Manage Device Configuration

In order to manage a device, Security Cloud Control must have its own copy of the device's configuration stored in its local database. When Security Cloud Control "reads" a configuration from a device it manages, it takes a copy of the device's configuration and saves it. The first time Security Cloud Control reads and saves a copy of a device's configuration is when the device is onboarded. These choices describe reading a configuration for different purposes:

  • Discard Changes: This action is available when a device's configuration status is "Not Synced." In the Not Synced state, there are changes to the device's configuration pending on Security Cloud Control. This option allows you to undo all pending changes. The pending changes are deleted and Security Cloud Control overwrites its copy of the configuration with copy of the configuration stored on the device.

  • Check for Changes: This action is available if the device's configuration status is Synced. Clicking Checking for Changes directs Security Cloud Control to compare its copy of the device's configuration with the copy of the configuration stored on the device. If there is a difference, Security Cloud Control immediately overwrites its copy of the device's configuration with the copy stored on the device.

  • Review Conflict and Accept Without Review: If you have enabled Conflict Detection on a device, Security Cloud Control checks for configuration changes made on the device every 10 minutes. If the copy of the configuration stored on the device has changed, Security Cloud Control notifies you by displaying the "Conflict Detected" configuration status.

    • Review Conflict: Click Review Conflict allows you to review changes made directly on a device and accept or reject them.

    • Accept Without Review: This action overwrites Security Cloud Control's copy of a device's configuration with the latest copy of the configuration stored on the device. Security Cloud Control does not prompt you to confirm the differences in the two copies of the configuration before taking the overwriting action.

Read All: This is a bulk operation. You can select more than one device, in any state, and click Read All to overwrite all the devices' configurations stored on Security Cloud Control with the configurations stored on the devices.

  • Deploy Changes: As you make changes to a device's configuration, Security Cloud Control saves the changes you make to its own copy of the configuration. Those changes are "pending" on Security Cloud Control until they are deployed to the device. When there are changes to a device's configuration that have not been deployed to the device, the device is in the Not Synced configuration state.

    Pending configuration changes have no effect on the network traffic running through the device. Only after Security Cloud Control deploys the changes to the device do they have an effect. When Security Cloud Control deploys changes to the device's configuration, it only overwrites those elements of the configuration that were changed. It does not overwrite the entire configuration file stored on the device. Deployments can be initiated for a single device or on more than one device simultaneously.

  • Discard All is an option that is only available after you click Preview and Deploy.... After clicking Preview and Deploy, Security Cloud Control shows you a preview of the pending changes in Security Cloud Control. Clicking Discard All deletes all pending changes from Security Cloud Control and does not deploy anything to the selected device(s). Unlike "Discard Changes" above, deleting the pending changes is the end of the operation.


Note

You can schedule deployments or recurring deployments. See Schedule an Automatic Deployment for more information.

Reading, Discarding, and Deploying Configuration Changes

Read All Device Configurations

If a configuration change is made to a device outside of Security Cloud Control, the device's configuration stored on Security Cloud Control and the device's local copy of its configuration are no longer the same. You many want to overwrite Security Cloud Control's copy of the device's configuration with the configuration stored on the device to make the configurations the same again. You can perform this task on many devices simultaneously using the Read All link.

See Reading, Discarding, Checking for, and Deploying Configuration Changes for more information about how Security Cloud Control manages the two copies of the device's configuration.

Here are three configuration statuses where clicking Read All will overwrite Security Cloud Control's copy of the device's configuration with the device's copy of the configuration.

  • Conflict Detected-If conflict detection is enabled, Security Cloud Control polls the devices it manages every 10 minutes for changes made to their configurations. If Security Cloud Control finds that the configuration on the device has changed, Security Cloud Control displays a "Conflict detected" configuration status for the device.

  • Synced-If the device is in a synced state, and you click Read All, Security Cloud Control immediately checks the devices to determine if there have been any changes made to its configurations directly. After clicking Read All, Security Cloud Control confirms your intent to overwrite its copy of the device's configuration and then Security Cloud Control performs the overwrite.

