There may be certain situations when you need to reset a Cisco FTD appliance back to factory default to get a clean start. One such example: during a deployment I encountered a Cisco bug in FTD version 7.0.4 locally managed by FDM. The bug caused a corruption of the database that cannot be repaired, and configurations from the FDM were not synced with LINA, the ASA portion of the FTD. There were discrepancies between the configuration in the CLI and the FDM. The options are to reset to factory default or to reimage the FTD. This document focuses on resetting the FTD back to factory default and applies to the FTD 1000 series of appliances.
Resetting FMC Managed FTDs
If the FTD is managed by FMC, the easiest and fastest way to reset the device is to remove the manager or switch the firewall mode from the CLI. This deletes all the configurations pushed down from the FMC and sets the device back to factory defaults. However, I do not know whether the database actually gets rebuilt or just gets erased, so this may not fix issues with database corruption.
To delete the manager and reset the appliance to default:
> configure manager delete
To reset the appliance to default by changing firewall modes:
>configure firewall?
routed Change to routed firewall mode
transparent Change to transparent firewall mode
Resetting FDM Managed FTDs
Resetting the FTD to factory default will erase all configurations and settings. It is recommended that a backup of the configuration is performed and downloaded from the FDM to a workstation for local storage. After the factory reset, the configuration can then be restored from the FDM. This will fix the database corruption issue, as it deletes the old database and starts with a new one.
- Power cycle the appliance and press Break or ESC during boot-up to access ROMMON.
Rebooting... [455618.459682] reboot: Restarting system
************************************************************************
Cisco System ROMMON, Version 1.0.11, RELEASE SOFTWARE
Copyright (c) 1994-2020 by Cisco Systems, Inc.
Compiled Mon 10/12/2020 21:50:47.51 by builder
************************************************************************
Current image running: Boot ROM0
Last reset cause: Manual (0x00000080)
DIMM0 : Present
Platform FPR-1120 with 16384 MBytes of main memory
BIOS has been successfully locked !!
MAC Address: 40:06:d5:4a:97:80
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.
- Execute show info to validate the hardware and software.
rommon 1 > show info
Cisco System ROMMON, Version 1.0.11, RELEASE SOFTWARE
Copyright (c) 1994-2020 by Cisco Systems, Inc.
Compiled Mon 10/12/2020 21:50:47.51 by builder
Current image running (0/1): Boot ROM0, Upgrade FPGA
Last reset cause: Manual (0x00000080)
Product Identifier : FPR-1120
Serial Number - PCA : JAD260205NF
Serial Number - Chassis : JMX2602X1DQ
Version Identifier : V01
Board Version : 4
Processor memory amount : 16384 MBytes
FPGA Version : 2.5.0
FPGA Date : 10/09/2020
MAC Address : 40:06:d5:4a:97:80
Hardware Anchor : F01139R19.09f041c962018-09-13
Certificate (HMAC) : 344AC3E0FAE94F04
Certificate (ROM0) : 161E878E03B02598
Microloader : MA0010R06.1708012017
SECURE BOOT Validation : Passed
[ME] Firmware version :
Operational : 0B:4.0.4.181
Recovery : 0B:4.0.4.181
[ME] Firmware status :
MEFS1 : 000F0345
MEFS2 : 8811E820
Lan-0 SPI eTrack-ID : 0x80000847
Lan-1 SPI eTrack-ID : 0x8000085f
DIMM0 : Present
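As an added example (not part of the original post), a small Python check that parses the ROMMON show info output above and compares it with an inventory record before the destructive factory-reset step is run; the EXPECTED record is an assumed inventory entry constructed to match the transcript.

```python
import re

# ROMMON "show info" output, copied from the transcript above into a string for offline use.
SAMPLE_SHOW_INFO = """\
Cisco System ROMMON, Version 1.0.11, RELEASE SOFTWARE
Current image running (0/1): Boot ROM0, Upgrade FPGA
Last reset cause: Manual (0x00000080)
Product Identifier : FPR-1120
Serial Number - PCA : JAD260205NF
Serial Number - Chassis : JMX2602X1DQ
Processor memory amount : 16384 MBytes
FPGA Version : 2.5.0
MAC Address : 40:06:d5:4a:97:80
SECURE BOOT Validation : Passed
DIMM0 : Present
"""

# Assumed inventory record for this unit (constructed to match the transcript).
EXPECTED = {
    "model": "FPR-1120",
    "chassis_serial": "JMX2602X1DQ",
    "mac": "40:06:d5:4a:97:80",
}

def parse_show_info(text):
    """Turn 'Key : Value' lines into a dict; only the first ':' splits, so MACs stay intact."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # banner lines without a field separator
        fields[re.sub(r"\s+", " ", key).strip()] = value.strip()
    return fields

def precheck(fields, expected):
    """Return findings; an empty list means the unit matches inventory and secure boot passed."""
    findings = []
    if fields.get("SECURE BOOT Validation") != "Passed":
        findings.append("secure boot validation not reported as Passed")
    checks = [("Product Identifier", "model"), ("Serial Number - Chassis", "chassis_serial"),
              ("MAC Address", "mac")]
    for field, inv_key in checks:
        seen, want = fields.get(field, "").lower(), expected[inv_key].lower()
        if seen != want:
            findings.append(f"{field}: device reports {seen!r}, inventory has {want!r}")
    return findings

if __name__ == "__main__":
    for f in precheck(parse_show_info(SAMPLE_SHOW_INFO), EXPECTED) or ["all checks passed"]:
        print(f)
```

Paste the real show info output in place of the sample string; any finding is a reason to stop before typing factory-reset on a unit that is not the one you intended.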
- Type factory-reset to start the reset process and confirm the reset by typing “yes” and then “ERASE”. Type “yes” to any remaining prompts. The system will reboot after the reset.
rommon 3 > factory-reset
Warning: All configuration will be permanently lost with this operation
and application will be initialized to default configuration.
This operation cannot be undone after booting the application image.
Are you sure you would like to continue ? yes/no [no]: yes
Please type 'ERASE' to confirm the operation or any other value to cancel: ERASE
Performing factory reset...
Located .boot_string
Image size 60 inode num 17, bks cnt 1 blk size 8*512
Rommon will continue to boot disk0:installables/switch/fxos-k8-fp1k-lfbff.2.10.1.175.SPA
Are you sure you would like to continue ? yes/no [no]: yes
Located installables/switch/fxos-k8-fp1k-lfbff.2.10.1.175.SPA
Image size 190962784 inode num 439789, bks cnt 46622 blk size 8*512
.
.
.
.
- After the reboot, the first-boot script will run the first time you log in. Log in with the default username admin and password Admin123, then create a new password when prompted.
firepower login: admin
Password:Admin123
Hello admin. You must change your password.
Enter new password:
Confirm new password:
Your password was updated successfully.
- Accept the EULA and continue with the script to configure the network settings.
firepower# connect ftd
You must accept the EULA to continue.
Press <ENTER> to display the EULA: End User License Agreement
System initialization in progress. Please stand by.
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [y]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: manual
Enter an IPv4 address for the management interface []: 192.168.20.10
Enter an IPv4 netmask for the management interface []: 255.255.255.0
Enter the IPv4 default gateway for the management interface [data-interfaces]: 192.168.20.1
Enter a fully qualified hostname for this system [firepower]: FTD01.home.com
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]:
Enter a comma-separated list of search domains or 'none' []:
If your networking information has changed, you will need to reconnect.
Setting DNS servers: 208.67.222.222 208.67.220.220
No domain name specified to configure.
Setting hostname as FTD01.home.com
Setting static IPv4: 192.168.20.10 netmask: 255.255.255.0 gateway: 192.168.20.1 on management0
Updating routing tables, please wait...
All configurations applied to the system. Took 3 Seconds.
Saving a copy of running network configuration to local disk.
For HTTP Proxy configuration, run 'configure network http-proxy'
Manage the device locally? (yes/no) [yes]:
Configuring firewall mode to routed
Update policy deployment information
- add device configuration
Successfully performed firstboot initial configuration steps for Firepower Device Manager for Firepower Threat Defense.
- After completing the script, the FDM can be used to restore the configuration from the backup if needed. The FTD will also need to be relicensed.
If Cisco Smart Software Licensing is used, log into Cisco Software Central and go to Inventory > Product Instances. Look for the serial number of the FTD and remove it from Product Instances so the FTD can acquire an available license again.
Generate a new token and apply it in the FDM to license the FTD.
As always, if you have any questions on Cisco FTD for you and your business and would like to schedule a free consultation with us, please reach out to us at sales@lookingpoint.com and we’ll be happy to help!
Rick Wong, Principal Network Architect