The Backup Management page lists all locally and remotely stored backups. It also lists how much disk space you have available to store backups. Backups can fail if there is not enough space.

Management Center backups require that you use or create a backup profile.

• Click Backup Profiles to use an existing backup profile.

  Next to the profile you want to use, click the edit icon. You can then click Start Backup to begin the backup right now. Or, if you want to edit the profile, go on to the next step.

• Click Firepower Management Backup to start fresh and create a new backup profile.

  Enter a Name for the backup profile.

• Back Up Configuration. In high availability of management centers, if you choose to back up configuration only on an active management center, by default, both the active and standby management centers are backed up into a single unified backup file. For information of unified backup of management center in high availability, see Unified Backup of Management Centers in High Availability.

• Back Up Events

• Back Up Threat Intelligence Director

In a multidomain deployment, you must back up configurations. You cannot back up events or TID data only. For details on what is and what is not backed up for each of these choices, see About Backup and Restore.

This will either be local storage in /var/sf/backup/, or a remote network volume. For more information, see Manage Backups and Remote Storage.

To receive email notifications, you must configure the management center to connect to a mail server: Configuring a Mail Relay Host and Notification Address.

If you are not using an existing backup profile, the system automatically creates one and uses it. If you decide not to run the backup now, you can click Save or Save As New to save the profile. In either case, you can use the newly created profile to configure scheduled backups.

While the system collects backup data, there may be a temporary pause in data correlation, and you may be prevented from changing configurations related to the backup. If you configured remote storage or enabled Copy when complete, the management center may write temporary files to the remote server. These files are cleaned up at the end of the backup process.

For clustering, choose the cluster. You cannot perform backups on individual nodes.

This will either be local storage in /var/sf/remote-backup/, or a remote network volume. For the ISA 3000, if you have an SD card installed, a copy of the backup will also be made on the SD card at /mnt/disk3/backup. For more information, see Manage Backups and Remote Storage.

• Enabled (default): Saves the backup to the management center in /var/sf/remote-backup/.

  For clusters, this option is always checked. The individual node backup files are copied to the management center and then bundled into a single compressed tar file before it is copied to any remote storage.

• Disabled: Saves the backup to the device in /var/sf/backup.

• Back Up Configuration

• Back Up Events

• Back Up Threat Intelligence Director

In a multidomain deployment, you must back up configurations. You cannot back up events or TID data only. For details on what is and what is not backed up for each of these choices, see About Backup and Restore.

This will either be local storage in /var/sf/backup/, or a remote network volume. For the ISA 3000, if you have an SD card installed, a copy of the backup will also be made on the SD card at /mnt/disk3/backup. For more information, see Manage Backups and Remote Storage.

To receive email notifications, you must configure the management center to connect to a mail server: Configuring a Mail Relay Host and Notification Address.

The Backup Management page lists all locally and remotely stored backup files. You can click a backup file to view its contents.

If the backup file is not in the list and you have it saved on your local computer, click Upload Backup; see Manage Backups and Remote Storage.

If you are restoring configurations, you can log back in after the management center reboots.

Depending on your backup configuration, device backups may be stored:

• On the faulty device itself in /var/sf/backup.

• On the management center in /var/sf/remote-backup.

• In a remote storage location.

For threat defense high availability and clustered devices, you back up the group as a unit. For high availability devices, the backup process produces unique backup files, with each device's role indicated in the backup file name. For clusters, control and data node backup files are bundled together in a single compressed file. You must extract the files, which also indicate the device role.

If the only copy of the backup is on the faulty device, copy it somewhere else now. If you reimage the device, the backup will be erased. If something else goes wrong, you may not be able to recover the backup. For more information, see Manage Backups and Remote Storage.

The replacement device will need the backup, but can retrieve it with SCP during the restore process. We recommend you put the backup somewhere SCP-accessible to the replacement device. Or, you can copy the backup to the replacement device itself.

