
Dec 28
Resetting a Cisco FTD appliance back to factory default
Posted by Rick Wong

There may be certain situations when you need to reset a Cisco FTD appliance back to factory default to get a clean start. One such example: during a deployment I encountered a Cisco bug in FTD version 7.0.4 locally managed by FDM. The bug corrupted the database in a way that could not be repaired, and configurations from the FDM were not synced to LINA, the ASA portion of the FTD, so the configuration seen in the CLI and in the FDM disagreed. The options are to reset to factory default or to reimage the FTD. This document focuses on resetting the FTD back to factory default and applies to the FTD 1000 series of appliances.

 

Resetting FMC Managed FTDs

If the FTD is managed by FMC, the easiest and fastest way to reset the device is to remove the manager or switch the firewall mode from the CLI. This deletes all the configurations pushed down from the FMC and sets the device back to factory defaults. However, I do not know whether the database actually gets rebuilt or just gets erased, so this may not fix the issue with database corruption.

 

To delete the manager and reset the appliance to default:

> configure manager delete

To reset the appliance to default by changing firewall modes:

> configure firewall ?

routed       Change to routed firewall mode
transparent  Change to transparent firewall mode

 

Resetting FDM managed FTDs

Resetting the FTD to factory default erases all configurations and settings. It is recommended that a backup of the configuration is taken and downloaded from the FDM to a workstation for local storage before the reset. After the factory reset the configuration can then be restored from the FDM. This fixes the database corruption issue because the reset deletes the old database and starts with a new one.

  1. Power cycle the appliance and press Break or ESC during boot-up to access ROMMON.

 

Rebooting... [455618.459682] reboot: Restarting system

************************************************************************

Cisco System ROMMON, Version 1.0.11, RELEASE SOFTWARE

Copyright (c) 1994-2020 by Cisco Systems, Inc.

Compiled Mon 10/12/2020 21:50:47.51 by builder

************************************************************************

Current image running: Boot ROM0

Last reset cause: Manual (0x00000080)

DIMM0 : Present

 

Platform FPR-1120 with 16384 MBytes of main memory

BIOS has been successfully locked !!

MAC Address: 40:06:d5:4a:97:80

 

Use BREAK or ESC to interrupt boot.

Use SPACE to begin boot immediately.

Boot interrupted.

 

  2. Execute show info to validate the hardware and software. The output includes the serial numbers, firmware versions and the secure boot validation result, which are worth recording before the reset.

rommon 1 > show info

 

Cisco System ROMMON, Version 1.0.11, RELEASE SOFTWARE

Copyright (c) 1994-2020 by Cisco Systems, Inc.

Compiled Mon 10/12/2020 21:50:47.51 by builder

 

Current image running (0/1): Boot ROM0, Upgrade FPGA

Last reset cause: Manual (0x00000080)

Product Identifier     : FPR-1120

Serial Number - PCA     : JAD260205NF

Serial Number - Chassis : JMX2602X1DQ

Version Identifier     : V01

Board Version           :   4

Processor memory amount : 16384 MBytes

FPGA Version           : 2.5.0

FPGA Date               : 10/09/2020

MAC Address            : 40:06:d5:4a:97:80

Hardware Anchor         : F01139R19.09f041c962018-09-13

Certificate (HMAC)     : 344AC3E0FAE94F04

Certificate (ROM0)     : 161E878E03B02598

Microloader             : MA0010R06.1708012017

SECURE BOOT Validation : Passed

[ME] Firmware version   :

           Operational : 0B:4.0.4.181

               Recovery : 0B:4.0.4.181

[ME] Firmware status   :

                 MEFS1 : 000F0345

                 MEFS2 : 8811E820

Lan-0 SPI eTrack-ID     : 0x80000847

Lan-1 SPI eTrack-ID     : 0x8000085f

 

DIMM0 : Present
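The show info output above is the only record of the platform identity you will have once the configuration is gone, and it is also where the serial number needed later for Smart Licensing comes from. The following Python is an added example, not code from the original post or from Cisco: it parses a captured show info transcript (the sample below is constructed from the output shown above) into a dictionary, runs the pre-reset checks an operator wants on record (secure boot passed, expected product identifier, both serial numbers present), and compares the identity fields of a pre- and post-reset capture. The helper names parse_show_info, pre_reset_checks, license_record and compare_identity are my own.

```python
"""Parse a ROMMON 'show info' capture and run pre/post factory-reset checks.

Added example, not from the original post or from Cisco. The sample text is
constructed from the console capture in the post; helper names are assumed.
"""
import re

# Constructed sample: a copy of the ROMMON 'show info' output shown in the post.
SHOW_INFO_SAMPLE = """\
rommon 1 > show info

Cisco System ROMMON, Version 1.0.11, RELEASE SOFTWARE
Copyright (c) 1994-2020 by Cisco Systems, Inc.
Compiled Mon 10/12/2020 21:50:47.51 by builder

Current image running (0/1): Boot ROM0, Upgrade FPGA
Last reset cause: Manual (0x00000080)
Product Identifier     : FPR-1120
Serial Number - PCA     : JAD260205NF
Serial Number - Chassis : JMX2602X1DQ
Version Identifier     : V01
Board Version           :   4
Processor memory amount : 16384 MBytes
FPGA Version           : 2.5.0
FPGA Date               : 10/09/2020
MAC Address            : 40:06:d5:4a:97:80
Hardware Anchor         : F01139R19.09f041c962018-09-13
Certificate (HMAC)     : 344AC3E0FAE94F04
Certificate (ROM0)     : 161E878E03B02598
Microloader             : MA0010R06.1708012017
SECURE BOOT Validation : Passed
[ME] Firmware version   :
           Operational : 0B:4.0.4.181
               Recovery : 0B:4.0.4.181
[ME] Firmware status   :
                 MEFS1 : 000F0345
                 MEFS2 : 8811E820
Lan-0 SPI eTrack-ID     : 0x80000847
Lan-1 SPI eTrack-ID     : 0x8000085f

DIMM0 : Present
"""

# 'Key : Value' lines. The colon must be followed by whitespace or end of line,
# so timestamps such as '21:50:47' in the 'Compiled' banner are not treated as fields.
KEY_VALUE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:(?:\s+(?P<value>\S.*?))?\s*$")
ROMMON_VERSION = re.compile(r"ROMMON, Version (\S+),")

# Fields that identify the physical unit; a factory reset must not change them.
IDENTITY_KEYS = ("Product Identifier", "Serial Number - PCA",
                 "Serial Number - Chassis", "MAC Address", "Hardware Anchor")


def parse_show_info(text):
    """Return a dict of the 'Key : Value' fields plus the ROMMON version.

    A line with an empty value (e.g. '[ME] Firmware version   :') starts a
    section; its indented sub-fields are stored as 'Section / Field'.
    """
    fields = {}
    section = None
    for line in text.splitlines():
        m = ROMMON_VERSION.search(line)
        if m:
            fields["ROMMON Version"] = m.group(1)
            continue
        m = KEY_VALUE.match(line)
        if not m:
            continue  # banner, prompt or blank line
        key, value = m.group("key"), m.group("value") or ""
        if value == "":
            section = key  # header line with no value
            continue
        if line[0].isspace() and section:
            key = f"{section} / {key}"
        else:
            section = None
        fields[key] = value
    return fields


def pre_reset_checks(fields, expected_pid="FPR-1120"):
    """Return a list of findings; an empty list means it is safe to proceed.

    The reset wipes configuration only, so a secure-boot failure or a wrong
    platform would survive it and should be investigated first.
    """
    findings = []
    if fields.get("SECURE BOOT Validation") != "Passed":
        findings.append("SECURE BOOT Validation is not 'Passed'; investigate before resetting")
    if fields.get("Product Identifier") != expected_pid:
        findings.append(f"Product Identifier is not {expected_pid}; check you are on the right console")
    for key in ("Serial Number - Chassis", "Serial Number - PCA"):
        if not fields.get(key):
            findings.append(f"{key} missing; record it before the reset")
    return findings


def license_record(fields):
    """Values to note for relicensing: the chassis serial is what you look for
    under Inventory > Product Instances in Cisco Software Central."""
    return {"chassis_serial": fields["Serial Number - Chassis"],
            "pca_serial": fields["Serial Number - PCA"],
            "product_id": fields["Product Identifier"],
            "mac": fields["MAC Address"]}


def compare_identity(before, after):
    """Return {key: (before, after)} for identity fields that differ between a
    pre-reset and a post-reset 'show info' capture; expected to be empty."""
    return {k: (before.get(k), after.get(k))
            for k in IDENTITY_KEYS if before.get(k) != after.get(k)}


if __name__ == "__main__":
    info = parse_show_info(SHOW_INFO_SAMPLE)
    print("findings:", pre_reset_checks(info) or "none")
    print("license record:", license_record(info))
    print("identity diff vs. self:", compare_identity(info, info))
```

Capture show info once before typing factory-reset and again after the reboot, feed both captures to compare_identity, and file the license_record output with the change ticket; that is what you will need when removing the old product instance and applying the new token.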

  3. Type factory-reset to start the reset process and confirm the reset by typing “yes” and then “ERASE”. Type “yes” to any remaining prompts. The system will reboot after the reset.

 

rommon 3 > factory-reset

Warning: All configuration will be permanently lost with this operation

         and application will be initialized to default configuration.

         This operation cannot be undone after booting the application image.

         Are you sure you would like to continue ? yes/no [no]: yes

         Please type 'ERASE' to confirm the operation or any other value to cancel: ERASE

 

Performing factory reset...

Located .boot_string

Image size 60 inode num 17, bks cnt 1 blk size 8*512

 

 

Rommon will continue to boot disk0:installables/switch/fxos-k8-fp1k-lfbff.2.10.1.175.SPA

 

Are you sure you would like to continue ? yes/no [no]: yes

 

Located installables/switch/fxos-k8-fp1k-lfbff.2.10.1.175.SPA

 

Image size 190962784 inode num 439789, bks cnt 46622 blk size 8*512

.

.

.

.

  4. After the reboot, the factory script runs the first time you log in. Log in with the default username admin and password Admin123 and create a new password when prompted.

 

firepower login: admin

Password:Admin123

 

Hello admin. You must change your password.

Enter new password:

Confirm new password:

Your password was updated successfully.

 

  5. Accept the EULA and continue with the script to configure the network settings.

 

 

firepower# connect ftd

You must accept the EULA to continue.

Press <ENTER> to display the EULA: End User License Agreement

 

System initialization in progress. Please stand by.

You must configure the network to continue.

You must configure at least one of IPv4 or IPv6.

Do you want to configure IPv4? (y/n) [y]: y

Do you want to configure IPv6? (y/n) [y]: n

Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: manual

Enter an IPv4 address for the management interface []: 192.168.20.10

Enter an IPv4 netmask for the management interface []: 255.255.255.0

Enter the IPv4 default gateway for the management interface [data-interfaces]: 192.168.20.1

Enter a fully qualified hostname for this system [firepower]: FTD01.home.com

Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]:

Enter a comma-separated list of search domains or 'none' []:

If your networking information has changed, you will need to reconnect.

Setting DNS servers: 208.67.222.222 208.67.220.220

No domain name specified to configure.

Setting hostname as FTD01.home.com

Setting static IPv4: 192.168.20.10 netmask: 255.255.255.0 gateway: 192.168.20.1 on management0

Updating routing tables, please wait...

All configurations applied to the system. Took 3 Seconds.

Saving a copy of running network configuration to local disk.

For HTTP Proxy configuration, run 'configure network http-proxy'

Manage the device locally? (yes/no) [yes]:

Configuring firewall mode to routed

Update policy deployment information

   - add device configuration

Successfully performed firstboot initial configuration steps for Firepower Device Manager for Firepower Threat Defense.

 

 

  6. After completing the script, the FDM can be used to restore the configuration from backup if needed. The FTD will also need to be relicensed.

 

If Cisco Smart Software Licensing is used, log into Cisco Software Central. Go to Inventory > Product Instances, look for the serial number of the FTD and remove it from Product Instances so that a new token can be issued for the FTD to acquire an available license.

 


Generate a new token and apply it in the FDM to license the FTD.


 

As always, if you have any questions about Cisco FTD for you and your business and would like to schedule a free consultation with us, please reach out to us at sales@lookingpoint.com and we’ll be happy to help!


 

Written By:

Rick Wong, Principal Network Architect
