Restore Threat Defense from Backup: Threat Defense Virtual

Use this procedure to replace a faulty or failed threat defense virtual device for VMware.

In threat defense HA and clustering deployments, you can use this procedure to replace all peers. To replace all, perform all steps on all devices simultaneously, except the restore CLI command itself.

Note

Do not unregister from the management center, even when disconnecting a device from the network. In threat defense HA and clustering deployments, do not suspend or break high availability or clusters. Maintaining registration ensures that replacement devices can automatically reconnect after restore.

Before you begin

You must read and understand the requirements, guidelines, limitations, and best practices. Do not skip any steps or ignore security concerns. Careful planning and preparation can help you avoid missteps.

Procedure


Step 1

Navigate to System (system gear icon) > Tools > Backup/Restore.

Step 2

Locate a successful backup of the faulty device from Device Backups under Backup Management.

For clustering, node backup files are bundled together in a single compressed file for the cluster (cluster_name.timestamp.tar.gz). Before you can restore nodes, you need to extract the individual node backup files (node_name_control_timestamp.tar or node_name_data_timestamp.tar).

Use Download to save the backup file(s) to your local storage, or use Export Backup Links to generate a download URL for each backup and export the URLs to a CSV file, which is then downloaded. Use the URL to download the backup to a secure location. Note that the URL is valid only for six hours, after which you must export it again to get a new URL.

In threat defense HA deployments, you back up the pair as a unit, but the backup process produces unique backup files for each device in the pair. The device's role is noted in the backup file name.

If the only copy of the backup is on the faulty device, copy it somewhere else now. If you reimage the device, the backup will be erased. If something else goes wrong, you may not be able to recover the backup.

The replacement device needs the backup, but can retrieve it with SCP during the restore process. We recommend you put the backup somewhere SCP-accessible to the replacement device. Or, you can copy the backup to the replacement device itself.

Step 3

Remove the faulty device.

Shut down, power off, and delete the virtual machine. For procedures, see the documentation for your virtual environment.

Step 4

Deploy a replacement device.

Step 5

Perform initial configuration on the replacement device.

Use the VMware console to access the threat defense virtual CLI as the admin user. A setup wizard prompts you to configure the management IP address, gateway, and other basic network settings.

Do not set the same management IP address as the faulty device. This can cause problems if you need to register the device in order to patch it. The restore process will correctly reset the management IP address.

See the CLI setup topics in the getting started guide: Cisco Firepower Threat Defense Virtual for VMware Getting Started Guide.

Step 6

Make sure that the replacement device is running the same Firewall software version, including patches, as the faulty device.

Ensure that the existing device is not deleted from CDO. The replacement device should stay unmanaged and off the physical network, and the new hardware and the replacement threat defense virtual must be at the same patch version. The threat defense virtual CLI does not have an upgrade command. To patch:

  1. Complete the threat defense virtual registration process in CDO.

  2. Patch the threat defense virtual device.

  3. Unregister the freshly patched device from CDO.

Step 7

Make sure that the replacement device has access to the backup file.

The restore process can retrieve the backup with SCP, so we recommend you put the backup somewhere accessible. Or, you can manually copy the backup to the replacement device itself, to /var/sf/backup. For clusters, make sure you extract the individual node backup file from the main cluster bundle.
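Staging the right node file out of a cluster bundle, as an added example that is not part of the Cisco procedure: it assumes the bundle and member names follow the pattern given in Step 2 (cluster_name.timestamp.tar.gz containing node_name_control_timestamp.tar or node_name_data_timestamp.tar), uses constructed sample files, and records a SHA-256 so the copy placed on the SCP host can be checked against the original before the restore in Step 8.

```shell
#!/bin/sh
# Added example, not from the Cisco guide. Picks one node's backup out of a
# cluster bundle by node name, extracts it into a staging directory, and
# writes a SHA-256 to compare after copying the file to the SCP host.
set -e

# Print the role (control or data) encoded in a node backup file name.
node_role() {
    case $1 in
        *_control_*.tar) echo control ;;
        *_data_*.tar)    echo data ;;
        *) echo "unrecognised node backup name: $1" >&2; return 1 ;;
    esac
}

# List the bundle member belonging to one node; fail unless exactly one matches.
select_node_backup() {
    bundle=$1; node=$2
    matches=$(tar -tzf "$bundle" | grep -E "^${node}_(control|data)_[0-9]+\.tar$" || true)
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    [ "$count" -eq 1 ] || { echo "expected 1 file for node ${node}, found ${count}" >&2; return 1; }
    printf '%s\n' "$matches"
}

# Extract that member into $dest, restrict its permissions (it holds device
# configuration), and record its checksum next to it.
stage_node_backup() {
    bundle=$1; node=$2; dest=$3
    member=$(select_node_backup "$bundle" "$node")
    mkdir -p "$dest"
    tar -xzf "$bundle" -C "$dest" "$member"
    chmod 600 "$dest/$member"
    sha256sum "$dest/$member" > "$dest/$member.sha256"
    printf '%s\n' "$dest/$member"
}

# Constructed sample bundle (cluster "ftdv-cluster", nodes node1 and node2)
# standing in for a real backup downloaded in Step 2.
make_sample_bundle() {
    work=$1
    mkdir -p "$work/src"
    echo "constructed control-node backup" > "$work/src/node1_control_1700000000.tar"
    echo "constructed data-node backup"    > "$work/src/node2_data_1700000000.tar"
    (cd "$work/src" && tar -czf "../ftdv-cluster.1700000000.tar.gz" \
        node1_control_1700000000.tar node2_data_1700000000.tar)
    printf '%s\n' "$work/ftdv-cluster.1700000000.tar.gz"
}
```

After copying the staged .tar to the SCP host, run sha256sum -c on the .sha256 file there; a mismatch means the file was altered or truncated in transit and must not be used for the restore.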

Step 8

From the threat defense CLI, restore the backup.

Access the threat defense virtual CLI as the admin user. You can use the console or you can SSH to the newly configured management interface (IP address or hostname). Keep in mind that the restore process will change this IP address.

To restore:

  • With SCP: restore remote-manager-backup location scp-hostname username filepath backup tar-file

  • From the local device: restore remote-manager-backup backup tar-file

In threat defense HA and clustering deployments, make sure you choose the appropriate backup file: primary vs. secondary, or control vs. data. The role is noted in the backup file name. If you are restoring all devices, do this sequentially. Do not run the restore command on the next device until the restore process completes for the first device, including the reboot.

Step 9

Log into CDO and wait for the devices to connect.

When the restore is done, the device logs you out of the CLI, reboots, and automatically connects to CDO. At this time, the device should appear out of date.

Step 10

Before you deploy, perform any post-restore tasks and resolve any post-restore issues:

  • Resolve licensing conflicts or orphan entitlements. Contact Cisco TAC.

  • Resume HA synchronization.

  • Re-add/re-enroll all VPN certificates. The restore process removes VPN certificates from threat defense virtual devices, including certificates added after the backup was taken.

Step 11

Deploy configurations.

You must deploy. If a restored device is not marked out of date, force deploy from the Device Management page.

Step 12

Connect the device's data interfaces.

See the hardware installation guide for your model: Cisco Secure Firewall Threat Defense: Install and Upgrade Guides.