Verify the Deployed Configuration

After you deploy a FlexConfig policy to a device, verify that the deployment was successful and that the resulting configuration is what you expected. Also, verify that the device is performing as expected.

Procedure


Step 1

To verify that deployment was successful:

  1. Click the Notifications icon in the menu bar. The icon is unlabeled and sits between Deploy and System.

    The icon looks like one of the following, and it might include a number if there are errors:

    • No Warnings: no warnings or errors are present on the system.

    • One or More Warnings: one or more warnings and no errors are present on the system.

    • One or More Errors: one or more errors and any number of warnings are present on the system.

  2. On Deployments, verify that the deployment was successful.

  3. To see more detailed information, especially for failed deployments, click Show History.

  4. Select the deployment job in the list of jobs in the left column.

    Jobs are listed in reverse chronological order, with the most recent job at the top of the list.

  5. Click download in the Transcript column for the device in the right column.

    The deployment transcript includes the commands sent to the device and any responses returned from the device. These responses can be informative messages or error messages. For failed deployments, look for messages that indicate errors with the commands that you sent through FlexConfig. These errors can help you correct the script in the FlexConfig object that is trying to configure the commands.

    Note

    There is no distinction made in the transcript between commands sent for managed features and those generated from FlexConfig policies.

    For example, the following sequence shows that management center sent commands to configure GigabitEthernet0/0 with the logical name outside. The device responded that it automatically set the security level to 0. Threat Defense does not use the security level for anything. Messages relevant to FlexConfig are in the CLI Apply section of the transcript.

    
    ========= CLI APPLY =========
    
    FMC >> interface GigabitEthernet0/0
    FMC >>  nameif outside
    FTDv 192.168.0.152 >> [info] : INFO: Security level for "outside" set to 0 by default.
    
    

Step 2

Verify that the deployed configuration includes the expected commands.

You can do this by making an SSH connection to the device's management IP address. Use the show running-config command to view the configuration.

Alternatively, use the CLI tool within Secure Firewall Management Center.

  1. Choose > Health > Monitor and click the name of the device.

    You might need to click the open/close arrow in the Count column in the Status table to see any devices.

  2. Click Advanced Troubleshooting.

  3. Click Threat Defense CLI.

  4. Select show as the command, and type running-config as the parameter.

  5. Click Execute.

    The running configuration appears in the text box. You can select the configuration and press Ctrl+C, then paste it into a text file for later analysis.
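As an added example (not part of the original documentation), the following Python script checks a saved copy of the show running-config output for expected commands under their parent blocks, so a command that landed under the wrong interface or policy map is reported as missing. The sample configuration and the expected-command list are constructed for illustration, and the script assumes the one-space-per-level indentation of the running configuration survived the copy and paste.

```python
"""Check a saved 'show running-config' capture for expected commands (added example)."""

# Constructed sample of pasted running-config text, not output from a real device.
SAMPLE_CONFIG = """\
: Saved
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 0
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
!
: end
"""

# Hypothetical expectations: each tuple is (parent, ..., command).
EXPECTED = [
    ("interface GigabitEthernet0/0", "nameif outside"),
    ("policy-map global_policy", "class inspection_default", "inspect ftp"),
    ("policy-map global_policy", "class inspection_default", "inspect snmp"),
    ("interface GigabitEthernet0/1", "nameif outside"),  # wrong parent block
]

def parse_config(text):
    """Return the set of (ancestor, ..., command) paths found in the config text."""
    paths, stack = set(), []  # stack: (indent, command) for each open parent
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("!", ":")):
            continue  # skip blanks, '!' separators and ': Saved' style comments
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close blocks at the same or deeper indentation
        stack.append((indent, " ".join(raw.split())))
        paths.add(tuple(cmd for _, cmd in stack))
    return paths

def missing_commands(config_text, expected):
    """Return the expected paths that are absent from the configuration."""
    present = parse_config(config_text)
    return [tuple(path) for path in expected if tuple(path) not in present]

if __name__ == "__main__":
    for path in missing_commands(SAMPLE_CONFIG, EXPECTED):
        print("MISSING:", " -> ".join(path))
```

A flat text search for nameif outside would pass the last expectation; matching on the full parent path is what catches a command applied to the wrong block.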

Step 3

Verify that the device is performing as expected.

Use the show commands related to the feature to see detailed information and statistics. For example, if you enabled additional protocol inspections, the show service-policy command provides this information. The exact commands to use are feature-dependent and should be mentioned in the ASA configuration guide and command reference you used to learn how to configure the feature.

If commands that show statistics indicate that numbers are not changing (for example, hit counts, connection counts, and so forth), the configuration might be valid but not meaningful. If you know that traffic is going through the device that should show up in statistics, look for what is missing in your configuration. For example, NAT or access rules might be dropping or changing traffic before a feature can act on it.

You can use the show commands from an SSH session or through the management center CLI tool.

However, if the show command that you need to use is not available directly within the threat defense CLI, you will need to make an SSH connection to the device to use the command. From the CLI, enter the following command sequence to enter Privileged EXEC mode within the diagnostic CLI. From there, you should be able to enter these otherwise unsupported show commands.


> system support diagnostic-cli
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
firepower> enable
Password: <press enter, do not enter a password>
firepower#