Cisco 4100/9300 FTD password recovery and reset to factory default

Password Reset

First, here is how you reset the password, and then we can get in and reset the box back to factory default

1. Reboot
2. Use BREAK, ESC or CTRL+L to interrupt boot
3. Find the boot flash command and make a note of kickstart image and system image
4. Load the kickstart image, which is something like this: rommon 1 > boot bootflash:/installables/switch/fxos-k9-kickstart.5.0.3.N2.3.14.69.SPA
5. This will take you to the switch(boot)# prompt
6. Now you can change the password:

switch(boot)# config t
switch(boot)(config)# admin-password erase
Your password and configuration will be erased!
Do you want to continue? (y/n) [n] y

7. Exit to switch(boot)# prompt and load system image saved earlier to complete the procedure:
switch(boot)(config)# exit
switch(boot)# load bootflash:/installables/switch/fxos-k9-system.5.0.3.N2.3.14.69.SPA
8. Configure the device

Reset 4100/9300 to Factory Default

If you know the password and want to set the FTD box (4100/9330) back to factory default. (For 5500x/2100 reset, see blog post Easy FTD reset)

1. Login to your FXOS
2. Type connect local-mgmt
3. Type erase configuration

Example:
cisco4140-1# connect local-mgmt
cisco4140-1(local-mgmt)# erase configuration
All configurations will be erased and system will reboot. Are you sure? (yes/no):yes
Removing all the configuration. Please wait….
Configurations are cleaned up. Rebooting….

8 Comments

  1. Hi Todd,
    This is very useful…
    Is there a way to do admin pw change on FTD through FMC ? Like CSM where we can change the admin pw for Cisco ASA ….

  2. This is for the FXOS chassis Manager, what about the logical device (FTD) on the chassis ? How to do pw recovery on Logical FTD without affecting the chassis

  3. Hi Todd,

    Thanks for this article. Is there away to recover FTD(2130) admin password without resetting the device to factory default settings?

    Thanks.

      1. Thanks for the reply. I got to admit that after 6 years of working on Palos, then moving to a company using only CISCO FTDs, I would never recommended CISCO FTDs to anyone. The ability to configure/modify and recover in PaloAlto is like 100 years ahead of CISCO FTDs.

        1. I won’t recommended going into your new job and putting down FTD though, that just wouldn’t be a good start to your new job… It’s possible that you’re correct about the reset features, but the NGFW on Cisco is superior to PA, Fortinet, juniper, etc when it comes to Snort process protection. It does take more time to configure Firepower for sure than PA, but it’s worth it.
          Good luck on your new job!

Leave a Reply

Your email address will not be published.