Customizing Device Configuration with FlexConfig Policies

Use FlexConfig policies to customize the configuration of a threat defense device.

Before using FlexConfig, try to configure all the policies and settings you need using the other features in management center. FlexConfig is a method of last resort to configure ASA-based features that are compatible with threat defense but which are not otherwise configurable in management center.

Following is the end-to-end procedure for configuring and deploying a FlexConfig policy.

Procedure


Step 1

Determine the CLI command sequence that you want to configure.

If you have a functioning configuration on an ASA device, use show running-config to get the sequence of commands that you need. Make adjustments to items such as interface names and IP addresses as needed.

If this is for a new feature, it is best to try to implement it on an ASA device in a lab setting to verify that you have the correct command sequence.

For more information, see the following topics:

Step 2

Choose Objects > Object Management, then select FlexConfig > FlexConfig Objects from the table of contents.

Examine the predefined FlexConfig objects to determine if any will be able to generate the commands you need. Click the View icon to see the object contents. If an existing object is close to what you want, start by making a copy of the object, and then edit the copy. See Predefined FlexConfig Objects.

Examining the objects will also give you an idea of the structure, command syntax, and expected sequencing for a FlexConfig object.

Note

If you find any objects that you will use, either directly or as copies, examine the Variables list at the bottom of the object. Make note of the variable names, except those in all capitals that start with SYS, which are system variables. These variables are text objects that you will probably need to edit and define overrides for, especially if the default value column shows the object has no value.

Step 3

If you need to create your own FlexConfig objects, determine what variables you will need and create the associated objects.

The CLI you need to deploy might contain IP addresses, interface names, port numbers, and other parameters that you might want to adjust over time. These are best isolated into variables, which point to objects that contain the necessary values. You might also need variables for strings that are part of the configuration but which might change over time.

Also, determine if you need different values for each device to which you will assign the policy. For example, you might want to configure the feature on three devices, but you might need to specify a different interface name or IP address on a given command for each of these devices. If you need to customize the object for each device, ensure that you enable overrides when creating the object, and then define the override values per device.

See the following topics for an explanation of the various types of variables and how to configure the related objects when necessary.

Step 4

If you are using the predefined FlexConfig objects, edit the text objects used as variables.

Step 5

(If necessary.) Configure FlexConfig Objects.

You need to create objects only if the predefined objects cannot do the job.

Step 6

Configure the FlexConfig Policy.

Step 7

Set Target Devices for a FlexConfig Policy.

You can also assign the policy to devices when you create the policy. The policy must have at least one assigned device before you can preview it.

Step 8

Preview the FlexConfig Policy.

You must save changes before you can preview the policy.

Verify that the generated commands are the ones intended, and that all variables are resolving correctly.

Step 9

Choose Deploy > Deployment in the menu bar.

Step 10

Select the devices assigned to the policy, and click Deploy.

Wait for deployment to complete.

Step 11

Verify the Deployed Configuration.

Step 12

(If necessary.) Remove Features Configured Using FlexConfig.

Unlike other types of policy, simply unassigning a FlexConfig from a device might not remove the related configuration. If you want to remove a FlexConfig-generated configuration, follow the cited procedure.

If you are removing a feature because it is now directly supported by the product, see also Convert from FlexConfig to Managed Feature.
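
The variable handling from Steps 3 and 8, as an added sketch that is not Cisco's code and not part of this documentation: it models default values, per-device overrides, and a check that every variable resolves for every target device before deployment. The "$name" placeholder syntax, the variable names, the device names and the command lines are constructed for the illustration.

```python
import re

VAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

# Constructed command template. The "$name" placeholder syntax, the variable
# names and the device names below are assumptions made for this sketch.
TEMPLATE = (
    "sysopt connection tcpmss $tcpMss\n"
    "ip verify reverse-path interface $wanIf\n"
    "logging host $wanIf $syslogIp\n"
)
# Default value per text object; None models an object with no default value.
DEFAULTS = {"tcpMss": "1380", "wanIf": "outside", "syslogIp": None}
# Per-device override values (only possible when overrides are enabled).
OVERRIDES = {
    "fw-a": {"syslogIp": "192.0.2.10"},
    "fw-b": {"wanIf": "wan1", "syslogIp": "192.0.2.20"},
    "fw-c": {},  # no overrides defined: falls back to defaults only
}


def is_system(name):
    """All-capitals names starting with SYS are system variables (Step 2 note)."""
    return name.startswith("SYS") and name.isupper()


def preview(device, template=TEMPLATE):
    """Render the template for one device; return (commands, unresolved names)."""
    unresolved = set()

    def substitute(match):
        name = match.group(1)
        if is_system(name):
            return match.group(0)  # filled in by the system, not by the user
        value = OVERRIDES.get(device, {}).get(name, DEFAULTS.get(name))
        if value is None:
            unresolved.add(name)
            return match.group(0)  # leave visible so the gap is obvious
        return value

    return VAR.sub(substitute, template), sorted(unresolved)


def deploy_blockers(devices=OVERRIDES):
    """Map each device to the variables that still have no value for it."""
    report = {d: preview(d)[1] for d in devices}
    return {d: names for d, names in report.items() if names}


if __name__ == "__main__":
    for dev in OVERRIDES:
        print(dev, preview(dev), sep="\n")
    print("unresolved:", deploy_blockers())
```

Here fw-c is reported because the object behind syslogIp has no default value and no override was defined for that device, which is the case the Step 2 note and the Step 8 preview check are meant to catch.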