FTD Flex Config - how to delete/change access-list

tpospisil
Level 1

I had configured this ACL through Flex Config

access-list CPLANE extended deny ip host 185.11.61.172 any
access-list CPLANE extended permit ip any any
access-group CPLANE in interface outside control-plane

I want to add a new IP to block. But when I did it, I cannot deploy my config. I have tried removing this FlexConfig from the configuration, but I am still not able to deploy. How can I fix this?

 

Accepted Solutions

@tpospisil To manually remove the configuration, you create new FlexConfig objects to clear or negate the configuration commands. 

Refer to this - https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/flexconfig_policies.html?bookSearch=true#task_5608EFA7B65C46E299D8DC5877BDCFDB

FYI, a control-plane ACL has an implicit "permit" at the end, unlike a normal ACL.

What FPR platform do you have?

2120 and FMC, all in version 7.0.5

But my problem is now solved. Thanks to Rob.
