Cisco Defense Orchestrator

Read Configuration Changes from FTD to Defense Orchestrator

Why Does Defense Orchestrator "Read" an FTD Configuration?

In order to manage an FTD, CDO must have its own copy of the FTD's configuration. When CDO "reads a policy" from an FTD, it takes a copy of the FTD's deployed configuration and saves it to its own database. The CDO user makes changes to the CDO's copy of the FTD's configuration until it's time to deploy those changes back to the FTD.

The first time CDO reads and saves a copy of the FTD's configuration is when the FTD is onboarded. Every other time CDO reads the FTD's configuration, it completely overwrites the copy of the FTD's configuration it maintains in its own database. It does not selectively overwrite the differences in the two versions. If you have any configuration changes that have not been "deployed" to the FTD, those changes will be lost when the "read" action occurs. 

Note: When you read from an FTD HA pair, you must read from the primary device of the HA pair. 

Pending and Deployed Changes on an FTD

Configuration changes made to the FTD directly are referred to as "pending" changes by the FTD until they are "deployed." A pending change can be edited or deleted without having any effect on traffic running through the FTD. Once the pending changes are "deployed," however, they are enforced by the FTD and affect traffic running through the device.

Conflict Detected-Revert Pending Changes

When CDO detects "pending" changes on an FTD, it notifies you and gives you the opportunity to "Revert Pending Changes" by clicking a link in CDO. By clicking Revert Pending Changes on CDO, you delete the pending changes on the FTD. Your other option is to log in to the FTD using Firepower Device Manager and deploy the changes first.

To address the Revert Pending Changes prompt, follow this procedure: 

  1. In CDO, on the navigation bar, click Devices & Services.
  2. Select the device whose configuration is set to Conflict Detected and gives you the link to Revert Pending Changes. The message explains that you can click the link to revert pending changes or you can log on to the FTD using the local manager, Firepower Device Manager (FDM), and deploy the changes first. 

Caution: Clicking the Revert Pending Changes link deletes pending changes on FTD immediately. You are not given an opportunity to review the changes. 

  3. Review the changes on FDM before clicking Revert Pending Changes:
    1. Open a browser window and enter https://<IP_address_of_the_FTD>.
    2. Look for the deployment icon in FDM. It will have an orange circle indicating that there are changes ready to deploy.
    3. Click the icon and review the pending changes:
  • If the changes can be deleted, return to CDO and click "Revert Pending Changes." At this point, the configuration on the FTD and the copy of the configuration on CDO should be the same. You are done.
  • If you want to deploy the changes to the device, click Deploy Now. Now the deployed configuration on the FTD and the configuration stored on CDO are different. After about 10 minutes CDO polls the FTD again, identifies this new state, and gives you an opportunity to Review the Conflict. See Conflict Detected-Review Conflict to resolve that state.

If Reverting Pending Changes Fails

Changes to Firepower's system databases and security feeds can't be reverted by CDO. CDO recognizes that there are pending changes, attempts to revert them, and then fails. To determine whether the revert failure is due to pending database updates or security feed updates, log on to the Firepower Device Manager (FDM) for the device with the failed reversion and look for the deployment icon in FDM. It will have an orange circle indicating that there are changes ready to deploy. Click the deploy button to review the pending changes and deploy them or discard them as appropriate.

Conflict Detected-Review Conflict

Every 10 minutes, CDO searches for changes made directly to the FTD outside of CDO. The changes may have been made using FDM or through the command line interface to the FTD. CDO refers to these changes as "out of band" changes. When CDO detects these changes, it notifies you and gives you the opportunity to review the configuration from the FTD by clicking the Review Conflict link. 

To review configuration changes from the FTD, follow this procedure:

  1. On the navigation bar, click Devices & Services.
  2. Select the device whose configuration is marked Conflict Detected and gives you a link to Review Conflict in the Conflict Detected pane at the right.
  3. Click Review Conflict.
  4. Compare the two configurations presented to you. 
  5. Take one of these actions:
  • Click Accept to overwrite the last known configuration on CDO with the one found on the device. Note: The entire configuration stored on CDO will be completely overwritten by the configuration found on the device.  
  • Click Reject to reject the changes made on the device and replace them with the last known configuration on CDO. 
  • Click Cancel to stop the Read action.
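As an added illustration that is not Cisco's code, the following Python model captures the sync semantics this page describes: a read is a whole-copy overwrite that also discards undeployed CDO edits, pending FDM changes produce the Revert Pending Changes state, and deployed out-of-band changes produce the Review Conflict state. The class, method and rule names are constructed for the example and do not correspond to any CDO API.

```python
from copy import deepcopy

class Ftd:  # device side: enforced config plus pending FDM/CLI edits
    def __init__(self, deployed):
        self.deployed = deepcopy(deployed)
        self.pending = {}                 # staged in FDM, not yet enforced
    def edit(self, rule, action):         # out-of-band change made on the FTD
        self.pending[rule] = action
    def deploy(self):                     # "Deploy Now" in FDM
        self.deployed.update(self.pending)
        self.pending = {}

class Cdo:  # CDO side: its own copy plus edits not yet deployed to the FTD
    def __init__(self, ftd):
        self.ftd, self.copy, self.staged = ftd, {}, {}
        self.read()                       # onboarding performs the first read
    def read(self):
        # Whole-copy overwrite: the old copy *and* undeployed CDO edits are lost
        self.copy = deepcopy(self.ftd.deployed)
        self.staged = {}
    def poll(self):                       # what the 10-minute poll reports
        if self.ftd.pending:
            return "Conflict Detected - Revert Pending Changes"
        if self.ftd.deployed != self.copy:
            return "Conflict Detected - Review Conflict"
        return "Synced"
    def revert_pending_changes(self):     # deletes the FTD's pending edits
        self.ftd.pending = {}
    def accept(self):                     # Review Conflict -> Accept
        self.read()
    def reject(self):                     # Review Conflict -> Reject
        self.ftd.deployed = deepcopy(self.copy)

def demo():
    """Walk the page's scenario with constructed sample rules."""
    ftd = Ftd({"allow_web": "permit"})
    cdo = Cdo(ftd)
    cdo.staged["block_telnet"] = "deny"   # edited in CDO, never deployed
    ftd.edit("allow_dns", "permit")       # admin edits the FTD directly
    states = [cdo.poll()]
    ftd.deploy()                          # chose Deploy Now instead of revert
    states.append(cdo.poll())
    cdo.accept()                          # this read discards block_telnet
    states.append(cdo.poll())
    return states, cdo.staged, cdo.copy
```

Running `demo()` shows the staged CDO edit `block_telnet` is gone after Accept, which is the loss the page warns about when a read occurs with undeployed changes.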