Manually Roll Back the Configuration if the Firewall Management Center Loses Connectivity
If you use a data interface on the Firewall Threat Defense for manager access and you deploy a configuration change from the Firewall Management Center that breaks network connectivity, you can roll back the configuration on the Firewall Threat Defense to the last-deployed configuration to restore the management connection. You can then adjust the configuration in the Firewall Management Center so that network connectivity is maintained, and deploy again. The rollback feature is not limited to this troubleshooting situation; you can use it even if you have not lost connectivity.
Alternatively, you can enable auto rollback of the configuration if you lose connectivity after a deployment; see Edit Deployment Settings.
See the following guidelines:
- Only the previous deployment is available locally on the Firewall Threat Defense; you cannot roll back to any earlier deployment.
- Rollback is supported for high availability but not for clustering deployments.
- Rollback is not supported immediately after high availability creation.
- The rollback only affects configurations that you can set in the Firewall Management Center. For example, it does not affect any local configuration related to the dedicated Management interface, which you can only configure at the Firewall Threat Defense CLI. Note that if you changed data interface settings after the last Firewall Management Center deployment using the configure network management-data-interface command and then run configure policy rollback, those settings are not preserved; they revert to the last-deployed Firewall Management Center settings.
- UCAPL/CC mode cannot be rolled back.
- Out-of-band SCEP certificate data that was updated during the previous deployment cannot be rolled back.
- During the rollback, existing connections drop because the current configuration is cleared before the previous one is applied.
Procedure
Step 1 | At the Firewall Threat Defense CLI, roll back to the previous configuration:
configure policy rollback
After the rollback, the Firewall Threat Defense notifies the Firewall Management Center that the rollback completed successfully. In the Firewall Management Center, the deployment screen shows a banner stating that the configuration was rolled back.
Step 2 | Check that the management connection was reestablished. In the Firewall Management Center, check the management connection status on the page. At the Firewall Threat Defense CLI, enter the sftunnel-status-brief command to view the management connection status. If it takes more than 10 minutes to reestablish the connection, troubleshoot the connection; see Troubleshoot Management Connectivity on a Data Interface.
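The following script is an added example, not part of this guide or of the Firewall Threat Defense itself. It shows how Step 2 can be automated: a function decides from sftunnel-status-brief output whether the tunnel to the Firewall Management Center is back (registration completed and both the CONTROL and EVENT channels valid), and a polling loop applies the 10-minute threshold before giving up. The line patterns it matches, the two sample outputs (constructed, not captured from a device), and the way you obtain the command output (directly at the CLI, or through an ssh wrapper from a jump host) are assumptions; adjust them to your release.

```shell
#!/bin/sh
# Added example, not part of the Cisco guide: check the output of the FTD
# `sftunnel-status-brief` command after `configure policy rollback` and poll
# until the management tunnel to the FMC is back, giving up after the guide's
# 10-minute troubleshooting threshold.
#
# ASSUMPTION: the line formats matched below ("Registration: Completed." and
# the "Peer channel Channel-A/B is valid type (CONTROL/EVENT)" lines) are what
# sftunnel-status-brief prints on your release; adjust the patterns if not.

# sftunnel_connected OUTPUT
# Returns 0 when OUTPUT shows a completed registration and both tunnel
# channels (CONTROL and EVENT) valid, 1 otherwise.
sftunnel_connected() {
    out="$1"
    printf '%s\n' "$out" | grep -q 'Registration: Completed' || return 1
    printf '%s\n' "$out" | grep -q 'Channel-A is valid type (CONTROL)' || return 1
    printf '%s\n' "$out" | grep -q 'Channel-B is valid type (EVENT)' || return 1
    return 0
}

# wait_for_tunnel CMD [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Runs CMD (a string evaluated by the shell, e.g. "sftunnel-status-brief" on
# the device, or an ssh wrapper from a jump host) every INTERVAL seconds
# until sftunnel_connected accepts its output. Returns 0 when the tunnel is
# up and 2 when TIMEOUT (default 600 s, the guide's 10 minutes) passes first.
wait_for_tunnel() {
    cmd="$1"; timeout="${2:-600}"; interval="${3:-15}"
    [ "$interval" -gt 0 ] || interval=1   # never spin without advancing time
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        status="$(eval "$cmd" 2>/dev/null)" || status=""
        if sftunnel_connected "$status"; then
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    return 2
}

# Constructed sample output (not captured from a real device): healthy tunnel.
SAMPLE_UP="PEER:10.10.17.202
Peer channel Channel-A is valid type (CONTROL), using 'eth0', connected to '10.10.17.202' via '10.10.17.222'
Peer channel Channel-B is valid type (EVENT), using 'eth0', connected to '10.10.17.202' via '10.10.17.222'
Registration: Completed.
IPv4 Connection to peer '10.10.17.202' Start Time: Wed Jun 10 14:27:12 2020 UTC
Heartbeat Send Time: Wed Jun 10 14:38:49 2020 UTC
Heartbeat Received Time: Wed Jun 10 14:38:49 2020 UTC"

# Constructed sample: the device is still registered but neither channel has
# come back, which is the state you are waiting out after a rollback.
SAMPLE_DOWN="PEER:10.10.17.202
Registration: Completed.
IPv4 Connection to peer '10.10.17.202' Start Time: Wed Jun 10 14:27:12 2020 UTC
Heartbeat Send Time: Wed Jun 10 14:38:49 2020 UTC
Heartbeat Received Time: Wed Jun 10 14:30:01 2020 UTC"

# Stand-alone demonstration against the constructed samples. On a real device
# replace the printf command with: wait_for_tunnel sftunnel-status-brief
if sftunnel_connected "$SAMPLE_UP"; then echo "sample UP: tunnel established"; fi
if ! sftunnel_connected "$SAMPLE_DOWN"; then echo "sample DOWN: tunnel not established"; fi
if wait_for_tunnel 'printf "%s\n" "$SAMPLE_UP"' 600 15; then
    echo "poll: management connection reestablished"
else
    echo "poll: not reestablished within 10 minutes; troubleshoot the data interface connection"
fi
```

A non-zero exit from wait_for_tunnel is the point at which the guide tells you to stop waiting and troubleshoot the data interface connection, so it is a natural hook for a deployment pipeline that runs the rollback and wants a definite pass or fail.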