8-28
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 8 Managing Deployment
Working with Deployment and the Configuration Archive
• Deploying Configurations to a Token Management Server, page 8-43
• Previewing Configurations, page 8-45
• Redeploying Configurations to Devices, page 8-49
• Aborting Deployment Jobs, page 8-51
• Rolling Back Configurations to Devices Using the Deployment Manager, page 8-65
• Creating or Editing Deployment Schedules, page 8-52
• Suspending or Resuming Deployment Schedules, page 8-55
Tips for Successful Deployment Jobs
Successful deployment depends on many things, as explained in Troubleshooting Deployment, page 9-9.
In addition to factors involving network communications and the proper functioning of the device, you
can also improve the results of deployment by keeping the following tips in mind when you select
devices for a deployment job or start the job:
• You must configure at least one policy on a device before deploying to that device. If you deploy to
  a device without assigning at least one policy, the device’s current configuration is overwritten with
  a blank configuration and the device will be non-functional.
• Firewall devices only—If you manually added a firewall device (as described in Adding Devices by
  Manual Definition, page 3-25), we highly recommend that you discover (import) the factory-default
  policies for that device before deploying to that device. Bringing these policies into Security
  Manager prevents you from unintentionally removing them the first time you deploy to that device.
  For more information about factory-default policies for firewall devices, see Default Firewall
  Configurations, page 45-2. For more information about importing policies, see Discovering
  Policies, page 5-12.
• Deployment might take from a few minutes to an hour or more, depending on the number of devices
  in the deployment job.
• Modifying a subset of devices that are part of a VPN might make the VPN inoperable. If you select
  a subset of devices that are part of a VPN when creating a deployment job, you are warned and given
  the opportunity to select the other devices in the VPN. See Warning - Partial VPN Deployment
  Dialog Box, page 8-32.
• You cannot select devices that were included in other deployment jobs that are in an active state
  (Edit, Edit Open, and Approved). You can select devices that were included in other deployment jobs
  that are in the Deployed, Failed, Discarded, or Aborted states.
• Firewall service modules (FWSMs) and Intrusion Detection System service modules (IDSMs)
  contain virtual devices. Security Manager considers the module and the virtual devices to be
  separate devices.
• Some changes to the FWSM might require the Catalyst Multiservice function card (MSFC) to be
  updated as well. If you select an FWSM that has these types of changes, Security Manager notifies
  you that you must include the MSFC in the deployment job, and it will select the MSFC device for
  you automatically. However, if the MSFC is already included in another active deployment job, you
  cannot include the MSFC in the current deployment job. You must remove the MSFC from the other
  deployment job, discard the other deployment job, or include the FWSM in the other deployment
  job.
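
The selection rules in the tips above can be rehearsed offline before a change window. The following is an added example, not part of the Cisco guide and not a Security Manager API: the inventory model, the field names (`policies`, `msfc`, `needs_msfc`) and all device, VPN and job names are assumptions made for illustration.

```python
# Added example: hypothetical inventory model, not a Security Manager API.
ACTIVE_STATES = {"Edit", "Edit Open", "Approved"}  # active job states named on the page

def preflight(selected, devices, vpns, other_jobs):
    """Return (blocking, warnings) for a proposed deployment job selection."""
    selected = set(selected)
    blocking, warnings = [], []
    # Map each device held by an active job to that job's name.
    locked = {d: j["name"] for j in other_jobs
              if j["state"] in ACTIVE_STATES for d in j["devices"]}
    for name in sorted(selected):
        dev = devices[name]
        if dev.get("policies", 0) == 0:
            blocking.append(f"{name}: no policy assigned, deploy would push a blank config")
        if name in locked:
            blocking.append(f"{name}: already in active job {locked[name]}")
        msfc = dev.get("msfc")
        if dev.get("needs_msfc") and msfc and msfc not in selected:
            if msfc in locked:
                blocking.append(f"{name}: needs MSFC {msfc}, held by active job {locked[msfc]}")
            else:
                warnings.append(f"{name}: MSFC {msfc} must be included in this job")
    # Selecting only some members of a VPN can make the VPN inoperable.
    for vpn, members in sorted(vpns.items()):
        missing = members - selected
        if members & selected and missing:
            warnings.append(f"{vpn}: partial VPN deployment, not selected: "
                            + ", ".join(sorted(missing)))
    return blocking, warnings

# Constructed sample inventory (all names are made up).
DEVICES = {
    "asa-1": {"policies": 4},
    "asa-2": {"policies": 0},  # manually added, nothing assigned yet
    "rtr-1": {"policies": 2},
    "rtr-2": {"policies": 3},
    "fwsm-1": {"policies": 5, "needs_msfc": True, "msfc": "msfc-1"},
    "msfc-1": {"policies": 1},
}
VPNS = {"site-to-site-A": {"rtr-1", "rtr-2"}}
JOBS = [{"name": "job-17", "state": "Approved", "devices": {"msfc-1"}},
        {"name": "job-12", "state": "Deployed", "devices": {"asa-1"}}]

if __name__ == "__main__":
    for kind, msgs in zip(("BLOCK", "WARN"),
                          preflight(["asa-1", "asa-2", "rtr-1", "fwsm-1"], DEVICES, VPNS, JOBS)):
        for m in msgs:
            print(kind, m)
```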