Sync Interface Changes with the Management Center

Interface configuration changes on the device can cause the management center and the device to get out of sync. The management center can detect interface changes by one of the following methods:

  • Event sent from the device

  • Sync when you deploy from the management center

    If the management center detects interface changes when it attempts to deploy, the deploy will fail. You must first accept the interface changes.

  • Manual sync

There are two types of interface changes performed outside of the management center that need to be synced:

  • Addition or deletion of physical interfaces—Adding a new interface or deleting an unused interface has minimal impact on the threat defense configuration. However, deleting an interface that is used in your security policy will impact the configuration. Interfaces can be referenced directly in many places in the threat defense configuration, including access rules, NAT, SSL, identity rules, VPN, DHCP server, and so on. Deleting an interface will delete any configuration associated with that interface. Policies that refer to security zones are not affected. You can also edit the membership of an allocated EtherChannel without affecting the logical device or requiring a sync on the management center.

    When the management center detects changes, the Interface page shows status (removed, changed, or added) to the left of each interface.

  • Management Center access interface changes—If you configure a data interface for management using the configure network management-data-interface command, you must manually make matching configuration changes in the management center and then acknowledge the changes. These interface changes cannot be made automatically.

This procedure describes how to manually sync device changes if required and how to acknowledge the detected changes. If device changes are temporary, you should not save the changes in the management center; you should wait until the device is stable, and then re-sync.

Procedure


Step 1

Select Devices > Device Management and click Edit (edit icon) for your threat defense device. The Interfaces page is selected by default.

Step 2

If required, click Sync Device on the top left of Interfaces.

Step 3

After the changes are detected, see the following steps.

Addition or Deletion of Physical Interfaces

  1. You will see a red banner on Interfaces indicating that the interface configuration has changed. Click the Click to know more link to view the interface changes.

  2. Click Validate Changes to make sure your policy will still work with the interface changes.

    If there are any errors, you need to change your policy and rerun the validation.

  3. Click Save.

    You can now go to Deploy > Deployment and deploy the policy to assigned devices.

FMC Access Interface Changes

  1. You will see a yellow banner in the top right of the Device page indicating that the management center access configuration has changed. Click the View details link to view the interface changes.

    The FMC Access - Configuration Details dialog box opens.

  2. Take note of all highlighted configurations, especially the pink highlighted ones. You need to match any values on the threat defense by manually configuring them on the management center.

    For example, the pink highlights below show configuration that exists on the threat defense but not yet on the management center.

    The following example shows this page after configuring the interface in management center; the interface settings match, and the pink highlight was removed.

  3. Click Acknowledge.

    We recommend that you do not click Acknowledge until you have finished the management center configuration, and are ready to deploy. Clicking Acknowledge removes the block on deployment. The next time you deploy, the management center configuration will overwrite any remaining conflicting settings on the threat defense. It is your responsibility to manually fix the configuration in the management center before you re-deploy.

  4. You can now go to Deploy > Deployment and deploy the policy to assigned devices.