Cisco Defense Orchestrator

Resolve Configuration Conflicts

About Configuration Conflicts

On the Devices & Services page, you may see that devices or services have the status "Synced," "Not Synced," or "Conflict Detected."

  • When a device is Synced, the configuration on Defense Orchestrator and the configuration stored locally on the device are the same.  
  • When a device is Not Synced, the configuration stored in Defense Orchestrator was changed and is now different from the configuration stored locally on the device.
  • When a device has the status Conflict Detected, the configuration on the device was changed outside of Defense Orchestrator and is now different from the configuration stored on Defense Orchestrator. Changes made to devices outside of Defense Orchestrator are called out-of-band changes.

When your device is Synced, your device is up to date. When your device is Not Synced or is marked Conflict Detected, you need to decide if you want to keep the configuration stored on Defense Orchestrator or the configuration stored on the device to return the device status to Synced.

Resolve "Not Synced" Status

To resolve a device "Not Synced" status, follow this procedure:

  1. Open the Devices & Services page. Note the name and IP address of the device that is Not Synced.
  2. Navigate to the Change Log page by selecting Monitoring > Change Log.
  3. Search for the device that is Not Synced.
  4. Review any recent changes created on Defense Orchestrator for that device:
  • If your intention was to push the configuration change from Defense Orchestrator to the device, open the Devices & Services page, select the device, and click Write Changes.
  • If you decide you do not want to push the configuration change from Defense Orchestrator to the device, or you want to "undo" the configuration changes you started making on Defense Orchestrator, click Read Policy. That will overwrite the configuration stored in Defense Orchestrator with the running configuration stored on the device.  

Resolve "Conflict Detected" Status

Defense Orchestrator allows you to enable or disable Conflict Detection on each live device. If Conflict Detection is enabled and the device's running configuration changed since it was last read into Defense Orchestrator, the device's configuration status will be Conflict Detected. Changes made to devices managed by Defense Orchestrator will be detected.

To resolve a device with "Conflict Detected" status, follow this procedure:

  1. Select Devices & Services from the navigation bar.
  2. Select the device reporting the conflict and click Review Conflict in the details pane on the right. 
  3. In the Device Sync page, compare the two configurations by reviewing the highlighted differences. 
  • The panel labeled "Last Known Device Configuration" is the device configuration stored on Defense Orchestrator.
  • The panel labeled "Found on Device" is the configuration stored in the running configuration on the ASA.  
  4. Resolve the conflict by selecting one of these radio buttons and clicking Continue:
  • Reject the out of band changes and replace with the last known device config. This will overwrite the configuration stored on the device with the configuration stored on Defense Orchestrator. 
  • Accept out-of-band changes. This will overwrite the configuration and any pending changes stored on Defense Orchestrator with the device's running configuration.
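
The three statuses and the step 3 comparison can be modeled offline with exported configuration text. The following is an added example, not Defense Orchestrator's code or API: the function names, the sample ASA-style lines, and the rule that a device-side change takes precedence over pending edits are assumptions made for illustration.

```python
import difflib

def normalize(config: str) -> list[str]:
    """Drop blank lines and trailing whitespace so cosmetic noise is not reported as drift."""
    return [ln.rstrip() for ln in config.splitlines() if ln.strip()]

def sync_status(staged: str, last_known: str, on_device: str) -> str:
    """Classify a device using the page's three states.

    staged     -- configuration held on the management side, including pending edits
    last_known -- device configuration as it was last read from the device
    on_device  -- running configuration found on the device now
    """
    # Assumption: an out-of-band change is reported even when edits are also pending.
    if normalize(on_device) != normalize(last_known):
        return "Conflict Detected"
    if normalize(staged) != normalize(last_known):
        return "Not Synced"
    return "Synced"

def out_of_band_diff(last_known: str, on_device: str) -> list[str]:
    """Return only the added (+) and removed (-) lines between the two review panels."""
    diff = list(difflib.unified_diff(
        normalize(last_known), normalize(on_device),
        fromfile="Last Known Device Configuration",
        tofile="Found on Device", lineterm="", n=0))
    # Skip the two file-header lines, then keep change lines (hunk headers start with "@@").
    return [ln for ln in diff[2:] if ln.startswith(("+", "-"))]

# Constructed sample snapshots (ASA-style lines, not taken from a real device).
LAST_KNOWN = """hostname edge-fw
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended deny ip any any
"""
FOUND_ON_DEVICE = """hostname edge-fw
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 22
access-list OUTSIDE_IN extended deny ip any any
"""

if __name__ == "__main__":
    print(sync_status(LAST_KNOWN, LAST_KNOWN, FOUND_ON_DEVICE))
    for line in out_of_band_diff(LAST_KNOWN, FOUND_ON_DEVICE):
        print(line)
```

Reviewing the returned lines before choosing between rejecting and accepting shows exactly which rules the out-of-band change added or removed; here it is a single added permit rule.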