Why Does Cisco Defense Orchestrator Read FTD Configurations?
In order to manage an FTD, CDO must have its own stored copy of the FTD's configuration. When CDO reads a configuration from an FTD, it takes a copy of the FTD's deployed configuration and saves it to its own database. The first time CDO reads and saves a copy of the device's configuration file is when the device is onboarded. See Reading, Discarding, Checking for, and Deploying Configuration Changes for more information.
Pending and Deployed Changes
Configuration changes made to the FTD directly through the Firepower Device Manager (FDM) or its CLI are referred to as staged changes on the FTD until they are deployed. A staged, or pending, change can be edited or deleted without having any effect on traffic running through the FTD. Once the pending changes are deployed, however, they are enforced by the FTD and affect traffic running through the device.
If you enable Conflict Detection on the device, CDO checks for configuration changes every 10 minutes. If the copy of the configuration stored on the device has changed, CDO notifies you by displaying the "Conflict Detected" configuration status. If you do not have Conflict Detection enabled, or a change has been made to the device's configuration within the 10-minute interval between automatic polls, clicking Check for Changes prompts CDO to immediately compare the copy of the configuration on the device with the copy of the configuration stored on CDO. You can choose Review Conflict to examine the differences between the device configuration and the configuration saved to CDO, then select Discard Changes to remove the staged changes and revert to the saved configuration, or confirm the changes. You can also choose Accept without Review; this option takes the device's configuration and overwrites what is currently saved to CDO.
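The comparison described above is, at its core, a check of the device's deployed copy against the copy the manager stored at onboarding or at the last accept, followed by a diff for review. The following Python model is an added illustration and is not CDO's or FDM's code; the two configuration texts, the device name and the state labels are constructed for the example. It shows why an out-of-band change should be reviewed rather than accepted blindly: the diff surfaces a rule that was added on the device without going through the manager.

```python
import difflib
import hashlib
from dataclasses import dataclass

# Constructed sample configurations (not real FTD output). The stored copy is what
# the manager saved; the device copy contains one extra rule added out of band.
STORED_CONFIG = """\
hostname ftd-branch-01
interface GigabitEthernet0/0
  nameif outside
  security-level 0
access-list OUTSIDE_IN permit tcp any host 10.0.0.5 eq 443
"""

DEVICE_CONFIG = """\
hostname ftd-branch-01
interface GigabitEthernet0/0
  nameif outside
  security-level 0
access-list OUTSIDE_IN permit tcp any host 10.0.0.5 eq 443
access-list OUTSIDE_IN permit tcp any host 10.0.0.5 eq 22
"""

SYNCED = "Synced"
CONFLICT_DETECTED = "Conflict Detected"


def fingerprint(config: str) -> str:
    """Hash the full text so a poll only needs to compare two digests."""
    return hashlib.sha256(config.encode("utf-8")).hexdigest()


@dataclass
class ManagedDevice:
    """Hypothetical manager-side record of one device: name, stored copy, sync state."""
    name: str
    stored_config: str
    state: str = SYNCED

    def check_for_changes(self, device_config: str) -> str:
        """Model of 'Check for Changes': compare the device copy with the stored copy."""
        if fingerprint(device_config) != fingerprint(self.stored_config):
            self.state = CONFLICT_DETECTED
        else:
            self.state = SYNCED
        return self.state

    def review_conflict(self, device_config: str) -> list[str]:
        """Model of 'Review Conflict': unified diff of stored copy vs. device copy."""
        return list(difflib.unified_diff(
            self.stored_config.splitlines(), device_config.splitlines(),
            fromfile="stored-on-manager", tofile="on-device", lineterm=""))

    def changed_lines(self, device_config: str) -> list[str]:
        """Only the added/removed configuration lines, without diff headers."""
        return [line for line in self.review_conflict(device_config)
                if line[:1] in "+-" and not line.startswith(("+++", "---"))]

    def accept(self, device_config: str) -> str:
        """Model of 'Accept' / 'Accept Without Review': device copy overwrites stored copy."""
        self.stored_config = device_config
        self.state = SYNCED
        return self.state

    def reject(self) -> str:
        """Model of 'Reject': the stored copy is what should be pushed back to the device."""
        self.state = SYNCED
        return self.stored_config


if __name__ == "__main__":
    device = ManagedDevice("ftd-branch-01", STORED_CONFIG)
    print(device.check_for_changes(DEVICE_CONFIG))
    for line in device.changed_lines(DEVICE_CONFIG):
        print(line)
```

Run as a script, the poll reports Conflict Detected and the changed-lines view prints the single added access-list entry, which is exactly what a reviewer needs to decide between Accept and Reject; Accept Without Review would have made that rule the manager's new baseline without anyone seeing it.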
Discard Changes Procedure
To discard configuration changes from the FTD, follow this procedure:
- In CDO, on the navigation bar, click Devices & Services.
- Select the device whose configuration status is Conflict Detected; the pane on the right gives you the link to Revert Pending Changes. The message explains that you can click the link to revert pending changes, or you can log on to the FTD using the local manager, FDM, and deploy the changes first.
Caution: Clicking the Revert Pending Changes link deletes pending changes on FTD immediately. You are not given an opportunity to review the changes first.
- Review the changes on FDM before clicking Revert Pending Changes:
  - Open a browser window and enter https://<IP_address_of_the_FTD>.
  - Look for the deployment icon in FDM. It has an orange circle indicating that there are changes ready to deploy.
  - Click the icon and review the pending changes:
    - If the changes can be deleted, return to CDO and click Revert Pending Changes. At this point, the configuration on the FTD and the copy of the configuration on CDO should be the same. You are done.
    - If you want to deploy the changes to the device, click Deploy Now. The deployed configuration on the FTD and the configuration stored on CDO are now different. Return to CDO and poll the device for changes. CDO identifies that there has been a change on the FTD and gives you an opportunity to review the conflict. See Conflict Detected-Review Conflict to resolve that state.
If Reverting Pending Changes Fails
Changes to the system databases and security feeds can't be reverted by CDO. CDO recognizes that there are pending changes, attempts to revert them, and then fails. To determine whether the revert failure is due to pending database updates or security feed updates, log in to the device's FDM console. The deployment icon will have an orange circle indicating that there are changes ready to deploy. Click the deploy button to review the pending changes, then deploy or discard them as appropriate.
Review Conflict Procedure
To review configuration changes from the FTD, follow this procedure:
- On the navigation bar, click Devices & Services.
- Select the device whose configuration is marked Conflict Detected and gives you a link to Review Conflict in the Conflict Detected pane on the right.
- Click Review Conflict.
- Compare the two configurations presented to you.
- Take one of these actions:
  - Click Accept to overwrite the last known configuration on CDO with the one found on the device. Note: The entire configuration stored on CDO will be completely overwritten by the configuration found on the device.
  - Click Reject to reject the changes made on the device and replace them with the last known configuration on CDO.
  - Click Cancel to stop the action.
Note: You can prompt CDO to immediately check a device for an out-of-band change by clicking Check for Changes while the device is in the Synced state.
Accept Without Review Procedure
To accept configuration changes from the FTD without reviewing, follow this procedure:
- On the navigation bar, click Devices & Services.
- Select the device whose configuration is marked Conflict Detected and gives you a link to Accept Without Review in the Conflict Detected pane on the right.
- Click Accept Without Review. CDO accepts and overwrites the current configuration.