Disconnect all interfaces. In threat defense high availability deployments, this includes the failover link. For clustering, this includes the cluster control link.

See the hardware installation and getting started guides for your model: http://www.cisco.com/go/ftd-quick.

Connect the device to power and the management interface to the management network. In threat defense high availability deployments, connect the failover link. For clustering, connect the cluster control link. However, do not connect the data interfaces.

See the hardware installation guide for your model: http://www.cisco.com/go/ftd-quick.

In an RMA scenario, the replacement device will arrive configured with factory defaults. If the replacement device is not running the same major version as the faulty device, we recommend you reimage.

See the Cisco Secure Firewall ASA and Secure Firewall Threat Defense Reimage Guide.

Access the threat defense CLI as the admin user. A setup wizard prompts you to configure the management IP address, gateway, and other basic network settings.

Do not set the same management IP address as the faulty device. This can cause problems if you need to register the device in order to patch it. The restore process will correctly reset the management IP address.

See the initial configuration topics in the getting started guide for your model: http://www.cisco.com/go/ftd-quick.

Ensure that the existing device should not be deleted from the management center. The replacement device should be unmanaged from the physical network and the new hardware as well as the replacing threat defense patch should have the same version. The threat defense CLI does not have an upgrade command. To patch:

The restore process can retrieve the backup with SCP, so we recommend you put the backup somewhere accessible. Or, you can manually copy the backup to the replacement device itself, to /var/sf/backup. For clustered devices, extract the appropriate backup file from the backup bundle.

Access the threat defense CLI as the admin user. You can use the console or you can SSH to the newly configured management interface (IP address or hostname). Keep in mind that the restore process will change this IP address.

To restore:

• With SCP: restore remote-manager-backup location scp-hostname username filepath backup tar-file

• From the local device: restore remote-manager-backup backup tar-file

In threat defense high availability and clustering deployments, make sure you choose the appropriate backup file: primary vs secondary, or control vs. data. The role is noted in the backup file name. If you are restoring all devices, do this sequentially. Do not run the restore command on the next device until the restore process completes for the first device, including the reboot.

When the restore is done, the device logs you out of the CLI, reboots, and automatically connects to the management center. At this time, the device should appear out of date.

• Resolve licensing conflicts or orphan entitlements. Contact Cisco TAC.

• Resume high availability synchronization. From the threat defense CLI , enter configure high-availability resume. See Suspend and Resume High Availability in the Cisco Secure Firewall Management Center Device Configuration Guide.

• Re-add/re-enroll all VPN certificates. The restore process removes VPN certificates from threat defense devices, including certificates added after the backup was taken. See Managing VPN Certificates in the Cisco Secure Firewall Management Center Device Configuration Guide.

You must deploy. After you restore a device, you must force deploy from the Device Management page. See Redeploy Existing Configurations to a Device in the Cisco Secure Firewall Management Center Device Configuration Guide.

See the hardware installation guide for your model: http://www.cisco.com/go/ftd-quick.

Disconnect all interfaces. In threat defense HA deployments, this includes the failover link.

If you need to reimage the device or apply a software patch, connect the power connector.

In an RMA scenario, the replacement device will arrive configured with factory defaults. If the replacement device is not running the same major version as the faulty device, you need to reimage. Obtain the installer from https://www.cisco.com/go/isa3000-software.

See the Cisco Secure Firewall ASA and Secure Firewall Threat Defense Reimage Guide to reimage.

The following procedure assumes you have a factory default configuration. If you already configured the device, you can log into device manager and go directly to the Device > Upgrades page to install the patch.

In either case, obtain the patch package from https://www.cisco.com/go/isa3000-software.

If you used device manager to install a patch, you can reboot from the Device > System Settings > Reboot/Shutdown page. From the threat defense CLI, use the reboot command. If you have not yet attached power, attach it now.

