Solved: Re: Backing up config, FTD and vFMC.

itsupport · ‎10-16-2017

Hi.

I am most of the way through implementing an ASA 5508-x, controlled by a vFMC. Both are running 6.2.2.0 of the FTD and FMC software.

Since the configuration is quite complex, and I would hate to have to do it all again from scratch, I figured that backing it up would be a good idea. When I go to System>Tools>Backup/restore, I see options for "Firepower Management Backup"and "Managed Device Backup."This seems logical; one backs up the vFMC, the other the ASA 5508-x.

Going to "Firepower Management Backup", I was indeed able to create and pull down a 270Mb .TAR file. Looks good!

When I go to "Managed device backup" however, I am greeted with a blank box of "managed devices", and cannot kick off a backup.

So, Questions:

1. Should the managed ASA 5508x be listed here as a managed device that I can backup?
2. If not, if the configuration and other data required to restore the ASA 5508x included in the "firepower management backup".

I want to be in a position where I can restore both the FTD and vFMC in the event of a catastrophic hardware failure. Probably better to sort this out now as opposed to when a device catches fire or gets stolen or something.

Marvin Rhoads · ‎10-16-2017

Managed device backups are only for classic Firepower appliances - not for ASA firepower service modules or FTD appliances.

Your FMC backup has all the policies and other settings for your ASA 5508 running FTD. To recover from scratch (say a hardware failure requiring RMA), you would have to at least bootstrap FTD on the ASA with the proper FTD software revision and then register it to your FMC and then redeploy all the policies to it.

View solution in original post

Marvin Rhoads · ‎10-16-2017

Managed device backups are only for classic Firepower appliances - not for ASA firepower service modules or FTD appliances.

Your FMC backup has all the policies and other settings for your ASA 5508 running FTD. To recover from scratch (say a hardware failure requiring RMA), you would have to at least bootstrap FTD on the ASA with the proper FTD software revision and then register it to your FMC and then redeploy all the policies to it.

fperalta11 · ‎05-22-2018

Hello, I have the same problem with the ASA5525, I can not perform the Backup!!

Marvin Rhoads · ‎05-22-2018

@fperalta11 as I noted on my 10-17-2017 reply, the FMC backup feature is not for ASA firepower service modules.

This limitation is documented in the FMC Configuration Guide as follows:

"You cannot create or restore backup files for NGIPSv, Firepower Threat Defense physical or virtual managed devices or ASA FirePOWER modules. To back up event data, perform a backup of the managing Firepower Management Center."

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/backup_and_restore.html#concept_DF40AA6939E34B249A51AEA910226342

spopravak@mds.rs · ‎10-30-2018

Hello Marvin.

First of all, thank you for all your effort with the Firepower. You are doing a great job!

Anyhow, is there a possibility to recreate a configuration/policies/etc from the managed device in the case of the FMC failure (given that there is no FMC backup :) )? (almost) All data is still on the device, right?

Thanks

Marvin Rhoads · ‎10-30-2018

You're welcome spopravak@mds.rs

You're right the configuration is indeed all there on the managed device. Unfortunately it cannot be retrieved in any usable way to restore to a rebuilt FMC.

NeWGuy1109 · ‎10-15-2019

Hello Marvin,

With reference to mentioned link i understand that FTD devices cannot be backed up using FMC...however, if the FMC backup is taking care of all the policies and managed device configurations... is there a need to take individual FTD device backup ? cant FTDs be restored from FMC backup in times of a disaster

Marvin Rhoads · ‎10-15-2019

Things such as device interfaces, routing etc. aren't included in the FMC backups (pre-6.3).

NeWGuy1109 · ‎10-16-2019

Thank You for the reply...

So pre 6.3 .. for complete recovery FMC Backup + Chassis (Where FTD logical device is installed) is required.
Will Chassis Backup include whole FTD configs such as interfaces routing etc ?

Marvin Rhoads · ‎10-16-2019

I'm not positive about what the chassis backup includes. I don't think it gets logical device platform settings.

Basically, older versions of FTD don't have a sound backup strategy. That's why Cisco is enhancing those features going forward.

Prashobcv93 · ‎10-11-2022

Could we take a list of all ACLs in the FTD from FMC??

Marvin Rhoads · ‎10-11-2022

You can see the Access Control Policy entries (and associate object values) if you run a report of the ACP from the main page Access Policy page. Look for the icon that looks like a stack of papers on the right. That will generate a PDF copy of the policy.

Marvin Rhoads · ‎05-11-2023

Updating this old thread since I just got a helpful vote today.

Device backups for FTD devices are available in FMC 7.x - they were not available in 2017 with 6.x.

Marvin Rhoads · ‎02-03-2019

Note that version 6.3 added the capability to backup managed FTD devices from FMC.

ramirezjason · ‎05-10-2019

Hi Marvin,

I dont really understand the use case for backing up FTD devices if we still would need the FMC to restore the backup

Unless this is for a case where we lose FMC, all created policy and have no backup

Any other advantages to having FTD device backups?