Restore Threat Defense from Backup: Threat Defense Virtual
Use this procedure to replace a faulty or failed threat defense virtual device for VMware.
In threat defense HA and clustering deployments, you can use this procedure to replace all peers. To replace all, perform all steps on all devices simultaneously, except the restore CLI command itself.
Note | Do not unregister from the management center, even when disconnecting a device from the network. In threat defense HA and clustering deployments, do not suspend or break high availibility or clusters. Maintaining registration ensures that replacement devices can automatically reconnect after restore. |
Before you begin
You must read and understand the requirements, guidelines, limitations, and best practices. Do not skip any steps or ignore security concerns. Careful planning and preparation can help you avoid missteps.
Procedure
Step 1 | Navigate . |
Step 2 | Locate a successful backup of the faulty device from Device Backups under Backup Management. For clustering, node backup files are bundled together in a single compressed file for the cluster (cluster_name.timestamp.tar.gz). Before you can restore nodes, you need to extract the individual node backup files (node_name_control_timestamp.tar or node_name_data_timestamp.tar). Use Download that downloads the backup file(s) to your local storage or Export Backup Links that generates a URL to download the backup and exports it to a CSV file that gets downloaded. Use the URL to download the backup to a secure location. Note that the URL is valid only for six hours, after which you must export it again to get a different URL. In threat defense HA deployments, you back up the pair as a unit, but the backup process produces unique backup files for each device in the pair. The device's role is noted in the backup file name. If the only copy of the backup is on the faulty device, copy it somewhere else now. If you reimage the device, the backup will be erased. If something else goes wrong, you may not be able to recover the backup. The replacement device needs the backup, but can retrieve it with SCP during the restore process. We recommend you put the backup somewhere SCP-accessible to the replacement device. Or, you can copy the backup to the replacement device itself. |
Step 3 | Remove the faulty device. Shut down, power off, and delete the virtual machine. For procedures, see the documentation for your virtual environment. |
Step 4 | Deploy a replacement device. |
Step 5 | Perform initial configuration on the replacement device. Use the VMware console to access the threat defense virtual CLI as the admin user. A setup wizard prompts you to configure the management IP address, gateway, and other basic network settings. Do not set the same management IP address as the faulty device. This can cause problems if you need to register the device in order to patch it. The restore process will correctly reset the management IP address. See the CLI setup topics in the getting started guide: Cisco Firepower Threat Defense Virtual for VMware Getting Started Guide. |
Step 6 | Make sure that the replacement device is running the same Firewall software version, including patches, as the faulty device. Ensure that the existing device should not be deleted from the Security Cloud Control. The replacement device should be unmanaged from the physical network and the new hardware and the replacing threat defense virtual patch should have the same version. The threat defense virtual CLI does not have an upgrade command. To patch:
|
Step 7 | Make sure that the replacement device has access to the backup file. The restore process can retrieve the backup with SCP, so we recommend you put the backup somewhere accessible. Or, you can manually copy the backup to the replacement device itself, to /var/sf/backup. For clusters, make sure you extract the individual node backup file from the main cluster bundle. |
Step 8 | From the threat defense CLI, restore the backup. Access the threat defense virtual CLI as the admin user. You can use the console or you can SSH to the newly configured management interface (IP address or hostname). Keep in mind that the restore process will change this IP address. To restore:
In threat defense HA and clustering deployments, make sure you choose the appropriate backup file: primary vs secondary, or control vs. data. The role is noted in the backup file name. If you are restoring all devices, do this sequentially. Do not run the restore command on the next device until the restore process completes for the first device, including the reboot. |
Step 9 | Log into Security Cloud Control and wait for the devices to connect. When the restore is done, the device logs you out of the CLI, reboots, and automatically connects to Security Cloud Control. At this time, the device should appear out of date. At this time, the device should appear out of date. |
Step 10 | Before you deploy, perform any post-restore tasks and resolve any post-restore issues:
|
Step 11 | Deploy configurations. You must deploy. If a restored device is not marked out of date, force deploy from the Device Management page. |
Step 12 | Connect the device's data interfaces. See the hardware installation guide for your model: Cisco Secure Firewall Threat Defense: Install and Upgrade Guides. |