10-18-2016 05:06 PM - edited 03-10-2019 06:42 AM
I'm currently looking at creating a backup and restore plan for the FMC and Firepower sensors. I want to ensure that we have all the configuration and events backed up in case of any disaster. I wanted to understand what we lose if we do not back up the individual managed devices but only back up the configuration and the events on the FireSIGHT Management Center.
I am aware of the information in the following link - but just as a test I performed a backup on one of the managed devices and found that the backup file size is ~2.2 GB, while the backup file (config+events) on the FMC 3500 model, which has 20 sensors reporting, is only about 1 GB. Am I missing something? Is there some data present on the sensors which is not sent across to the FMC?
What is the best practice when it comes to backing up events and configs on the FMC and managed devices?
10-18-2016 05:36 PM
Here are the things that I have always done/recommended:
1. Worry about backing up FireSIGHT/FMC only. If the FMC blows up, the sensors will continue to function with their latest known config until communication with FMC is re-established. Logs will also be stored locally until the sensor runs out of disk space.
2. The historical logs/events should be getting offloaded to an external solution such as Splunk.
I hope this helps!
Thank you for rating helpful posts!
11-28-2016 07:32 PM
Hi Neno,
Thanks for the detailed explanation. We actually have the FMC running on a VM, so I have some queries regarding backup/restore. Can you help me with the same?
1- Will configuration backup and restore work from VM to VM?
2- As we have integrated FTD-4100 in FMC with HA, if my FMC gets corrupted or the VM gets deleted, is there any impact on HA?
3- If we rebuild a new FMC VM, will backup restore work? What is the step-by-step procedure? E.g., do we need to add the FTD device manually first, or if we do a configuration restore will it come back automatically with the previously integrated devices?
4- Will the configuration backup include all configuration like ACL, NAT, route, etc.?
Thanks in advance...
12-02-2016 03:09 PM
Hello Pranav-
My answers below:
#1. Yes
#2. High Availability for virtual FMC is currently not supported/offered. I have heard that it is on the road-map but I don't have more specific details. If you are using a hardware appliance then there should be no impact on your services. (see the link below for more details)
#3. I have never tried that before but according to Cisco's documentation (see link below) backup and restore is only supported for like-to-like devices. The link below will also outline the steps required for performing backup and/or restore.
#4. Yes. For more info reference Chapter-7 of the FMC Config Guide:
I hope this helps!
Thank you for rating helpful posts!
12-26-2016 04:17 AM
Thanks, Neno, for the update. We did this one month back, and yes, backup restoration works properly; everything in the backup, including HA device registration, license, rules, NAT and routes, was restored properly.
We only need to be sure the Snort version, VDB version and software version are the same for VM-to-VM backup restoration.
10-18-2016 11:55 PM
Hello Team,
As a best practice, perform a weekly backup of the FMC and store it on a remote server; otherwise, storing the entire backup on the FMC may end up filling the disk space. All the policy configurations are stored on the FMC. Whenever you restore the backup, it's a must that all the software versions and the SRU and VDB versions are the same. If the software version or the SRU or VDB version doesn't match, the restore will fail. Let's say the managed device doesn't have any backup; that's fine. Even if the sensor or managed device gets reimaged, you just have to bring the managed device back to a compatible version, register the sensor back to the FMC and reapply the policies to those managed devices. All the configurations will get applied from FMC to Firepower.
Rate the helpful posts.
Regards
Jetsy
08-13-2019 03:07 AM
Hello,
Thanks for your replies. If I got you right, backing up the entire FMC will help in restoring the FTD in case of failure.
However, I am a little bit confused because I have read it's only from version 6.3 that backup of managed devices (4100, 9300) can be done.
Am I wrong?
Thanks for your reply.
10-19-2016 12:34 PM
Thanks for the comments. We are already sending events over to a SIEM from the FMC. I'm not concerned about the configuration since we are regularly backing up the FMC externally. My only concern is missing events which are not sent over to the FMC from the sensors. Not sure if that level of granularity is overkill or is needed?
I was concerned because on one of the sensors the backup file is ~2.2 GB and the backup of the FMC itself (20 sensors reporting to it) is only 1 GB.