FTD RMA replacement added to FMC and the config restored

This procedure describes how to restore a Firewall Threat Defense (FTD) configuration to a new replacement unit managed by the Cisco Firepower Management Center (FMC). The process uses a backup file taken from the faulty device; restoring it onto the new hardware brings back the configuration and automatically reconnects the device to the FMC.

Prerequisites

  • You have an RMA replacement device of the identical model.
  • The replacement device has the same or lower software version, including patches, as the FMC.
  • You have a backup file of the faulty device, downloaded from the FMC.
  • The backup file is saved to an accessible location (e.g., an SCP server).
  • The faulty device has been removed from the network or powered off. 

Step 1: Initial configuration of the replacement FTD

  1. Install and Connect: Rack the new FTD and connect its management interface to the network so it can reach the FMC.
  2. Run Setup Wizard: Access the FTD’s CLI and complete the initial setup wizard to configure basic network settings, but do not set the old management IP and do not register the device to the FMC yet.

Step 2: Prepare for restore

  1. Upload Backup: Transfer the backup file from your SCP server to the replacement FTD’s /var/sf/backup/ directory using the CLI command: restore remote-manager-backup location scp-hostname username filepath backup tar-file.

Step 3: Restore the configuration

  1. Initiate and Confirm: From the FTD’s CLI, run the restore command against the backup file (e.g., restore remote-manager-backup backup tar-file) and confirm that you want to overwrite the existing configuration.
  2. Reboot and Reconnect: The FTD will restore the configuration, reboot, and automatically reconnect to the FMC. It will be marked as “Out of Date” in the FMC. 

Step 4: Finalize and deploy

  1. Log in to FMC: Access the FMC web interface.
  2. Redeploy Policies: Deploy to the device so that its policies are reapplied.
  3. Re-enroll VPN Certificates: If you had a Remote Access VPN, you will also need to re-add or re-enroll the VPN certificates.
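Before the backup is staged on the SCP server and the restore is run, a short pre-restore check on the admin host confirms the prerequisites above: the archive is intact, the replacement is the identical model, and its version is not above the FMC's. This is an added example, not Cisco tooling; it assumes the backup's SHA-256 was recorded when it was downloaded from the FMC, and the "show version" text is a constructed sample.

```shell
#!/bin/sh
# Pre-restore checks for an FTD backup downloaded from the FMC, run on the
# admin host before the file is staged on the SCP server. Added example, not
# Cisco tooling. Assumed inputs: the SHA-256 recorded when the backup was
# downloaded from the FMC, and the text of "show version" from the new unit.

# sha256_of FILE : print the hex digest (sha256sum, or shasum where absent)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | awk '{ print $1 }'
}

# backup_ok FILE EXPECTED : FILE is a readable tar whose digest is EXPECTED
backup_ok() {
    [ -r "$1" ] || return 1
    [ "$(sha256_of "$1")" = "$2" ] || return 1
    tar -tf "$1" >/dev/null 2>&1     # a truncated or altered upload fails here
}

# version_le A B : dotted version A is the same as or lower than B
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0 }'
}

# model_of / version_of TEXT : platform name and version from the line
#   "Model : <platform> (<id>) Version X.Y.Z (Build N)" of "show version"
model_of()   { printf '%s\n' "$1" | awk -F': *' '/^Model/ { sub(/ \(.*/, "", $2); print $2 }'; }
version_of() { printf '%s\n' "$1" | awk '/^Model/ { for (i = 1; i <= NF; i++) if ($i == "Version") print $(i + 1) }'; }

# precheck FILE EXPECTED_SHA FAULTY_MODEL FMC_VERSION SHOWVER : go/no-go for the
# prerequisites: intact backup, identical model, version not above the FMC's
precheck() {
    backup_ok "$1" "$2"                   || { echo "backup digest/archive check failed"; return 1; }
    [ "$(model_of "$5")" = "$3" ]         || { echo "model mismatch: $(model_of "$5")"; return 1; }
    version_le "$(version_of "$5")" "$4"  || { echo "replacement runs a newer version than the FMC"; return 1; }
    echo "prerequisites met; stage $1 on the SCP server"
}
# Constructed sample of "show version" output from the replacement unit
SHOWVER='Model                     : Cisco Firepower 2110 Threat Defense (77) Version 7.0.5 (Build 72)'
# Example call (placeholder digest and path; the real values come from the FMC):
# precheck ./ftd-backup.tar <sha256-from-fmc> "Cisco Firepower 2110 Threat Defense" 7.0.6 "$SHOWVER"
```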

Happy labbing…