Cisco FPR-4100 Password Recovery

ezzhar891202 · ‎09-28-2022

Dear guys, we have two devices that are in a HA environment. The problem is that secondary FP can connect using AD credentials, but when you run the command, you get an "error retrieving user privileges" and your admin credentials are gone. Both AD and admin have also been gone from the primary unit. So we decided to proceed with password recovery using the document below.

https://www.cisco.com/c/en/us/support/docs/security/firepower-9300-security-appliance/200491-Password-Recovery-Procedure-For-FirePOWE.html

switch(boot)# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
switch(boot)(config)# admin-password erase
Your password and configuration will be erased!
Do you want to continue? (y/n)  [n] y

Is it completely accurate that it will reset all configurations to factory defaults, including policies?

Cisco FPR-4100 Appliances

Sheraz.Salim · ‎09-28-2022

Correct it will wipe the config on your Box. as per the document mentioned and showed the configuration.

please do not forget to rate.

ezzhar891202 · ‎09-28-2022

Thank you for your response @Sheraz.Salim
how can I recover the policies into secondary because we don't have a backup? Since the primary worked properly, only cant log in to the device and will sync and obtain the current policies after HA is restored?

Sheraz.Salim · ‎09-29-2022

@ezzhar891202 Are you managed these FTD from FMC? as this appliances is secondary once you re-image/reset/factory-rest and you make the HA pair the configuration will syn from the Primary FTD (This include all the policies and configuration) to the secondary appliance and make the HA pair.

This procedure as mentioned above returns your Firepower 4100/9300 chassis system to its default configuration settings, including the admin password. Use this procedure to reset the configurations on your device when the admin password is not known. This procedure erases any installed logical devices as well.

also bear in find if you going that route make sure this procedure requires console access to the Firepower 4100/9300 chassis.

please do not forget to rate.

ezzhar891202 · ‎09-30-2022

@Sheraz.Salim CSM was used to manage both boxes. According to the Cisco documentation, we can update the password from CSM.

https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/417/user/guide/CSMUserGuide/pxhostresourc.html#114477

If we truly need to do password recovery, can we just do it or do we need to disconnect the HA first and then do the procedure? Will restoring the HA then sync the policies? Any policies deployed on CSM for user authorization and password recovery will not solve the login problem, correct?

Sheraz.Salim · ‎09-30-2022

@ezzhar891202 The cisco documentation is very clear for FTD4100 if you going to password recovery you requires console access to the Firepower 4100/9300 chassis. Remember This procedure erases any installed logical devices as well.

The best approach would be discount your secondary standby firewall (Break -HA) and follow the password recovery document. once the box is factory reset and when box will come up clean when you have the HA pair the policies from the primary ftd will push to secondary standby firewall. just make sure your recovery password FTD configured as secondary standby.

Also have a look on this document you will find it very useful.

please do not forget to rate.