Sync Interface Changes with the Firewall Management Center

Interface changes on the device can cause the Firewall Management Center and the device to get out of sync. The Firewall Management Center can detect interface changes by one of the following methods:

  • Event sent from the device

  • Sync when you deploy from the Firewall Management Center

    If the Firewall Management Center detects interface changes when it attempts to deploy, the deployment will fail. You must first accept the interface changes.

  • Manual sync

There are two types of interface changes performed outside of Firewall Management Center that need to be synched:

  • Addition or deletion of physical interfaces—Adding a new interface or deleting an unused interface has minimal impact on the Firewall Threat Defense configuration. However, deleting an interface that is used in your security policy will impact the configuration. Interfaces can be referenced directly in many places in the Firewall Threat Defense configuration, including access rules, NAT, SSL, identity rules, VPN, DHCP server, and so on. Deleting an interface will delete any configuration associated with that interface. Policies that refer to security zones are not affected. You can also edit the membership of an allocated EtherChannel without affecting the logical device or requiring a sync on the Firewall Management Center.

    When the Firewall Management Center detects changes, the Interface page shows status (removed, changed, or added) to the left of each interface.

  • Firewall Management Center access interface changes—If you configure a data interface for management using the configure network management-data-interface command, you must manually make matching configuration changes in the Firewall Management Center and then acknowledge the changes. These interface changes cannot be made automatically.

This procedure describes how to manually sync interface changes if required and how to acknowledge the detected changes. If interface changes are temporary, you should not save the changes in the Firewall Management Center; you should wait until the device is stable, and then re-sync.
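The following is an added example, not Cisco's code: a constructed Python model of the sync check described above. It diffs the interface inventory the Firewall Management Center last saw against what the device now reports, tags each interface removed, changed, or added, lists the directly referencing configuration that deleting an interface would take with it (zone-based policy is reported as unaffected), and shows why an unacknowledged change blocks deployment. All interface names, the `speed` attribute, and the reference objects are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Interface:
    name: str
    speed: str  # constructed attribute; any attribute mismatch counts as "changed"

@dataclass
class Reference:
    """A configuration object that points at an interface directly or via a zone."""
    kind: str                        # e.g. "nat", "dhcp-server", "access-rule"
    interface: Optional[str] = None  # direct interface reference
    zone: Optional[str] = None       # security-zone reference instead

def diff_interfaces(fmc: List[Interface], device: List[Interface]) -> Dict[str, str]:
    """Return {name: 'removed'|'changed'|'added'} for interfaces that differ."""
    known = {i.name: i for i in fmc}      # what the management center last saved
    seen = {i.name: i for i in device}    # what the device reports now
    status: Dict[str, str] = {}
    for name in known.keys() - seen.keys():
        status[name] = "removed"
    for name in seen.keys() - known.keys():
        status[name] = "added"
    for name in known.keys() & seen.keys():
        if known[name] != seen[name]:
            status[name] = "changed"
    return status

def validate_changes(status: Dict[str, str],
                     refs: List[Reference]) -> Tuple[List[Reference], List[Reference]]:
    """Split references into (config deleted with removed interfaces, zone refs left intact)."""
    removed = {n for n, s in status.items() if s == "removed"}
    deleted = [r for r in refs if r.interface in removed]
    unaffected = [r for r in refs if r.zone is not None and r.interface is None]
    return deleted, unaffected

def deploy_blocked(status: Dict[str, str], acknowledged: bool = False) -> bool:
    """Deployment fails while detected interface changes are not yet accepted."""
    return bool(status) and not acknowledged

# Constructed sample inventories and policy references.
FMC_VIEW = [Interface("Ethernet1/1", "1G"), Interface("Ethernet1/2", "1G"),
            Interface("Ethernet1/3", "1G")]
DEVICE_VIEW = [Interface("Ethernet1/1", "1G"), Interface("Ethernet1/2", "10G"),
               Interface("Ethernet1/4", "1G")]
REFERENCES = [Reference("nat", interface="Ethernet1/3"),
              Reference("dhcp-server", interface="Ethernet1/3"),
              Reference("access-rule", zone="inside-zone"),
              Reference("vpn", interface="Ethernet1/1")]
```

Running `diff_interfaces(FMC_VIEW, DEVICE_VIEW)` flags Ethernet1/3 as removed, Ethernet1/4 as added, and Ethernet1/2 as changed; `validate_changes` then reports the NAT and DHCP server configuration on Ethernet1/3 as the items that would be deleted.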

Before you begin

Procedure

Step 1

Select Devices > Device Management and click Edit (edit icon) for your Firewall Threat Defense device. The Interfaces page is selected by default.

Step 2

If required, click Sync Device on the top left of Interfaces.

Step 3

After the changes are detected, see the following steps.

Addition or Deletion of Physical Interfaces

  1. You will see a red banner on Interfaces indicating that the interface configuration has changed. Click the Click to know more link to view the interface changes.

  2. Click Validate Changes to make sure your policy will still work with the interface changes.

    If there are any errors, you need to change your policy and rerun the validation.

  3. Click Save.

    You can now go to Deploy > Deployment and deploy the policy to assigned devices.

FMC Access Interface Changes

  1. You will see a yellow banner in the top right of the Device page indicating that the Firewall Management Center access configuration has changed. Click the View details link to view the interface changes.

    The FMC Access - Configuration Details dialog box opens.

  2. Take note of all highlighted configurations, especially the pink highlighted ones. You need to match any values on the Firewall Threat Defense by manually configuring them on the Firewall Management Center.

    For example, the pink highlights below show configuration that exists on the Firewall Threat Defense but not yet on the Firewall Management Center.

    The following example shows this page after configuring the interface in Firewall Management Center; the interface settings match, and the pink highlight was removed.

  3. Click Acknowledge.

    We recommend that you do not click Acknowledge until you have finished the Firewall Management Center configuration, and are ready to deploy. Clicking Acknowledge removes the block on deployment. The next time you deploy, the Firewall Management Center configuration will overwrite any remaining conflicting settings on the Firewall Threat Defense. It is your responsibility to manually fix the configuration in the Firewall Management Center before you re-deploy.

  4. You can now go to Deploy > Deployment and deploy the policy to assigned devices.