  • Not Synced-If the device is in the Not Synced state, and you click Read All, Security Cloud Control warns you that there are pending changes made to to the device's configuration using Security Cloud Control and that proceeding with the Read All operation will delete those changes and then overwrite Security Cloud Control's copy of the configuration with the configuration on the device. This Read All functions like Discard Changes.

Procedure

Step 1

In the left pane, click Security Devices.

Step 2

Click the Devices tab.

Step 3

Click the appropriate device type tab.

Step 4

(Optional) Create a change request label to identify the results of this bulk action easily in the Change Log.

Step 5

Select the devices whose configurations you want to save Security Cloud Control. Notice that Security Cloud Control only provides command buttons for actions that can be applied to all the selected devices.

Step 6

Click Read All.

Step 7

Security Cloud Control warns you if there are configuration changes staged on Security Cloud Control, for any of the devices you selected, and asks if you want to continue with the bulk reading configurations action. Click Read All to continue.

Step 8

Look at the notifications tab for the progress of the Read All configurations operation. If you want more information about how individual actions in the bulk operation succeeded or failed, click the blue Review link and you will be directed to the Jobs page.

Step 9

If you created and activated a change request label, remember to clear it so that you don't inadvertently associate other configuration changes with this event.

Read Configuration Changes from an ASA to Security Cloud Control

Why Does Security Cloud Control "Read" ASA Configurations?

In order to manage an ASA, Security Cloud Control must have it's own stored copy of the ASA's running configuration file. The first time Security Cloud Control reads and saves a copy of the device's configuration file is when the device is onboarded. Subsequently, when Security Cloud Control reads a configuration from an ASA, you are opting to either Check for Changes, Accept without Review, or Read Configuration. See Reading, Discarding, Checking for, and Deploying Configuration Changes for more information.

Security Cloud Control also needs to read an ASA configuration in these circumstances:

  • Deploying configuration changes to the ASA has failed and the device state is not listed or Not Synced.

  • Onboarding a device has failed and the device state is No Config.

  • You have made changes to the device configuration outside of Security Cloud Control and the changes have not been polled or detected. THe device state would be either Synced or Conflict Detected.

In these cases, Security Cloud Control needs a copy of the last known configuration stored on the device.

Read Configuration Changes on ASA

When prompted to Read Configuration changes on an ASA:

Procedure

Step 1

In the left pane, click Security Devices.

Step 2

Click the Devices tab.

Step 3

Click the appropriate device type tab.

Step 4

Select the device that Security Cloud Control has recently failed to onboard or the device that Security Cloud Control has failed to deploy a change to.

Step 5

Click Read Configuration in the Synced pane at the right. This option overwrites the configuration currently saved to Security Cloud Control.

Preview and Deploy Configuration Changes for All Devices

Security Cloud Control informs you when you have made a configuration change to a device in your tenant, but you have not deployed that change, by displaying an orange dot on the Deploy icon . The devices affected by these changes show the status "Not Synced" in the Security Devices page. By clicking Deploy, you can review which devices have pending changes and deploy the changes to those devices.

This deployment method is available for all supported devices.

You can use this deployment method for single configuration changes or wait and deploy multiple changes at once.

Procedure

Step 1

In the menu bar of Security Cloud Control click the Deploy button .

Step 2

Select the devices with changes you want to deploy. If a device has a yellow caution triangle, you can not deploy changes to that device. Hover your mouse over the yellow caution triangle to find out why you can't deploy changes to that device.

Step 3

(Optional) If you want to see more information about a pending change, click the View Detailed Changelog link to open the change log associated with that change. Click the Deploy icon to return to the Devices with Pending Changes page.

Step 4

Click Deploy Now to deploy the changes immediately to the devices you selected. You'll see the progress in the Active jobs indicator in the Jobs tray.

Step 5

(Optional) After the deployment has finished, click Jobs in the Security Cloud Control navigation bar. You will see a recent "Deploy Changes" job showing the results of the deployment.

