Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5040
Views
0
Helpful
3
Replies

Importing Policies into ISE 2.6 from policy.xml file

Go to solution
rocant
Cisco Employee
Cisco Employee

‎04-08-2020 02:50 AM

Hi all

Please help, my customer has a production ISE implementation running on version 2.3 P4. We are currently running a POV for SDA and they have bought ISE VM licenses to test this. they have installed version 2.6 (not sure on the patch) on the VM, however; they would like to import all of their policies (4 years worth) from their production 2.3 implementation.

TAC has come back and said this cannot be done, is there any hack / trick / anything that could help them do this, even if they have to modify their exported 2.3 XML policy file and copy back to the correct directory?

They really don't want to trash their 2.6 VM installation.

Thanks in advance for the help!

Regards

Rob

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎04-08-2020 03:39 PM

The Policy Export is mainly intended to be provided to Cisco TAC to assist in troubleshooting and analysis of the policy elements. None of the current ISE versions provide any function to import the exported policy.

As per the Admin Guide, ISE 2.6 supports restore from backups obtained from Release 2.1 and later. The only option to prevent manual reconfiguration of the old 2.3 Policy Elements would be to restore the 2.3 backup to the 2.6 cluster and reconfigure the DNAC/SDA integration.

AFAIK, DNAC uses some pretty basic AuthC/AuthZ Policies in the Default Policy Set so this would also give you the ability to configure some more efficient policies to be used by the SDA fabric.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
marce1000
VIP
VIP

‎04-08-2020 03:24 AM

 

 - This sure is not going to work and the xml will be incompatible with a 2.6 installation. The straight-path forward is to build a 2.6-ready environment by having an 'offline'-upgrade process on the to-be production environment.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful

Go to solution
rocant
Cisco Employee
Cisco Employee
In response to marce1000

‎04-08-2020 11:54 PM

Thank you

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎04-08-2020 03:39 PM

The Policy Export is mainly intended to be provided to Cisco TAC to assist in troubleshooting and analysis of the policy elements. None of the current ISE versions provide any function to import the exported policy.

As per the Admin Guide, ISE 2.6 supports restore from backups obtained from Release 2.1 and later. The only option to prevent manual reconfiguration of the old 2.3 Policy Elements would be to restore the 2.3 backup to the 2.6 cluster and reconfigure the DNAC/SDA integration.

AFAIK, DNAC uses some pretty basic AuthC/AuthZ Policies in the Default Policy Set so this would also give you the ability to configure some more efficient policies to be used by the SDA fabric.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents