Sync & Delivery

The sync mechanism is how configuration changes propagate from NetDefense to devices. Whenever you modify a snippet, change a template, or reassign an OU, the affected devices need to receive the updated configuration.

How Sync Works

NetDefense computes a SHA-256 hash of the expected configuration payload for each device, based on its current OU assignments, templates, snippets, and variables. This hash is compared against the hash stored from the device’s last successful sync.

• SYNCED — the device’s active configuration matches the current expected hash. No action needed.
• NOT SYNCED — the hashes differ, meaning configuration changes have been made since the device last synced.

The sync hash is calculated based on the origin policy and kept in the NetDefense database, not on the device itself.

Caution

If a device’s local configuration is changed manually and drifts from the NetDefense policy, a normal sync will not reapply the configuration because the hashes still match. Use --force to push the configuration regardless of hash state.

Auto-Sync vs Manual Sync

• Auto-Sync enabled — the device’s NDAgent periodically checks for configuration changes and automatically applies them. This is the recommended setting for most production devices.
• Auto-Sync disabled — configuration is only applied when an administrator explicitly triggers a sync. This is useful for staging environments where you want to review changes before they go live, or for maintenance windows.

Tip

Enable Auto-Sync on production devices so configuration changes propagate without manual intervention. Reserve manual sync for staging or maintenance scenarios.

Check Sync Status

View in NDWeb

ndcli sync status

╭───────────────────┬────────────────┬───────────┬───────────┬──────────────╮
│ Device            │ OU             │ Auto-Sync │ Synced At │ Status       │
├───────────────────┼────────────────┼───────────┼───────────┼──────────────┤
│ fw-branch-austin  │ branch-offices │ Yes       │ 1d        │ ○ NOT SYNCED │
│ fw-branch-chicago │ branch-offices │ Yes       │ 3h        │ ● SYNCED     │
│ fw-branch-denver  │ branch-offices │ Yes       │ 3h        │ ● SYNCED     │
│ fw-guest-lobby    │ guest-networks │ Yes       │ 5m        │ ● SYNCED     │
│ fw-hq-primary     │ production     │ Yes       │ 5m        │ ● SYNCED     │
│ fw-hq-secondary   │ production     │ Yes       │ 5m        │ ● SYNCED     │
│ fw-staging-01     │ staging        │ No        │ 1h        │ ○ NOT SYNCED │
╰───────────────────┴────────────────┴───────────┴───────────┴──────────────╯

Total: 7 devices

Reading this output:

• fw-staging-01 shows NOT SYNCED because it has auto-sync disabled — it requires a manual sync trigger, which is intentional for a staging workflow.
• fw-branch-austin shows NOT SYNCED despite having auto-sync enabled — it hasn’t synced in over a day and is running an older agent version (2.3.9), suggesting a connectivity issue or agent update needed.
• The other devices are all SYNCED with recent sync times, indicating healthy operations.

Trigger Sync

View in NDWeb

Manually push configuration to a specific device:

ndcli sync apply --device fw-staging-01

Or sync all devices in an OU at once:

ndcli sync apply --ou production

You can also use --force to push the configuration even if the hashes already match, which is useful for troubleshooting or to override drifted configurations due to local changes.