Step 6

If you created a change request label, and you have no more configuration changes to associate with it, clear it.

Deploy Configuration Changes from Security Cloud Control to ASA

Why Does Security Cloud Control Deploy Changes to an ASA?

As you manage and make changes to a device's configuration with Security Cloud Control, Security Cloud Control saves the changes you make to its own copy of the configuration file. Those changes are considered "staged" on Security Cloud Control until they are "deployed" to the device. Staged configuration changes have no effect on the network traffic running through the device. Only after Security Cloud Control "deploys" the changes to the device do they have an effect on the traffic running through the device. When Security Cloud Control deploys changes to the device's configuration, it only overwrites those elements of the configuration that were changed. It does not overwrite the entire configuration file stored on the device.

The ASA has a "running" configuration file, sometimes called the "running config" and a "startup" configuration file that is sometimes called the "startup config." The configuration stored in the running config file is enforced on traffic passing through the ASA. After you make changes to the running config and you are happy with the behavior those changes produce, you can deploy them to the startup config. If the ASA is ever rebooted, it uses the startup config as its configuration starting point. Any changes you make to the running config that are not saved to the startup config are lost after an ASA is rebooted.

When you deploy changes from Security Cloud Control to an ASA, you are writing those changes into the running configuration file. After you are satisfied with the behavior those changes produce, you can deploy those changes to the startup configuration file.

Deployments can be initiated for a single device or on more than one device simultaneously. You can schedule individual deployments or recurring deployments for a single device.

Some Changes are Deployed Directly to the ASA

If you use the command line interface interface on Security Cloud Control to make a change to an ASA, those changes are not "staged" on Security Cloud Control. They are deployed directly to the running configuration of the ASA. When you make changes that way, your device remains "synced" with Security Cloud Control.

About Deploying Configuration Changes

This section assumes you are using Security Cloud Control's GUI or editing the Device Configuration page, not using Security Cloud Control's CLI interface or CLI macro interface, to make changes to an ASA configuration file.

Updating an ASA configuration is a two-step process.

Procedure

Step 1

Make changes on Security Cloud Control using one of these methods:

  • The Security Cloud Control GUI

  • The device configuration on the Device Configuration page

Step 2

After you make your changes, return to the Security Devices page and then Preview and Deploy... the change to the device.

What to do next

When Security Cloud Control updates an ASA's running configuration with the one staged on Security Cloud Control, or when it changes the configuration on Security Cloud Control with the running configuration stored on the ASA, it attempts to change only the relevant lines of the configuration file if that aspect of the configuration can be managed by the Security Cloud Control GUI. If the desired configuration change cannot be made using the Security Cloud Control GUI, Security Cloud Control attempts to overwrite the entire configuration file to make the change.

Here are two examples:

  • You can create or change a network object using the Security Cloud Control GUI. If Security Cloud Control needs to deploy that change to an ASA's configuration, it would overwrite the relevant lines of the running configuration file on the ASA when the change occurs.

  • You cannot create a new local ASA user using the Security Cloud Control GUI but you can create one by editing the ASA's configuration on the Device Configuration page. If you add a user on the Device Configuration page, and you deploy that change to the ASA, Security Cloud Control will try to save that change to the ASA's running configuration file by overwriting the entire running configuration file.

Deploy Configuration Changes Made Using the Security Cloud Control GUI

Procedure

Step 1

After you make a configuration change using the Security Cloud Control GUI and save your change, that change is saved in Security Cloud Control's stored version of the ASA's running configuration file.

Step 2

Return to the device on the Security Devices page.

Step 3

Click the Devices tab. You should see that the device is now "Not synced."

Step 4

Deploy the changes using one of these methods:

  • Click the Deploy icon at the top-right of the screen. This gives you a chance to review the changes you made to the device before you deploy them. Check the device you made changes to, expand the device to review the changes, click Deploy Now to deploy the changes.

