topic Re: Backup Device specific configuration for Firepower Threat Defense in Network Security

Backup Device specific configuration for Firepower Threat Defense

MarcusFLey — Fri, 21 Feb 2020 15:30:54 GMT

Hello everyone,

I recently had the opportunity to use Firepower 4110 appliances for Backup and Restoration tests.

Now, I need someone to back me up on my findings or correct me where I went wrong.

As far as I am concerned, you can create two Backup files. One for the FXOS and one for the FMC.

If an appliance fails and a new one is delivered due to an RMA, I see the following tasks:

- Bootstrap FXOS

- Update FXOS if necessary

- Upload last used FTD image file

- Import last FXOS configuration

FXOS will then go ahead and deploy the FTD device including the Manager Registration.

The device has been registered with FMC beforehand and is still existing, but now marked as Failed/Disabled since all Health Checks fail.

If the new FTD Logical Device is completely deployed, it is unable to contact the FMC. I had a packet capture running and actually saw communication on TCP/8305 between the appliance and the FMC. Encrypted data has been exchanged, but the FMC still claimed that there was no communication from the device.

In order to push them towards eachother, I tried to reapply the Health Policy, ran the checks again and reconfigured the Manager in FTD by hand. Nothing worked.

So, hesistantly, I deleted the existing device from FMC and registered it. This worked fine, but(!) all Device specific configuration was lost. This includes (but is not limited to)

- Interface configuration

- Routing configuration

- Inline Sets

I often read that there is no need to do a device backup, because all information is stored in FMC, but the above content is definately lost, if an appliance is deleted from FMC. But without deletion, there is no Registration.

FMC does not allow to register devices with the same IP address as an existing device.

I tested this with FTD 6.1 and 6.2, FMC patched up to 6.2.2.2.

Did you guys have the same issues? How do you make sure that you can restore a failed device without having to configure IP addresses and routing by hand?

All the best,

Marcus

Re: Backup Device specific configuration for Firepower Threat Defense

Marvin Rhoads — Thu, 15 Mar 2018 11:57:58 GMT

The shortcoming you point out is one that I don't know any way around either. FTD devices have several operational capability shortcomings and this is one of them.

As you noted, FMC doesn't allow you to snapshot an FTD device setup including the routing, inline sets etc. for restoration to a replacement unit. The only alternative you have for now is to redo them by hand.

We can only keep pressing Cisco to accommodate this functionality in a sustainable way in a future release. After all, traditional Firepower devices have had it for some time with the "Managed Device Backup" feature (under System > Tools in FMC).

Re: Backup Device specific configuration for Firepower Threat Defense

MarcusFLey — Thu, 15 Mar 2018 16:11:55 GMT

Hi Marvin,

thank you very much for your opinion on this matter. I highly appreciate it.

I think everyone appreciates your constant input to Firepower topics. I am gonna mark this as solved.

Best regards,

Marcus