8-47
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 8 Managing Deployment
Working with Deployment and the Configuration Archive
Tip Out of band change detection is available only for IOS, ASA, PIX, FWSM devices, and security
contexts; it is not available for IPS devices. However, the settings for handling out of band changes
during deployment also apply to IPS devices; the difference is that you cannot proactively analyze these
changes in IPS devices prior to deployment.
To determine whether there have been out of band changes on one or more devices, do any of the
following in Device view:
• Select Tools > Detect Out of Band Changes. You are prompted to select the devices to evaluate for
out of band changes. Select the devices or device groups, click >> to move them to the selected list,
and click OK. For more information on selecting devices, see Using Selectors, page 1-42.
• Select one or more devices or device groups, right-click and select Detect Out of Band Changes.
The selected devices are evaluated for changes.
• During deployment, select the devices to include in deployment and click the Detect OOB Changes
button. (The button is available on the Deploy Saved Changes dialog box and the
Deployment—Create or Edit a Job dialog box, depending on the workflow mode you are using.) The
selected devices are evaluated for changes.
For information on the deployment procedure, see:
– Deploying Configurations in Non-Workflow Mode, page 8-29
– Creating and Editing Deployment Jobs, page 8-36
When you start the detection process, the OOB (Out of Band) Changes Dialog Box is opened so that you
can view the results. Each selected device is evaluated by retrieving the current running configuration
and comparing it to the most recent configuration stored in Configuration Archive. Security Manager
does not consider any unmanaged policy types when evaluating differences between the configurations.
Tip Note that if you are in the process of deployment, the running configuration is not compared to the one
you are proposing to deploy, so if you detect out of band changes, you might also want to preview the
proposed configuration to see if you already implemented the same change in Security Manager policies.
Right-click the device in the deployment dialog box and select Preview Config. You can compare the
proposed configuration to the current running configuration. For more information, see Previewing
Configurations, page 8-45.
The OOB Changes dialog box shows the results of change detection. If a device has out of band changes,
the icon for the device in the device selector changes to green. Select a device in the left pane of the OOB
Detail tab to view the changes from the latest configuration in configuration archive. Use the buttons at
the bottom of the window to move from change to change. The legend at the bottom explains the color
coding used to describe the changes.
When evaluating changes, consider the following:
• If you want to keep the change, update the relevant policy in Security Manager to recreate the policy.
Use preview config to ensure that your policy changes produce the desired results. Security Manager
might use different naming conventions, so consider whether the policy results in the same thing,
rather than being exactly the same text. Keep in mind that out of band change detection looks for
syntactic differences, not semantic differences.
• If you use another application to configure certain types of policies, consider unmanaging that
policy type in Security Manager. Security Manager ignores any configuration commands related to
policies that it is not managing. For more information, see Policy Management Page, page 11-45.