Configure Rollback on SFTD When SFMC Not Reachable

Available Languages

Download Options

  • PDF     (1.5 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.7 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (522.8 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 23, 2024
Document ID:222184

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to rollback a deployment change from the Secure SFMC that affects the connectivity to SFTD.

    Prerequisites

    Requirements

    The use of this feature is supported on Secure FirePOWER Threat Detection® version 6.7 onwards.

    Cisco recommends that you have knowledge of these topics:

    • Secure Firewall Management Center (SFMC®) configuration
    • Cisco Secure FirePOWER Threat Defense (SFTD) configuration

    Components Used

    • Secure Firewall Management Center for VMware version 7.2.1
    • Secure Firepower Threat Defense for VMware version 7.2

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    There are scenarios where the communication to SFMC, SFTD, or between SFMC and SFTD is lost when a deployment change affects the network connectivity. You can roll back the configuration on the SFTD to the last-deployed configuration to restore the management connectivity.

    Use the configure policy rollback command to roll back the configuration on the threat defense to the last-deployed configuration.

    Note: The configure policy rollback command was introduced in version 6.7

    See the guidelines:

    • Only the previous deployment is available locally on the threat defense; you cannot roll back to any earlier deployments.
    • Rollback is supported for high availability from management center 7.2 onwards.
    • Rollback is not supported for clustering deployments.
    • The rollback only affects configurations that you can set in the management center. For example, the rollback does not affect any local configuration related to the dedicated Management interface, which you can only configure at the threat defense CLI. Note that if you changed data interface settings after the last management center deployment using the configure network management-data-interface command, and then you use the rollback command, those settings are not be preserved; they roll back to the last deployed management center settings.
    • UCAPL/CC mode cannot be rolled back.
    • Out-of-band SCEP certificate data that was updated during the previous deployment cannot be rolled back.
    • During the rollback, connections can drop because the current configuration is cleared.

    Configure

    Network Diagram

    This document uses this network setup:

    Image 1. Network DiagramImage 1. Diagram

    Scenario

    In this configuration, SFTD is managed by the SFMC using the Firewall inside interface, there is a rule that allows the reachability from the Laptop to the SFMC.

    Procedure

    Step 1.  The rule named FMC-Access was disabled on the SFMC, after deployment, the communication from the Laptop to the SFMC is blocked.

    Image 2. The Rule that Allows SFMC Reachability DisabledImage 2. The Rule that Allows SFMC Reachability Disabled

    Image 3. SFMC Reachability from Laptop not WorkingImage 3. SFMC Reachability from Laptop not Working

    Step 2. Log in to the SFTD via SSH or console, then use the configure policy rollback command.

    Note: If access via SSH is not possible, connect via telnet. 

    > configure policy rollback
    ---------------------------------------------------------------------------------------------
    [Warning] Perform a policy rollback if the FTD communicates with the FMC on a data interface, and it has lost connectivity due to a policy deployment from the FMC. If the FTD still has connectivity to the FMC, 
    and you want to perform a policy rollback for other purposes, then you should do the rollback on the FMC and not with this command. Note that there will be a traffic drop when you rollback the policy.

    Checking Eligibility ....
    ============= DEVICE DETAILS =============
    Device Version: 7.2.0
    Device Type: FTD
    Device Mode: Offbox
    Device in HA: false
    Device in Cluster: false
    Device Upgrade InProgress: false
    ==========================================
    Device is eligible for policy rollback

    This command will rollback the policy to the last deployment done on Jul 15 20:38.
    [Warning] The rollback operation will revert the convergence mode.
    Do you want to continue (YES/NO)?

    Step 3. Write the word YES to confirm the rollback of the last deployment, then wait until the rollback process ends.

    Do you want to continue (YES/NO)? YES

    Starting rollback...
     Deployment of Platform Settings to device.              Status: success
     Preparing policy configuration on the device.           Status: success
     Applying updated policy configuration on the device.    Status: success
     Applying Lina File Configuration on the device.         Status: success
    INFO: Security level for "diagnostic"set to 0 by default.
     Applying Lina Configuration on the device.             Status: success
     Commit Lina Configuration.                             Status: success
     Commit Lina File Configuration.                        Status: success
     Finalizing policy configuration on the device.         Status: success

    ============================================
    POLICY ROLLBACK STATUS: SUCCESS
    ============================================
    tip-icon

    Tip: In case rollback fails, contact Cisco TAC

    Step 4. After the rollback, confirm the SFMC reachability. The SFTD notifies the SFMC that the rollback was completed successfully. In the SFMC, the deployment screen shows a banner stating that the configuration was rolled back.

    Image 4. SFMC Reachability from Laptop RestoredImage 4. SFMC Reachability from Laptop Restored

    Image 5. SFMC Message Confirming Rollback from SFTDImage 5. SFMC Message Confirming Rollback from SFTD

    Step 5. When SFMC access is restored, resolve the SFMC configuration issue and redeploy.

    Image 6. Revert the ChangesImage 6. Revert the Changes

    Troubleshooting

    In case rollback fails, contact Cisco TAC, for additional issues during the process please review the next article: 

    Deployment Rollback

    Revision History

    Revision Publish Date Comments
    1.0
    23-Jul-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Erick Leobardo Perez
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products