Modifying FTD instance on FTD3130

Antonio Macia
Level 3

Hi,

We want to remove a sub-interface assigned to a running instance in our FTD3130. We have already disabled it inside the instance and now we want to disassociate it from the container inside the chassis. Does this require a restart of the instance, or can we do it live, hot-swap, without impacting production traffic?

Thanks

Accepted Solution

wajidhassan
Level 4

You can remove the sub-interface from the container inside the chassis without requiring a full restart of the instance or affecting production traffic. In Cisco Firepower Threat Defense (FTD) devices, most interface changes (including removing sub-interfaces) can be done dynamically without the need for a reboot or service disruption, provided they are done correctly.

Here’s how you can do it without impacting production traffic:

1. Ensure the sub-interface is administratively disabled: Since you've already disabled the sub-interface within the instance, this is the first step.

2. Unassign the sub-interface: You can unassign the sub-interface from the container via the command line (CLI) or Firepower Management Center (FMC). This involves removing the sub-interface from the virtual firewall context.

   On the CLI, you can use:

   ```bash
   config interface gigabitEthernet X/Y.Z no nameif
   ```

   Where X/Y.Z is the sub-interface you want to remove.

3. Check for dependency or association: Make sure there are no active sessions or critical configurations still dependent on that sub-interface. For instance, verify that there are no NAT policies, routing configurations, or ACLs directly associated with the sub-interface.

4. Verify dynamic failover and HA settings (if applicable): If you are running in HA mode, ensure that the sub-interface is not part of the HA configuration, as you would need to remove it from the HA pair as well.

5. Monitor traffic after change: Once you've removed the sub-interface, keep an eye on the traffic and logs to make sure everything remains stable. Typically, the system will handle this operation without impacting production, but monitoring ensures there are no issues.

Key Points:

- As long as you're only removing a disabled sub-interface and no other configurations are dependent on it, it should not require a restart or cause any service disruption.

- Always ensure that there are no active connections, routing policies, or other configurations that could be impacted by the removal.

