How to Import From Device


Use the Import From Device Wizard to import roles and rules from a selected device or devices into your Policy Domain configuration. This feature is useful when:

  • you need to rebuild a domain configuration. You can import roles and rules already enforced on a device into a new domain.
  • you are creating your first domain configuration. You can import existing static classification rules on a device into the domain, saving the time it would take to duplicate the rules through Policy Manager.

Using the wizard, you can import roles and rules, and easily organize the rules into services. You can create new services, and merge the imported rules into these new services or into any existing services in your current domain.

Using the Import From Device Wizard

  1. Select File > Import > Policy Configuration From Device. The Import From Device Wizard opens.

Import From Device

  1. Select whether you would like to import roles and/or rules from the device(s):
    • Roles – Select this option to import roles, including the role's name, description, default VLAN (access control), and default class of service.
    • Rules – Select this option to import the traffic classification rules associated with any roles on the device. If you select this option, you can also select whether to import any static traffic classification rules configured on the device.
     NOTE: If you import a device-specific rule, it will be converted to a rule type of "All Devices." If you want the rules to be device-specific, you will have to change their Rule type via the Rule General tab after the import and prior to Enforce.
  2. Select the Class of Services checkbox to import all role-based Class of Service information including Class of Services, corresponding role-based rate limit port groups, and mapped role-based rate limits. Selecting this checkbox will also give you the opportunity to import the GVRP status (via a dialog box during the import) as long as the domain status is not set to Ignore and it does not match the GVRP status read from the device during the import.
     WARNING: If Global Services are used, then modifying Class of Service data (which may be used by Global Services and Rules) can potentially change the policy configuration for all domains. To avoid this, perform the Import Policy Configuration From Device operation on a domain that has the "Edit > Do Not Use Global Services" option checked.
  3. Click Next.

Device Selection

  1. This window lets you select the devices you would like to import from. The Devices panel on the left side of the window displays all the devices and device groups in the current domain. Select the devices that you would like to import from, and click Add to list them in the Selected Devices panel.
    You can also create or import new devices from which to read policy. Click the Create button to add a new device, if desired. Click the Import from Data File button to open a window where you can select a data file to import devices from. If you use these methods, you can use the Remove the created/imported Devices from Policy Manager upon completion checkbox if you don't want the devices permanently added to the domain.
  2. If you selected the Class of Services checkbox in the previous window, you must specify the device from which to import the Class of Service information. Since different devices may specify different CoS configurations for the same Class of Service, a single device must be specified. The existing Classes of Service (in the domain) will be updated with the CoS information from this one device. However, in the case of the Class of Service Mode which is a per-device attribute (specified in the Device General tab), only the devices selected here in this window will have their Class of Service Mode updated (in the domain) to match the mode on the actual device.
  3. Click Next.

Read From Device

  1. This view displays all the roles and rules available for import into your domain. Using the checkboxes in the Selected columns, select the roles and rules that you want to add to your domain. You can sort the tables by clicking on a column heading.

    Roles Panel
    The top panel lists all the roles you can select from, along with information on the role's default actions including access control and class of service. If the role already exists in your domain, it cannot be imported. In addition, any differences between the existing role in your domain and the same role on the device will be indicated using red text, except device-level and port-level mappings.
    • Selected – Use the checkboxes to select the roles you want to add to your domain. Roles that already exist in your current domain display "exists" in this column, and cannot be selected.
    • Name – The name of the role.
    • Access Control – The default access control associated with the role. If the role does not have default access control, the column will display N/A.
    • CoS – The default class of service associated with the role. If the role does not have default class of service, the column will display N/A.
    • Syslog – Displays whether the syslog functionality (a syslog message is generated when the role is used) is configured as a default action of the role.
    • Audit Trap – Displays whether the audit trap functionality (an audit trap is generated when the role is used) is configured as a default action of the role.
    • Disable Port – Displays whether the disable port functionality (ports reported as using this role will be disabled) is configured as a default action of the role.
    • Traffic Mirror – Displays whether traffic mirror functionality is configured as a default action of the role.
    • TCI Overwrite – Displays whether TCI Overwrite is enabled or disabled for the role.
    • Device(s) of Origin – The device(s) the role exists on.

    Rules Panel
    The bottom panel lists all the rules you can select from, along with information on each rule's traffic description (type and value) and actions (access control and class of service). You can select a checkbox to allow the wizard to Consolidate IP TCP/UDP Rules containing adjacent ports and equal actions into ranges where possible. This will reduce the number of rules imported into your domain. For example, if a device has two UDP Port Destination rules, one for FTP (port 21) and one for FTP Data (port 20), and this checkbox is selected, a range rule of 20-21 is created instead of two separate rules.
    • Selected – Use the checkbox to select the rules you want to add to your domain. Rules that already exist in your current domain display "exists" in this column, and cannot be selected.
    • Name – The name of the rule, generated from the rule's actions, type, and value.
    • Cleanup Static – If you are importing static rules, select this checkbox if you want the wizard to clear the static rule from the port tables on the device. It is recommended that you clean up static rules so they do not interfere with the rules set through Policy Manager.
    • Type – The Classification Type for the rule.
    • Value – The classification value.
    • Access Control – The access control associated with the rule. If the rule does not specify access control, this column will display N/A.
    • CoS – The class of service associated with the rule. If the rule does not specify a class of service, this column will display N/A.
    • Syslog – Displays whether the syslog functionality (a syslog message is generated when the rule is used) is enabled, disabled, or prohibited for the rule.
    • Audit Trap – Displays whether the audit trap functionality (an audit trap is generated when the rule is used) is enabled, disabled, or prohibited for the rule.
    • Disable Port – Displays whether the disable port functionality (ports reported as using this rule will be disabled) is enabled, disabled, or prohibited for the rule.
    • Traffic Mirror – Displays whether the traffic mirror functionality is enabled, disabled, or prohibited for the rule.
    • TCI Overwrite – Displays whether TCI Overwrite is enabled, disabled, or prohibited for the rule.
    • Role(s) of Origin – The role the rule is coming from.
  2. Click Next.
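
The consolidation described for the Rules Panel can be modelled as follows. This is an added example, not Policy Manager code: the `PortRule` record, the function names and the sample rules are assumptions constructed here to show that only rules of the same type with equal actions and adjacent ports collapse into a range.

```python
from dataclasses import dataclass, replace
from itertools import groupby

@dataclass(frozen=True)
class PortRule:
    rule_type: str       # classification type, e.g. "UDP Port Destination"
    low: int             # first port covered by the rule
    high: int            # last port covered (equal to low for a single port)
    access_control: str  # "N/A" when the rule specifies none
    cos: str             # "N/A" when the rule specifies none

def consolidate(rules):
    """Merge rules with the same type and equal actions whose ports touch."""
    same = lambda r: (r.rule_type, r.access_control, r.cos)
    merged = []
    for _, group in groupby(sorted(rules, key=lambda r: (same(r), r.low)), key=same):
        run = None
        for rule in group:
            if run is not None and rule.low <= run.high + 1:
                # Adjacent or overlapping port: extend the current range.
                run = replace(run, high=max(run.high, rule.high))
            else:
                if run is not None:
                    merged.append(run)
                run = rule
        merged.append(run)
    return merged

def label(rule):
    ports = str(rule.low) if rule.low == rule.high else f"{rule.low}-{rule.high}"
    return f"{rule.rule_type} {ports} [{rule.access_control}, {rule.cos}]"

# Constructed sample of rules read from a device (values are illustrative).
SAMPLE = [
    PortRule("UDP Port Destination", 21, 21, "Permit", "N/A"),  # FTP
    PortRule("UDP Port Destination", 20, 20, "Permit", "N/A"),  # FTP Data
    PortRule("UDP Port Destination", 22, 22, "Deny", "N/A"),    # adjacent, other action
    PortRule("UDP Port Destination", 69, 69, "Permit", "N/A"),  # not adjacent
    PortRule("TCP Port Destination", 21, 21, "Permit", "N/A"),  # other type
]

if __name__ == "__main__":
    for rule in consolidate(SAMPLE):
        print(label(rule))
```

Port 22 stays a separate rule even though it is adjacent to 21, because its action differs; merging it would change what is enforced.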

Organize and Update

  1. The wizard provides a selection of common ways to organize the rules into services. Select one of these options:
    • All Rules in one Service – Organize all the imported rules into one new service.
    • Rules placed in Services by Action – Organize all imported rules by their action: Deny, Permit, Contain, or Prioritize.
    • Rules placed in Services by Classification Layer – Organize all imported rules by their Traffic Classification Layer: Layer 2, Layer 3, or Layer 4.
    • Rules placed in Services by Classification Type – Organize all imported rules by their Traffic Classification Type.
    • Rules placed in Services by Role of Origin – Organize all imported rules by the name of the role they originated from. If desired, you can add these services to the corresponding role in the domain by selecting the Add Generated Services to Matching Role checkbox.
  2. In the Role Update section, select the checkbox if you would like to update the existing roles in your domain with any conflicting role information read from the device(s). If the role already exists in your domain, it cannot be imported. However, this option lets you update the existing role in your domain with the values of the same role read from the device(s). These differences were highlighted in the Read From Device role panel in red text. (Device-level and port-level mappings will be imported even though they are not highlighted as differences.)
  3. Click Next.

Merge Rules

  1. In this view, the panel on the left shows the rules organized into generated services as specified in the previous view. The panel on the right shows the current set of services available in your domain. You can merge the rules into your available services, or leave the rules as organized in the previous view. To merge the rules:
    1. In the left panel, select the rules and/or services you want to merge.
    2. In the right panel, select the service you want to merge the rules into.
    3. Click the Add button. The rules will be reorganized under the service.
    4. If desired, you can create a new service. Click Create Service to open a window where you can name a service and add it to the Available Services panel.
  2. Because you are importing new rules into existing services, there is a possibility of conflicts between the new rules and any existing rules in a service. For example, two rules might have the same traffic descriptor but forward traffic to different VLANs, or have different priorities. If the two rules are applied to the same service, or to the same role via two different services, unpredictable and undesired behavior could result. Click Check for Conflicts, and Policy Manager will check rule traffic descriptions and action values, and provide a message if conflicts are found. This gives you an opportunity to resolve the conflicts prior to importing. Any conflicting rules that are not resolved will be disabled when the import is performed.
  3. When your rules are organized as desired, click Finish to perform the import.
  NOTE: Because the import operation imports only roles and rules from the device (not the complete policy configuration), a Verify operation performed following the import may fail. Also, when you import device-specific rules, these rules are converted to a Rule Type of "All Devices," and this will cause Verify to fail. If you want the rules to be device-specific, you will have to change their Rule Type via the Rule General tab after the import and prior to Enforce.
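
The kind of conflict that Check for Conflicts looks for can be reproduced offline on an exported rule list. This is an added example, not Policy Manager's implementation: the tuple layout, service and role names, and rule values are assumptions constructed here. It flags any traffic descriptor that carries different actions within one service, or within one role reached through two different services.

```python
from collections import defaultdict

def find_conflicts(services, roles):
    """Report descriptors that carry more than one action set in a scope.

    services: {service name: [(type, value, access_control, cos), ...]}
    roles:    {role name: [service name, ...]}
    """
    conflicts = []

    def check(scope, service_names):
        actions = defaultdict(set)
        for name in service_names:
            for rtype, value, access_control, cos in services.get(name, []):
                actions[(rtype, value)].add((access_control, cos))
        for descriptor, seen in sorted(actions.items()):
            if len(seen) > 1:
                conflicts.append((scope, descriptor, sorted(seen)))

    for name in sorted(services):   # same descriptor inside one service
        check(f"service:{name}", [name])
    for role in sorted(roles):      # same role via two different services
        check(f"role:{role}", roles[role])
    return conflicts

# Constructed domain after a merge (names and values are illustrative).
SERVICES = {
    "Acceptable Use": [("UDP Port Destination", "69", "VLAN 20", "N/A")],
    "Imported Rules": [("UDP Port Destination", "69", "VLAN 10", "N/A")],
    "Voice": [
        ("IP Address Destination", "192.0.2.5", "N/A", "Priority 5"),
        ("IP Address Destination", "192.0.2.5", "N/A", "Priority 2"),
    ],
}
ROLES = {"Guest": ["Acceptable Use", "Imported Rules"]}

if __name__ == "__main__":
    for scope, descriptor, seen in find_conflicts(SERVICES, ROLES):
        print(scope, descriptor, seen)
```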
