Illumio Core 25.1 Install, Configure, Upgrade

Import and Export Security Policy

You can export and import security policy to and from the PCE using the CLI Tool. Importing and exporting security policy is particularly useful for moving policy from one PCE to another to avoid recreating policy from scratch on the target PCE. For example:

  • You can test the policy on a staging PCE and then move it to your production PCE.

  • You can move the policy from a proof-of-concept PCE deployment to your production PCE.

Export and Import Policy Objects

You can use the CLI Tool to export or import the following objects in the PCE:

  • Labels: labels

  • Label groups: label_groups

  • Pairing profiles: pairing_profiles

  • IP lists: ip_lists

  • Services: services

  • Rulesets and rules: rule_sets

About Exporting Rules

You can export rules for workloads, virtual services, or virtual servers.

Illumio recommends that you base your security policy rules on labels for flexibility. Do not tie the rules to specific individual workloads, virtual services, or virtual servers.

Virtual servers and virtual services are not exported.

The CLI Tool policy export does not include such references. A warning is displayed on export when you have rules tied to individual workloads, virtual services, or virtual servers. Attempts to import such rules fail, and the reason for the failure is displayed.

Example: Failed Attempt to Export Rules for Workload

    WARNING: rule /orgs/1/sec_policy/active/rule_sets/3/sec_rules/39 contains non-transferrable providers: workload /orgs/1/workloads/a51ae67d-472a-44c3-984e-d518a8e95aee
    Unable to proceed, please verify input

Workflow for Security Policy Export/Import

  • Authenticate to the source PCE.

  • Export the policy to a file. Syntax summary:

    ilo sec_policy export --file someExportFilename

  • Authenticate to the target PCE.

  • Import the saved policy. Syntax summary:

    ilo sec_policy import --file someImportFilename
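
Because an import aborts on any rule that names an individual workload, virtual service, or virtual server, it is worth scanning the exported JSON before authenticating to the target PCE. The script below is an added example, not part of the Illumio CLI Tool or its documentation; it assumes the export's rule_sets carry "rules" with "providers" and "consumers" lists of actor objects keyed by actor type (modelled on the PCE REST API), and the sample data is constructed.

```python
import json

# Constructed sample in the shape of a rule_sets export (assumed layout, modelled on the
# PCE REST API: each rule carries "providers" and "consumers" lists of actor objects keyed
# by actor type). Not from a real PCE; the workload href mirrors the warning shown above.
SAMPLE_EXPORT = {
    "rule_sets": [
        {
            "href": "/orgs/1/sec_policy/active/rule_sets/3",
            "rules": [
                {
                    "href": "/orgs/1/sec_policy/active/rule_sets/3/sec_rules/38",
                    "providers": [{"label": {"href": "/orgs/1/labels/7"}}],
                    "consumers": [{"actors": "ams"}],
                },
                {
                    "href": "/orgs/1/sec_policy/active/rule_sets/3/sec_rules/39",
                    "providers": [{"workload": {"href": "/orgs/1/workloads/a51ae67d-472a-44c3-984e-d518a8e95aee"}}],
                    "consumers": [{"ip_list": {"href": "/orgs/1/sec_policy/active/ip_lists/2"}}],
                },
            ],
        }
    ]
}

# Actor types that point at one specific object and therefore do not transfer between PCEs.
NON_TRANSFERRABLE = ("workload", "virtual_service", "virtual_server")

def find_non_transferrable(export):
    """Return (rule_href, side, actor_type, actor_href) for each provider or consumer
    that references an individual workload, virtual service, or virtual server."""
    findings = []
    for rule_set in export.get("rule_sets", []):
        for rule in rule_set.get("rules", []):
            for side in ("providers", "consumers"):
                for actor in rule.get(side, []):
                    for kind in NON_TRANSFERRABLE:
                        if kind in actor:
                            findings.append((rule["href"], side, kind, actor[kind]["href"]))
    return findings

def check_export_file(path):
    """Load an export written with --file and list its non-transferrable references."""
    with open(path) as fh:
        return find_non_transferrable(json.load(fh))

if __name__ == "__main__":
    for rule_href, side, kind, href in find_non_transferrable(SAMPLE_EXPORT):
        print(f"WARNING: rule {rule_href} contains non-transferrable {side}: {kind} {href}")
```

Run `check_export_file("someExportFilename")` against a real export; an empty result means every rule is label-, label-group-, or IP-list-based and the import should not abort for this reason.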

Output Options, Format, and Contents

All exported policy is written to standard output. To write to a file, use the --file option.

The exported policy is in JSON format.

By default, all supported policy objects are exported. You can export a subset of policy by specifying one or more resource types with the --resource option (labels, label_groups, pairing_profiles, ip_lists, services, or rule_sets).

When a subset of policy items is exported (such as only labels), all referenced resources are also exported.

See also About Exporting Rules for information.

Exported Rulesets

With the --rule_set option, you can export multiple rulesets.

By default, only the most recently provisioned, active policy is exported. To export the current draft policy or a previous policy, use the --pversion state option. See List Draft or Active Version of Rulesets for information.

For a single ruleset, make sure the --pversion state you specify matches the provisioned state of the ruleset. In the following example, the state is draft:

    ilo sec_policy export --pversion draft --rule_set /orgs/1/sec_policy/draft/rule_sets/1

Effects of Policy Import

All imported policies are read from standard input unless you import from a file with the --file option.

You can import policy files multiple times. Each import affects only a single copy of a resource.

All imported policies are set in the draft provisioned state. After the import, you must explicitly provision the active state.

If the policy contains non-transferrable rules (that is, rules tied to specific workloads, virtual servers, or bound services), the import aborts with a warning. See About Exporting Rules for information.

Policy items already on the target PCE are updated by imported resources whose names match the names of existing resources. Services need not have the same names: services match if they have the same set of ports and protocols.

An import does not delete resources. For example, if you export policy from PCE-1 to PCE-2, delete a resource "R" from PCE-1, and then export and import again, resource "R" is still present on PCE-2. You must explicitly delete resource "R" from PCE-2.