Import export

You can import and export the full or partial configuration of Sophos Firewall.

You can only import and export configurations between compatible devices. The configuration file is a .xml file. You can update the configuration offline.

To import or export a configuration, go to Backup and firmware > Import export.

Secure storage master key

The secure storage master key provides extra protection for the account details stored on Sophos Firewall. The key encrypts sensitive information, such as passwords, secrets, and keys, preventing unauthorized access. The default administrator (username: admin) sets the secure storage master key.

You don't enter the master key when you export a configuration. To see how Sophos Firewall imports configurations and sensitive information, see the following table:

Table 1. Importing configurations

Scenario

Description

Configurations without the master key

You can export the configuration, and import it to the same firewall along with sensitive information and the dependent configurations if the firmware wasn't reset or reimaged after the export.

You won't be able to import sensitive information and dependent configurations if you're importing the configuration to the following devices:

  • A different Sophos Firewall.
  • The current device if you reset or reimaged its firmware after exporting the configuration.

You'll need to reenter or recreate the information later. You'll be able to import the rest of the configuration.

Configurations with the master key

You must enter the master key when you import the configuration to the following devices:

  • A different Sophos Firewall.
  • The current device if you reset or reimaged its firmware after exporting the configuration.

If you don't enter the master key when you're prompted, you can import the configuration, but you'll lose sensitive information and dependent configurations. For example, if you don't enter the master key when you import a configuration containing users and their dependent configurations, Sophos Firewall won't import the users and their dependent configurations.

You'll need to reenter or recreate the information later.

Configurations without sensitive information

When you import a configuration that doesn't contain sensitive information, you don't need to enter the master key.

Import

Import file: Select the .tar file to import and select Import.

The following rules apply for importing a configuration:

Configuration settings:

  • Sophos Firewall updates the existing configuration with new settings in the imported file.
  • Settings in the current configuration without a matching setting in the imported configuration don't change.
  • For settings specified in both configurations, Sophos Firewall applies the settings of the imported configuration.

    Example: Traffic shaping settings for Total available WAN bandwidth are as follows:

    Existing configuration: 1000000

    Imported configuration: 2560000. This value becomes the Total available WAN bandwidth for the firewall.

Firmware versions: You can import the configuration to a firewall with the same or later firmware version.

Pattern versions: You can import the configuration to a firewall with the same or later pattern version. If it's of an earlier version, update the patterns, and then import the configuration.

Hardware and wireless devices: You can import the configuration of a hardware device to another hardware device, or of a wireless device to another wireless device. The device to which you import the configuration must have an equal or higher number of Ethernet ports. If the number of ports is lower, or if the port names differ between the models (example: Port1 versus PortA), you can make changes to the file Entities.xml, and then import the configuration.

Restriction: When you import a URL list, it can contain a maximum of 128 domains.

Export

Export full configuration: Select to export the full configuration and select Export.

Export selective configuration: Select the checkbox and select the configurations you want to export. Additionally, to export the dependent configurations, select Include dependent entity.

You must enter the secure storage master key if the configuration has one. If you don't enter the master key, you can't import sensitive information, such as passwords, and dependent configurations. You also lose sensitive information and the dependent configurations when you import configurations that don't have a master key.

Exporting and importing a configuration

When you export a configuration file, you'll download a .tar file. You must extract the files. If the exported configuration, for example interfaces, doesn't contain sensitive information, such as passwords, the .tar file contains only the file Entities.xml. However, if the exported configuration has sensitive information, for example users, the .tar file contains the following files:

  • Entities.xml
  • hashFile.json
  • propertyfile

Open Entities.xml in a text editor, such as Notepad, make changes to the configuration, and compress the files back into a .tar file. You can then import the configuration to Sophos Firewall.

Note: Don't change the file name Entities.xml. Also, you can only import a .tar file.

For more information, see How to update and import a configuration.
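A pre-import check for the edit-and-repack procedure above, as an added example that is not Sophos code: it compares the edited archive with the original export and reports a renamed or missing file, a compressed archive, or an Entities.xml that no longer parses. The function names and sample contents are constructed, and it assumes only Entities.xml is meant to change.

```python
import io, posixpath, tarfile, tempfile
import xml.etree.ElementTree as ET

def read_members(tar_path):
    """Return {normalized member name: bytes} for the regular files in a plain .tar."""
    with tarfile.open(tar_path, "r:") as tar:  # "r:" rejects compressed archives
        return {posixpath.normpath(m.name): tar.extractfile(m).read()
                for m in tar if m.isfile()}

def check_repack(exported_tar, edited_tar):
    """List the differences that matter between the export and the edited archive."""
    try:
        before, after = read_members(exported_tar), read_members(edited_tar)
    except tarfile.TarError as exc:
        return [f"not a plain .tar archive: {exc}"]
    problems = [f"missing or renamed: {n}" for n in sorted(set(before) - set(after))]
    problems += [f"not in the export: {n}" for n in sorted(set(after) - set(before))]
    for name in sorted(set(before) & set(after)):
        if posixpath.basename(name) == "Entities.xml":
            try:
                ET.fromstring(after[name])  # well-formedness only, no schema check
            except ET.ParseError as exc:
                problems.append(f"{name} is not well-formed XML: {exc}")
        elif before[name] != after[name]:
            # Assumption: only Entities.xml is edited, the other files stay as exported.
            problems.append(f"{name} differs from the exported copy")
    return problems

def make_tar(path, files):
    """Write a constructed sample archive from {name: bytes}."""
    with tarfile.open(path, "w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path

def demo():
    """Constructed samples; the XML is a placeholder, not the real Entities.xml schema."""
    d = tempfile.mkdtemp()
    export = {"Entities.xml": b"<Sample><Item>old</Item></Sample>",
              "hashFile.json": b"{}", "propertyfile": b"constructed"}
    exported = make_tar(f"{d}/export.tar", export)
    good = make_tar(f"{d}/good.tar",
                    {**export, "Entities.xml": b"<Sample><Item>new</Item></Sample>"})
    bad = make_tar(f"{d}/bad.tar", {"entities.xml": b"<Sample/>", "hashFile.json": b"{}"})
    return check_repack(exported, good), check_repack(exported, bad)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Keep the untouched export archive alongside the edited one so the comparison has a baseline.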