Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
987
Views
5
Helpful
5
Replies

CLI changes occurring directly on managed devices without using the FMC?

Go to solution
tayon.kendrick
Level 1
Level 1

‎05-09-2018 05:19 AM - edited ‎02-21-2020 07:44 AM

Just curious if I could make any sort of CLI changes on my managed devices w/o using the FMC, and if I did would those changes be synced with the FMC or is it the case that once I set up a device to be managed by the FMC that all my configuration changes such as access control policies would need to be done via the FMC GUI in order to stay synced?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎05-09-2018 07:45 AM

With the exception of the configuration of the management port, all config is applied one-way from the FMC to the managed device. At least for the next time, there is no configuration on the device that is pushed to the FMC.

 

If you want to have best of both worlds (locally and centrally managed), you could achieve that with the FTD-API. Local changes could be done by FDM, and also a central management-server (which is not FMC) can fetch all config from FTD, alter it and push it back to the device. 

View solution in original post

0 Helpful
5 Replies 5

Go to solution
yogdhanu
Cisco Employee
Cisco Employee

‎05-09-2018 05:28 AM

Hi

 

Ideally, no config changes are permitted on the device vis CLI apart from basic network settings for the device itself to connect to FMC /internet.

Can you elaborate more on what kind of device you are using and what changes you want to make on that?

 

Hope it helps,

Yogesh

0 Helpful

Go to solution
tayon.kendrick
Level 1
Level 1
In response to yogdhanu

‎05-09-2018 07:45 AM

Thank Yogesh for your reply.

My FMC is currently managing a Cisco Firepower 4140, and 3 ASA 5545's, with
all of these devices being HA.

I have a client who prefers to make ASA ACL policy changes via the ASA's
still, if allowed. My question was still more general and hypothetical in
nature.

I understand the purpose of the FMC and that's what makes using it ideal,
however, if he does make changes on his end on the ASA, how would it affect
the sync process, deploy process, etc....
0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎05-09-2018 07:45 AM

With the exception of the configuration of the management port, all config is applied one-way from the FMC to the managed device. At least for the next time, there is no configuration on the device that is pushed to the FMC.

 

If you want to have best of both worlds (locally and centrally managed), you could achieve that with the FTD-API. Local changes could be done by FDM, and also a central management-server (which is not FMC) can fetch all config from FTD, alter it and push it back to the device. 

0 Helpful

Go to solution
tayon.kendrick
Level 1
Level 1
In response to Karsten Iwen

‎05-09-2018 08:57 AM

Thanks for your answer Karsten.

 

I'm not familiar with that scenario. With whom could I speak to in order to obtain more information on this being a possibility.

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to tayon.kendrick

‎05-09-2018 09:03 AM

For now, it's likely that you have to make yourself comfortable with both the API and write your own scripts to implement the API. The API on FTD is quite new, but I assume that some vendors of management-solutions will have software for this in quite some time.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card