User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 8 Managing Deployment
Understanding Deployment
To set a default directory for file deployments, select Tools > Security Manager Administration, then
select Deployment (see Deployment Page, page 11-9). If you select File for the default deployment
method, you also select the default directory. When you create a deployment job, you can change this
directory for that job.
Deploying configurations to a file is useful when the devices are not yet in place in your network (known
as green field deployment), when you have your own mechanisms in place to transfer configurations to your
devices, or when you want to delay deployment. When deploying to a file, the deployment job might fail if
you select a large number of devices or several devices that have large configuration files. If you
encounter deployment failures, resubmit the job with fewer devices selected.
Tip: When deploying to file, do not use commands that require interaction with the device during deployment.
We recommend previewing your configuration before deployment to make sure there are no such
commands in the file. For more information, see Previewing Configurations, page 8-45.
Understanding How Out-of-Band Changes are Handled
Security Manager considers an out-of-band change to be any change made to a device manually or
outside of Security Manager control, for example, by logging into the device directly and entering
configuration commands through the CLI. Paradoxically, this includes the application of delta changes
that Security Manager creates when you deploy configurations to file rather than to the device.
If you are deploying to the device (rather than to file), and the deploy to device method is configured to
compare the new configuration to the current configuration on the device, you can use the Out of Band
Change Behavior setting to specify how out-of-band changes are handled when they are detected. The
setting does not apply when deploying to file.
This setting is ignored if you are comparing the new device configuration with the latest version stored
in the Security Manager Configuration Archive. The default way to handle out-of-band changes is set
in Tools > Security Manager Administration > Deployment; for more information, see Deployment Page,
page 11-9. Look for the Deploy to Device Reference Configuration and When Out of Band Changes
Detected settings.
Tip: When the deployment method is configured to use the reference configuration in Configuration Archive,
out-of-band changes are always removed. This is equivalent to selecting Do not check for changes.
Your options for handling out-of-band changes are:
• Overwrite changes and show warning—When configurations are deployed, Security Manager
  uploads the device’s current configuration and compares it against the configuration it has in its
  database. If changes were made to the device manually, Security Manager continues with the
  deployment and displays a warning notifying you of this action. Out-of-band changes are removed
  from the device.
• Cancel deployment—When configurations are deployed, Security Manager uploads the device’s
  current configuration and compares it against the configuration it has in its database. If changes were
  made to the device manually, Security Manager cancels the deployment and displays a warning
  notifying you of this action. You must either manually remove the out-of-band changes, or configure
  the same settings in Security Manager, before you can deploy configuration changes to the device.
• Do not check for changes—Security Manager does not check for changes and deploys the changes
  to the device. No warnings are issued, and any out-of-band changes are removed from the device
  configuration.
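
The three behaviors above can be modeled as a small pre-deployment check that shows what each option does with a manually added line. This is an added illustration, not Cisco code and not a description of how Security Manager performs its comparison; the sample configurations, the function names, and the choice to ignore blank and "!" comment lines are assumptions.

```python
import difflib
from enum import Enum

class OobBehavior(Enum):
    OVERWRITE_AND_WARN = "Overwrite changes and show warning"
    CANCEL = "Cancel deployment"
    DO_NOT_CHECK = "Do not check for changes"

# Constructed sample data: the copy held by the management system, and the
# device's current configuration with one ACL line added by hand on the CLI.
REFERENCE = """hostname fw-edge-01
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended deny ip any any
"""
RUNNING = """! constructed sample
hostname fw-edge-01
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 22
access-list OUTSIDE_IN extended deny ip any any
"""

def normalize(config_text):
    """Drop blank lines, '!' comment lines and trailing whitespace (assumption)."""
    lines = (raw.rstrip() for raw in config_text.splitlines())
    return [l for l in lines if l and not l.lstrip().startswith("!")]

def out_of_band_changes(reference, running):
    """List lines missing from ('- ') or added to ('+ ') the running config."""
    ref, run = normalize(reference), normalize(running)
    matcher = difflib.SequenceMatcher(None, ref, run, autojunk=False)
    changes = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            changes += ["- " + line for line in ref[i1:i2]]
        if tag in ("insert", "replace"):
            changes += ["+ " + line for line in run[j1:j2]]
    return changes

def plan_deployment(reference, running, behavior):
    """Return (deploy, warning, changes) for the chosen out-of-band behavior."""
    if behavior is OobBehavior.DO_NOT_CHECK:
        return True, None, []          # nothing compared, nothing reported
    changes = out_of_band_changes(reference, running)
    if not changes:
        return True, None, []
    if behavior is OobBehavior.CANCEL:
        return False, "cancelled: %d out-of-band line(s)" % len(changes), changes
    return True, "overwriting %d out-of-band line(s)" % len(changes), changes
```

With Do not check for changes, the hand-added line is removed without ever being listed, so keeping a diff like this one from a separate configuration backup is the only record that the change existed.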