Cloud Managed Networks

  • 1.  Import profiles and roles into central

    Posted 5 days ago

    Hello all

    I am trying to see if there's any way to import things like profiles (ACLs) and roles into Central?  We currently have an on prem AOS 8 running and need to duplicate it in Central (we have some AP735s that we need to install).  I have some profiles with quite a few rules and I would like to avoid spending hours clicking thru.  If I cannot do an import, is there any type of CLI that I can use?

    I have dug thru the forum and most posts say it can't be done, but they are older and I want to double check in case a new feature was added.

    Thanks!

    Jeff



    ------------------------------
    Jeff Johnston
    ------------------------------


  • 2.  RE: Import profiles and roles into central

    Posted 4 days ago

    The roles and policies are quite different in AOS10/New Central.  See this "Central Policy Configuration"

    I think eventually there will be some tool, perhaps it is best to contact your local SE.

    But in the interim, for a large number of role-based policies, maybe the combination of API and Web UI would be the way.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Import profiles and roles into central

    Posted 4 days ago

    Thank you

    "I think eventually there will be some tool, perhaps it is best to contact your local SE"

    This is basically the reason for the post - I was hoping that type of tool was recently released but I guess not.  FWIW - it appears as if I will need to be constructing this in New Central.  We absolutely MUST have the hierarchical capability for the Groups - we have multiple sites that will have multiple gateways.  There are some configs that are global and we want to keep that, some that are site specific, and some that are more location specific.  The AOS8 architecture nailed it in that aspect to be able to put in overrides as you went down.  I am at a complete loss as to why HPE/Aruba EVER designed the original Central without that basic capability.  It's a HUGE step backward for scalability (just my opinion and the smart folks at HPE/Aruba never asked for my input LOL).

    Looks like I'll be investigating the REST APIs.

    Thanks again for your response



    ------------------------------
    Jeff Johnston
    ------------------------------



  • 4.  RE: Import profiles and roles into central

    Posted 4 days ago

    I believe there will be some migration options when they are fully finished. We are still early adopters with workflows still being adjusted. Not to mention topology and orchestration are not ready yet. 

    I have posted to some other links on roles. I am happy to provide insight. The way it's done in cnx is not going to be the best for everyone.  I personally really like it once it's understood. It can be a little confusing. I would use the concept of creating that ACL only once and place it in the order of operations it should be in. If you want a role linked to it, just go into that ACL and link the source role. Firewall rules tend to be more specific at top to more generalized at bottom. If a guest role should access a resource on corp, it would need to be listed before the deny-rfc1918. This way when you go into your ACLs for guest role you would just add the source role to every ACL that needs access. If the corp resource is below the deny-rfc1918, that will be the order of operations it's installed on the APs.

    Just check the show commands after the rules are created. Ensure the order is proper. 
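
Added example, not part of the thread and not Aruba or Central code: a small Python check for the ordering problem described in the post above, where a permit for a guest role to a corp resource sits below deny-rfc1918 and never takes effect. The rule structure, rule names and addresses are constructed for illustration, first-match evaluation is assumed, and nothing here reads Central's API or show-command output.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    roles: frozenset   # source roles linked to the rule
    dests: tuple       # destination networks
    action: str        # "permit" or "deny"

def rule(name, roles, dests, action):
    return Rule(name, frozenset(roles), tuple(ip_network(d) for d in dests), action)

def first_match(rules, role, dst):
    """Name and action of the first rule matching role and dst (assumed first-match, implicit deny)."""
    addr = ip_address(dst)
    for r in rules:
        if role in r.roles and any(addr in net for net in r.dests):
            return r.name, r.action
    return "implicit-deny", "deny"

def shadowed(rules):
    """(later, earlier, role) wherever an earlier rule with the opposite action
    already covers every destination of a later rule for a shared source role."""
    hits = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.action == later.action:
                continue
            covered = all(any(d.version == n.version and d.subnet_of(n)
                              for n in earlier.dests) for d in later.dests)
            if covered:
                hits += [(later.name, earlier.name, role)
                         for role in sorted(later.roles & earlier.roles)]
    return hits

# Constructed sample rules; names and addresses are illustrative only.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
deny_private = rule("deny-rfc1918", ["guest"], RFC1918, "deny")
allow_printer = rule("allow-corp-printer", ["guest", "corp"], ["10.20.30.40/32"], "permit")
allow_any = rule("allow-internet", ["guest"], ["0.0.0.0/0"], "permit")

BAD = [deny_private, allow_printer, allow_any]    # corp resource below the deny
GOOD = [allow_printer, deny_private, allow_any]   # specific permit first

if __name__ == "__main__":
    for label, rules in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, first_match(rules, "guest", "10.20.30.40"), shadowed(rules))
```

The same comparison can be run against an exported AOS 8 rule list and the order finally installed on the APs, once both are converted into this structure.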




  • 5.  RE: Import profiles and roles into central

    Posted yesterday
    Edited by TM-cf9237 yesterday

    Make sure you really test the most complicated ACLs and "adding/removing" procedures you have before going into production.
    You can only use a subset of the actual features of your devices with New Central as there are VERY limited ACL/policy UI features.
    More to the point: it's really hard to change policy ACLs completely once assigned as you cannot, e.g., delete policy ACL lines again.
    The whole ACL experience is so cumbersome and convoluted that it takes A LOT of practice in a sandbox Central to not create something in production that you cannot get rid of/change as you need to.