Use a standard size #1 paper clip with wire gauge 0.033 inch or smaller to depress the Reset button. The restoration process is triggered during bootup. The device restores the configuration, and then reboots. The device will then register with the management center automatically.

If you are restoring both devices in an HA pair, do this sequentially. Do not restore the second device until the restore process completes for the first device, including the reboot.

At this time, the device should appear out of date.

• Resolve licensing conflicts or orphan entitlements. Contact Cisco TAC.

• Resume high availability synchronization. From the threat defense CLI , enter configure high-availability resume. See Suspend and Resume High Availability in the Cisco Secure Firewall Management Center Device Configuration Guide.

• Re-add/re-enroll all VPN certificates. The restore process removes VPN certificates from threat defense devices, including certificates added after the backup was taken. See Managing VPN Certificates in the Cisco Secure Firewall Management Center Device Configuration Guide.

You must deploy. After you restore a device, you must force deploy from the Device Management page. See Redeploy Existing Configurations to a Device in the Cisco Secure Firewall Management Center Device Configuration Guide.

See the hardware installation guide for your model: http://www.cisco.com/go/ftd-quick.

Depending on your backup configuration, device backups may be stored:

• On the faulty device itself in /var/sf/backup.

• On the management center in /var/sf/remote-backup.

• In a remote storage location.

For threat defense high availability and clustered devices, you back up the group as a unit. For high availability devices, the backup process produces unique backup files, with each device's role indicated in the backup file name. For clusters, control and data node backup files are bundled together in a single compressed file. You must extract the files, which also indicate the device role.

If the only copy of the backup is on the faulty device, copy it somewhere else now. If you reimage the device, the backup will be erased. If something else goes wrong, you may not be able to recover the backup. For more information, see Manage Backups and Remote Storage.

The replacement device will need the backup, but can retrieve it with SCP during the restore process. We recommend you put the backup somewhere SCP-accessible to the replacement device. Or, you can copy the backup to the replacement device itself.

Disconnect all interfaces. In threat defense high availability deployments, this includes the failover link. For clustering, this includes the cluster control link.

See the hardware installation and getting started guides for your model: http://www.cisco.com/go/ftd-quick.

Connect the device to power and the management interface to the management network. In threat defense high availability deployments, connect the failover link. For clustering, connect the cluster control link. However, do not connect the data interfaces.

See the hardware installation guide for your model: http://www.cisco.com/go/ftd-quick.

In an RMA scenario, the replacement device will arrive configured with factory defaults. If the replacement device is not running the same major version as the faulty device, we recommend you reimage.

See the instructions on restoring the factory default configuration in the appropriate Cisco Firepower 4100/9300 FXOS Firepower Chassis Manager Configuration Guide.

You must be running a compatible FXOS version before you re-add logical devices. You can use chassis manager to import your backed-up FXOS configurations: Importing a Configuration File.

Do not set the same management IP addresses as the logical device or devices on the faulty chassis. This can cause problems if you need to register a logical device in order to patch it. The restore process will correctly reset the management IP address.

See the management center deployment chapter in the getting started guide for your model: http://www.cisco.com/go/ftd-quick.

Ensure that the existing device should not be deleted from the management center. The replacement device should be unmanaged from the physical network and the new hardware as well as the replacing threat defense patch should have the same version. The threat defense CLI does not have an upgrade command. To patch:

The restore process can retrieve the backup with SCP, so we recommend you put the backup somewhere accessible. Or, you can manually copy the backup to the replacement device itself, to /var/sf/backup. For clustered devices, extract the appropriate backup file from the backup bundle.

Access the threat defense CLI as the admin user. You can use the console or you can SSH to the newly configured management interface (IP address or hostname). Keep in mind that the restore process will change this IP address.

To restore:

• With SCP: restore remote-manager-backup location scp-hostname username filepath backup tar-file

• From the local device: restore remote-manager-backup backup tar-file

In threat defense high availability and clustering deployments, make sure you choose the appropriate backup file: primary vs secondary, or control vs. data. The role is noted in the backup file name. If you are restoring all devices, do this sequentially. Do not run the restore command on the next device until the restore process completes for the first device, including the reboot.

