Roll Back a Deployment

You can roll back a device to a previously deployed configuration. After a policy deployment, if the traffic through the device is affected in an unintended way, rollback provides an option to revert the device to the earlier state, which existed before the faulty deployment.

Rollback is a disruptive operation: all the existing connections and routes are dropped, and the traffic is disrupted.

Identifying the Disruptive Configuration

When a deployment has gone awry and caused traffic interruption in an unintended way, you should identify the change in the deployment that caused the condition and fix it so your next deployment will be successful.

The following procedures describe how to compare configurations, either before you roll back or after a rollback has completed.

Before a Rollback

  1. Choose Deploy > Deployment History, expand the last deployed job (the one that caused the traffic disruption), and click the Preview icon.

    The preview page provides an option to compare deployments, which can be useful to identify specific changes for a deployment compared to a previous deployment.

  2. After identifying the change causing the problem, rectify the configuration, and redeploy it on the device.

After a Rollback

  1. After a successful rollback operation, choose Deploy > Deployment, and click the Preview icon next to the rolled back device.

  2. View the changes between the rolled back configuration and the current changes in the Firewall Management Center that are pending deployment.

  3. After identifying the change causing the problem, rectify the configuration, and redeploy it on the device.

Rollback Guidelines and Limitations

  • You can roll back to any one of the last 10 versions before the currently deployed version. Rollback to versions prior to these is not supported. The rollback icon is greyed out for unsupported versions.

  • You have to perform a deployment before you can roll back again.

  • After you perform a rollback, the rolled back devices are marked as out-of-date on the Firewall Management Center. The changes you made to the configuration are still pending for the next deployment. To see the pending changes, choose Deploy > Deployment, and click the Preview icon next to the rolled back device.

  • For devices with very large access lists, if the Object Group Search setting is disabled, the rollback operation may take longer to complete. To verify the Object Group Search setting, choose Devices > Device Management, select the device, and click Edit Advanced Settings.

  • For the Firepower 4100/9300, make sure your current Firewall Chassis Manager interface configuration is the same for any rollback versions. Otherwise, the rollback interface configuration may not match your actual interfaces.

  • Rollback is not supported if the manager access interface (Manager or data interface) is different between the rollback version and the current version.

  • Independent certificate enrollments are also listed as deployment jobs in the Deployment History page. However, you cannot roll back to these versions. A rollback from a deployment version created after certificate enrollments reverts the certificate associations as well. In the next deployment after a rollback, manually associate the certificates before proceeding with the deployment.

  • If you upgrade the Firewall Management Center, all rollback versions from the previous software release will no longer be available for devices, even if you did not upgrade the devices.

  • If you upgrade the device, you can only roll back to versions on the current software release.

  • If a deployment for a device with a FlexConfig object configured with a deployment frequency set to Once is rolled back, then you will not be able to redeploy the object even though it is displayed as out-of-date on the Preview page. After a rollback, you will have to manually unassign and then reassign the FlexConfig object to the device before the next deployment.

  • For High Availability, rollback is not supported in the following scenarios:

    • When the version you want to roll back to contains the high-availability bootstrap configuration, that is, the deployment in which you first formed high availability from the standalone devices.

    • When a device that is currently in standalone mode was part of a high availability pair in the previous deployment version.

  • For clustering, see the following guidelines:

    • Rollback is not supported when a device that is currently in standalone mode was part of a cluster in the previous deployment version.

    • (Secure Firewall 3100/4200 and Firewall Threat Defense Virtual in a private cloud) If you change the clustering bootstrap configuration or add or delete nodes, you cannot roll back to a version prior to those changes.

Configurations Not Reverted After a Rollback

Rollback reverts all the configurations on the device except a few. See the table below for details.

Configurations that are reverted during a rollback

  • All policy configurations

  • Interface configurations

Configurations that are not reverted during a rollback

  • SRU configurations

  • VDB configurations

  • LSP configurations

  • VPN configurations

  • FXOS configurations

  • Snort binaries

  • Geo DB