Migrate Secure Firewall Threat Defense from Secure Firewall Management Center to Cloud
Cisco Defense Orchestrator allows a user with CDO Admin rights to migrate the threat defense devices from the management center to the cloud.
Before you initiate the migration process on the threat defense devices, the management center associated with those devices must already be onboarded to CDO.
On migrating the threat defense to the cloud, CDO onboards the devices and imports all shared policies and associated objects, device-specific policies, and device configuration from the management center to CDO.
Note: CDO handles all duplicate policy and object names that are identified during the management center migration process. This behavior is explained in detail later in this document.
The events and analytics management can be transferred to CDO or retained with the management center.
After you perform the migration, you have 14 days to evaluate your changes. During the evaluation period you can modify specific actions or change the management of these devices back to the management center. After the evaluation period, you cannot revert any changes.
User Roles
The user roles of the on-prem management center are no longer applicable in CDO after migration. Your authorization to perform tasks on the migrated device is based on your user role in CDO. See the Users topic to understand the on-prem management center and cloud-delivered Firewall Management Center user role mapping.
Supported Software
This section describes the minimum software requirements for migration:
- Management Center: 7.2
- Secure Firewall Threat Defense:
  - 7.0.3 or above
  - 7.2 or above
  Note: Migration is not supported for threat defense devices running software version 7.1.
Licensing
- When the threat defense is migrated to the cloud, all feature licenses associated with the device are transferred to CDO and released from the management center to the Smart License pool. The device reclaims the device-specific licenses during its registration with CDO; you do not need to apply the licenses to the device again.
- The device-specific licenses are not required if you want to keep devices in the management center for analytics.
- Ensure that you have registered the cloud-delivered Firewall Management Center with a smart license.
Supported Features
Handling Shared Policies and Objects
When the migration process begins, the shared policies and their associated objects that are attached to the threat defense devices are imported first, followed by the device configuration.
The following shared policies are imported to CDO after changing the manager on threat defense devices:
- Access control
- IPS
- SSL
- Prefilter
- NAT
- QoS
- Identity
- Platform settings
- Flex config
- Network analysis
- DNS
- Malware & file
- Health
- Remote Access VPN
If a policy or object in CDO has the same name as a policy or object imported from the Secure Firewall Management Center, CDO takes the following actions after the manager change succeeds.

| Policies, Objects | Condition | Action |
|---|---|---|
| Access control, SSL, IPS, Prefilter, NAT, QoS, Identity, Platform settings, Network analysis, DNS, Malware & File policies | Name of the cloud-delivered Firewall Management Center policy matches the management center policy. | The cloud-delivered Firewall Management Center policy is used instead of the imported policy from the management center. |
| RA VPN default group policy DfltGrpPolicy | The default group policy DfltGrpPolicy from the management center is ignored. | The existing cloud-delivered Firewall Management Center default group policy DfltGrpPolicy is used instead. |
| Network, Port objects | Name and content of network and port objects in the cloud-delivered Firewall Management Center match the ones in the management center. | The existing cloud-delivered Firewall Management Center network and port objects with the same name and content are used instead of the imported objects from the management center. If the object has the same name but different content, an object override is created. |
| All other objects | Name of the cloud-delivered Firewall Management Center object matches the management center object. | The existing cloud-delivered Firewall Management Center object is used instead of the imported object from the management center. |
Any Syslog alert object that is associated with the access control policy is imported into Cisco Defense Orchestrator.
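As an added example that is not part of the Cisco documentation, the following Python models the duplicate-name rules from the table above as a pre-migration check over two constructed inventories; the `Item` type, the function names and the sample policy and object names are assumptions for illustration. It flags imported policies that an existing cloud-delivered Firewall Management Center policy of the same name will silently replace, which is the case an administrator most wants to review before migrating.

```python
from dataclasses import dataclass

# Policy types where, on a name match, the existing cdFMC policy replaces the import.
POLICY_TYPES = {"access control", "ssl", "ips", "prefilter", "nat", "qos", "identity",
                "platform settings", "network analysis", "dns", "malware & file"}
OVERRIDE_TYPES = {"network", "port"}  # same name, different content -> object override

@dataclass(frozen=True)
class Item:
    kind: str           # lower-case type, e.g. "access control", "network", "port"
    name: str
    content: str = ""   # normalized definition; compared only for network/port objects

def resolve_conflicts(existing, imported):
    """Apply the duplicate-name table: returns {(kind, name): outcome}."""
    by_key = {(e.kind, e.name): e for e in existing}
    outcomes = {}
    for imp in imported:
        key = (imp.kind, imp.name)
        if imp.kind == "ra vpn group policy" and imp.name == "DfltGrpPolicy":
            outcomes[key] = "ignored (DfltGrpPolicy)"   # cdFMC default group policy wins
        elif key not in by_key:
            outcomes[key] = "imported"
        elif imp.kind in POLICY_TYPES:
            outcomes[key] = "existing used"             # imported policy is dropped
        elif imp.kind in OVERRIDE_TYPES and imp.content != by_key[key].content:
            outcomes[key] = "override created"
        else:
            outcomes[key] = "existing used"             # identical object, or any other type
    return outcomes

def dropped_policies(outcomes):
    # Imported policies the device will NOT receive; review these before migrating.
    return sorted(name for (kind, name), o in outcomes.items()
                  if kind in POLICY_TYPES and o == "existing used")

# Constructed sample inventories (not from any real tenant).
EXISTING = {Item("access control", "Branch-ACP"), Item("network", "DMZ-Net", "10.10.0.0/24"),
            Item("network", "Mgmt-Net", "10.20.0.0/24"), Item("port", "HTTPS", "tcp/443")}
IMPORTED = {Item("access control", "Branch-ACP"),           # name clash: cdFMC policy kept
            Item("access control", "Lab-ACP"),
            Item("network", "DMZ-Net", "10.10.0.0/24"),      # same name and content
            Item("network", "Mgmt-Net", "172.16.5.0/24"),    # same name, new content: override
            Item("ra vpn group policy", "DfltGrpPolicy")}

if __name__ == "__main__":
    outcomes = resolve_conflicts(EXISTING, IMPORTED)
    for key, outcome in sorted(outcomes.items()):
        print(f"{key[0]:>21} {key[1]:<14} -> {outcome}")
    print("Review before migrating:", dropped_policies(outcomes))
```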
Migration Support for Threat Defense in a High Availability Pair
You can migrate a device in a high availability pair. The device management of both active and standby devices is changed and imported into CDO.
Important: We strongly recommend committing the manager changes before performing any advanced operations, such as creating an HA configuration or breaking HA on the devices that are being migrated. Performing such operations during the evaluation period is not supported and may result in unintended behavior.
Migration Support for Management Center in a High Availability Pair
You can migrate the threat defense devices from a high availability configured management center to the cloud.
The management center can be onboarded using SecureX, or using credentials with the SDC method. Always onboard the active management center, not the standby.
Note: If you have already onboarded a standalone management center and later configured it as a standby, delete the standby management center and onboard the active one.
Points to Remember:
- SecureX Onboarding Method
  - High availability break is not supported during the 14-day evaluation period. You can break high availability after the changes are committed, either manually or automatically after the evaluation period.
  - High availability switchover is supported during the 14-day evaluation period.
- Credentials Onboarding Method Using SDC
  - High availability break and high availability switchover are not supported during the 14-day evaluation period. You can perform these operations after the changes are committed, either manually or automatically after the evaluation period.
  - After a switchover, onboard the new active unit, which was previously in standby mode, and then start a migration job on the devices.
Unsupported Features
The Migrate FTD to cdFMC screen doesn't allow migration of a device to the cloud in the following conditions:
- The device has a Site-to-Site VPN policy.
- The device is part of a cluster.
- The device is registered with the management center for analytics only.
The following configurations are not imported from the management center to CDO as part of the migration:
- Custom Widgets, Application Detectors, Correlation, SNMP and Email Alerts, Scanners, Groups, Dynamic Access Policy, Custom AMP Configuration, Users, Domains, Scheduled Deployment Tasks, ISE configuration, Scheduled GeoDB Updates, Threat Intelligence Director configuration, Dynamic Analysis Connections.
- The ISE internal certificate object is not imported as part of the migration. You must export a new system certificate, or a certificate and its associated private key, from ISE and import it into CDO.
Secure Firewall Recommended Rules
Migrating threat defense to the cloud migrates the rule recommendations that are already associated with any of the intrusion policies. However, the cloud-delivered Firewall Management Center does not support rule recommendations, so after migration it cannot generate new rule recommendations or auto-update the recommendations that were migrated. See Auto Cisco Recommended Rules.
Custom Network Analysis
If the device is associated with a custom network analysis policy (NAP), you must remove all references to this policy from the on-premises management center before migration.
- Log on to the on-premises management center.
- Choose Policies > Access Control.
- Click the edit icon on the access control policy from which you want to disassociate the custom NAP, and then click the Advanced tab.
- In the Network Analysis and Intrusion Policies area, click the edit icon.
- In the Default Network Analysis Policy list, select a system-provided policy.
- Click OK.
- Click Save to save the changes, and then click Deploy to deploy the changes to the device.
After migration, you can manually create the Network Analysis Policy in CDO.
Migration Guidelines and Limitations for VPN Configuration
Keep the following in mind when you migrate a device with VPN configuration:
Migration Support for Remote Access VPN Policy
As part of the migration process, CDO imports all the settings of a remote access VPN policy except for the following:
- Object overrides are not imported. If overrides are used in the address pool object, you must manually add them to the imported object in CDO after migration.
- Local users are not imported. If the authentication server is configured to use a local database for user authentication, the associated local realm object is imported into CDO. However, you must manually add the local users to the imported local realm object in CDO after migration. See Create a Realm and Realm Directory.
- VPN load balancing configuration is not migrated.
- RA VPN certificate enrollment with domain configuration is not imported.
You can perform the following after migration:
- In CDO, click Inventory > FTD.
- Select the migrated FTD and, in the Device Management pane on the right, click Device Overview.
- Choose Devices > Certificates.
- Perform one of the following:
  - If the certificates are imported in an error state, click the Refresh certificate status icon to synchronize the certificate status with the device. The certificate status turns green.
  - If the certificates are not imported, you must manually add the certificates defined in the RA VPN policy configured in the management center.
Managing Threat Defense Events and Analytics
The events and analytics management can be retained in the management center or transferred to Cisco Defense Orchestrator, where the devices must be configured to send events to Cisco Defense Orchestrator. While initiating the migration process, you are allowed to choose the manager to which the device events must be sent for analytics.
If you select the management center for analytics, Cisco Defense Orchestrator becomes the manager for selected devices but retains a copy of those devices on the management center in analytics-only mode. The devices continue to send events to the management center, and Cisco Defense Orchestrator manages the configuration changes.
If you select Cisco Defense Orchestrator for analytics, Cisco Defense Orchestrator becomes the manager for the selected devices and deletes these devices from the management center. Cisco Defense Orchestrator manages both configuration changes and events and analytics management. You must configure threat defense devices to send events to the Cisco cloud. You can use either Security Services Exchange or the Secure Event Connector (SEC) to send events from the devices to the Cisco Secure Analytics and Logging (SAL) in the cloud.
Enable Notification Settings
You can subscribe to email notifications from CDO for specific states of a migration job that affects a device associated with your tenant.
If you enable notifications for them, CDO sends an email for the following states of the Migrate FTD to cdFMC job:
- Failed: When a migration job fails.
- Started: When a migration job is initiated.
- Succeeded: When a migration job is completed successfully.
- Commit Pending: When the manager changes are waiting to be committed.
To enable notification settings, see Notification Settings.
Verify Threat Defense Connectivity with Cloud-delivered Firewall Management Center
This section provides the commands to determine the threat defense connectivity with the cloud-delivered Firewall Management Center.
Check internet connectivity on the device
Execute the ping system <any OpenDNS server address> command to check whether the device can reach the internet.
- Connect to the CLI of the device, either from the console port or using SSH.
- Log in with the Admin username and password.
- Enter ping system <OpenDNS IP address>.
ping system 208.67.222.222
PING 208.67.222.222 (208.67.222.222) 56(84) bytes of data.
64 bytes from 208.67.222.222: icmp_seq=1 ttl=48 time=22.10 ms
64 bytes from 208.67.222.222: icmp_seq=2 ttl=48 time=22.10 ms
64 bytes from 208.67.222.222: icmp_seq=3 ttl=48 time=22.8 ms
64 bytes from 208.67.222.222: icmp_seq=4 ttl=48 time=22.6 ms
^C
--- 208.67.222.222 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 7ms
rtt min/avg/max/mdev = 22.588/22.841/22.995/0.223 ms
The above example shows that the device can reach the internet using the OpenDNS server IP address: the number of packets transmitted equals the number received, indicating that internet connectivity is available on the device.
Note: If your results don't match, check the internet connection manually.
Check device connectivity with Cloud-delivered Firewall Management Center
- Obtain the host name of the cloud-delivered Firewall Management Center.
  - In the CDO navigation pane, click Tools & Services > Firewall Management Center.
  - Choose Cloud-Delivered FMC to see the cloud-delivered Firewall Management Center details in the right pane.
  - In the Hostname field, copy only the hostname, as shown in the following example image.
    In the figure, the highlighted text is the hostname (cdo-acc10.app.us.cdo.cisco.com) of the FMC to copy.
- Connect to the CLI of the device, either from the console port or using SSH.
- Enter ping system <hostname of the FMC>.
ping system cdo-acc10.app.us.cdo.cisco.com
PING cdo-acc10.app.us.cdo.cisco.com (54.187.125.161) 56(84) bytes of data.
^C
--- cdo-acc10.app.us.cdo.cisco.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 64ms
In the above example, the hostname resolves to an IP address, indicating that your connection is successful. Ignore the "100% packet loss" message shown in the response.
Note: If you can't connect to the host, you can correct the DNS configuration in the CLI using configure network dns <address>.
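As an added example that is not part of the original documentation, this Python applies the interpretation rules from the two checks above to captured `ping system` output: full reception means internet connectivity, and a resolved hostname counts as success even at 100% packet loss. The transcripts are constructed from the example output in this section, the unresolved-name transcript is a constructed failure case, and the function names are assumptions.

```python
import re

# Constructed transcripts modelled on the example output in this section (not real captures).
INTERNET_CHECK = """\
PING 208.67.222.222 (208.67.222.222) 56(84) bytes of data.
64 bytes from 208.67.222.222: icmp_seq=1 ttl=48 time=22.10 ms
64 bytes from 208.67.222.222: icmp_seq=2 ttl=48 time=22.8 ms
--- 208.67.222.222 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 7ms
"""
CDFMC_CHECK = """\
PING cdo-acc10.app.us.cdo.cisco.com (54.187.125.161) 56(84) bytes of data.
--- cdo-acc10.app.us.cdo.cisco.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 64ms
"""
# Constructed unresolved-name case; the exact wording varies between ping implementations.
DNS_FAILURE = "ping: cdo-acc10.app.us.cdo.cisco.com: Name or service not known\n"

HEADER = re.compile(r"^PING (\S+) \((\d{1,3}(?:\.\d{1,3}){3})\)", re.M)
STATS = re.compile(r"^(\d+) packets transmitted, (\d+) received", re.M)

def parse_ping(output):
    """Extract the target, the IP it resolved to (None if no PING header) and packet counts."""
    header, stats = HEADER.search(output), STATS.search(output)
    return {"target": header.group(1) if header else None,
            "resolved_ip": header.group(2) if header else None,
            "sent": int(stats.group(1)) if stats else 0,
            "received": int(stats.group(2)) if stats else 0}

def internet_ok(output):
    """Check 1: every transmitted packet was received, as in the OpenDNS example."""
    p = parse_ping(output)
    return p["sent"] > 0 and p["received"] == p["sent"]

def cdfmc_reachable(output, hostname):
    """Check 2: the hostname resolved to an IP address; packet loss is ignored, as the text instructs."""
    p = parse_ping(output)
    return p["target"] == hostname and p["resolved_ip"] is not None

def verdict(internet_out, cdfmc_out, hostname):
    if not internet_ok(internet_out):
        return "no internet: check the device's internet connection manually"
    if not cdfmc_reachable(cdfmc_out, hostname):
        return "hostname did not resolve: fix DNS with 'configure network dns <address>'"
    return "ok: device resolves the cloud-delivered FMC hostname"

if __name__ == "__main__":
    print(verdict(INTERNET_CHECK, CDFMC_CHECK, "cdo-acc10.app.us.cdo.cisco.com"))
    print(verdict(INTERNET_CHECK, DNS_FAILURE, "cdo-acc10.app.us.cdo.cisco.com"))
```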