topic Re: CLI changes occurring directly on managed devices without using the FMC? in Network Security

CLI changes occurring directly on managed devices without using the FMC?

tayon.kendrick — Fri, 21 Feb 2020 15:44:49 GMT

Just curious if I could make any sort of CLI changes on my managed devices w/o using the FMC, and if I did would those changes be synced with the FMC or is it the case that once I set up a device to be managed by the FMC that all my configuration changes such as access control policies would need to be done via the FMC GUI in order to stay synced?

Re: CLI changes occurring directly on managed devices without using the FMC?

yogdhanu — Wed, 09 May 2018 12:28:50 GMT

Ideally, no config changes are permitted on the device vis CLI apart from basic network settings for the device itself to connect to FMC /internet.

Can you elaborate more on what kind of device you are using and what changes you want to make on that?

Hope it helps,

Yogesh

Re: CLI changes occurring directly on managed devices without using the FMC?

tayon.kendrick — Wed, 09 May 2018 14:45:25 GMT

Thank Yogesh for your reply.

My FMC is currently managing a Cisco Firepower 4140, and 3 ASA 5545's, with
all of these devices being HA.

I have a client who prefers to make ASA ACL policy changes via the ASA's
still, if allowed. My question was still more general and hypothetical in
nature.

I understand the purpose of the FMC and that's what makes using it ideal,
however, if he does make changes on his end on the ASA, how would it affect
the sync process, deploy process, etc....

Re: CLI changes occurring directly on managed devices without using the FMC?

Karsten Iwen — Wed, 09 May 2018 14:45:49 GMT

With the exception of the configuration of the management port, all config is applied one-way from the FMC to the managed device. At least for the next time, there is no configuration on the device that is pushed to the FMC.

If you want to have best of both worlds (locally and centrally managed), you could achieve that with the FTD-API. Local changes could be done by FDM, and also a central management-server (which is not FMC) can fetch all config from FTD, alter it and push it back to the device.

Re: CLI changes occurring directly on managed devices without using the FMC?

tayon.kendrick — Wed, 09 May 2018 15:57:50 GMT

Thanks for your answer Karsten.

I'm not familiar with that scenario. With whom could I speak to in order to obtain more information on this being a possibility.

Re: CLI changes occurring directly on managed devices without using the FMC?

Karsten Iwen — Wed, 09 May 2018 16:03:06 GMT

For now, it's likely that you have to make yourself comfortable with both the API and write your own scripts to implement the API. The API on FTD is quite new, but I assume that some vendors of management-solutions will have software for this in quite some time.