Restore a Threat Defense Device

Threat Defense backup and restore is intended for RMA. Restoring the configurations overwrites all configurations on the device, including the management IP address. It also reboots the device.

In case of hardware failure, this procedure outlines how to replace a firewall device, either standalone or in an HA pair. It assumes you have access to a successful backup of the device or devices you are replacing.

In a threat defense HA deployment, you can use this procedure to replace either or both peers. To replace both, perform all steps on both devices simultaneously, except the restore CLI command itself. You cannot replace a threat defense HA device without a successful backup.

Note

Do not unregister from the CDO, even when disconnecting a device from the network. In a threat defense HA deployment, do not suspend or break HA. Maintaining these links ensures replacement devices can automatically reconnect after a restore.

Before you begin

You must read and understand the requirements, guidelines, limitations, and best practices. Do not skip any steps or ignore security concerns. Careful planning and preparation can help you avoid missteps.

Procedure


Step 1

Contact Cisco TAC for replacement hardware.

Obtain an identical model, with the same number of network modules and same type and number of physical interfaces. You can begin the RMA process from the Cisco Returns Portal.

Step 2

Navigate to System (system gear icon) > Tools > Backup/Restore.

Step 3

Locate a successful backup of the faulty device from Device Backups under Backup Management.

Use Download to save the backup file(s) to your local storage, or use Export Backup Links to generate a URL for each backup and export the URLs to a CSV file that is then downloaded. Use the URL to download the backup to a secure location. Note that the URL is valid only for six hours; after it expires, you must export again to get a new URL.

In a threat defense HA deployment, you back up the pair as a unit but the backup process produces unique backup files for each device in the pair. The device's role is noted in the backup file name.

If the only copy of the backup is on the faulty device, copy it somewhere else now. If you reimage the device, the backup will be erased. If something else goes wrong, you may not be able to recover the backup.

The replacement device will need the backup, but can retrieve it with the secure copy (SCP) command during the restore process. We recommend you put the backup somewhere SCP-accessible to the replacement device. Or, you can copy the backup to the replacement device itself.

Step 4

Remove (unrack) the faulty device and disconnect all interfaces. In threat defense HA deployments, this includes the failover link.

See the hardware installation and getting started guides for your model: Cisco Firepower NGFW: Install and Upgrade Guides.

Note

Do not unregister from the management center, even when disconnecting a device from the network. In threat defense HA deployments, do not suspend or break HA. Maintaining these links ensures replacement devices can automatically reconnect after restore.

Step 5

Install the replacement device and connect it to the management network.

Connect the device to power and the management interface to the management network. In threat defense HA deployments, connect the failover link. However, do not connect the data interfaces.

See the hardware installation guide for your model: Cisco Firepower NGFW: Install and Upgrade Guides.

Step 6

(Optional) Reimage the replacement device.

In an RMA scenario, the replacement device will arrive configured with factory defaults. If the replacement device is not running the same major version as the faulty device, we recommend you reimage.

See the Cisco Secure Firewall ASA and Threat Defense Reimage Guide.

Step 7

Perform initial configuration on the replacement device.

Access the threat defense CLI as the admin user. You can use the console or you can SSH to the factory-default management interface IP address (192.168.45.45). A setup wizard prompts you to configure the management IP address, gateway, and other basic network settings.

See the initial configuration topics in the getting started guide for your model: Cisco Firepower NGFW: Install and Upgrade Guides.

Note

If you need to patch the replacement device, start the management center registration process as described in the getting started guide. If you do not need to patch, do not register.

Step 8

Make sure the replacement device is running the same Firewall software version, including patches, as the faulty device.

Do not delete the existing device from the management center. The replacement device should remain unmanaged and disconnected from the physical network, and the new hardware must be patched to the same threat defense version as the device it replaces. The threat defense CLI does not have an upgrade command. To patch:

  1. From the management center web interface, complete the device registration process: See Add a Device to the Management Center in Cisco Secure Firewall Management Center Device Configuration Guide.

    Create a new access control (AC) policy and use the default action "Network Discovery". Leave this policy as is; do not add any features or modifications. It is used only to register the device and deploy a policy with no features, so that no licenses are required and you can then patch the device. Once the backup is restored, the licensing and policy are restored to the expected state.

  2. Patch the device: Cisco Firewall Management Center Upgrade Guide.

  3. Unregister the freshly patched device from the management center: See Delete a Device from the Management Center in Cisco Secure Firewall Management Center Device Configuration Guide.

    If you do not unregister, you will have a ghost device registered to the management center after the restore process brings your "old" device back up.

Step 9

Make sure the replacement device has access to the backup file.

The restore process can retrieve the backup with SCP, so we recommend you put the backup somewhere accessible. Or, you can manually copy the backup to the replacement device itself, to /var/sf/backup.
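Before the faulty device is reimaged or the only copy of the backup is moved, it is worth confirming that the staged copy is intact, since a corrupted or truncated archive is only discovered when the restore fails. The following shell script is an added example, not Cisco tooling or a command from this guide: it validates that a backup is a readable .tar archive, copies it to a staging directory (standing in for the SCP host or the replacement device's /var/sf/backup), and compares SHA-256 digests before and after the copy. The archive name, directory names and payload are constructed for the demonstration; it assumes a POSIX shell with tar and sha256sum (or shasum) available.

```shell
#!/bin/sh
# Stage a threat defense backup off the faulty device and verify the copy.
# Added example (not Cisco's tooling). Assumes a POSIX shell with tar and
# sha256sum or shasum available. All paths below are constructed for the demo.

set -u

# Print the SHA-256 digest of a file, using whichever tool is present.
digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Validate a backup before relying on it: it must exist, carry a .tar name
# (the restore CLI takes a "backup tar-file" argument) and be a readable
# tar archive. Returns non-zero with a reason on stderr otherwise.
check_backup() {
  f=$1
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  case "$f" in
    *.tar) ;;
    *) echo "not a .tar name: $f" >&2; return 1 ;;
  esac
  tar -tf "$f" >/dev/null 2>&1 || { echo "not a readable tar: $f" >&2; return 1; }
  return 0
}

# Copy the backup into a staging directory and confirm the digest is
# unchanged. Returns 0 only when the copy is byte-for-byte identical to
# the source; prints a sha256sum-style line for the staged file.
stage_backup() {
  src=$1
  dest_dir=$2
  check_backup "$src" || return 1
  mkdir -p "$dest_dir" || return 1
  cp "$src" "$dest_dir/" || return 1
  dst="$dest_dir/$(basename "$src")"
  src_sum=$(digest "$src")
  dst_sum=$(digest "$dst")
  [ "$src_sum" = "$dst_sum" ] || { echo "digest mismatch after copy: $dst" >&2; return 1; }
  echo "$dst_sum  $dst"
  return 0
}

# Demonstration with a constructed archive (not a real threat defense backup).
demo() {
  work=$(mktemp -d) || return 1
  mkdir -p "$work/src"
  echo "constructed placeholder content" > "$work/src/payload.txt"
  tar -cf "$work/ftd_primary_constructed.tar" -C "$work/src" payload.txt
  stage_backup "$work/ftd_primary_constructed.tar" "$work/staging"
  rc=$?
  rm -rf "$work"
  return $rc
}
```

Run the digest line it prints against the file once it is on the SCP host or in /var/sf/backup on the replacement device, so that the restore command is only issued against an archive known to match the original.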

Step 10

From the FTD CLI, restore the backup.

Access the threat defense CLI as the admin user. You can use the console or you can SSH to the newly configured management interface (IP address or hostname). Keep in mind that the restore process will change this IP address.

To restore:

  • With SCP: restore remote-manager-backup location <scp-hostname> <username> <filepath> <backup tar-file>

  • From the local device: restore remote-manager-backup <backup tar-file>

Step 11

Log in to CDO and wait for the devices to connect.

When the restore is done, the device logs you out of the CLI, reboots, and automatically connects to CDO. At this time, the device should appear out of date.

Step 12

Before you deploy, perform any post-restore tasks and resolve any post-restore issues:

  • Resolve licensing conflicts or orphan entitlements. Contact Cisco TAC.

  • Resume HA synchronization.

  • Re-add/re-enroll all VPN certificates. The restore process removes VPN certificates from FTD devices, including certificates added after the backup was taken.

Step 13

Deploy configurations.

You must deploy. If a restored device is not marked out of date, force deploy from the Device Management page.

Step 14

Connect the device's data interfaces.

See the hardware installation guide for your model: Cisco Secure Firewall Threat Defense: Install and Upgrade Guides.