Why Does Defense Orchestrator Deploy Changes to an FTD?
As you manage and make changes to a device's configuration with CDO, CDO saves the changes you make to its own copy of the configuration file. Those changes are considered "staged" on CDO until they are "deployed" to the device. Staged configuration changes have no effect on the network traffic running through the device. Only after CDO "deploys" the changes to the device do they have an effect on the traffic running through the device. When CDO deploys changes to the device's configuration, it only overwrites those elements of the configuration that were changed. It does not overwrite the entire configuration file stored on the device.
Like CDO, FTD has the concept of "pending" changes and "deployed" changes. "Pending" changes on FTD are the equivalent of "staged" changes on CDO. A pending change can be edited or deleted without having any effect on traffic running through the FTD. Once the pending changes are "deployed," however, they are enforced by the FTD and affect traffic running through the device.
Because of FTD's two-step process for editing configuration files, CDO deploys changes to a Firepower Threat Defense (FTD) device slightly differently than it does to the other devices it manages. CDO first pushes the changes to the FTD, where they are in the "pending" state. CDO then "deploys" the pending changes on the device and they become live. From that point on, the changes are enforced and affect traffic running through the FTD. This applies to both standalone and high availability (HA) devices.
Two things will prevent CDO from deploying changes to an FTD:
- If there are staged changes on the FTD. See Conflict Detected-Revert Pending Changes for more information on how to resolve this state.
- If there are changes being deployed on the FTD, CDO will not deploy the changes.
Deploy Configuration Changes to a Standalone FTD
For the sake of illustration, assume the administrator makes the following changes on CDO and wants to deploy them to the FTD's configuration.
- Creates a network object called "engineering."
- Creates a network object called "HR_network."
- Creates a rule that prevents IP addresses on the engineering network from reaching the HR_network, and adds it to the Access Control Policy.
- After you make a configuration change to an FTD using CDO and save it, that change is saved in CDO's copy of the FTD's configuration.
- Return to the Devices & Services page; the configuration status of the device you changed is now "Not synced."
- Select the device and in the Not Synced pane at the right, click Preview and Deploy...
- On the Pending Changes screen, review the changes:
- Red rows indicate that something was deleted, green rows indicate something was added, and blue rows indicate that something was modified in the FTD configuration. The Pending Changes screen also shows when the last deployment was made to the FTD device and who made it.
- Changes are grouped by type. In this example there would be three changes, two of which create objects and one of which creates an access rule. Clicking the change type jumps you to that section of the pending changes record.
- The Deployed Version column shows the FTD's configuration prior to the change. The Pending Version column shows the change you are about to deploy to the FTD. In this example, because we created everything, the Deployed Version field would be empty and the Pending Version column would have the description of the change you are about to make.
- If you are satisfied with the pending version, click Deploy Now. After the changes are deployed successfully, you can view the change log to confirm what just happened.
If, when deploying a change from CDO to the FTD, you click Cancel, the changes you made are not deployed to the FTD and the process is canceled. The changes you made are still staged on CDO and can be edited further before you finally deploy them to the FTD.
If, when previewing changes, you click Discard all, the changes you made, and any other changes any other user made but did not deploy to the device, are deleted. CDO reverts its staged configuration to the last read or deployed configuration before any changes were made.