Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Import export

You can import and export the full or partial configuration of Sophos Firewall.

You can only import and export configurations between compatible devices. The configuration file is a .xml file. You can update the configuration offline and then import it.

To import or export a configuration, go to Backup and firmware > Import export.

You can only import partial configurations from lower to higher models of Sophos Firewall. For details of compatible devices, see Backup-restore compatibility check.

Secure storage master key

The secure storage master key provides extra protection for the account details stored on Sophos Firewall. The key encrypts sensitive information, such as passwords, secrets, and keys, preventing unauthorized access. The default administrator (username: admin) sets the secure storage master key.

You don't enter the master key when you export a configuration. To see how Sophos Firewall imports configurations and sensitive information, see the following table:

Scenario Description
Configurations without the master key You can export the configuration, and import it to the same firewall along with sensitive information and the dependent configurations if the firmware wasn't reset or reimaged after the export.

You won't be able to import sensitive information and dependent configurations if you're importing the configuration to the following devices:
  • A different Sophos Firewall.
  • The current device if you reset or reimaged its firmware after exporting the configuration.

You'll need to reenter or recreate the information later. You'll be able to import the rest of the configuration.
Configurations with the master key

You must enter the master key when you import the configuration to the following devices:

  • A different Sophos Firewall.
  • The current device if you reset or reimaged its firmware after exporting the configuration.

If you don't enter the master key when you're prompted, you can import the configuration, but you'll lose sensitive information and dependent configurations. For example, if you don't enter the master key when you import a configuration containing users and their dependent configurations, Sophos Firewall won't import the users and their dependent configurations.

You'll need to reenter or recreate the information later.
Configurations without sensitive information When you import a configuration that doesn't contain sensitive information, you don't need to enter the master key.

Import

Import file: Select the .tar file to import and select Import.

The following rules apply for importing a configuration:

Configuration settings:

  • Sophos Firewall updates the existing configuration with new settings in the imported file.
  • Settings in the current configuration without a matching setting in the imported configuration don't change.
  • For settings specified in both configurations, Sophos Firewall applies the settings of the imported configuration.

    Example

    Traffic shaping settings for Total available WAN bandwidth are as follows:

    • Existing configuration: 1000000

    • Imported configuration: 2560000. This value becomes the Total available WAN bandwidth for the firewall.

Firmware versions: You can import the configuration to a firewall with the same or later firmware version.

Pattern versions: You can import the configuration to a firewall with the same or later pattern version. If it's of an earlier version, update the patterns, and then import the configuration.

Hardware and wireless devices: You can import the configuration of a hardware device to another, or of a wireless device to another wireless device. The device to which you import the configuration must have an equal or higher number of Ethernet ports. If the number of ports is lower, or if the port names differ between the models (example: Port1 versus PortA), you can make changes to the file Entities.xml, and then import the configuration.

Note

When you import a URL list, it can contain a maximum of 128 domains.

Export

The export settings are as follows:

Export full configuration: Select to export the full configuration and select Export.

Export selective configuration: Select the checkbox and select the configurations you want to export. Additionally, to export the dependent configurations, select Include dependent entity.

The firewall exports some configurations as follows:

  • Users: If your firewall uses any external authentication server, such as Active Directory, it only exports the users you manually create in the firewall. It doesn't export users automatically created from the authentication server when they sign in. See FAQs for Active Directory users and groups.
  • Multi-factor authentication: The firewall does as follows:

    • OTPSettings: Exports the settings both for users you manually create and those automatically added to the firewall when it uses an external authentication server.
    • OTPTokens: Only exports the issued (software and hardware) tokens for the users you manually create in the firewall. These are listed under Issued tokens on Authentication > Multi-factor authentication.
  • RED: When you select REDDevice for export, the DHCP server details necessary for RED to work aren't exported, even if you select Include dependent entity. You must also select DHCPServer. Alternatively, you must recreate the DHCP server after importing the exported configuration.

  • Secure storage master key: You must enter the secure storage master key if the configuration has one. If you don't enter the master key, you can't import sensitive information, such as passwords, and dependent configurations. You also lose sensitive information and the dependent configurations when you import configurations that don't have a master key.

Exporting and importing a configuration

When you export a configuration file, you'll download a .tar file. You must extract the files. If you don't have sensitive information, such as passwords, in the exported configuration, for example interfaces, the .tar file only contains the file Entities.xml. However, if the exported configuration has sensitive information, for example users, the .tar file contains the following files:

  • Entities.xml
  • hashFile.json
  • propertyfile

Open Entities.xml in a text editor, such as Notepad, make changes to the configuration, and compress the files back into a .tar file. You can then import the configuration to Sophos Firewall.

Note

Don't change the file name Entities.xml. Also, you can only import a .tar file.

For more information, see How to update and import a configuration.

More resources