Deploy Configuration Changes

Caution

Do NOT push management center deployments over a VPN tunnel that terminates directly on the threat defense. Pushing a deployment over such a tunnel can inactivate the tunnel and disconnect the management center from the threat defense.

Recovering the device from this situation can be very disruptive and can require executing the disaster recovery procedure. That procedure resets the threat defense configuration to factory defaults by changing the manager from management center to local and configuring the device from the beginning. For more information, see Deploying the Management Center Policy Configuration over VPN Tunnel.

After you change configurations, deploy them to the affected devices. We strongly recommend that you deploy in a maintenance window or at a time when any interruptions to traffic flow and inspection will have the least impact.

Caution
When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, deploying some configurations restarts the Snort process, which interrupts traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior and Configurations that Restart the Snort Process When Deployed or Activated.

Before you begin

Note
The policy deployment process fails if the system is reading the sensor configuration during deployment. Executing commands such as show running-config from the sensor CLI disturbs the deployment and causes it to fail.

Procedure


Step 1

On the management center menu bar, click Deploy and then select Deployment.

The page lists the devices whose configurations are out of date, with the status Pending.

  • The Modified By column lists the users who have modified the policies or objects. On expanding the device listing, you can view the users who have modified the policies against each policy listing.

    Note

    Usernames are not provided for deleted policies and objects.

  • The Inspect Interruption column indicates whether deployment may interrupt traffic inspection on the device.

    See Restart Warnings for the Threat Defense Devices for information that helps you identify configurations that interrupt traffic inspection, and that might interrupt traffic, when deployed to threat defense devices.

    A blank entry in this column means that deployment will not interrupt traffic inspection on that device.

  • The Last Modified Time column specifies when you last made the configuration changes.

  • The Preview column allows you to preview the changes for the next deployment. For more information, see Deployment Preview.

  • The Status column provides the status for each deployment. For more information, see Deployment Status.

Step 2

Identify and choose the devices on which you want to deploy configuration changes.

  • Search—Search for the device name, type, domain, group, or status in the search box.
  • Expand—Click Expand Arrow (expand arrow icon) to view device-specific configuration changes to be deployed.

    Selecting the device check box deploys all the changes listed under that device. To deploy only some of them, use Policy selection (policy selection icon) to choose individual policies or configurations and withhold the rest. For details, see Selective Policy Deployment.

    Optionally, use Show or Hide Policy (Show or Hide Policy icon) to selectively view or hide the associated unmodified policies.

    Note
    • When the Inspect Interruption column shows Yes, meaning that deploying will interrupt inspection, and perhaps traffic, on a threat defense device, the expanded list marks the specific configurations causing the interruption with the Inspect Interruption icon (inspect interruption icon).

    • When there are changes to interface groups, security zones, or objects, the impacted devices are shown as out-of-date on the management center. To ensure that the changes take effect, you must also deploy the policies that use those interface groups, security zones, or objects. The impacted policies are shown as out-of-date on the Preview page on the management center.

Step 3

(Optional) Click Estimate to get a rough estimate of the deployment duration.

For more details, see Deployment Estimate.

Step 4

Click Deploy.

Step 5

If the system identifies errors or warnings in the changes to be deployed, it displays them in the Validation Messages window. To view complete details, click the arrow icon before the warnings or errors.

You have the following choices:

  • Deploy—Continue deploying without resolving warning conditions. You cannot proceed if the system identifies errors.
  • Close—Exit without deploying. Resolve the error and warning conditions, and attempt to deploy the configuration again.

What to do next

  • (Optional) Monitor deployment status; see Viewing Deployment Messages.

  • If deploy fails, see Best Practices for Deploying Configuration Changes.

  • If a deployment fails for any reason, the failure may impact traffic, depending on which configuration changes the deployment contains. The following table lists the configuration changes that may interrupt traffic when deployment fails.

    Configuration Changes                                        Exists?   Traffic Impacted?
    ----------------------------------------------------------   -------   -----------------
    Threat Defense Service changes in an access control policy   Yes       Yes
    VRF                                                          Yes       Yes
    Interface                                                    Yes       Yes
    QoS                                                          Yes       Yes

    Note

    The traffic interruptions listed in this table apply only when both the management center and the threat defense are version 6.2.3 or higher.
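The triage that Step 2 (the Inspect Interruption column) and the table above describe can be scripted before clicking Deploy. The following is an added example, not Cisco code: the row layout is an assumption mirroring the Deployment page columns, and the sample rows are constructed.

```python
# Added example (not Cisco code): triage the Deploy > Deployment listing using
# the Inspect Interruption column and the page's table of change types that
# impact traffic if deployment fails. Row layout assumed; sample rows constructed.
from typing import Dict, List, Tuple

# Change types the page's table flags as impacting traffic when a deployment
# fails (applies only when both sides are version 6.2.3 or higher).
TRAFFIC_IMPACT_ON_FAILURE = {
    "Threat Defense Service changes in an access control policy",
    "VRF", "Interface", "QoS",
}
MIN_VERSION = (6, 2, 3)

def version_tuple(text: str) -> Tuple[int, ...]:
    """'6.2.10' -> (6, 2, 10): compare versions numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def failure_can_impact_traffic(row: Dict, mc_version: str) -> List[str]:
    """Pending change types the table flags; empty if the table does not apply."""
    if min(version_tuple(mc_version), version_tuple(row["version"])) < MIN_VERSION:
        return []
    return sorted(TRAFFIC_IMPACT_ON_FAILURE & set(row["pending_changes"]))

def triage(rows: List[Dict], mc_version: str, in_window: bool) -> Dict[str, List[str]]:
    """Split devices into those to deploy now and those to hold for a window."""
    plan = {"deploy_now": [], "hold": [], "reasons": []}
    for row in rows:
        reasons = []
        # A blank Inspect Interruption column means no interruption on deploy.
        if row["inspect_interruption"].strip().lower() == "yes":
            reasons.append("deployment interrupts inspection")
        risky = failure_can_impact_traffic(row, mc_version)
        if risky:
            reasons.append("failure could impact traffic: " + ", ".join(risky))
        if reasons and not in_window:
            plan["hold"].append(row["device"])
            plan["reasons"].append(row["device"] + ": " + "; ".join(reasons))
        else:
            plan["deploy_now"].append(row["device"])
    return plan

# Constructed sample rows mirroring the Deployment page columns.
SAMPLE_ROWS = [
    {"device": "ftd-edge-1", "version": "7.0.1", "inspect_interruption": "Yes",
     "pending_changes": ["Interface", "Access Control Policy"]},
    {"device": "ftd-dc-2", "version": "7.0.1", "inspect_interruption": "",
     "pending_changes": ["Network objects"]},
    {"device": "ftd-old-3", "version": "6.2.2", "inspect_interruption": "",
     "pending_changes": ["QoS"]},
]
```

Outside a maintenance window, `triage(SAMPLE_ROWS, "7.0.1", False)` holds only ftd-edge-1; ftd-old-3 is not flagged because the table does not apply to a device older than 6.2.3.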