    Note

     

    If you see a yellow warning triangle next to your device on the Devices with Pending Changes screen, you cannot deploy a change to it. Hover your mouse over the warning triangle to learn why you can't deploy changes to the device.

  • In the Not Synced pane, click Preview and Deploy....

    1. Review the commands that will change the ASA configuration file.

    2. If you are satisfied with the commands, choose a Configuration Recovery Preference.

      Note

       

      If you choose "Let me know and I will restore the configuration manually." click View Manual Synchronization Instructions before continuing.

    3. Click Apply Changes to Device.

    4. Click OK to acknowledge the success message.

Schedule Automatic Deployments

You can also configure your tenant to schedule deployments to a single device or all devices with pending changes by scheduling automatic deployments.

Deploy Configuration Changes Using Security Cloud Control's CLI Interface

Procedure

Step 1

In the left pane, click Security Devices.

Step 2

Click the Devices tab.

Step 3

Click the appropriate device type tab.

Step 4

Select the device whose configuration you want to change.

Step 5

Click >_Command Line Interface in the Actions pane.

Step 6

If there are any commands in the command line interface table, click Clear to remove them.

Step 7

In the top box of the command line interface table, enter your commands at the command prompt. You can run a single command, several commands in a batch by entering each command on its own line, or entering a section of configuration file as a command. Here are some examples of commands you can enter in the command line interface table:

A single command creating the network object "albany"
object network albany 
host 209.165.30.2
Multiple commands sent together:
object network albany
host 209.165.30.2
object network boston
host 209.165.40.2
object network cambridge
host 209.165.50.2
A section of a running configuration file entered as a command:
interface GigabitEthernet0/5
 nameif guest
 security-level 0
 no ip address

Note

 

Security Cloud Control does not require you to move between EXEC mode, Privileged EXEC mode, and Global Configuration mode. It interprets the command you enter in the proper context.

Step 8

After you have entered your commands, click Send. After Security Cloud Control has successfully deployed the changes to the ASA's running config file, you receive the message, Done!

Step 9

After you send the command you may see the message, "Some commands may have made changes to the running config" along with two links.

  • Clicking Deploy to Disk saves the changes made by this command, and any other change in the running config, to the ASA's startup config.

  • Clicking Dismiss, dismisses the message.

Deploy Configuration Changes by Editing the Device Configuration


Caution

This procedure is for advanced users who are familiar with the syntax of an ASA configuration file. This method makes changes directly to the running configuration file stored on Security Cloud Control.

Procedure

Step 1

In the left pane, choose Security Devices

Step 2

Click the appropriate device type tab.

Step 3

Select the device whose configuration you want to change.

Step 4

Click View Configuration in the Actions pane.

Step 5

Click Edit.

Step 6

Make your changes to the running configuration and Save them.

Step 7

Return to the Security Devices page. In the Not Synced pane, click Preview and Deploy...

Step 8

In the Device Sync pane review the changes.

Step 9

Click Replace Configuration or Apply Changes to Device depending on the kind of change it is.

Deploy Configuration Changes for a Shared Object on Multiple Devices

Use this procedure when you are making changes to a policy or object shared by two or more devices. You can change a common policy on however many devices use it.

Procedure

Step 1

Open and edit the Policies page or the Objects page containing the shared object you want to edit.

Step 2

Review the shared device list and confirm that you want to make the changes on all the devices mentioned.

Step 3

Click Confirm.

Step 4

Click Save.

Step 5

Click the Deploy icon and deploy your changes to the affected devices.

Bulk Deploy Device Configurations

If you have made changes to multiple devices, for instance by editing a shared object, you can apply those change to all of the affected devices at once:

Procedure

Step 1

In the left pane, click Security Devices.

Step 2

Click the Devices tab.

Step 3

Click the appropriate device type tab.

Step 4

Select all of the devices for which you have made configuration changes on Security Cloud Control. These devices should show "Not Synced" status.

