07-24-2025 02:22 AM
I have exported an ACP and its objects from one FMC to another.
Would like to clarify how the objects are imported into the new FMC.
We will have had objects – both network and port objects – on the new FMC2600 with the same name as objects in the policy imported from the old FMC with ACP. Some of these objects will not have the same definition on each platform.
How would the ACP handle these cases?
Will it have overwritten the existing definition, created a new/renamed object, merged objects or just used the FMC2600 definition?
07-24-2025 03:16 AM
@NetworkMonkey101 sounds like you just exported and imported the Access Control policy?
You can use the Import/Export feature to copy configurations which includes the ACP, NAT policies, objects etc - https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/770/management-center-admin-77/tools-import-export.html#ID-2229-0000009d
When you import objects and object groups:
Generally, the import process imports objects and groups as new, and you cannot replace existing objects and groups. However, if network and port objects or groups in an imported configuration match existing objects or groups, the imported configuration reuses the existing objects/groups, rather than creating new objects/groups. The system determines a match by comparing the name (minus any autogenerated number) and content of each network and port object/group.
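A pre-import check built on the matching rule quoted above (name minus any autogenerated number, plus content), as an added example that is not part of the original post or Cisco's code. The object dictionaries, the `Port` type label and the trailing `_<digits>` suffix pattern are assumptions made for illustration; the sample objects are constructed.

```python
import ipaddress
import re

# Assumption: the autogenerated number is a trailing "_<digits>" suffix.
# A hand-made name that ends the same way would be stripped as well.
AUTO_SUFFIX = re.compile(r"_\d+$")

def base_name(name):
    return AUTO_SUFFIX.sub("", name)

def content_key(obj):
    """Normalise a definition so that equal content compares equal."""
    if obj["type"] in ("Host", "Network"):
        net = ipaddress.ip_network(obj["value"], strict=False)
        return (obj["type"], str(net))
    if obj["type"] == "Port":
        return (obj["type"], obj["protocol"].upper(), str(obj["port"]))
    return (obj["type"], repr(sorted(obj.items())))

def classify(imported, existing):
    """Map each imported object name to 'reuse', 'conflict' or 'new'."""
    known = {}
    for obj in existing:
        known.setdefault(base_name(obj["name"]), set()).add(content_key(obj))
    result = {}
    for obj in imported:
        defs = known.get(base_name(obj["name"]))
        if defs is None:
            result[obj["name"]] = "new"        # no object with this name on the target
        elif content_key(obj) in defs:
            result[obj["name"]] = "reuse"      # name and content match
        else:
            result[obj["name"]] = "conflict"   # same name, different definition
    return result

# Constructed sample data: objects already on the target FMC ...
EXISTING = [
    {"name": "DMZ-Servers", "type": "Network", "value": "10.10.20.0/24"},
    {"name": "Mgmt-Host", "type": "Host", "value": "192.0.2.10"},
    {"name": "App-Port", "type": "Port", "protocol": "tcp", "port": "8443"},
]
# ... and objects carried in the exported policy package.
IMPORTED = [
    {"name": "DMZ-Servers", "type": "Network", "value": "10.10.30.0/24"},
    {"name": "Mgmt-Host", "type": "Host", "value": "192.0.2.10"},
    {"name": "App-Port", "type": "Port", "protocol": "TCP", "port": 8443},
    {"name": "Branch-LAN", "type": "Network", "value": "172.16.5.0/24"},
]

if __name__ == "__main__":
    for name, verdict in classify(IMPORTED, EXISTING).items():
        print(f"{verdict:9} {name}")
```

Objects reported as `conflict` are the ones to review by hand after the import, since the rules referencing them may not point at the definition you expect.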
07-24-2025 02:53 AM
As far as I know,
you cannot do that.
MHM
07-24-2025 03:03 AM
Ok, well, I have imported the ACP and all the policies were created... I assume they would have pulled in any missing objects that did not exist on the FMC.
07-24-2025 03:49 AM - edited 07-24-2025 03:50 AM
There is import/export for NAT, ACP and even the whole config,
but there is no import/export for objects.
There is a workaround using Python.
Sorry for that.
MHM
07-24-2025 04:02 AM - edited 07-24-2025 04:10 AM
Update
When you import/export an ACP or NAT policy, the FMC automatically imports/exports the objects used with it.
Check the import/export report.
You will see a list of objects related to the ACP/NAT.
That is why the FMC does not have a separate feature for objects.
MHM
07-24-2025 03:52 AM - edited 07-24-2025 04:04 AM
Thanks
MHM
07-24-2025 04:14 AM
When importing an Access Control Policy (ACP) from one Firepower Management Center (FMC) to another, the associated objects (such as network objects, port objects, and security zones) can behave differently based on how the export/import process is configured and the existing state of the target FMC.
Here’s how it typically works:
Exporting the ACP: When you export an ACP, FMC creates a policy package that includes references to all associated objects. However, it doesn’t automatically export the full object definitions unless explicitly included.
Import Behavior:
Existing Objects: If the target FMC already has an object with the same name and type, the import will typically use the existing object. If there’s a mismatch (e.g., different IP range), FMC may throw a warning or error, depending on the version.
Missing Objects: If the referenced object does not exist on the target FMC, the import will fail unless you manually create those objects first or include them in a full policy export.
Custom and Shared Objects: Custom objects tied to specific policies need to be verified during import. Shared objects used globally should be synced or re-created manually if not included.
Best Practice: Always review the object dependencies before importing. Use the Policy Dependency Tree or Export Preview to see which objects are required.
Tooling: Some admins use REST APIs or Firepower Migration Tool to automate and ensure object consistency between FMCs.