Backing Up FDM-Managed Devices

You can use Cisco Defense Orchestrator to back up an FDM-managed device's system configuration so that you can restore the device to a previous state. Backups include the configuration only, and not the system software. If you need to completely reimage the device, you need to reinstall the software, then you can upload a backup and recover the configuration. CDO saves the last 5 backups made for a device. When a new backup occurs, the oldest backup is deleted in order to store the newest backup.

Note

The backup does not include the management IP address configuration. Thus, when you recover a backup file, the management address is not replaced by the address stored in the backup copy. This ensures that any changes you made to the address are preserved, and also makes it possible to restore the configuration on a different device on a different network segment.

The configuration database is locked during backup. You cannot make configuration changes during a backup, although you can view policies, dashboards, and so forth. During a restore, the system is completely unavailable.

To make backup schedules across your devices consistent, you can configure your own default backup schedule. When you schedule a backup for a particular device, you can use your own default settings or change them. You can schedule recurring backups with cadences from daily to once a month and you can perform an on-demand backup. You can also download backups and then use the Threat Defense device manager to restore them.

Requirements and best practice for backing up and restoring an FDM-managed device using CDO

  • CDO can back up FDM-managed devices running software version 6.5 and later.

  • The FDM-managed device must be onboarded to CDO using a registration key.

  • You can restore a backup onto a replacement device only if the two devices are the same model and are running the same version of the software, including the build number, not just the same point release. For example, a backup of an FDM-managed device running software version 6.6.0-90 can only be restored to an FDM-managed device running 6.6.0-90. Do not use the backup and restore process to copy configurations between appliances. A backup file contains information that uniquely identifies an appliance, so it cannot be shared in this manner.

  • For the Secure Firewall Threat Defense backup functionality to work in CDO, threat defense needs to access one of these CDO URLs based on your tenant region.

    • edge.us.cdo.cisco.com

    • edge.eu.cdo.cisco.com

    • edge.apj.cdo.cisco.com

  • Ensure that the device has outbound access on port 443 (HTTPS) to the CDO URL for your region. If the port is blocked by a firewall, the backup and restore process may fail.
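The following is an added pre-flight check, not a Cisco or CDO tool: run from a host on the same management network as the threat defense device, it resolves the CDO edge hostname for a tenant region (the three hostnames and region names above) and confirms that a TLS connection on TCP 443 can be established, translating the common curl failure codes into the likely cause (DNS, blocked port, timeout, TLS interception). The function names, the 5-second connect timeout and the failure-reason wording are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the CDO documentation): verify outbound HTTPS
# reachability to the CDO edge endpoint before scheduling a backup.

# Map a tenant region to its CDO edge hostname (hostnames from the requirements list).
cdo_edge_host() {
    case "$1" in
        us)  echo "edge.us.cdo.cisco.com" ;;
        eu)  echo "edge.eu.cdo.cisco.com" ;;
        apj) echo "edge.apj.cdo.cisco.com" ;;
        *)   echo "unknown tenant region: $1 (expected us, eu or apj)" >&2; return 1 ;;
    esac
}

# Translate a curl exit status into the most likely network cause.
# Exit codes are curl's documented values; the explanations are this example's.
curl_failure_reason() {
    case "$1" in
        0)  echo "reachable" ;;
        6)  echo "DNS resolution failed (check the device's DNS servers)" ;;
        7)  echo "TCP connect refused or blocked (check outbound tcp/443 firewall rules)" ;;
        28) echo "connection timed out (tcp/443 likely silently dropped)" ;;
        35) echo "TLS handshake failed (possible TLS inspection or proxy in the path)" ;;
        60) echo "certificate verification failed (possible TLS interception)" ;;
        *)  echo "curl exited with status $1" ;;
    esac
}

# Attempt a TLS connection to https://<host>/ with a short connect timeout.
# Any HTTP response at all (even 4xx) proves TCP and TLS work; curl only
# returns non-zero here for transport or certificate problems.
check_https_reachability() {
    host="$1"
    curl -sS -o /dev/null --connect-timeout 5 --max-time 10 "https://$host/" 2>/dev/null
    status=$?
    reason=$(curl_failure_reason "$status")
    if [ "$status" -eq 0 ]; then
        echo "OK: $host on tcp/443: $reason"
    else
        echo "FAIL: $host on tcp/443: $reason" >&2
    fi
    return "$status"
}

# Usage: ./cdo_preflight.sh <region>   (e.g. ./cdo_preflight.sh us)
# The check only runs when a region argument is supplied so the functions can be sourced.
if [ "$#" -gt 0 ]; then
    host=$(cdo_edge_host "$1") || exit 1
    check_https_reachability "$host"
fi
```

A FAIL with exit status 7 or 28 points at the outbound firewall rule for port 443 described in the requirement above; 35 or 60 usually means a TLS-inspecting proxy sits between the device and CDO, which also breaks the backup connection even though the port itself is open.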

Best Practice

The device you are going to back up should be in the Synced state in CDO. CDO reads the configuration from the device itself, not from CDO's copy of it. So, if the device is in a Not Synced state, changes staged in CDO but not yet deployed will not be backed up. If the device is in a Conflict Detected state, the changes made on the device will be backed up.