Step 5

Deploy the changes using one of these methods:

  • Click the button at the top-right of the screen to view the Devices with Pending Changes window. This gives you a chance to review the pending changes on the devices you selected before you deploy them. Click Deploy Now to deploy the changes.

    Note

     

    If you see a yellow warning triangle next to a device on the Devices with Pending Changes screen, you cannot deploy a change to that device. Hover your mouse over the warning triangle for information about why changes cannot be deployed to that device.

  • Click Deploy All on the details pane. Review any warnings and click OK. The bulk deployment starts immediately without a review of the changes.

Step 6

(Optional) Click the Jobs icon in the navigation bar to view the results of the bulk deploy.

About Scheduled Automatic Deployments

Using Security Cloud Control, you can make configuration changes to one or more of the devices it manages and then schedule the changes to be deployed to those devices at a time that is convenient for you.

You can only schedule deployments if you Enable the Option to Schedule Automatic Deployments in the Tenant Settings tab of the Settings page. Once this option is enabled, you can create, edit, or delete scheduled deployments. A scheduled deployment deploys all the staged changes saved on Security Cloud Control at the date and time set. You can also view and delete scheduled deployments from the Jobs page.

If there were changes made directly to the device that have not been read to Security Cloud Control, the scheduled deployment will be skipped until that conflict is resolved. The Jobs page will list any instance where a scheduled deployment fails. If Enable the Option to Schedule Automatic Deployments is turned off, all scheduled deployments are deleted.


Caution

If you schedule a new deployment for multiple devices, and some of those devices already have deployments scheduled, the new scheduled deployment overwrites the existing scheduled deployments.


Note

When you create a scheduled deployment, the schedule is created in your local time, not in the time zone of the device. Scheduled deployments do not automatically adjust for daylight savings time.

Schedule an Automatic Deployment

The deployment schedule can be a single event or a recurring event. You may find recurring automatic deployments a convenient way to line up recurring deployments with your maintenance window. Follow this procedure to schedule a one-time or a recurring deployment for a single device:


Note

If you schedule a deployment for a device that has an existing deployment scheduled, the new scheduled deployment overwrites the existing deployment.

Procedure

Step 1

In the left pane, click Security Devices.

Step 2

Click the Devices tab.

Step 3

Click the appropriate device type tab.

Step 4

Select one ore more devices.

Step 5

In the Device Details pane, locate the Scheduled Deployments tab and click Schedule.

Step 6

Select when the deployment should occur.

  • For a one-time deployment, click the Once on option to select a date and time from the calendar.

  • For a recurring deployment, click the Every option. You can choose either a daily or once a week deployment. Select the Day and Time the deployment should occur.

Step 7

Click Save.

Edit a Scheduled Deployment

Follow this procedure to edit a scheduled deployment:

Procedure

Step 1

In the left pane, click Security Devices.

Step 2

Click the Devices tab.

Step 3

Click the appropriate device type tab.

Step 4

Select one or more devices.

Step 5

In the Device Details pane, locate the Scheduled Deployments tab and click Edit .

Step 6

Edit the recurrence, date, or time of a scheduled deployment.

Step 7

Click Save.

Delete a Scheduled Deployment

Follow this procedure to delete a scheduled deployment:


Note

If you schedule a deployment for multiple devices, and then change or delete the schedule for some of the devices, the original scheduled deployment for the remaining devices will be preserved.

Procedure

Step 1

In the left pane, click Security Devices.

Step 2

Click the Devices tab.

Step 3

Click the appropriate device type tab.

Step 4

Select one or more devices.

Step 5

In the Device Details pane, locate the Scheduled Deployments tab and click Delete .

What to do next

Check for Configuration Changes

Check for Changes to determine if the device's configuration has been changed directly on the device and it is no longer the same as the copy of the configuration stored on Security Cloud Control. You will see the this option when the device is in the "Synced" state.

To check changes:

Procedure

Step 1

In the left pane, click Security Devices.

Step 2

Click the Devices tab.

Step 3

Click the appropriate device type tab.

