Deploy Configuration Changes

After you change configurations, deploy them to the affected devices.

Note

This topic covers the basic steps involved in deploying configuration changes. We strongly recommend that you refer to the Deploy Configuration Changes topic in the latest version of the Cisco Secure Firewall Management Center Configuration Guide to understand the prerequisites and implications of deploying the changes before proceeding with the steps.

Caution
When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, deploying some configurations restarts the Snort process, which interrupts traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic.

Procedure


Step 1

On the Secure Firewall Management Center menu bar, click Deploy and choose Deployment.

The GUI page lists the devices with out-of-date configurations that have the Pending status.

  • The Modified By column lists the users who have modified the policies or objects. Expand the device listing to view the users who have modified the policies for each policy listing.

    Note

    Usernames are not provided for deleted policies and objects.

  • The Inspect Interruption column indicates if traffic inspection interruption might occur in the device during deployment.

    If this column is blank for a device, it indicates that there will be no traffic inspection interruptions on that device during deployment.

  • The Last Modified Time column specifies the last time you made configuration changes.

  • The Preview column allows you to preview the changes for the next deployment.

  • The Status column provides the status for each deployment.

Step 2

Identify and choose the devices on which you want to deploy configuration changes.

  • Search—Search for the device name, type, domain, group, or status in the search box.
  • Expand—Click Expand Arrow (expand arrow icon) to view device-specific configuration changes to be deployed.

    When you check the check box adjacent to a device, all the changes made to the device and listed under it are pushed for deployment. However, you can use Policy selection (policy selection icon) to select individual policies or specific configurations to deploy while withholding the remaining changes.

    Note
    • When the status in the Inspect Interruption column indicates (Yes) that deploying will interrupt inspection, and perhaps traffic, on a threat defense device, the expanded list indicates the specific configurations causing the interruption with the Inspect Interruption (inspect interruption icon).

    • When there are changes to interface groups, security zones, or objects, the impacted devices are shown as out-of-date on the management center. To ensure that these changes take effect, the policies that use these interface groups, security zones, or objects must also be deployed along with these changes. The impacted policies are shown as out-of-date on the Preview page on the management center.

Step 3

Click Deploy.

Step 4

If the system identifies errors or warnings in the changes to be deployed, it displays them in the Validation Messages window. To view complete details, click the arrow icon before the warnings or errors.

You have the following choices:

  • Deploy—Continue deploying without resolving warning conditions. You cannot proceed if the system identifies errors.
  • Close—Exit without deploying. Resolve the error and warning conditions, and attempt to deploy the configuration again.

What to do next

If a deployment fails, the failure may impact traffic, depending on certain conditions. If the deployment contains specific configuration changes, the failure may lead to traffic being interrupted. For details, see the Deploy Configuration Changes topic in the latest version of the Cisco Secure Firewall Management Center Configuration Guide.