Backup and restore has the following best practices.
When to Back Up
We recommend backing up during a maintenance window or other time of low use.
While the system collects backup data, there may be a temporary pause in data correlation (cloud-delivered Firewall Management Center only), and you may be prevented from changing configurations related to the backup. If you include event data, event-related features such as eStreamer are not available.
You should back up in the following situations:
- Regular scheduled backups.
As part of your disaster recovery plan, we recommend that you perform periodic backups. To automate this process, see Scheduled Backups.
- Before upgrade or reimage.
If an upgrade fails catastrophically, you may have to reimage and restore. Reimaging returns most settings to factory defaults, including the system password. If you have a recent backup, you can return to normal operations more quickly.
- After upgrade.
Back up after you upgrade, so you have a snapshot of your freshly upgraded deployment. We recommend you back up the cloud-delivered Firewall Management Center after you upgrade its managed devices, so your new cloud-delivered Firewall Management Center backup file 'knows' that its devices have been upgraded.
Maintaining Backup File Security
Backups are stored as unencrypted archive (.tar) files.
Private keys in PKI objects (which represent the public key certificates and paired private keys required to support your deployment) are decrypted before they are backed up. The keys are re-encrypted with a randomly generated key when you restore the backup.
Caution
We recommend you back up cloud-delivered Firewall Management Centers and devices to a secure remote location and verify transfer success. Backups left locally may be deleted, either manually or by the upgrade process, which purges locally stored backups.
Especially because backup files are unencrypted, do not allow unauthorized access. If backup files are modified, the restore process will fail. Keep in mind that anyone with the Admin/Maint role can access the Backup Management page, where they can move and delete files from remote storage.
In the cloud-delivered Firewall Management Center's system configuration, you can mount an NFS, SMB, or SSHFS network volume as remote storage. After you do this, all subsequent backups are copied to that volume, but you can still use the cloud-delivered Firewall Management Center to manage them. For more information, see Remote Storage Management and Manage Backups and Remote Storage.
Note that only the cloud-delivered Firewall Management Center mounts the network volume. Managed device backup files are routed through the cloud-delivered Firewall Management Center. Make sure you have the bandwidth to perform a large data transfer between the cloud-delivered Firewall Management Center and its devices. For more information, see Guidelines for Downloading Data from the Firepower Management Center to Managed Devices (Troubleshooting TechNote).
Backup and Restore in FMC High Availability Deployments
In a cloud-delivered Firewall Management Center high availability deployment, backing up one cloud-delivered Firewall Management Center does not back up the other. You should regularly back up both peers. Do not restore one HA peer with the backup file from the other. A backup file contains information that uniquely identifies an appliance, and cannot be shared.
Note that you can replace an HA cloud-delivered Firewall Management Center without a successful backup. For more information on replacing HA cloud-delivered Firewall Management Centers, both with and without successful backups, see Replacing FMCs in a High Availability Pair.
Before Backup
Before you back up, you should:
- Update the VDB and SRU on the cloud-delivered Firewall Management Center.
We always recommend you use the latest vulnerability database (VDB) and intrusion rules (SRU). Before you back up a cloud-delivered Firewall Management Center, check the Cisco Support & Download site for newer versions.
This is especially important for the VDB, because the VDB versions must match to restore a backup. Because you cannot downgrade the VDB, you do not want a situation where your replacement cloud-delivered Firewall Management Center has a newer VDB than the backed-up cloud-delivered Firewall Management Center.
- Check disk space.
Before you begin a backup, make sure you have enough disk space on the appliance or on your remote storage server. The space available is displayed on the Backup Management page.
Backups can fail if there is not enough space. Especially if you schedule backups, make sure you regularly prune backup files or allocate more disk space to the remote storage location.
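The caution above asks you to verify transfer success, protect the unencrypted archive from unauthorized access, and remember that a modified archive will not restore; the disk space item asks you to check free space and prune old files. The following shell script, an added example that is not Cisco's code and not part of the cloud-delivered Firewall Management Center, does those checks on the remote-storage side. It assumes the remote volume is already mounted at a local path, that an archive has been produced by the system's own backup process, and that the file names, directory names and 30-day retention are placeholders; it does not replace the Backup Management page.

```shell
#!/bin/sh
# Added example, not Cisco's code: a helper for the remote-storage side of the
# backup workflow. It checks free space before copying a backup archive,
# verifies the copy against a SHA-256 digest, restricts file permissions,
# and prunes archives older than a retention period.
# All paths, file names and the retention period below are assumptions.

# Print the SHA-256 digest of a file (sha256sum on Linux, shasum elsewhere).
sum_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# Succeed only if the destination filesystem has room for the archive plus
# a 1 MiB safety margin (sizes in KiB; df -P keeps the column layout stable).
has_space() {
    file="$1"; dest="$2"
    need_kb=$(( $(wc -c < "$file") / 1024 + 1024 ))
    free_kb=$(df -Pk "$dest" | awk 'NR == 2 { print $4 }')
    [ "$free_kb" -ge "$need_kb" ]
}

# Copy the archive to remote storage, confirm the copy's digest matches the
# source (transfer success), make the copy readable by its owner only, and
# record the digest next to it so later modification can be detected.
copy_and_verify() {
    src="$1"; dest="$2"
    name=$(basename "$src")
    has_space "$src" "$dest" || { echo "not enough space in $dest" >&2; return 1; }
    cp "$src" "$dest/$name" || return 1
    src_sum=$(sum_of "$src")
    dst_sum=$(sum_of "$dest/$name")
    if [ "$src_sum" != "$dst_sum" ]; then
        echo "digest mismatch after copy of $name" >&2
        rm -f "$dest/$name"
        return 1
    fi
    chmod 600 "$dest/$name"
    printf '%s\n' "$src_sum" > "$dest/$name.sha256"
}

# Succeed if a stored archive still matches its recorded digest. A restore
# from a modified archive fails, so run this before you start a restore.
check_integrity() {
    archive="$1"
    [ -r "$archive.sha256" ] || return 1
    [ "$(sum_of "$archive")" = "$(cat "$archive.sha256")" ]
}

# Remove archives (and their digest files) not modified in the last N days,
# so scheduled backups do not fill the remote volume. Prints what it removes.
prune_old() {
    dest="$1"; days="$2"
    find "$dest" -name '*.tar' -mtime +"$days" -print | while read -r old; do
        rm -f "$old" "$old.sha256"
        echo "pruned $old"
    done
}

# Demonstration on a constructed placeholder archive (not a real backup).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/remote"
    printf 'constructed placeholder backup contents\n' > "$work/fmc-backup.tar"
    copy_and_verify "$work/fmc-backup.tar" "$work/remote" && echo "copied and verified"
    check_integrity "$work/remote/fmc-backup.tar" && echo "stored copy is intact"
    prune_old "$work/remote" 30
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh backup-remote.sh demo` to exercise the functions on the constructed archive. The digest file is the only defence this script offers against silent modification; because the archive itself is unencrypted, the `chmod 600` and the permissions on the mounted volume are what keep its contents, including the decrypted private keys, away from other users of the storage server.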
Before Restore
Before restore, you should:
- Revert licensing changes.
Revert any licensing changes made since you took the backup. Otherwise, you may have license conflicts or orphan entitlements after the restore. However, do not unregister from Cisco Smart Software Manager (CSSM). If you unregister from CSSM, you must unregister again after you restore, then re-register. After the restore completes, reconfigure licensing. If you notice licensing conflicts or orphan entitlements, contact Cisco TAC.
- Disconnect faulty appliances.
Disconnect the management interface, and for devices, the data interfaces. Note that restoring a cloud-delivered Firewall Management Center or 7000/8000 series device does not change the management IP address. You must set that manually on the replacement; just make sure you disconnect the old appliance from the network before you do.
- Do not unregister managed devices.
Whether you are restoring an FMC or a managed device, do not unregister devices from the cloud-delivered Firewall Management Center, even if you physically disconnect an appliance from the network. If you unregister, you will need to redo some device configurations, such as security zone to interface mappings. After you restore, the cloud-delivered Firewall Management Center and devices should begin communicating normally.
- Reimage.
In an RMA scenario, the replacement appliance will arrive configured with factory defaults. However, if the replacement appliance is already configured, we recommend you reimage. Reimaging returns most settings to factory defaults, including the system password. You can only reimage to major versions, so you may need to patch after you reimage.
If you do not reimage, keep in mind that cloud-delivered Firewall Management Center intrusion events and file lists are merged rather than overwritten.
After Restore
After restore, you should:
- Reconfigure anything that was not restored.
This can include reconfiguring licensing, remote storage, and audit log server certificate settings.
- Update the VDB and SRU on the cloud-delivered Firewall Management Center.
We always recommend you use the latest vulnerability database (VDB) and intrusion rules (SRU).
- Deploy.
After you restore a cloud-delivered Firewall Management Center, deploy to all managed devices. After you restore a device, deploy to that device. You must deploy. If a device or devices are not marked out of date, force deploy from the Device Management page: Redeploy Existing Configurations to a Device.