CSCwi79393 - Workaround using Flex Config

srauen
Level 1

I was able to fix this without having TAC do some intensive backdoor actions.

Go to FTD command line

system support diagnostic-cli

enable (if needed)

show run

Look for the DNS policy-map. Mine was similar to:

policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
umbrella tag UMBRELLAPOLICY device-id 0123456789

Create a flex config object. Set it to apply once, append, and paste the policy map in with the 'no' form of the umbrella command. You don't need the message-length lines, and you don't need the device-id. UMBRELLAPOLICY will be based on your own configuration.

policy-map type inspect dns preset_dns_map
parameters
no umbrella tag UMBRELLAPOLICY

Do not remove the umbrella policy from the Access Control policy. Leave it as-is. Attach the flex config to the device, and deploy. The deploy completed for me, and the umbrella settings were effectively removed. Now remove the flex config policy from the device, set the DNS umbrella policy to none, and deploy again. This got things back to normal for me.

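As an added example (not from the original post, and not Cisco's own tooling): a small POSIX shell helper that reads saved `show run` output from the diagnostic CLI, finds every `policy-map type inspect dns` block that carries an `umbrella tag`, and prints the `no` form FlexConfig body described above, plus a check you can run against the `show run` taken after the second deploy to confirm the tag is really gone. The sample `show run` text below is constructed for the example; the policy-map name and tag name are parsed from the input rather than hard-coded, so it also handles a name other than `preset_dns_map` / `UMBRELLAPOLICY`.

```shell
#!/bin/sh
# Added example: build the FlexConfig body that strips the Umbrella tag
# from the DNS inspection policy-map, from saved `show run` output.
# Not part of the original post; the sample text is constructed.

# Constructed sample of the relevant `show run` lines (made up for this example).
SAMPLE_RUN='policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  umbrella tag UMBRELLAPOLICY device-id 0123456789
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
'

# Constructed sample of what `show run` should look like after cleanup.
CLEAN_RUN='policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
'

# Read show-run text on stdin; print one FlexConfig body per DNS inspect
# policy-map that carries an umbrella tag (policy-map name and tag name
# are taken from the input). message-length lines and device-id are
# dropped on purpose, as the post notes they are not needed.
flexconfig_from_run() {
    awk '
        /^policy-map type inspect dns / { pm = $5; next }
        /^policy-map /                   { pm = "" }
        pm != "" && $1 == "umbrella" && $2 == "tag" {
            print "policy-map type inspect dns " pm
            print "parameters"
            print "no umbrella tag " $3
        }
    '
}

# Exit 0 if any DNS inspect policy-map on stdin still has an umbrella tag,
# 1 otherwise. Run it on the post-deploy `show run` to confirm cleanup.
umbrella_tag_present() {
    awk '
        /^policy-map type inspect dns / { pm = 1; next }
        /^policy-map /                   { pm = 0 }
        pm && $1 == "umbrella" && $2 == "tag" { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# Usage: generate the FlexConfig text from the sample, then check both dumps.
printf '%s' "$SAMPLE_RUN" | flexconfig_from_run
if printf '%s' "$SAMPLE_RUN" | umbrella_tag_present; then
    echo "before: umbrella tag still configured"
fi
if ! printf '%s' "$CLEAN_RUN" | umbrella_tag_present; then
    echo "after: umbrella tag removed"
fi
```

In practice you would replace the constructed strings with the real dump (`show run | include policy-map|umbrella|parameters` is enough context) and paste the printed lines into the FlexConfig object; the second function is what you run after the final deploy before calling the device clean.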