topic Re: Question on testing restoration of an FMC and FTD backups in Network Security

Question on testing restoration of an FMC and FTD backups

ABaker94985 — Fri, 03 Jun 2022 20:29:34 GMT

We are currently backing up FMC and FTD's daily and have been for about 3 years. Fortunately, we've not had to restore due to a failure, but we have done restores just to check things out. We would like to go through the entire process in a lab where we can restore and then simulate some actual traffic and verify everything works. We have some VMs that can be used, but given there are no available physical FTD's, we're planning on using FTDv's. I've found several backup and restore documents on Cisco's website, but I've not seen anything that deals with validation or testing that everything is working as expected. We'd like to have absolutely no doubts that everything is working as it should. Can anyone provide some guidance on restore validation? Thank you.

Re: Question on testing restoration of an FMC and FTD backups

Sheraz.Salim — Fri, 03 Jun 2022 21:54:21 GMT

@ABaker94985 we have done a restore of FTD2140 Managed by FMC.

Background. We were hitting a bug CSCvn29443 the work around was to reimage the HA-Pair of FTD2140 (prior FTD image was 6.3 and post FTD image 6.5.x where as the FMC running version 6.7.x). once the reimage was done and FTD was added on the FMC. the restore config file of FTD6.3 was pushed to FTD6.5. all went good (pushing deployment went good no issues) however, remember routing tables (For example if you using static routes) They do not push in deployment from the restore backup. you have to manually define again the static routes and push the police. Our client is heavily based vpn tunnel on that site no issues. however if you use Cert for vpn or for anyconnect. Just export the identity certificate and manually restore the identity cert in a fresh install FTD. rest object object group acl all good. Hope this will help you.

Re: Question on testing restoration of an FMC and FTD backups

Mohammed al Baqari — Sat, 04 Jun 2022 02:15:19 GMT

Hi,

I don't think you will get a document from Cisco on how to test your
environment because it all depends on your apps and use cases. The right
approach is to have a detailed test document for your environment including
test case, how to conduct, success/fail criteria. This way you can test
that everything is working after a restore in a lab or real outage.

>From my side, in addition to what @Sheraz.Salim mentioned, I have seen
interfaces being disabled after restore and should be enabled. Pushing
without enabling will bring things down. Similarly, I have seen interface
names intermittently disappearing after restore and should be added
manually.

**** plz remember to rate useful posts

Re: Question on testing restoration of an FMC and FTD backups

ABaker94985 — Mon, 06 Jun 2022 13:22:32 GMT

Thank you. Both posts were very useful.

Re: Question on testing restoration of an FMC and FTD backups

Sheraz.Salim — Mon, 06 Jun 2022 13:33:28 GMT

Just to Add what I have said. you still need to add your FTD (new one) in NAT section and on the platform setting doing this it will save your time.