Cisco Defense Orchestrator

Backing Up FTDs

You can use CDO to back up the system configuration of a Firepower Threat Defense (FTD) device so that you can restore the device to a previous state. Backups include the configuration only, not the system software. If you need to completely reimage the device, reinstall the software first, then upload a backup and recover the configuration. CDO saves the last 5 backups made for a device. When a new backup occurs, the oldest backup is deleted to make room for the newest one.

Note: The backup does not include the management IP address configuration. Thus, when you recover a backup file, the management address is not replaced from the backup copy. This ensures that any changes you made to the address are preserved, and also makes it possible to restore the configuration on a different device on a different network segment.

The configuration database is locked during backup. You cannot make configuration changes during a backup, although you can view policies, dashboards, and so forth. During a restore, the system is completely unavailable.

You can schedule recurring backups with cadences from daily to once a month, and you can perform an on-demand backup. You can also download backups and then use Firepower Device Manager (FDM) to restore them.

Requirements and best practice for backing up and restoring an FTD device using CDO 

  • Requirement: CDO can back up FTDs running software version 6.5 and later.
  • Requirement: The FTD must be onboarded to CDO using a registration key.
  • Requirement: You can restore a backup onto a replacement device only if the two devices are the same model and are running the same version of the software, including the build number, not just the same point release. For example, a backup of an FTD running software version 6.6.0-90 can only be restored to an FTD running 6.6.0-90. Do not use the backup and restore process to copy configurations between appliances. A backup file contains information that uniquely identifies an appliance, so it cannot be shared in this manner.
  • Best Practice: The device you are going to back up should be in the Synced state in CDO. CDO backs up the configuration from the device itself, not from CDO. So, if the device is in a Not Synced state, changes on CDO will not be backed up. If the device is in a Conflict Detected state, the changes made on the device will be backed up.
