05-09-2018 05:19 AM - edited 02-21-2020 07:44 AM
Just curious if I could make any sort of CLI changes on my managed devices without using the FMC, and if I did, would those changes be synced with the FMC? Or is it the case that once I set up a device to be managed by the FMC, all my configuration changes, such as access control policies, would need to be done via the FMC GUI in order to stay synced?
Labels: NGFW Firewalls
Accepted Solutions
05-09-2018 07:45 AM
With the exception of the configuration of the management port, all config is applied one way, from the FMC to the managed device. At least for now, there is no configuration on the device that is pushed to the FMC.
If you want the best of both worlds (locally and centrally managed), you could achieve that with the FTD API. Local changes could be made through FDM, and a central management server (which is not the FMC) can also fetch all config from the FTD, alter it and push it back to the device.

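The fetch / alter / push-back loop Karsten describes, as an added example that is not code from the thread, from Cisco or from any management product. It assumes things the post does not state: FDM on-box management is enabled on the FTD, the device is reachable at https://ftd.example.net, the endpoints under /api/fdm/latest/ (fdm/token, policy/accesspolicies, operational/deploy) match the installed FDM API version, and the access-rule fields ruleAction and eventLogAction take the values PERMIT / DENY and LOG_NONE / LOG_FLOW_END / LOG_BOTH. The device in the demo run is a constructed in-memory stand-in so the script runs offline; swap in urllib_transport to talk to a real FTD.

```python
"""Fetch FTD access rules over the FDM REST API, alter them, push them back, deploy.

Added example, not code from the thread or from Cisco. Assumed (not in the
original post): FDM is enabled, base URL https://ftd.example.net, the
/api/fdm/latest/ paths below, and the field values PERMIT/DENY and
LOG_NONE/LOG_FLOW_END/LOG_BOTH on access rules.
"""
import json
import ssl
import urllib.request
from typing import Callable, Dict, List, Optional

# (method, url, json body or None, headers) -> decoded JSON response
Transport = Callable[[str, str, Optional[dict], Dict[str, str]], dict]


def urllib_transport(method: str, url: str, body: Optional[dict],
                     headers: Dict[str, str]) -> dict:
    """Real HTTPS transport. TLS verification stays on: the FDM certificate must be trusted."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


class FdmClient:
    def __init__(self, base_url: str, transport: Transport = urllib_transport):
        self.base = base_url.rstrip("/") + "/api/fdm/latest"
        self.transport = transport
        self.token: Optional[str] = None

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        headers = {"Accept": "application/json", "Content-Type": "application/json"}
        if self.token:
            headers["Authorization"] = "Bearer " + self.token
        return self.transport(method, self.base + path, body, headers)

    def login(self, username: str, password: str) -> None:
        resp = self._call("POST", "/fdm/token", {"grant_type": "password",
                                                 "username": username, "password": password})
        self.token = resp["access_token"]

    def access_policy_id(self) -> str:
        return self._call("GET", "/policy/accesspolicies")["items"][0]["id"]

    def list_rules(self, policy_id: str) -> List[dict]:
        return self._call("GET", f"/policy/accesspolicies/{policy_id}/accessrules")["items"]

    def update_rule(self, policy_id: str, rule: dict) -> dict:
        # PUT the whole object back, "version" included: the device rejects the write
        # if someone changed the rule in between, which is how a local edit shows up.
        return self._call("PUT", f"/policy/accesspolicies/{policy_id}/accessrules/{rule['id']}", rule)

    def deploy(self) -> dict:
        # API edits are staged until deployed, exactly like pending changes in FDM.
        return self._call("POST", "/operational/deploy", {})


def enable_flow_logging(client: FdmClient) -> List[str]:
    """Turn on end-of-flow logging for every PERMIT rule that logs nothing, then deploy."""
    policy_id = client.access_policy_id()
    changed = []
    for rule in client.list_rules(policy_id):
        if rule.get("ruleAction") == "PERMIT" and rule.get("eventLogAction") == "LOG_NONE":
            rule["eventLogAction"] = "LOG_FLOW_END"
            client.update_rule(policy_id, rule)
            changed.append(rule["name"])
    if changed:
        client.deploy()
    return changed


def make_fake_device():
    """Constructed stand-in for an FTD so the script runs offline; returns (transport, state)."""
    state = {
        "rules": {
            "r1": {"id": "r1", "version": "v1", "name": "allow-web", "type": "accessrule",
                   "ruleAction": "PERMIT", "eventLogAction": "LOG_NONE"},
            "r2": {"id": "r2", "version": "v1", "name": "drop-rest", "type": "accessrule",
                   "ruleAction": "DENY", "eventLogAction": "LOG_BOTH"},
        },
        "deploys": 0,
    }

    def transport(method, url, body, headers):
        path = url.split("/api/fdm/latest", 1)[1]
        if method == "POST" and path == "/fdm/token":
            return {"access_token": "constructed-token"}
        if headers.get("Authorization") != "Bearer constructed-token":
            raise PermissionError("401 from " + path)
        if method == "GET" and path == "/policy/accesspolicies":
            return {"items": [{"id": "pol1"}]}
        if method == "GET" and path == "/policy/accesspolicies/pol1/accessrules":
            return {"items": [dict(r) for r in state["rules"].values()]}
        if method == "PUT" and path.startswith("/policy/accesspolicies/pol1/accessrules/"):
            current = state["rules"][body["id"]]
            if current["version"] != body["version"]:
                raise RuntimeError("422: stale version on " + body["id"])
            state["rules"][body["id"]] = dict(body, version=body["version"] + "+")
            return state["rules"][body["id"]]
        if method == "POST" and path == "/operational/deploy":
            state["deploys"] += 1
            return {"state": "QUEUED"}
        raise LookupError(f"{method} {path}")

    return transport, state


if __name__ == "__main__":
    fake, device = make_fake_device()
    client = FdmClient("https://ftd.example.net", transport=fake)
    client.login("admin", "not-a-real-password")
    print(enable_flow_logging(client))
```

The version check on PUT is the part worth keeping in mind: a write that returns a version conflict means the object was changed on the box after you read it, so the script should re-read rather than retry blindly, and nothing is live on the data plane until the deploy call succeeds.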
05-09-2018 05:28 AM
Hi,
Ideally, no config changes are permitted on the device via CLI apart from basic network settings for the device itself to connect to the FMC/internet.
Can you elaborate more on what kind of device you are using and what changes you want to make on it?
Hope it helps,
Yogesh
05-09-2018 07:45 AM
My FMC is currently managing a Cisco Firepower 4140 and three ASA 5545s, with all of these devices being HA.

I have a client who prefers to make ASA ACL policy changes via the ASAs still, if allowed. My question was still more general and hypothetical in nature.

I understand the purpose of the FMC and that's what makes using it ideal; however, if he does make changes on his end on the ASA, how would it affect the sync process, deploy process, etc.?
05-09-2018 08:57 AM
Thanks for your answer, Karsten.
I'm not familiar with that scenario. Whom could I speak to in order to obtain more information on whether this is a possibility?
05-09-2018 09:03 AM
For now, it's likely that you have to make yourself comfortable with the API and write your own scripts that use it. The API on FTD is quite new, but I assume that some vendors of management solutions will have software for this in some time.