Step 4

Select the device, whose configuration you suspect may have been changed directly on the device.

Step 5

Click Check for Changes in the Synced pane on the right.

Step 6

The behavior that follows is slightly different depending on the device:

  • For device if there has been a change to the device's configuration, you will receive the message:

    Reading the policy from the device. If there are active deployments on the device, reading will start after they are finished.

    • Click OK to continue. The configuration on the device will overwrite the stored configuration on Security Cloud Control.

    • Click Cancel to cancel the action.

  • For ASA device:

  1. Compare the two configurations presented to you. Click Continue. The configuration labeled Last Known Device Configuration is the configuration stored on Security Cloud Control. The configuration labeled Found on Device is the configuration saved on the ASA.

  2. Select either:

    1. Reject the out-of-band changes to keep the "Last Known Device Configuration."

    2. Accept the out-of-band changes to overwrite the device's configuration stored in Security Cloud Control with the configuration found on the device.

  3. Click Continue.

Discard Configuration Changes

Click Discard Changes when you want to "undo" all the undeployed configuration changes you made to a device's configuration using Security Cloud Control. When you click Discard Changes, Security Cloud Control completely overwrites its local copy of a device's configuration with the configuration stored on the device.

When you click Discard Changes, your device's configuration status is in a Not Synced state. After you discard your changes, the copy of the configuration on Security Cloud Control will be the same as the copy of the configuration on the device and the configuration status in Security Cloud Control will return to Synced.

To discard, or "undo," all of your undeployed configuration changes for a device:

Procedure

Step 1

In the left pane, click Security Devices.

Step 2

Click the Devices tab.

Step 3

Click the appropriate device type tab.

Step 4

Select the device you have been making configuration changes to.

Step 5

Click Discard Changes in the Not Synced pane on the right.

  • For FDM-managed devices-Security Cloud Control warns you that "Pending changes on Security Cloud Control will be discarded and the Security Cloud Control configuration for this device will be replaced with the configuration currently running on the device." Click Continue to discard your changes.

  • For Meraki devices-Security Cloud Control deletes the change immediately.

  • For AWS devices-Security Cloud Control displays what you are about to delete. Click Accept or Cancel.

Out-of-Band Changes on Devices

Out-of-band changes refer to changes made directly on the device without using Security Cloud Control. These changes may be made using the device's command-line interface over an SSH connection or by using a local manager like the Adaptive Security Device Manager (ASDM) for the ASA, the FDM for the FDM-managed device, or for an On-Premises Firewall Management Center on the On-Premises Firewall Management Center user interface. An out-of-band change causes a conflict between the device's configuration stored on Security Cloud Control and the configuration stored on the device itself.

Detecting Out-of-Band Changes on Devices

If Conflict Detection is enabled for an ASA, or an FDM-managed device, a Cisco IOS device, or an On-Premises Firewall Management Center, Security Cloud Control checks the device every 10 minutes searching for any new changes made directly to the device's configuration outside of Security Cloud Control.

If Security Cloud Control finds that there are changes to the device's configuration that are not stored on Security Cloud Control, it changes the Configuration Status of that device to the "Conflict Detected" state.

When Security Cloud Control detects a conflict, one of two conditions is likely:

  • There have been configuration changes made to the device directly that have not been saved to Security Cloud Control's database.

  • In the case of an FDM-managed device, there may be "pending" configuration changes on the FDM-managed device that have not been deployed.

  • In the case of an On-Premises Firewall Management Center, there may be changes made, for instance, to objects outside Security Cloud Control, which are pending to be synchronized with Security Cloud Control or changes made in Security Cloud Control which are pending to be deployed to the On-Premises Firewall Management Center.

Synchronizing Configurations Between Security Cloud Control and Device

About Configuration Conflicts

In the Security Devices page, you may see devices or services have the status "Synced," "Not Synced," or "Conflict Detected." To know the status of an On-Premises Firewall Management Center that you manage using Security Cloud Control, navigate Administration > Integrations > Firewall Management Center.

