on the Duplicate Settings page, from the drop-down lists, select the action to take for each duplicate item. For more information, go to Duplicate Configuration Data.
- Click Next.
The Aliases page opens.
- Select the check box next to each alias to import. The page shows the number of aliases available for import and the number of aliases found in the configuration file.
Some data is not available for import because it is reserved for use by the Firebox, such as a default alias. The Not Importable tab shows items that WatchGuard Cloud cannot import. For more information, go to the Not Importable Settings section of this topic.
- Click Next.
The Exceptions page opens.
- Select the check box next to each exception to import. The page shows the number of exceptions available for import and the number of exceptions found in the configuration file.
- Click Next.
The Routes page opens.
- Select the check box next to each route to import. The page shows the number of routes available for import and the routing distance found in the configuration file.
You cannot import routes into a template.
- Click Next.
The Blocked Ports page opens.
- Select the check box next to each blocked port to import. The page shows the number of blocked ports available for import in the configuration file.
- Click Next.
The Blocked Sites page opens.
- Select the check box next to each blocked site to import. The page shows the number of blocked sites available for import and their description in the configuration file.
- Click Next.
The Dimension Servers page opens and shows the Dimension Servers on the cloud-managed Firebox.
- (Optional) To change the list of Dimension servers, click Select Server.
A dialog box opens and shows the list of available Dimension servers. The list shows servers from both the import file and the cloud-managed configuration.
- Select the check box next to the Dimension servers that you want to use with WatchGuard Cloud. You can select up to two Dimension servers from the list.
- Click OK.
- To prioritize Dimension servers, click and drag them to new positions in the list.
- Click Next.
The Syslog Servers page opens. The list of servers includes syslog servers from both the import file and the cloud-managed configuration.
- Select the check box next to each syslog server that you want to use with WatchGuard Cloud. You can select up to three syslog servers.
- Click Next.
The Technology Integrations page opens.
- Select the check box next to each technology integration to import.
When you import a technology integration, it replaces an existing technology integration of the same type. For more information, go to About Firebox Technology Integrations.
- Click Next.
The Networks page opens.
The Import Configuration wizard does not support the ability to import networks to Firebox Cloud or FireCluster devices. It also does not support the ability to import networks to templates.
- Select the check box next to each external or internal network you want to import. The page shows the number of networks available for import and the number of networks found in the configuration file.
- (Optional) If you import an Optional or Custom network from a locally-managed Firebox configuration, the Import Configuration wizard prompts you to select a different network type.
To select a different network type, from the Optional or Custom drop-down list, select Internal or Guest.
- Click Next.
The Finish page opens.
- Review the settings to import. Click Finish.
The Upload in Progress bar indicates the status of the import process.
- Deploy the changes to WatchGuard Cloud.
After you deploy any changes, imported settings show in WatchGuard Cloud on the Device Configuration page. From this page, you can click the relevant widgets to edit or delete the settings that you imported.
If you use a template to import settings, you must also use the template to edit or delete the settings after import.
Add a Cloud-Managed Firebox to WatchGuard Cloud
Import BOVPN Configuration Settings from a Firebox Configuration File