How to Easily Reset your Cisco FTD device (Converted ASA/2100/4100/9300) to Factory Default

I had an interesting issue come up at a customer. That issue was how to set their FTD box back to factory default after configuring it into an FMC and pushing policies. The answer from Cisco is “you cannot do that”.

In other words, you have to reinstall the FTD image, which, depending on your FTD box can take a couple hours to do per FTD device.

You can go to the console of the FTD device and type “show running-config” to see the full config on the device, but “erase startup-config” and the other ASA-style erase commands will not work.

However, I did find a way to do this easily and efficiently (for 4100/9300 see this blog: 4100/9300 Factory reset)

From the FTD prompt, convert your FTD device from Routed to Transparent mode (or vice versa) and your configuration on the FTD device will be completely erased.

Here is an example:

> configure firewall transparent
The firewall mode cannot be changed when a manager is configured.

Oops, remove your manager first like this:

> configure manager delete
> configure firewall transparent

This will destroy the current interface configurations, are you sure that you want to proceed? [y/N]y

Now, just set it back to Routed mode, if that is what you need:
> configure firewall routed
This will destroy the current interface configurations, are you sure that you want to proceed? [y/N]y
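The same sequence driven from a script, added here as an example that is not part of the original post: it keys off the exact messages quoted above, deletes the manager only when the mode change is refused, answers both confirmation prompts, and stops if the manager will not go away (the “Managed locally” problem from the comments). `send` is assumed to wrap a real console or SSH session; `SimulatedFtd` is a constructed stand-in, not Cisco’s CLI.

```python
# Prompt fragments copied from the FTD output shown on this page; the driver keys off them.
MANAGER_BLOCK = "cannot be changed when a manager is configured"
CONFIRM_YN = "[y/N]"        # "...destroy the current interface configurations ... [y/N]"
CONFIRM_YESNO = "[yes/no]"  # local-manager delete: "Do you want to continue[yes/no]"
def wipe_config(send, target_mode="routed"):
    """Flip firewall mode and back; send(line) -> output. Returns every line issued, for audit."""
    other = "transparent" if target_mode == "routed" else "routed"
    issued = []
    def cmd(line):
        issued.append(line)
        return send(line)
    def switch(mode):
        out = cmd(f"configure firewall {mode}")
        if MANAGER_BLOCK in out:
            return False
        if out.rstrip().endswith(CONFIRM_YN):
            cmd("y")           # accept "destroy the current interface configurations"
        return True
    if not switch(other):      # an FMC or local (FDM) manager is still registered
        if cmd("configure manager delete").rstrip().endswith(CONFIRM_YESNO):
            cmd("yes")         # the local manager asks for an extra confirmation
        if not switch(other):  # the stuck "Managed locally" state from the comments
            raise RuntimeError("manager still registered after delete; reboot and retry")
    switch(target_mode)        # flip back; both flips erase everything but the mgmt IP
    return issued

class SimulatedFtd:
    """Constructed stand-in for the FTD CLI (not a real device); sticky=True models a manager that will not delete."""
    def __init__(self, manager="fmc", mode="routed", sticky=False):
        self.manager, self.mode, self.sticky, self.pending = manager, mode, sticky, None
    def send(self, line):
        pending, self.pending = self.pending, None
        if pending and line.lower() in ("y", "yes"):  # answering a confirmation prompt
            if pending == "manager" and not self.sticky:
                self.manager = None
            elif pending != "manager":
                self.mode = pending                 # pending holds the requested mode
            return ""
        if line.startswith("configure firewall "):
            if self.manager:
                return "The firewall mode cannot be changed when a manager is configured."
            self.pending = line.split()[-1]
            return "This will destroy the current interface configurations, are you sure that you want to proceed? [y/N]"
        if line == "configure manager delete":
            if self.manager == "local":             # FDM-managed: extra prompt, as in the comments
                self.pending = "manager"
                return "Do you want to continue[yes/no]"
            if not self.sticky:
                self.manager = None
        return ""
```

Keeping the returned command list with the change ticket gives you a record that the wipe was performed before a device leaves the site.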

Nice!
Todd Lammle

www.lammle.com/firepower

42 Comments

  1. Ok, that’s great but how do you go about configuring the interfaces again? I know Cisco love to make everything complicated but this new FTD CLI is ridiculous.

    1. yea, that takes some effort. We spend quite a while on the interfaces in class. Maybe you can come to class!
      Go to Devices>Devices, click on each FTD box and configure the interfaces tab

  2. If you configure an FTD locally and then add it to an FMC later, does it wipe out all of your interface configurations? Policies? VPN?

    Thanks.

    1. hi James, yes, for sure. All would have to be reconfigured and pushed out through the FMC, replacing the local configuration.

        1. Yes, it’s not that bad, but 100% reconfiguration is needed if you do local (why?) and then go to FMC
          come to my class and I’ll show you! :)

  3. Will changing the FTD from Routed to transparent only erase interfaces configuration, or will also delete NAT, Platform Settings and FlexConfig ?

    1. Yes, everything except the management IP info is deleted on the box…although it says it deletes only the interface configs, that’s not true. Try it out….it’s the first thing we do in my FTD class.

  4. Is there an easier way to deal with L2L VPNs in the event of having to replace an FTD firewall due to hardware failure or to simply change the management interface IP. All I can find is you must disjoin the FTD from the FMC (requiring you to first delete all of your L2L tunnels that reference that FTD), change the mgmt IP, and rejoin the FMC. Then you must manually reconfigure all L2L tunnels. Not a big deal if you only have 2-3, but on an FTD with upwards of 40 tunnels that’s a huge amount of time to reconfigure.

  5. I’m trying to reset but it still keeps saying I have manage locally.

    > configure firewall transparent

    The firewall mode cannot be changed when a manager is configured.

    > show managers
    Managed locally.

    > configure manager delete

    If you enabled any feature licenses, you must disable them in Firepower Device Manager before deleting the local manager.
    Otherwise, those licenses remain assigned to the device in Cisco Smart Software Manager.
    Do you want to continue[yes/no]yes
    DCHP Server Disabled

    1. yes, that is a hard problem. You may need to reboot the FTD box, or just keep trying to “configure manager add ip_add password” over and over again…I’ve seen this and it’s annoying.

      1. Thanks lammle.

        When configuring with manager add and then adding the FTD device on FMC, it keeps loading on FMC forever saying it’s doing discovery.
        On FTD it keeps saying “manager configured” but no configuration is being applied.
        Rebooted many times, tried to add many times.

        This is the reason I decided to clean up configuration like:
        ERASE STARTUP CONFIG

        Only config and not the operational system as well

  6. When trying to add to FMC it says on FTD that it’s configured correctly but it’s not receiving new policies.

    On the other side, on FMC it keeps saying that it’s running “discovering device” forever.

    This is the reason why I decided to clean up all device config and don’t erase the operational system.

    1. Reboot the FTD box and go into ROMMON and install 6.2.3 code on it and upgrade your FMC as well.

  7. Hi Todd, does this process ‘change from transparent to routed’ reset any sensitive passwords that are in FirePower Threat Defense?

    I’ve got a bunch of various FTDs I need to RMA with Cisco and would like to completely clear them before I ship them back.

    1. yes, that makes sense. Usually it does. Perform a show running-config and other verification commands, find the commands, and then reset and then verify again. Should do the trick, but just verify
      Thanks!

  8. Hi Todd
    when resetting the admin password for FTD in the rommon this message shows up:
    rommon 1 > password_reset
    WARNING: User configurations will be lost with this operation
    Are you sure ? yes/no [no]: yes

    What does it mean? Is all of the configuration lost?

    1. you need to reinstall that one. it’s not hard or time consuming, so it’s not an issue like for the FTD devices

    1. Excellent! Although I have this detailed out in my new CCNP Security book, Cisco just doesn’t document this part at all so it’s not written anywhere else

  9. Hello Todd,

    Will this process return to back to ASA from FTD? I am using Cisco 5508-x with firepower module and want to reset to factory default.
    On the newer FTD devices, you can reset those 100% back to factory default, but that won’t work on the 5508’s

    1. No, only reset the configuration back to default.
      You can erase disk and then install ASA code or FTD code at that point.

  10. Failed to automatically delete local manager during manager add.

    I am getting this error when I try to add it to FMC

    Here’s the output of show managers, also FMC is reachable from FTD.
    > show managers
    Managed locally.

    1. Yea, that is a problem since you chose to “manage locally” when you went through the setup.
      It’s hard to get out of sometimes.
      Try typing “configure manager delete” and then the “configure manager add…” command
      you may need to do this more than once

      1. Tried to do it a couple of times, still no luck. any other thoughts on this? Worst case is that we will have someone to factory reset it.

        1. Just factory reset it, and when you go through the setup CLI, do not choose “manage locally” which is the default if you are not paying attention. That would be the fastest for you.

  11. hi Todd,

    I am getting this error below. I already tried to configure manager delete.

    Failed to automatically delete local manager during manager add.

  12. I have got 2 x FPR2110, can we use a data IP interface to manage them with FMC instead of using the mgmt interface?

  13. I’m a bit confused and maybe you can help me.

    Cisco 2110 in FTD mode (version 6) and connection via Console:
    1) power on the appliance, stop the boot and enter rommon and then issue “factory_reset”
    or
    2) power on the appliance and let it boot; login with admin and local password and then “connect local-mgmt” followed by “erase configuration” and reload

    Aren’t these legit methods to return the device to the default configuration? Or I’m missing something…

    Thanks!

    1. 100% correct. However, the way I do it takes only a minute, whereas each of the ways you mentioned takes 30-60 minutes, depending on the device

        1. Oh it does, but it doesn’t delete the management VLAN, so the IP, etc stays, which you can see with the show network command
          you can delete that still with the >”configure network ipv4 delete” command if you wanted to set that to default as well
