Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9266
Views
14
Helpful
2
Replies

How to rollback a change in the policy that has not been deployed on FTD from FMC ?

damode
Level 1
Level 1

‎10-23-2019 05:41 PM - edited ‎02-21-2020 09:37 AM

I noticed one of the policies on the FMC is out of date i.e not updated/deployed on the Firewall.

I am not aware what changes were done on the policy and I want to avoid going through each and every rule to find that out.

Is there way I can rollback changes on the policy to match with the policy that is already on the firewall ?

5 people had this problem
2 Replies 2

Francesco Molino
VIP Alumni
VIP Alumni

‎10-23-2019 07:55 PM

Hi

Unfortunately you can't. This is an existing enhancement request:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm28872/?rfs=iqvred

If you have a backup, you can restore it.
I know some guys at the TAC can clear the db but not all are doing this.

You can go under the system menu then monitoring and audit, you'll be able to see who did the change and click on the detail to see what change has been done.

If someone has exported the policies, you can re-import then under ACP menu.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

pan
Cisco Employee
Cisco Employee

‎03-26-2023 09:23 AM - edited ‎03-26-2023 09:23 AM

Latest FTD have option to rollback the policy to last working policy

configure policy rollback
---------------------------------------------------------------------------------------------
[Warning] Perform a policy rollback if the FTD communicates with the FMC on a data interface, and it has lost connectivity due to a policy deployment from the FMC. If the FTD still has connectivity to the FMC, and you want to perform a policy rollback for other purposes, then you should do the rollback on the FMC and not with this command. Note that there will be a traffic drop when you rollback the policy.

Checking Eligibility ....
============= DEVICE DETAILS =============
Device Version: 7.3.0
Device Type: FTD
Device Mode: Offbox
Device in HA: false
Device in Cluster: false
Device Upgrade InProgress: false
==========================================
Device is eligible for policy rollback

This command will rollback the policy to the last deployment done on Mar 26 15:48.
[Warning] The rollback operation will revert the convergence mode.
Do you want to continue (YES/NO)? Yes

Starting rollback...
Deployment of Platform Settings to device. Status: success

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card