Configuring Firepower Management Center (FMC) Backups with SSH Key Authentication
SPOTO Cisco Expert

1.0 Executive Summary

This document provides a comprehensive, validated procedure for configuring automated backups from a Cisco Firepower Management Center (FMC) to a remote server using SSH key-pair authentication. The objective is to establish a secure, passwordless mechanism suitable for automation, addressing the common requirement to replace password-based authentication for scheduled backup tasks. The solution details the generation of SSH keys, configuration of the remote backup server, and the specific steps required within the FMC graphical user interface (GUI) and command-line interface (CLI) to implement and verify this functionality.

2.0 Problem Analysis

The core technical challenge is automating FMC backups to a remote Linux/Unix-based server using Secure Copy (SCP) or Secure File Transfer Protocol (SFTP) without manual password entry. While the FMC backup utility supports these protocols, its native configuration for automated jobs requires a secure and persistent authentication method. Standard password authentication is less secure and problematic for automation. The required solution is to leverage public/private SSH key-pair authentication, where the FMC can authenticate to the backup server automatically using its private key. The initial steps involve generating the key pair and placing the public key on the server, but the critical, FMC-specific part of the process is correctly uploading the private key to the FMC and associating it with the backup operation.

3.0 Prerequisites

Before proceeding with the configuration, ensure the following prerequisites are met:

  • Remote Backup Server: A functional SSH server (e.g., OpenSSH) must be running on the designated backup host.
  • User Account: A dedicated user account for backups must exist on the remote server (e.g., fmcbackup). This user must have write permissions to the target backup directory.
  • Network Connectivity: Ensure TCP port 22 (or the custom SSH port) is open and accessible from the FMC’s management interface to the remote backup server. Verify no intermediary firewalls are blocking this communication.
  • Administrative Access: You must have administrative credentials for both the FMC and the remote backup server (root or sudo access).

4.0 Comprehensive Solution Walkthrough

This procedure is divided into four stages: key generation, server-side configuration, FMC configuration, and verification.

4.1 SSH Key Pair Generation

On a secure workstation or the backup server itself, generate a new SSH key pair. It is best practice to use a strong key algorithm and length.

  1. Open a terminal session.

  2. Execute the ssh-keygen command. We recommend using RSA with a 4096-bit length for enhanced security.

    ssh-keygen -t rsa -b 4096 -f ~/.ssh/fmc_backup_key
    
  3. When prompted for a passphrase, press Enter twice to leave it blank. A passphrase-protected key cannot be used for passwordless automation.

  4. This command creates two files:

    • fmc_backup_key (the private key)
    • fmc_backup_key.pub (the public key)

4.2 Remote Backup Server Configuration

Configure the backup server to trust the public key for the designated backup user.

  1. Log in to the remote backup server as the backup user (e.g., fmcbackup).

  2. Create the .ssh directory if it does not exist and set the correct permissions to ensure security.

    mkdir -p ~/.ssh
    chmod 700 ~/.ssh
    
  3. Append the content of the public key (fmc_backup_key.pub) to the authorized_keys file.

    cat /path/to/fmc_backup_key.pub >> ~/.ssh/authorized_keys
    
  4. Set strict permissions on the authorized_keys file. Incorrect permissions will cause SSH key authentication to fail.

    chmod 600 ~/.ssh/authorized_keys
    

4.3 Firepower Management Center (FMC) Configuration

Upload the private key to the FMC and configure the backup profile.

  1. Upload the Private Key:

    • Log in to the FMC GUI.
    • Navigate to System > Configuration > Secure Shell.
    • In the “SSH Client” section, click Browse next to the “Upload New Private Key” field.
    • Select the private key file (fmc_backup_key) generated in step 4.1.
    • Click Upload. The FMC will now use this key for outbound SSH/SCP/SFTP connections initiated by the system.
  2. Configure the Backup Profile:

    • Navigate to System > Tools > Backup/Restore.
    • Click on the Backup Management tab.
    • Click Create Backup.
    • Provide a Name for the backup profile.
    • Select the desired Backup Type (e.g., “Backup Firepower Management Center”).
    • Under Storage Location, select Remote Storage.
    • Enter the following details for the remote server:
      • Host: The IP address or FQDN of your backup server.
      • Protocol: Select SCP or SFTP.
      • Port: 22 (or your custom port).
      • User: The backup user account (e.g., fmcbackup).
      • Password: Leave this field blank. The FMC will automatically attempt to use the uploaded SSH private key.
      • Directory: The absolute path to the backup destination directory on the server (e.g., /backups/fmc).
    • Configure the Recurrence for your automated schedule.
    • Click Save. The FMC will now attempt backups according to this schedule using the configured SSH key.

4.4 Verification and Troubleshooting

It is critical to verify the connection from the FMC before relying on the scheduled job.

  1. Use SSH to log in to the FMC’s command-line interface (CLI) as admin.

  2. Enter expert mode to access the underlying Linux shell:

    > expert
    

  3. Manually test the SCP or SSH connection to the backup server to confirm the key authentication is working correctly.

    ssh -i /etc/ssh/ssh_host_rsa_key <backup_user>@<backup_server_ip>
    
    Note: The FMC stores the uploaded private key as /etc/ssh/ssh_host_rsa_key. You should receive a successful login without a password prompt.

  4. If the connection fails, verify file permissions on the server, check for firewall blocks, and ensure the correct private key was uploaded to the FMC.
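The server-side steps of section 4.2 and the permission checks section 4.4 tells you to perform, as an added example that is not part of the original article or of any Cisco tooling. It assumes a POSIX shell with GNU or BSD stat; the key line and the FMC address 192.0.2.10 are constructed placeholders, and the optional restrict,from= key options are an addition beyond the article that limits what the passphrase-less key can be used for.

```shell
#!/bin/sh
# Added example, not from the original article. Server-side setup for section
# 4.2 plus an audit of the permission faults section 4.4 tells you to check.
# Assumes a POSIX shell and GNU or BSD stat. Key material below is CONSTRUCTED.

# Octal permission bits of a path, portable across GNU and BSD stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_backup_key <pubkey-file> <home-dir> [fmc-ip]
# Idempotently appends the public key to authorized_keys with the permissions
# from section 4.2. With an FMC IP, the entry is prefixed with OpenSSH key
# options so the passphrase-less key only works from that host and only for
# scp/sftp-style sessions (restrict = no pty, no forwarding, no user rc).
install_backup_key() {
    key=$(cat "$1") || return 1
    home="${2:-$HOME}"
    entry="$key"
    if [ -n "${3:-}" ]; then entry="restrict,from=\"$3\" $key"; fi
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    grep -qF "$key" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$entry" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# audit_backup_key <home-dir>
# Returns 0 when the layout passes the checks sshd applies under StrictModes
# (the usual reason key auth silently falls back to a password prompt):
# ~/.ssh is 700, authorized_keys is 600, home is not group/world-writable.
audit_backup_key() {
    home="${1:-$HOME}"
    rc=0
    [ "$(mode_of "$home/.ssh")" = "700" ] || { echo "BAD: .ssh not 700"; rc=1; }
    [ "$(mode_of "$home/.ssh/authorized_keys")" = "600" ] ||
        { echo "BAD: authorized_keys not 600"; rc=1; }
    case "$(mode_of "$home")" in
        *[2367]?|*[2367]) echo "BAD: $home is group/world writable"; rc=1 ;;
    esac
    return $rc
}

# Self-contained demo against a throwaway home directory with a constructed key.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed fmcbackup@example" \
        > "$demo/fmc_backup_key.pub"
    install_backup_key "$demo/fmc_backup_key.pub" "$demo" "192.0.2.10"
    cat "$demo/.ssh/authorized_keys"
    audit_backup_key "$demo" && echo "OK: layout passes StrictModes checks"
fi
```

Run it as the backup user with `--demo` to see the resulting authorized_keys line, or source it and call `audit_backup_key "$HOME"` when a scheduled backup unexpectedly fails authentication.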

5.0 Conclusion

By following this detailed procedure, you can successfully configure a secure, reliable, and automated backup solution for the Firepower Management Center using SSH key-pair authentication. This method eliminates the security risks and operational inefficiencies associated with storing and using passwords for scheduled tasks, aligning with industry best practices for system administration.
