06-21-2022 06:29 AM
Hello. I'm creating my FIRST FlexConfig policy. But when I try to assign it to a device, I'm getting the following message:
"Following devices already have assignments listed below. These devices will be reassigned to the current policy
device: impftd - policy: (device setting)
Do you want to continue with above changes?"
Will I lose some settings if I answer "yes"? Is there any way to see the mentioned "(device setting)" policy, and/or FlexConfigs already set on the device?
We're using FMC 7.0.1 and a HA pair of 2110s with FTD 7.0.1. We recently upgraded from 6.4, but we didn't use FlexConfig before.
Thanks and best regards.
06-21-2022 09:39 AM
06-22-2022 12:15 AM
Hello Mohammed, there AREN'T ANY policies in the list! The policy I'm creating is the FIRST one. But the FMC warns me that the device is assigned to "policy: (device setting)". My question is how to see THAT policy. And is there any other way to see the FlexConfig commands which are in effect? As you said, it's good to know that before any changes. Thanks and best regards.
06-22-2022 01:57 AM
I do not believe that this is possible. If the policy is not present in the FMC GUI, then the only place you can check is the running configuration on the FTD itself, but there you would need to know what you are looking for. FlexConfig is only a tool that you can use to send ASA CLI configuration to the FTD device, so you would only see the configurations themselves on the FTD and not the actual policy.
06-22-2022 05:00 AM
So, it would be sufficient to compare "show run all" before and after new FlexConfig policy, assuming there are no other changes in the same deployment?
06-22-2022 06:48 AM
Yes, that would be the only way to know what was included in the previous policy.
06-23-2022 07:25 AM
So folks, thank you both for the help. The first policy went fine. Here's the outcome:
- Before I assigned the first flexconfig policy to our FTD HA pair, Preview Config button was grayed out.
- But after I assigned the policy and before I saved the changes, the button became active!?! As the only available device, it didn't offer our FTD HA pair but just our primary FTD device!?! And it displayed the old (before-save) flexconfig.
- After I saved the changes, the button offered our FTD HA as the only available device, and displayed the new flexconfig. All of the old commands were still there, and a couple of new commands produced by the new policy were added.
- I compared show run all before and after, and the only differences were the commands added by the new policy.
Thanks again and best regards.
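The before/after comparison of "show run all" discussed in this thread, as an added example (not code from any poster or from Cisco): it reports each added or removed command together with its parent sub-mode, which a plain line diff does not show. The sample captures, the noise-line pattern and the function names are constructed for illustration; save your own two captures to text and pass them in instead.

```python
import re

# Lines that differ between captures without a config change: ":" comment
# lines, "!" separators and the trailing checksum (assumed set; extend as needed).
NOISE = re.compile(r"^(:|!|Cryptochecksum:)")

def flatten(config_text):
    """Return every command as a tuple (parent, ..., command), using the
    leading-space indentation of ASA-style output to find its sub-mode."""
    paths, stack = set(), []          # stack: (indent, command) of open modes
    for raw in config_text.splitlines():
        cmd = raw.strip()
        if not cmd or NOISE.match(cmd):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()               # left the previous sub-mode
        stack.append((indent, cmd))
        paths.add(tuple(c for _, c in stack))
    return paths

def config_delta(before, after):
    """Commands present only after / only before. Sets ignore ordering, so a
    reordered ACL is not reported; use a line diff for that."""
    b, a = flatten(before), flatten(after)
    return sorted(a - b), sorted(b - a)

# Constructed sample captures (not real device output).
BEFORE = """: Saved
NGFW Version 7.0.1
!
hostname impftd
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
!
Cryptochecksum:00000000 11111111
: end
"""
AFTER = BEFORE.replace("  inspect ftp\n", "  inspect ftp\n  inspect snmp\n") \
              .replace("00000000", "22222222") \
              .replace("!\nCryptochecksum", "sysopt connection tcpmss 1380\n!\nCryptochecksum")

if __name__ == "__main__":
    added, removed = config_delta(BEFORE, AFTER)
    for path in added:
        print("+ " + " / ".join(path))
    for path in removed:
        print("- " + " / ".join(path))
```

An empty "removed" list after the first FlexConfig deployment is the check that nothing previously on the device was dropped.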