About Backup and Restore
The ability to recover from a disaster is an essential part of any system maintenance plan. As part of your disaster recovery plan, we recommend that you perform periodic backups to a secure remote location.
You can perform on-demand backups for the FMC and 7000/8000 series devices from the FMC.
You can also use the local web interface on a 7000/8000 series device to perform on-demand backups. Local backup management on 7000/8000 series devices differs slightly from backup management on the FMC and has fewer options, but in general it works the same way. Note that you can use the FMC to back up these devices remotely.
For more information, see Backing Up FMCs or Managed Devices.
You can use the scheduler on an FMC or 7000/8000 series device to automate backups. You cannot schedule remote device backups from the FMC.
For more information, see Scheduled Backups.
Storing Backup Files
You can store backups locally. However, we recommend you back up FMCs and managed devices to a secure remote location by mounting an NFS, SMB, or SSHFS network volume as remote storage. After you do this, all subsequent backups are copied to that volume, but you can still use the FMC to manage them.
For more information, see Remote Storage Management and Manage Backups and Remote Storage.
Restoring the FMC and Managed Devices
You restore the FMC and 7000/8000 series devices from the local Backup Management page.
For more information, see Restoring FMCs and Managed Devices.
What Is Backed Up?
FMC backups can include:
All configurations you can set on the FMC web interface are included in a configuration backup, with the exception of remote storage and audit log server certificate settings. In a multidomain deployment, you must back up configurations. You cannot back up events or TID data only.
Event backups include all events in the FMC database. However, FMC event backups do not include intrusion event review status. Restored intrusion events do not appear on Reviewed Events pages.
Threat Intelligence Director (TID) data. For more information, see About Backing Up and Restoring TID Data.
7000/8000 series device backups are always configuration-only.
What Is Restored?
Restoring configurations overwrites all backed-up configurations, with very few exceptions. On the FMC, restoring events and TID data overwrites all existing events and TID data, with the exception of intrusion events.
Make sure you understand and plan for the following:
You cannot restore what is not backed up.
FMC configuration backups do not include remote storage and audit log server certificate settings, so you must reconfigure these after restore. Also, because FMC event backups do not include intrusion event review status, restored intrusion events do not appear on Reviewed Events pages.
Restoring to a configured FMC, rather than to a factory-fresh or reimaged one, merges intrusion events and file lists.
The FMC event restore process does not overwrite intrusion events. Instead, the intrusion events in the backup are added to the database. To avoid duplicates, delete existing intrusion events before you restore.
The FMC configuration restore process does not overwrite clean and custom detection file lists used by AMP for Networks. Instead, it merges existing file lists with the file lists in the backup. To replace file lists, delete existing file lists before you restore.