Question on testing restoration of an FMC and FTD backups

ABaker94985

We are currently backing up the FMC and FTDs daily and have been for about 3 years. Fortunately, we've not had to restore due to a failure, but we have done restores just to check things out. We would like to go through the entire process in a lab where we can restore and then simulate some actual traffic and verify everything works. We have some VMs that can be used, but given there are no available physical FTDs, we're planning on using FTDvs. I've found several backup and restore documents on Cisco's website, but I've not seen anything that deals with validation or testing that everything is working as expected. We'd like to have absolutely no doubts that everything is working as it should. Can anyone provide some guidance on restore validation? Thank you.

3 Accepted Solutions


@ABaker94985 we have done a restore of an FTD2140 managed by FMC.

Background. We were hitting bug CSCvn29443; the workaround was to reimage the HA pair of FTD2140s (the prior FTD image was 6.3 and the post-reimage FTD image 6.5.x, whereas the FMC was running version 6.7.x). Once the reimage was done and the FTD was added to the FMC, the restored config file from FTD 6.3 was pushed to FTD 6.5. All went well (pushing the deployment went fine, no issues). However, remember routing tables (for example, if you are using static routes): they do not get pushed in the deployment from the restored backup. You have to manually define the static routes again and push the policy. Our client relies heavily on VPN tunnels at that site; no issues there. However, if you use certificates for VPN or for AnyConnect, just export the identity certificate and manually restore the identity cert on the freshly installed FTD. The rest (objects, object groups, ACLs) were all good. Hope this will help you.

please do not forget to rate.


Hi,

I don't think you will get a document from Cisco on how to test your
environment because it all depends on your apps and use cases. The right
approach is to have a detailed test document for your environment including
test case, how to conduct, success/fail criteria. This way you can test
that everything is working after a restore in a lab or real outage.

From my side, in addition to what @Sheraz.Salim mentioned, I have seen
interfaces being disabled after restore, and they should be enabled. Pushing
without enabling will bring things down. Similarly, I have seen interface
names intermittently disappearing after restore, and they should be added
manually.

plz remember to rate useful posts


ABaker94985

Thank you. Both posts were very useful.


4 Replies


Just to add to what I have said: you still need to add your FTD (the new one) in the NAT section and in the platform settings. Doing this will save you time.

please do not forget to rate.
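The replies above list the items that tend to drift after an FTD restore (disabled interfaces, lost interface names, missing static routes, identity certificates, NAT and platform settings assignment). The script below is an added example, not from the thread or from Cisco: it compares a pre-backup snapshot of those settings with a post-restore snapshot and reports each drift item. The snapshot dictionary layout (`interfaces`, `static_routes`, `identity_certs`, `nat_policy`, `platform_settings`) is a constructed, hypothetical format, not the FMC REST API's output; you would populate it from your own export before and after the lab restore.

```python
# Added example: compare a pre-backup snapshot of an FTD's deployed settings with
# a post-restore snapshot and flag the drift items the replies above report.
# The snapshot dict layout is a constructed format, NOT the FMC REST API's output.

def find_restore_drift(before, after):
    """Return human-readable findings; an empty list means the restore validated."""
    findings = []
    # Interfaces: disabled after restore, or logical names missing (second reply).
    for name, pre in before.get("interfaces", {}).items():
        post = after.get("interfaces", {}).get(name)
        if post is None:
            findings.append(f"interface {name}: missing after restore")
            continue
        if pre.get("enabled") and not post.get("enabled"):
            findings.append(f"interface {name}: enabled before, disabled after")
        if pre.get("ifname") and not post.get("ifname"):
            findings.append(f"interface {name}: logical name '{pre['ifname']}' lost")
    # Static routes: not carried over by the restore deployment (first reply).
    for route in sorted(set(before.get("static_routes", [])) - set(after.get("static_routes", []))):
        findings.append(f"static route missing: {route}")
    # Identity certificates used for VPN / AnyConnect must be re-imported (first reply).
    for cert in before.get("identity_certs", []):
        if cert not in after.get("identity_certs", []):
            findings.append(f"identity certificate missing: {cert}")
    # NAT policy and platform settings must reference the new device (final reply).
    for section in ("nat_policy", "platform_settings"):
        if before.get(section) and not after.get(section):
            findings.append(f"{section}: device not assigned after restore")
    return findings

# Constructed sample snapshots illustrating the drift reported in the thread.
PRE_BACKUP = {
    "interfaces": {"Ethernet1/1": {"ifname": "outside", "enabled": True},
                   "Ethernet1/2": {"ifname": "inside", "enabled": True}},
    "static_routes": ["outside 0.0.0.0/0 via 203.0.113.1", "inside 10.10.0.0/16 via 192.0.2.1"],
    "identity_certs": ["anyconnect-id-cert"],
    "nat_policy": "site-nat", "platform_settings": "site-platform",
}
POST_RESTORE = {
    "interfaces": {"Ethernet1/1": {"ifname": "outside", "enabled": False},
                   "Ethernet1/2": {"ifname": "", "enabled": True}},
    "static_routes": [],
    "identity_certs": [],
    "nat_policy": None, "platform_settings": None,
}

if __name__ == "__main__":
    for line in find_restore_drift(PRE_BACKUP, POST_RESTORE):
        print(line)
```

Run it against the two snapshots to get one line per drift item; an empty result is the pass criterion for that part of the restore test plan.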