Deploy Configuration Changes

After you change configurations, deploy them to the affected devices. We strongly recommend that you deploy in a maintenance window or at a time when any interruptions to traffic flow and inspection will have the least impact.

Caution

When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, deploying some configurations restarts the Snort process, which interrupts traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort Restart Traffic Behavior and Configurations that Restart the Snort Process When Deployed or Activated.

Before you begin

Be sure all managed devices use the same revision of the Security Zones object. If you have edited security zone objects: Do not deploy configuration changes to any device until you edit the zone setting for interfaces on all devices you want to sync. You must deploy to all managed devices at the same time.
To preview the deployment changes, enable REST API access. To enable the REST API access, follow the steps in Enabling REST API Access.

Note	The deployment process fails if the device configuration is being read at the device CLI during deployment. Do not execute commands such as show running-config during the deployment.

Procedure

Step 1

On the management center menu bar, click Deploy.

Step 2

For a quick deployment, check specific devices and then click Deploy, or click Deploy All to deploy to all devices. Otherwise, for additional deployment options, click Advanced Deploy.

The rest of this procedure applies to the Advanced Deploy screen.

Step 3

Click Expand Arrow ( expand arrow icon ) to view device-specific configuration changes to be deployed.

The Modified By column lists the users who have modified the policies or objects. On expanding the device listing, you can view the users who have modified the policies against each policy listing. For information about when the System user is shown (instead of the logged-in user), see System Username.

Note

Usernames are not provided for deleted policies and objects.
The Inspect Interruption column indicates if traffic inspection interruption may be caused in the device during deployment.

When the status indicates (Yes) that deploying will interrupt inspection, and perhaps traffic, on the threat defense device, the expanded list indicates the specific configurations causing the interruption with the Inspect Interruption ().

If the entry is blank in this column for a device, then it indicates that there will be no traffic inspection interruptions on that device during deployment.

See Restart Warnings for Devices for information to help you identify configurations that interrupt traffic inspection and might interrupt traffic when deployed to the threat defense devices.
The Last Modified Time column specifies when you last made the configuration changes.
The Preview column allows you to preview the changes for the next deployment.
The Status column provides the status for each deployment. For more information, see View Deployment Status.

Step 4

In the Preview column, click Preview ( preview icon ) to see the configuration changes that you can deploy.

Note	If you change the management center name in System () > Configuration > Information, the deployment preview does not specify this change, yet it requires a deployment.

For unsupported features for Preview, see Deployment Preview.

The Comparison View tab lists all the policy and object changes. The left pane lists all the different policy types that have changed on the device, organized in a tree structure.

The Filter icon () lets you filter the policies at the user level and policy level.

The right pane lists all the additions, changes, or deletions in the policy, or the object selected in the left pane. The two columns on the right pane provide the last deployed configuration settings (in the Deployed Version column) versus the changes that are due for deployment (in the Version on Firewall Management Center column). The last-deployed configuration settings are derived from a snapshot of the last saved deployment in the management center and not from the device. The background colors of the settings are color-coded as per the legend available on the top-right of the page.

The Modified By column lists the users who have modified, or added the configuration settings. At the policy level, the management center displays all the users who have modified the policy, and at the rule level, the management center displays only the last user who has modified the rule.

You can download a copy of the change log by clicking the Download Report button.

The Advanced View tab shows the CLI commands that will be applied. This view is useful if you are familiar with ASA CLI, which is used on the back end of the threat defense.

Step 5

Use Show or Hide Policy ( Show or Hide Policy icon ) to selectively view or hide the associated unmodified policies.

Step 6

Check the box next to the device name to deploy all configuration changes, or click Policy selection ( policy selection icon ) to select individual policies or configurations to deploy while withholding the remaining changes without deploying them.

You can also view the interdependent changes for a certain policy or configuration using this option. The management center dynamically detects dependencies between policies (for example, between an access control policy and an intrusion policy), and between the shared objects and the policies. Interdependent changes are indicated using color-coded tags to identify a set of interdependent deployment changes. When one of the deployment changes is selected, the interdependent changes are automatically selected.

For more details, see Selective Policy Deployment.

Note

When the changes in shared objects are deployed, the impacted policies should also be deployed along with them. When you select a shared object during deployment, the impacted policies are automatically selected.
Selective deployment is not supported for scheduled deployments and deployments using REST APIs. You can only opt for complete deployment of all the changes in these cases.
The pre-deployment checks for warnings and errors are performed not only on the selected policies, but on all the policies that are out-of-date. Therefore, the warnings or errors list shows the deselected policies as well.
Similarly, the Inspect Interruption column indication on the Deployment page considers all out-of-date policies and not just the selected policies. For information on the Inspect Interruption column, see Restart Warnings for Devices.

Step 7

After you select the devices or policies to deploy, click Estimate to get a rough estimate of the deployment duration.

The time duration is a rough estimate (having around 70% accuracy), and the actual time taken for deployment may vary for a few scenarios. The estimate is dependable for deployments of up to 20 devices.

When an estimate is not available, it indicates that the data is not available, since the first successful deployment on the selected device is pending. This situation could occur after the management center reimage, version upgrade, or after a high availability failover.

Note	The estimate is incorrect and unreliable for bulk policy changes (in case of bulk policy migrations), and selective deployments because the estimate is based on the heuristic technique.

Step 8

Click Deploy.

Step 9

If the system identifies errors or warnings in the changes to be deployed, it displays them in the Validation Messages window. To view complete details, click the arrow icon before the warnings or errors.

You have the following choices:

Deploy—Continue deploying without resolving warning conditions. Check the Ignore warnings checkbox, to ignore warnings and deploy the changes. You cannot proceed if the system identifies errors.
Close—Exit without deploying. Resolve the error and warning conditions, and attempt to deploy the configuration again.

What to do next

(Optional) Monitor deployment status; see View Deployment Messages.
If the deployment fails, see Best Practices for Deploying Configuration Changes.

During deployment, if there are specific configuration changes in the deployment, the deployment failure may lead to traffic being interrupted. For example, in a cluster environment, an erroneous configuration of an IP address that is not in the same subnet as the Site IPs is configured on the interface. Due to this error, deployment fails and the device attempts to clear the configuration while the rollback operation is being processed. These events collectively lead to a deployment failure that interrupts the traffic.

See the following table to know what configuration changes may cause traffic interruption when deployment fails.


Configuration Changes	Exists?	Traffic Impacted?
Threat Defense Service changes in an access control policy	Yes	Yes
VRF	Yes	Yes
Interface	Yes	Yes
QoS	Yes	Yes

Note	The configuration changes interrupting traffic during deployment is valid only if both the management center and the threat defense are of version 6.2.3 or higher.