Best Practices for Backup and Restore

Backup and restore have the following best practices.

When to Back Up

We recommend backing up during a maintenance window or other time of low use.

You must back up in the following situations:

  • Regular backups.

    As part of your disaster recovery plan, we recommend that you perform periodic backups.

  • Before upgrade or reimage.

    If an upgrade fails catastrophically, you may have to reimage and restore. Reimaging returns most settings to factory defaults, including the system password. If you have a recent backup, you can return to normal operations more quickly.

  • After upgrade.

    Ensure that you back up the device after upgrade, so that you have a freshly upgraded device backup.

Maintaining Backup File Security

Backup files are stored as unencrypted archive (.tar) files; they should be stored in a secure repository.

Private keys in PKI objects, which represent the public key certificates and paired private keys that are required to support your deployment are decrypted before they are backed up. The keys are reencrypted with a randomly generated key when you restore the backup.

Backup file should be stored securely.

Backup and Restore in Threat Defense High Availability Deployments

In a threat defense HA deployment, you must:

  • Back up the device pair from the cloud-delivered Firewall Management Center, but restore individually and locally from the threat defense CLI.

    The backup process produces unique backup files for threat defense HA devices. Do not restore one HA peer with the backup file from the other. A backup file contains information that uniquely identifies an appliance, and cannot be shared.

    A threat defense HA device's role is noted in its backup file name. When you restore, make sure you choose the appropriate backup file: primary vs secondary.

  • Do not suspend or break HA before you restore.

    Maintaining the HA configuration ensures that replacement devices can easily reconnect after restore. Note that you will have to resume HA synchronization to make this happen.

  • Do not run the restore CLI command on both peers at the same time.

    Assuming you have successful backups, you can replace either or both peers in an HA pair. Any physical replacement tasks that you can perform simultaneously: unracking, reracking, and so on. However, do not run the restore command on the second device until the restore process completes for the first device, including the reboot.

Backup and Restore in Threat Defense Clustering Deployments

In the threat defense clustering deployment, you must:

  • Back up the entire cluster from the cloud-delivered Firewall Management Center, but restore nodes individually and locally from the threat defense CLI.

    The backup process produces a bundled tar file that includes unique backup files for each cluster node. Do not restore one node with the backup file from another. A backup file contains information that uniquely identifies a device, and cannot be shared.

    The node's role is noted in its backup file name. When you restore, make sure you choose the appropriate backup file: control or data.

    You cannot back up individual nodes. If a data node fails to back up, the management center will still back up all other nodes. If the control node fails to back up, the backup is canceled.

  • All the nodes that are part of the cluster must be registered in the management center, for the backup to be successful.

  • Do not suspend or break clustering before you restore. Maintaining the cluster configuration ensures replacement devices can easily reconnect after restore.

  • Do not run the restore CLI command on multiple nodes at the same time. We recommend that you restore the control node first and wait until it rejoins the cluster before you restore any data nodes.

    Assuming you have successful backups, you can replace multiple nodes in the cluster. Any physical replacement tasks you can perform simultaneously: unracking, reracking, and so on. However, do not run the restore command on an additional node until the restore process completes for the previous node, including the reboot.

Before Restore

Before restore, you must:

  • Revert licensing changes.

    Revert any licensing changes made since you took backup.

    Otherwise, you may have license conflicts or orphan entitlements after the restore. However, do not unregister from Cisco Smart Software Manager (CSSM). If you unregister from CSSM, you must unregister again after you restore, then re-register.

    After the restore completes, reconfigure licensing. If you notice licensing conflicts or orphan entitlements, contact Cisco TAC.

  • Disconnect faulty appliances.

    Disconnect the management interface, and for devices, the data interfaces.

    Restoring a threat defense device sets the management IP address of the replacement device to the management IP address of the old device. To avoid IP address conflicts, disconnect the old device from the management network before you restore the backup on its replacement.

  • Do not unregister managed devices.

    Whether you are restoring a managed device, do not unregister devices from the CDO, even if you physically disconnect an appliance from the network.

    If you unregister, you must redo some device configurations, such as security zone to interface mappings. After you restore, CDO and devices should begin communicating normally.

  • Reimage.

    In an RMA scenario, the replacement appliance arrives configured with factory defaults. However, if the replacement appliance is already configured, we recommend you reimage. Reimaging returns most settings to factory defaults, including the system password. You can only reimage to major versions, so you may must patch after you reimage.

    If you do not reimage, keep in mind that CDO intrusion events and file lists are merged rather than overwritten.

After Restore

After restore, you must:

  • Reconfigure anything that was not restored.

    This can include reconfiguring licensing, and audit log server certificate settings. You also must re-add/re-enroll failed threat defense VPN certificates.

  • Deploy.

    After you restore a device, deploy to that device. You must deploy. If the device or devices are not marked out of date, force deploy from the Device Management page.