20017 Views · 18 Helpful · 16 Replies

Backing up config, FTD and vFMC.

itsupport, Level 1

Hi.

I am most of the way through implementing an ASA 5508-x, controlled by a vFMC. Both are running 6.2.2.0 of the FTD and FMC software.

Since the configuration is quite complex, and I would hate to have to do it all again from scratch, I figured that backing it up would be a good idea. When I go to System > Tools > Backup/Restore, I see options for "Firepower Management Backup" and "Managed Device Backup." This seems logical; one backs up the vFMC, the other the ASA 5508-x.

Going to "Firepower Management Backup", I was indeed able to create and pull down a 270Mb .TAR file. Looks good!

When I go to "Managed Device Backup" however, I am greeted with a blank box of "managed devices", and cannot kick off a backup.
[screenshot attachment: Capture.JPG]

So, Questions:

1. Should the managed ASA 5508-x be listed here as a managed device that I can back up?
2. If not, is the configuration and other data required to restore the ASA 5508-x included in the "Firepower Management Backup"?

I want to be in a position where I can restore both the FTD and vFMC in the event of a catastrophic hardware failure. Probably better to sort this out now as opposed to when a device catches fire or gets stolen or something.
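Added example (not part of this thread and not Cisco's own tooling): after pulling down an FMC backup archive like the 270 MB .TAR described above, a practitioner usually wants to confirm that the file is a readable tar archive end-to-end, record its SHA-256 so a later copy can be compared against it, and flag any entry whose path would escape the restore directory. The helper below does that with the Python standard library only. The archive it builds for itself is a constructed stand-in with invented member names (`config/backup.manifest`, `config/policies.db`); it assumes nothing about how FMC actually lays out its backups and must not be read as a description of that format.

```python
"""Sanity-check a downloaded backup archive before relying on it.

Illustrative code only: it treats the backup as a plain tar archive and
knows nothing about the real internal layout of an FMC backup.
"""
import hashlib
import io
import os
import tarfile


def build_sample_backup(path, members):
    """Write a small constructed tar archive standing in for a downloaded backup.

    `members` is a list of (name, bytes) pairs; the names are invented for the
    example and are not FMC's real file names.
    """
    with tarfile.open(path, "w") as tar:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return path


def _is_unsafe_member(name):
    """True for entries that would land outside the restore directory if extracted."""
    normalized = os.path.normpath(name)
    return (
        os.path.isabs(name)
        or normalized == ".."
        or normalized.startswith(".." + os.sep)
    )


def verify_backup(path):
    """Hash the archive, read every member to its declared size, and flag unsafe paths.

    Returns a dict with the SHA-256, the member list, any unsafe names, and an
    `ok` flag plus `error` text describing the first problem found.
    """
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha256.update(chunk)

    result = {
        "path": path,
        "bytes": os.path.getsize(path),
        "sha256": sha256.hexdigest(),
        "members": [],
        "unsafe": [],
        "ok": True,
        "error": None,
    }
    try:
        with tarfile.open(path, "r") as tar:
            for info in tar:
                result["members"].append(info.name)
                if _is_unsafe_member(info.name):
                    result["unsafe"].append(info.name)
                if info.isfile():
                    # Read the member completely; a truncated archive fails here
                    # rather than at restore time.
                    fobj = tar.extractfile(info)
                    read = 0
                    for chunk in iter(lambda: fobj.read(1 << 20), b""):
                        read += len(chunk)
                    if read != info.size:
                        raise tarfile.ReadError(
                            f"{info.name}: header says {info.size} bytes, read {read}"
                        )
    except tarfile.TarError as exc:
        result["ok"] = False
        result["error"] = str(exc)

    if result["unsafe"]:
        result["ok"] = False
        result["error"] = result["error"] or "archive contains paths that escape the restore directory"
    return result


if __name__ == "__main__":
    import tempfile

    workdir = tempfile.mkdtemp()
    sample = build_sample_backup(
        os.path.join(workdir, "fmc-backup.tar"),
        [("config/backup.manifest", b"version=6.2.2.0\n"),
         ("config/policies.db", b"\x00" * 1024)],
    )
    report = verify_backup(sample)
    print(f"{report['path']}: ok={report['ok']} sha256={report['sha256']}")
    for name in report["members"]:
        print("  ", name)
```

Keeping the SHA-256 alongside the archive in a second location lets you detect a silently damaged copy before an RMA forces you to restore from it; the unsafe-path check is the same precaution you would apply to any tar file before extracting it on the recovery host.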


 

Accepted Solution

Marvin Rhoads, Hall of Fame

Managed device backups are only for classic Firepower appliances - not for ASA firepower service modules or FTD appliances.

 

Your FMC backup has all the policies and other settings for your ASA 5508 running FTD. To recover from scratch (say a hardware failure requiring RMA), you would have to at least bootstrap FTD on the ASA with the proper FTD software revision and then register it to your FMC and then redeploy all the policies to it.

16 Replies

Hello, I have the same problem with the ASA5525; I cannot perform the backup!

@fperalta11 as I noted on my 10-17-2017 reply, the FMC backup feature is not for ASA firepower service modules.

 

This limitation is documented in the FMC Configuration Guide as follows:

 

"You cannot create or restore backup files for NGIPSv, Firepower Threat Defense physical or virtual managed devices or ASA FirePOWER modules. To back up event data, perform a backup of the managing Firepower Management Center."

 

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/backup_and_restore.html#concept_DF40AA6939E34B249A51AEA910226342

Hello Marvin.

 

First of all, thank you for all your effort with the Firepower. You are doing a great job!

 

Anyhow, is there a possibility to recreate a configuration/policies/etc from the managed device in the case of the FMC failure (given that there is no FMC backup :) )? (almost) All data is still on the device, right?

 

Thanks

 

You're welcome spopravak@mds.rs

 

You're right the configuration is indeed all there on the managed device. Unfortunately it cannot be retrieved in any usable way to restore to a rebuilt FMC.

Hello Marvin,

 

With reference to the mentioned link, I understand that FTD devices cannot be backed up using FMC... however, if the FMC backup is taking care of all the policies and managed device configurations, is there a need to take an individual FTD device backup? Can't FTDs be restored from the FMC backup in times of a disaster?

Things such as device interfaces, routing etc. aren't included in the FMC backups (pre-6.3).

Thank You for the reply...

So pre-6.3, for complete recovery, FMC backup + chassis (where the FTD logical device is installed) is required.
Will the chassis backup include the whole FTD config, such as interfaces, routing, etc.?

I'm not positive about what the chassis backup includes. I don't think it gets logical device platform settings.

Basically, older versions of FTD don't have a sound backup strategy. That's why Cisco is enhancing those features going forward.

Could we take a list of all ACLs in the FTD from FMC?

You can see the Access Control Policy entries (and associated object values) if you run a report of the ACP from the main Access Policy page. Look for the icon that looks like a stack of papers on the right. That will generate a PDF copy of the policy.

Updating this old thread since I just got a helpful vote today.

Device backups for FTD devices are available in FMC 7.x - they were not available in 2017 with 6.x.

Marvin Rhoads, Hall of Fame

Note that version 6.3 added the capability to back up managed FTD devices from FMC.

Hi Marvin,

I don't really understand the use case for backing up FTD devices if we still would need the FMC to restore the backup.

Unless this is for a case where we lose FMC, all created policy and have no backup

Any other advantages to having FTD device backups?
