For a consolidated view of your policy sections and rules, you can export your firewall configuration to a file. NSX creates a report of your firewall configuration as a CSV file. You can also import a firewall configuration and view it as a draft in NSX.

  • You can choose to export your published configuration, an auto-saved draft, or a manually saved draft.
  • When exporting a firewall configuration on a Local Manager appliance, only the Local Manager configuration is exported. Configuration that has been synced from a Global Manager is not exported as part of the Local Manager configuration.
  • The import operation is not available on a Global Manager appliance.
  • The exported CSV file and the metadata file together are available for download as a ZIP file.
  • You can only run one export operation and one import operation simultaneously. Running multiple export or multiple import operations simultaneously is not supported.


  1. With admin privileges, log in to NSX Manager.
  2. Select Security > Distributed Firewall.
  3. Export the firewall configuration.
    • To export the current configuration, select Actions > Export FW Configuration.
    • To export an auto-saved draft or a manual draft, select Actions > View and click the name of the draft configuration to open Draft details. Click Export Draft.

      The View Draft Details window displays any differences that exist between the saved configuration and the last published configuration.

  4. Enter a passphrase and click Export.
    A notification is displayed when the configuration has been exported.

    You cannot publish a configuration when the export operation is in progress. If necessary, you can cancel the export operation.

  5. Click Download to save the ZIP file containing the CSV and metadata files.
  6. Starting in NSX 4.1.1 to import a firewall configuration, navigate to Security > Distributed Firewall, and select the Saved Drafts tab. Click Import. In releases earlier than 4.1.1, to import a firewall configuration, navigate to Security > Distributed Firewall and select Actions > Import.

    When importing rules with groups, the groups must be created on the destination environment without typos. If not, you will get a Deleted_Object error message instead of the group name when importing the rules.

    Editing the name of the Group to fix the typo does not fix the issue, because the UUID stays with the the original name.

  7. Browse to select the ZIP file containing the configuration that you want to import. Enter a name and the passphrase that was used when saving the configuration, and click Import.

    Ensure that you select a ZIP file that has not been modified after it was downloaded.

    A notification is displayed if the file to be imported is corrupt or the incorrect passphrase has been used.

    Note: You can only import configuration that has been defined in NSX. Importing third-party firewall configuration is not supported.
    The imported configuration is saved as a manual draft in NSX. You can edit the draft and then publish it as required. For more information on working with drafts, see Firewall Drafts.