Backup and restore has the following best practices.
When to Back Up
We recommend backing up during a maintenance window or other time of low use.
While the system collects backup data, there may be a temporary pause in data correlation (cloud-delivered Firewall
Management Center only), and you may be prevented from changing configurations related to the backup. If you include event data, event-related
features such as eStreamer are not available.
You should back up in the following situations:
Regular scheduled backups.
As part of your disaster recovery plan, we recommend that you perform periodic
The Version 6.5.0+ cloud-delivered Firewall
Management Center setup process schedules weekly configuration-only backups, to be stored locally. This is not a substitute for full off-site
backups—after initial setup finishes, you should review your scheduled tasks and adjust them to fit your organization's needs.
For more information, see Scheduled Backups.
After SLR changes.
Back up the cloud-delivered Firewall
Management Center after you make changes to Specific Licensing Reservations (SLRs). If you make changes and then restore an older backup,
you will have issues with your Specific Licensing return code and can accrue orphan entitlements.
Before upgrade or reimage.
If an upgrade fails catastrophically, you may have to reimage and restore. Reimaging
returns most settings to factory defaults, including the system password. If you have a
recent backup, you can return to normal operations more quickly.
Back up after you upgrade, so you have a snapshot of your freshly upgraded deployment. We recommend you back up the cloud-delivered Firewall
after you upgrade its managed devices, so your new cloud-delivered Firewall
Management Center backup file 'knows' that its devices have been upgraded.
Maintaining Backup File Security
Backups are stored as unencrypted archive (.tar) files.
Private keys in PKI objects—which represent the public key certificates and paired private keys required to support your deployment—are
decrypted before they are backed up. The keys are reencrypted with a randomly generated key when you restore the backup.
We recommend you back up cloud-delivered Firewall
Management Centers and devices to a secure remote location and verify transfer success. Backups left locally may be deleted, either manually
or by the upgrade process, which purges locally stored backups.
Especially because backup files are unencrypted, do
not allow unauthorized access. If backup files are modified, the restore
process will fail. Keep in mind that anyone with the Admin/Maint role can access
the Backup Management page, where they can move and delete files from remote
In the cloud-delivered Firewall
Management Center's system configuration, you can mount an NFS, SMB, or SSHFS network volume as remote storage. After you do this, all subsequent
backups are copied to that volume, but you can still use the cloud-delivered Firewall
Management Center to manage them. For more information, see Remote Storage Management and Manage Backups and Remote Storage.
Note that only the cloud-delivered Firewall
Management Center mounts the network volume. Managed device backup files are routed through the cloud-delivered Firewall
Management Center. Make sure you have the bandwidth to perform a large data transfer between the cloud-delivered Firewall
Management Center and its devices. For more information, see Guidelines for Downloading Data from the Firepower Management Center to Managed Devices (Troubleshooting TechNote).
Backup and Restore in FMC High Availability Deployments
In an cloud-delivered Firewall
Management Center high availability deployment, backing up one cloud-delivered Firewall
Management Center does not back up the other. You should regularly back up both peers. Do not restore one HA peer with the backup file from
the other. A backup file contains information that uniquely identifies an appliance, and cannot be shared.
Note that you can replace an HA cloud-delivered Firewall
Management Center without a successful backup. For more information on replacing HAcloud-delivered Firewall
Management Centers, both with and without successful backups, see Replacing FMCs in a High Availability Pair.
Backup and Restore in FTD High Availability Deployments
In an threat defense HA deployment, you should:
Back up the device pair from the FMC, but restore individually and locally from the cloud-delivered Firewall
Management Center CLI.
The backup process produces unique backup files for threat defense HA devices. Do not restore one HA peer with the backup file from the other. A backup file contains information that uniquely
identifies an appliance, and cannot be shared.
An cloud-delivered Firewall
Management Center HA device's role is noted in its backup file name. When you restore, make sure you choose the appropriate backup file: primary
Do not suspend or break HA before you restore.
Maintaining the HA configuration ensures replacement devices can easily reconnect after
restore. Note that you will have to resume HA synchronization to make this happen.
Do not run the restore CLI command on both peers at the same time.
Assuming you have successful backups, you can replace either or both peers in an HA
pair. Any physical replacement tasks you can perform simultaneously: unracking,
reracking, and so on. However, do
not run the restore command on the second device until the restore process
completes for the first device, including the reboot.
Note that you can replace an cloud-delivered Firewall
Management Center HA device without a successful backup; see Replace a Unit in an FTD High Availability Pair.
Backup and Restore for Firepower 4100/9300 Chassis
To restore Firepower software on a Firepower 4100/9300 chassis, the chassis must be running
a compatible FXOS version.
When you back up a Firepower 4100/9300 chassis, we strongly recommend you also back up FXOS configurations. For additional best practices, see Configuration Import/Export Guidelines for Firepower 4100/9300.
Before you back up, you should:
Update the VDB and SRU on the cloud-delivered Firewall
We always recommend you use the latest vulnerability database (VDB) and intrusion rules (SRU). Before you back up an cloud-delivered Firewall
Management Center, check the Cisco Support & Download
site for newer versions.
Check Disk Space.
Before you begin a backup, make sure you have enough disk space on the appliance or on
your remote storage server. The space available is displayed on the Backup Management
Backups can fail if there is not enough space. Especially if you schedule backups, make
sure you regularly prune backup files or allocate more disk space to the remote storage
Before restore, you should:
Revert licensing changes.
Revert any licensing changes made since you took the backup.
Otherwise, you may have license conflicts or orphan
entitlements after the restore. However, do
not unregister from Cisco Smart Software Manager (CSSM). If you unregister
from CSSM, you must unregister again after you restore, then re-register.
After the restore completes, reconfigure licensing. If you notice licensing
conflicts or orphan entitlements, contact Cisco TAC.
Disconnect faulty appliances.
Disconnect the management interface, and for devices, the data interfaces.
Restoring an threat defense device sets the management IP address of the replacement device to the management IP address of the old device. To avoid
IP conflicts, disconnect the old device from the management network before you restore the backup on its replacement.
Note that restoring an cloud-delivered Firewall
does not change the management IP address. You must set that manually on the replacement — just make sure you disconnect the old appliance
from the network before you do.
Do not unregister managed devices.
Whether you are restoring an FMC or managed device, do not unregister devices from the cloud-delivered Firewall
Management Center, even if you physically disconnect an appliance from the network.
If you unregister, you will need to redo some device configurations, such as security zone to interface mappings. After you
restore, the cloud-delivered Firewall
Management Center and devices should begin communicating normally.
In an RMA scenario, the replacement appliance will arrive configured with factory
defaults. However, if the replacement appliance is already configured, we recommend you
reimage. Reimaging returns most settings to factory defaults, including the system
password. You can only reimage to major versions, so you may need to patch after you
If you do not reimage, keep in mind that cloud-delivered Firewall
Management Center intrusion events and file lists are merged rather than overwritten.
After restore, you should:
Reconfigure anything that was not restored.
This can include reconfiguring licensing, remote storage, and audit log server certificate settings. You also must re-add/re-enroll failed threat defense VPN certificates.
Update the VDB and SRU on the cloud-delivered Firewall
We always recommend you use the latest vulnerability database (VDB) and intrusion rules
(SRU). This is especially important for the VDB, because
the VDB in the backup will overwrite the VDB on the replacement FMC.
After you restore an cloud-delivered Firewall
Management Center, deploy to all managed devices. After you restore a device, deploy to that device. You must deploy. If the a device or devices are not marked out of date, force deploy from the Device Management page: Redeploy Existing Configurations to a Device.