When the restore is done, the device logs you out of the CLI, reboots, and automatically connects to the management center. At this time, the device should appear out of date.

• Resolve licensing conflicts or orphan entitlements. Contact Cisco TAC.

• Re-add/re-enroll all VPN certificates. The restore process removes VPN certificates from threat defense devices, including certificates added after the backup was taken. See Managing VPN Certificates in the Cisco Secure Firewall Management Center Device Configuration Guide.

You must deploy. After you restore a device, you must force deploy from the Device Management page. See Redeploy Existing Configurations to a Device in the Cisco Secure Firewall Management Center Device Configuration Guide.

See the hardware installation guide for your model: http://www.cisco.com/go/ftd-quick.

Depending on your backup configuration, device backups may be stored:

• On the faulty device itself in /var/sf/backup.

• On the management center in /var/sf/remote-backup.

• In a remote storage location.

For threat defense high availability and clustered devices, you back up the group as a unit. For high availability devices, the backup process produces unique backup files, with each device's role indicated in the backup file name. For clusters, control and data node backup files are bundled together in a single compressed file. You must extract the files, which also indicate the device role.

If the only copy of the backup is on the faulty device, copy it somewhere else now. If you reimage the device, the backup will be erased. If something else goes wrong, you may not be able to recover the backup. For more information, see Manage Backups and Remote Storage.

The replacement device will need the backup, but can retrieve it with SCP during the restore process. We recommend you put the backup somewhere SCP-accessible to the replacement device. Or, you can copy the backup to the replacement device itself.

Shut down, power off, and delete the virtual machine. For procedures, see the documentation for your virtual environment.

See https://www.cisco.com/go/ftdv-quick.

Use the console to access the threat defense CLI as the admin user. A setup wizard prompts you to configure the management IP address, gateway, and other basic network settings.

Do not set the same management IP address as the faulty device. This can cause problems if you need to register the device in order to patch it. The restore process will correctly reset the management IP address.

See the CLI setup topics in the getting started guide: https://www.cisco.com/go/ftdv-quick.

Ensure that the existing device should not be deleted from the management center. The replacement device should be unmanaged from the physical network and the new hardware as well as the replacing threat defense patch should have the same version. The threat defense CLI does not have an upgrade command. To patch:

The restore process can retrieve the backup with SCP, so we recommend you put the backup somewhere accessible. Or, you can manually copy the backup to the replacement device itself, to /var/sf/backup. For clustered devices, extract the appropriate backup file from the backup bundle.

Access the threat defense CLI as the admin user. You can use the console or you can SSH to the newly configured management interface (IP address or hostname). Keep in mind that the restore process will change this IP address.

To restore:

• With SCP: restore remote-manager-backup location scp-hostname username filepath backup tar-file

• From the local device: restore remote-manager-backup backup tar-file

In threat defense high availability and clustering deployments, make sure you choose the appropriate backup file: primary vs secondary, or control vs. data. The role is noted in the backup file name. If you are restoring all devices, do this sequentially. Do not run the restore command on the next device until the restore process completes for the first device, including the reboot.

When the restore is done, the device logs you out of the CLI, reboots, and automatically connects to the management center. At this time, the device should appear out of date.

• Resolve licensing conflicts or orphan entitlements. Contact Cisco TAC.

• Re-add/re-enroll all VPN certificates. The restore process removes VPN certificates from threat defense devices, including certificates added after the backup was taken. See Managing VPN Certificates in the Cisco Secure Firewall Management Center Device Configuration Guide.

You must deploy. After you restore a device, you must force deploy from the Device Management page. See Redeploy Existing Configurations to a Device in the Cisco Secure Firewall Management Center Device Configuration Guide.

See the getting started guide: https://www.cisco.com/go/ftdv-quick.