Factory Reset Firepower 4100 & 9300
I got my hands on some Cisco Firepower 4100 units and after playing around with them I wanted to reset them to factory settings, essentially erase the "startup-config" on the FXOS. The Firepower units act a little differently than your normal Cisco IOS or ASA and you can't just erase startup-config and reload the device, that would be too easy.
(Edit: 7-21-17) After Gabriele made this comment - "connect local-mgmt" and then "erase configuration" it looks like you can. Thanks Gabriele
You also can follow the password recovery on this post which will also erases the configuration. You have to be physically at the device with a console cable, plug into the console port to begin:
- Power off the system, and then power it back on
- While the system is booting, you have go into ROMMON mode to do that press ESC or CTRL+L. You'll see a message confirming that you are going to ROMMON
1!! Rommon image verified successfully !!
2
3Cisco System ROMMON, Version 1.0.10, RELEASE SOFTWARE
4
5Copyright (c) 1994-2015 by Cisco Systems, Inc.
6
7Compiled Mon 11/30/2015 15:23:18.60 by builder
8
9Current image running: Boot ROM0
10
11Last reset cause: PowerCycleRequest
12
13DIMM Slot 0 : Present
14
15DIMM Slot 1 : Present
16
17No USB drive !!
18
19BIOS has been locked !!
20
21Platform FPR-4110-SUP with 8192 Mbytes of main memory
Make note of the kickstart and FXOS system image as you need these names to be able to boot to the correct image. In this example under ROMMON the following appeared on-screen
1boot bootflash:/installables/switch/fxos-k9-kickstart.5.0.3.N2.3.14.69.SPA bootflash:/installables/switch/fxos-k9-system.5.0.3.N2.3.14.69.SPA
- Load the kickstart image
1rommon 1 > boot bootflash:/installables/switch/fxos-k9-kickstart.5.0.3.N2.3.14.69.SPA
2
3 !! Kickstart Image verified successfully !!
- When kickstart loads you'll be at the switch(boot)# prompt, enter configuration mode.
1switch(boot)#
2switch(boot)# config t
3Enter configuration commands, one per line. End with CNTL/Z.
- Under the configuration mode, type admin-password erase, this will erase everything and bring the system back to factory defaults.
1switch(boot)(config)# admin-password erase
2Your password and configuration will be erased!
3Do you want to continue? (y/n) [n] y
4switch(boot)(config)# exit
- Load the system image to startup the FXOS, once the image has been loaded you'll be prompted to enter the setup wizard.
1switch(boot)# load bootflash:/installables/switch/fxos-k9-system.5.0.3.N2.3.14.69.SPA
2Uncompressing system image: bootflash:/installables/switch/fxos-k9-system.5.0.3.N2.3.14.69.SPA
3
4You have chosen to setup a new Security Appliance. Continue? (y/n):
I hope this information is helpful, the information I was referencing is located here: Password Recovery Procedure For Firepower 9300/4100 Series Appliances
Static Comments:
Jimmy -
Hi :Ryan ,I got several devices like ASA 5525x with firepower mode ,i want to reinstall the whole system from ASA(firepower software ) to firepower system complete(called FTD system) ,Do you have similar experence ? Also i purchase (Protection,Control,Malware,URL Filtering) licence ,i find the the firepower mode didnt filter locker virus (like CryptoLocker,CBT locker),Can you give me some suggestion ?
Ryan -
Hey Gabriele, Never tried that command, that's a lot easier than what I was doing :) Thanks. Ryan
Ryan -
Hey Jimmy, I have not had experience upgrading to the FTD image for the ASAs and from what I can tell you may have to upgrade/download several things. I found this on Cisco website which may be a good starting point: http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html I have worked with the Firepower 4100 units which give you the option to use either ASA or an FTD image. I have been playing around with the FTD image and the ASA SFR module, they are different you really don't manage the device directly, it all works through the Firepower Management Center. Its interesting you're not having any luck with the filtering make sure if you are using the ASA image that you set up a service policy under the global policy to inspect all traffic with the SFR module and its not in monitor mode. You will also need to setup policies and rules in the FMC to block this type of traffic. Hope that helps :) Ryan
anon -
You should update your post at the top with this advice. I almost took the long path as well. :)
Ryan -
Updated, thanks Anon :)
Gabriele -
You can try with the commands "connect local-mgmt" and then "erase configuration". It should work