  • When a device is Synced, the configuration on Security Cloud Control) and the configuration stored locally on the device are the same.

  • When a device is Not Synced, the configuration stored in Security Cloud Control was changed and it is now different that the configuration stored locally on the device. Deploying your changes from Security Cloud Control to the device changes the configuration on the device to match Security Cloud Control's version.

  • Changes made to devices outside of Security Cloud Control are called out-of-band changes. When out-of-band changes are made, you'll see the device state change to "Conflict Detected," if conflict detection is enabled for the device. Accepting the out-of-band changes, changes the configuration on Security Cloud Control to match the configuration on the device.

Conflict Detection

When conflict detection is enabled, Security Cloud Control polls the device for the default interval to to determine if a change has been made to the device's configuration outside of Security Cloud Control. If Security Cloud Control detects that a change was made, it changes the configuration status for the device to Conflict Detected. Changes made to a device outside of Security Cloud Control are called "out-of-band" changes.

In the case of an On-Premises Firewall Management Center that is managed by Security Cloud Control, if there are changes that are staged and the device is in Not Synced state, Security Cloud Control stops polling the device to check for changes. When there are changes made outside Security Cloud Control which are pending to be synchronized with Security Cloud Control and changes made in Security Cloud Control which are pending to be deployed to the on-premises management center, Security Cloud Control declares the on-premises management center to be in the Conflict Detected state.

Once this option is enabled, you can configure how often conflicts or OOB changes are detected per device. See Schedule Polling for Device Changes for more information.

Enable Conflict Detection

Enabling conflict detection alerts you to instances where changes have been made to a device outside of Security Cloud Control.

Procedure

Step 1

In the left pane, click Security Devices.

Step 2

Click the Devices tab.

Step 3

Select the appropriate device type tab.

Step 4

Select the device or devices for which you want to enable conflict detection.

Step 5

In the Conflict Detection box at the right of the device table, select Enabled from the list.

Automatically Accept Out-of-Band Changes from your Device

You can configure Security Cloud Control to automatically accept any change made directly to a managed device by enabling auto-accept changes. Changes made directly to a device without using Security Cloud Control are referred to as out-of-band changes. An out-of-band change creates a conflict between the device's configuration stored on Security Cloud Control and the configuration stored on the device itself.

The auto-accept changes feature is an enhancement to conflict detection. If you have auto-accept changes enabled on your device, Security Cloud Control checks for changes every 10 minutes to determine if there have been any out-of-band changes made to the device's configuration. If there have been configuration changes, Security Cloud Control automatically updates its local version of the device's configuration without prompting you.

Security Cloud Control will not automatically accept a configuration change if there are configuration changes made on Security Cloud Control that have not yet been deployed to the device. Follow the prompts on the screen to determine your next action.

To use auto-accept changes, you first enable the tenant to display the auto-accept option in the Conflict Detection menu on the Security Devices page; then, you enable auto-accept changes for individual devices.

If you want Security Cloud Control to detect out-of-band changes but give you the option to accept or reject them manually, enable Conflict Detection instead.

Configure Auto-Accept Changes

Procedure

Step 1

Log in to Security Cloud Control using an account with Admin or Super Admin privileges.

Step 2

In the left pane, click Administration > General Settings.

Step 3

In the Tenant Settings area, click the toggle to Enable the option to auto-accept device changes. This enables the Auto-Accept Changes menu option to appear in the Conflict Detection menu on the Security Devices page.

Step 4

In the left pane, click Security Devices and select the device for which you want to automatically accept out-of-band changes.

Step 5

In the Conflict Detection menu, select Auto-Accept Changes in the drop-down menu.

Disabling Auto-Accept Changes for All Devices on the Tenant

Procedure

Step 1

Log-in to Security Cloud Control using an account with Admin or Super Admin privileges.

Step 2

In left pane, click Administration > General Settings.

