topic Re: Default FlexConfig Policy? in Network Security

Default FlexConfig Policy?

sasha — Tue, 21 Jun 2022 13:29:57 GMT

Hello. I'm creating my FIRST FlexConfig policy. But when I try to assign it to a device, I'm getting the following message:

"Following devices already have assignments listed below. These devices will be reassigned to the current policy
device: impftd - policy: (device setting)

Do you want to continue with above changes?"

Will I loose some settings if I answer "yes"? Is there any way to see the mentioned "(device setting)" policy, and/or FlexConfigs already set on the device?

We're using FMC 7.0.1 and a HA pair of 2110s with FTD 7.0.1. We recently upgraded from 6.4, but we didn't use FlexConfig before.

Thanks and best regards.

Re: Default FlexConfig Policy?

Mohammed al Baqari — Tue, 21 Jun 2022 16:39:19 GMT

Hi,

You navigate to the listed flexconfig policy, you can see what flex objects
are assigned and what is configured.

Keep in mind that if you remove a flex policy from an FTD, it won't revoke
the changes. This is how flex works. You will need another flex policy to
remove the changes. So don't be concerned about revoking existing config
but its good to know what that policy does before any changes.

***** please remember to rate useful posts

Re: Default FlexConfig Policy?

sasha — Wed, 22 Jun 2022 07:15:39 GMT

Hello Mohammed, there ISN'T ANY policies in the list! The policy I'm creating is the FIRST one. But the FMC warns me that the device is assigned to "policy: (device setting)". My question is how to see THAT policy. And is there any other way to see FlexConfig commands which are in effect. As you said, it's good to know that before any changes. Thanks and best regards.

Re: Default FlexConfig Policy?

Marius Gunnerud — Wed, 22 Jun 2022 08:57:23 GMT

I do not believe that this is possible. If the policy is not present in the FMC GUI then the only place you can check is the running configuration on the FTD it self, but there you would need to know what you are looking for. Flexconfig is only a tool that you can use to send ASA CLI configuration to the FTD device, so you would only see the configurations them selves on the FTD and not the actual policy.

Re: Default FlexConfig Policy?

sasha — Wed, 22 Jun 2022 12:00:48 GMT

So, it would be sufficient to compare "show run all" before and after new FlexConfig policy, assuming there are no other changes in the same deployment?

Re: Default FlexConfig Policy?

Marius Gunnerud — Wed, 22 Jun 2022 13:48:17 GMT

Yes that would be the only way to know what was included in the previous policy

Re: Default FlexConfig Policy?

sasha — Thu, 23 Jun 2022 14:25:57 GMT

So folks, thank you both for help. The first policy went fine. Here's the outcome:

- Before I assigned the first flexconfig policy to our FTD HA pair, Preview Config button was grayed out.

- But after I assigned the policy and before I saved the changes, the button became active!?! As the only available device, it didn't offer our FTD HA pair but just our primary FTD device!?! And it displayed the old (before-save) flexconfig.

- After I saved the changes, the button offered our FTD HA as the only available device, and displayed the new flexconfig. All of the old commands were still there, and a couple of new commands produced by the new policy were added.

- I compared show run all before and after, and the only difference were the commands added by the new policy.

Thanks again and best regards.