Importing Policies Overview
CSO supports importing policy configurations from next-generation firewall devices. You can discover existing policy configuration while onboarding next-generation firewall device (without enabling ZTP) or import policy configurations from Firewall and NAT policy pages (after ZTP).. For more information about overview and configuration of ZTP on SRX Series devices, see Zero Touch Provisioning on SRX Series Devices.
To discover existing policy configuration while onboarding next-generation firewall device (without enabling ZTP), see Adding a Standalone Next Generation Firewall Site, and Add an On-Premise Spoke Site with Next Generation Firewall and LAN Capabilities.
CSO uses object name as the unique identifier for an object (such as addresses, services, schedulers, SSL profiles, unified threat management (UTM), and Layer 7 applications). During policy import, all objects that are supported by CSO are imported and all objects names are compared between what is in CSO and what is on the next generation firewall device. A conflict occurs when the name of the object to be imported matches an existing object, but the value of the object does not match. The object conflict resolution (OCR) operation is triggered to resolve the object name conflicts.
If the object name does not exist in CSO, the object is added to CSO.
If the object name exists in CSO with the same content, the existing object in CSO is used.
If the object name exists in CSO with different content, the object conflict resolution operation is triggered, providing users with the following conflict resolution options:
This is the default option.
By default, "_1" is added to the object name, or users can specify a new unique name.
Deploying the policy will delete the original object and add the object with the new name.
There is no functional change to the firewall policy (labels only).
Overwrite with imported value
The object in CSO is replaced with the object from the import operation.
The change will be reflected for all other devices that use this object after the policy deployment.
There is no functional change to the firewall policy.
There may be possible traffic impact to all other devices that use this object the next time the other device is updated from CSO.
Keep existing object
The object name in CSO is used instead of what is on the next generation firewall device.
Policy deployment for the imported firewall policy will show the modification.
There may be possible traffic impact to this firewall because the content is different in some way.
The following section provides an example for importing policies. Here we use Address as an object type and see how to resolve the object name conflicts.
The existing objects in CSO are listed inTable 1.
Table 1: Existing address in CSO
The existing objects in the next generation firewall device are listed inTable 2.
Table 2: Existing address in next-generation firewall device
During policy import, OCR is triggered and the object conflicts between next generation firewall device and CSO. The resolution that we have chosen is listed in Table 3.
Table 3: OCR while importing policies to CSO
Object Name in CSO
Object Type in CSO
Existing Value in CSO
Imported Value to CSO
New Object Name in CSO
Keep Existing Object
Overwrite with Imported value
The object values and the result after resolving conflicts are listed in Table 4.
Table 4: After importing policies to CSO
Discovered Object Name in CSO
Discovered Value in CSO