Step 3

In the Tenant Settings area, disable the "Enable the option to auto-accept device changes" by sliding the toggle to the left so it shows a grey X. This disables Auto-Accept Changes option in the Conflict Detection menu and disables the feature for every device on your tenant.

Note

 

Disabling "Auto-Accept" will require you to review each device conflict before you can accept it into Security Cloud Control. This includes devices previously configured to auto-accept changes.

Resolve Configuration Conflicts

This section provides information about resolving configuration conflicts that occur on the device.

Resolve the Not Synced Status

Use the following procedure to resolve a device with a "Not Synced" Configuration Status:

Procedure

Step 1

In the navigation bar, click Security Devices.

Note

 

For an On-Premises Firewall Management Center, click Administration > Integrations > Firewall Management Center and select the FMC that is in Not Synced state and continue from Step 5.

Step 2

Click the Devices tab to locate the device or the Templates tab to locate the model device.

Step 3

Click the appropriate device type tab.

Step 4

Select the device reported as Not Synced.

Step 5

In the Not synced panel to the right, select either of the following:

  • Preview and Deploy... -If you want to push the configuration change from Security Cloud Control to the device, preview and deploy the changes you made now, or wait and deploy multiple changes at once.

  • Discard Changes -If you do not want to push the configuration change from Security Cloud Control to the device, or you want to "undo" the configuration changes you started making on Security Cloud Control. This option overwrites the configuration stored in Security Cloud Control with the running configuration stored on the device.

Resolve the Conflict Detected Status

Security Cloud Control allows you to enable or disable conflict detection on each live device. If Conflict Detection is enabled and there was a change made to the device's configuration without using Security Cloud Control, the device's configuration status will show Conflict Detected.

To resolve a "Conflict Detected" status, follow this procedure:

Procedure

Step 1

In the navigation bar, click Security Devices.

Note

 

For an On-Premises Firewall Management Center, click Administration > Integrations > Firewall Management Center and select the FMC that is in Not Synced state and continue from Step 5.

Step 2

Click the Devices tab to locate your device.

Step 3

Click the appropriate device type tab.

Step 4

Select the device reporting the conflict and click Review Conflict in the details pane on the right.

Step 5

In the Device Sync page, compare the two configurations by reviewing the highlighted differences.

  • The panel labeled "Last Known Device Configuration" is the device configuration stored on Security Cloud Control.

  • The panel labeled "Found on Device" is the configuration stored in the running configuration on the ASA.

Step 6

Resolve the conflict by selecting one of the following:

  • Accept Device changes: This will overwrite the configuration and any pending changes stored on Security Cloud Control with the device's running configuration.

    Note

     

    As Security Cloud Control does not support deploying changes to the Cisco IOS devices outside of the command line interface, your only choice for a Cisco IOS device will be to select Accept Without Review when resolving the conflict.

  • Reject Device Changes: This will overwrite the configuration stored on the device with the configuration stored on Security Cloud Control.

Note

 

All configuration changes, rejected or accepted, are recorded in the change log.

Schedule Polling for Device Changes

If you have Conflict Detection enabled, or if you Enable the option to auto-accept device changes from the Settings page,Security Cloud Control polls the device for the default interval to determine if a change has been made to the device's configuration outside of Security Cloud Control. You can customize how often Security Cloud Control polls for changes per device. These changes can be applied to more than one device.

If there is no selection configured for a device, the interval is automatically configured for "tenant default".


Note

Customizing the interval per device from the Security Devices page overrides the polling interval selected as the Default Conflict Detection Interval from the General Settings page.

After you enable Conflict Detection from the Security Devices page or Enable the option to auto-accept device changes from the Settings page, use the following procedure to schedule how often you want Security Cloud Control to poll your devices:

Procedure

Step 1

In the left pane, click Security Devices.

Step 2

Click the Devices tab to locate your device.

Step 3

Click the appropriate device type tab.

Step 4

Select the device or devices for which you want to enable conflict detection.

Step 5

In the same area as Conflict Detection, click the drop-down menu for Check every and select the desired polling interval: