8-62
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 8 Managing Deployment
Rolling Back Configurations
2. Service modules.
3. Chassis.
We recommend performing rediscovery after the rollback operation is complete.
If you are rolling back an FWSM deployment and the system is configured to retrieve security
certificates when adding devices, you might need to retrieve the certificate after the rollback operation
is complete. This can be done using either of the following methods:
• Retrieving the certificate on a per-device basis from Device Properties.
• Configuring Security Manager to automatically retrieve certificates after rollback. To do this, select
Tools > Security Manager Administration > Device Communication, then select Retrieve while
adding devices in the PIX/ASA/FWSM Device Authentication Certificates field (in SSL Certificate
Parameters).
Related Topics
• Rolling Back Configurations to Devices Using the Deployment Manager, page 8-65
• Using Rollback to Deploy Archived Configurations, page 8-66
• Commands that Can Cause Conflicts after Rollback, page 8-64
• Commands to Recover from Failover Misconfiguration after Rollback, page 8-65
Understanding Rollback for IPS and IOS IPS
Special considerations apply to the rollback of IPS devices and IOS IPS devices. For these devices,
rollback might include rolling back sensor updates or signature updates, because Security Manager
manages not only their configuration but also their images, in the form of manual and automatic
upgrades and signature updates. Keep in mind that when you do a rollback, you are rolling
back the configuration, not the sensor updates or signature updates. These updates are downgraded only
if the configuration cannot be rolled back without downgrading the updates.
Rollback is accomplished through Configuration Archive. For IPS devices and IOS IPS devices, only the
current configuration is archived. The current configuration for one device version (say, Version X) may
not be valid for a different device version (say, Version Y). Security Manager rolls back a configuration
of Version X to a sensor with Version Y as long as the configuration for X is valid for Y.
If the configuration for X is valid for Y, rollback proceeds and Security Manager displays a confirmation
dialog box. If the configuration for X is not valid for Y, Security Manager displays a warning
dialog box and gives you the option of downgrading the sensor during rollback if such a
downgrade will help accomplish the rollback.
Caution: Downgrading an IPS device removes certain capabilities of the IPS device. For example, downgrading
the engine prevents you from applying the latest signature updates. Operation of an IPS device without
the latest signature updates diminishes the effectiveness of the IPS device.
For rollback of a deployment job, the warning dialog box contains one or more of the following types of
warnings:
• Security Manager warns you about IPS devices that need to have their sensor version downgraded
before a rollback can be performed.
• Security Manager warns you about IOS IPS devices whose signature level has changed. For these
devices, only the non-IPS sections of the configuration can be rolled back.