About Secure Firewall Migration Tool

The Secure Firewall migration tool enables you to migrate your firewall configurations to a supported Secure Firewall Threat Defense managed by a management center. The migration tool supports migration from Secure Firewall ASA, ASA with FirePOWER Services (FPS), FDM-managed devices, as well as third-party firewalls from Microsoft Azure, Check Point, Palo Alto Networks, and Fortinet.

This document provides critical and release-specific information about the Secure Firewall migration tool. Even if you are familiar with Secure Firewall releases and have previous experience with the migration process, we recommend that you read and thoroughly understand this document.

New Features

Release Version 10.0

  • Migration Support for CSF220 Series Devices

    This release introduces comprehensive migration support for CSF200 series devices.

    Supported migration: All

  • Migration Support for Firewall Management Center and Firewall Threat Defense 10.0 Release

    Migration support for Firewall Management Center and Firewall Threat Defense 10.0, designed to facilitate a smooth transition to this release.

    Supported migration: All

  • Telemetry Enhancements

    This release introduces significant enhancements to telemetry capabilities, improving data collection for analysis and troubleshooting.

    Supported migration: All

  • Parsing Performance Improvements

    This release delivers significant enhancements to parsing performance, making the system more responsive and efficient.

    Supported migration: Check Point Firewall to Firewall Threat Defense, Palo Alto Networks Firewall to Firewall Threat Defense, and ASA Firewall to Firewall Threat Defense.

  • Dual NAT Support Enhancement

    The Dual Network Address Translation (NAT) feature is enhanced to improve the user experience.

    See: Check Point Configuration Support

    Supported migration: Check Point Firewall to Firewall Threat Defense

Open and Resolved Issues

Resolved Issues

  • CSCwq68720: Parsing fails if the migrated configuration contains an IPv4-mapped IPv6 address.

  • CSCwq90564: In ASA to Firewall Threat Defense migration using Firewall Migration Tool version 7.7.10.1, partial site-to-site VPNs are ignored.

  • CSCwr42202: When migrating ASA configuration to Firewall Management Center using Firewall Migration Tool, Access Control Lists (ACLs) are ignored when the Remote Access VPN (RAVPN) feature is marked for migration.

  • CSCwr76541: Optimization does not work correctly during migration.

  • CSCwr77655: During ASA to Firewall Threat Defense migration using the Firewall Migration Tool, the Next button is grayed out after parsing.

  • CSCwr77681: During Fortinet Firewall to Firewall Threat Defense migration using the Firewall Migration Tool, buttons such as Next, Logout, and Settings are grayed out after parsing.

  • CSCwr81648: When you migrate from ASA to Firewall Threat Defense using the Firewall Migration Tool, the tool cannot parse or push the device configuration (interfaces, routes, or site-to-site VPNs) if the target Firewall Threat Defense is managed through a data interface.

  • CSCwr85336: In the Palo Alto to Firewall Threat Defense migration using the Firewall Migration Tool, NAT is not visible on the parse summary page.

  • CSCwr96827: The Fortinet Firewall to Firewall Threat Defense migration using the Firewall Migration Tool throws an error at the application mapping stage.

  • CSCwr98247: The Firewall Migration Tool displays an error message on the Firewall Management Center selection page when Firewall Management Center version 10.0 is chosen.

  • CSCws16819: Migration of Fortinet Firewall ACL configuration to Firewall Threat Defense fails at the parsing stage.

  • CSCws22470: Palo Alto to Firewall Threat Defense migration using Firewall Migration Tool fails with the error message:

    "Str" object has no attribute "toXML"

  • CSCws23077: In ASA to Firewall Threat Defense migration using Firewall Migration Tool, object-group configurations are not migrated.

  • CSCws24428: The system continues to call the remaining_time API even after the migration is completed.

  • CSCws24481: Quote handling failures during user-group configuration parsing cause an error.

  • CSCws24497: Some object names contain underscores that mimic the format of an IP address. The configuration parser mistakenly interprets these names as containing subnet notation and tries to split the address using '/', which results in a ValueError.

  • CSCws24608: Although all ACLs are already optimized in ASA to Firewall Threat Defense migration using Firewall Migration Tool, the Proceed button still displays the Optimization dialog box.

  • CSCws25006: During migration from an FDM-managed device to a Secure Firewall Threat Defense device using the Firewall Migration Tool, an error occurs while pushing the DHCP configuration.

  • CSCws25852: An error occurs at the parsing stage:

    Object Network range rule has failed, too many values to unpack (expected 2)

  • CSCws25865: In ASA to Firewall Threat Defense migration using Firewall Migration Tool version 7.7.10.1, partial site-to-site VPNs are ignored.

  • CSCws25869: When migrating from ASA to Firewall Threat Defense using the Firewall Migration Tool, an informational message appears repeatedly while you fill in the Preshared Key field.

  • CSCws25870: In ASA to Firewall Threat Defense migration using Firewall Migration Tool, the tool ignores site-to-site tunnel configuration at the parsing stage.

  • CSCws25950: The migration from ASA to Firewall Threat Defense using the Firewall Migration Tool fails with the following error:

    "Error while pushing s2s vpn: Object for Type Ike2 and UUID null is not found"

  • CSCws26263: During ASA to Firewall Threat Defense migration with the Firewall Migration Tool, the AnyConnect file is not fetched by the Firewall Management Center, even after the page is refreshed.

  • CSCws27417: In the Palo Alto to Firewall Threat Defense migration using the Firewall Migration Tool, a warning message is displayed on the Optimize, Review and Validate the Configuration page.

  • CSCws27468: In the Palo Alto to Firewall Threat Defense migration using the Firewall Migration Tool, route and VPN are not supported after the configuration is parsed.

  • CSCws27674: Adaptive Security Appliance (ASA) to Firewall Threat Defense migration using Firewall Migration Tool fails while pushing RA VPN with the following error:

    External proxy invoked LwVPNApi commitWithDomain method and ran into an unexpected error com.cisco.nm.vms.rpc.shared.exception.USMException: Invalid Reference One or more of the selected objects was not found, or may have been deleted by another user or activity. Check the Audit Report to see if any of the selected objects was deleted.

  • CSCws27993: Firewall Migration Tool stops parsing ACLs after parsing the rule named "inside_access_in".

  • CSCws28174: ASA to Firewall Threat Defense migration in the Firewall Migration Tool fails during the site-to-site VPN push with the following error:

    Unsupported or Invalid value for endpoint interface. VPN supports only routed mode interfaces. In case of VRF enabled device, only interfaces that are part of global VRF are supported.

  • CSCws28557: The Firewall Migration Tool blocks Palo Alto to Firewall Threat Defense migration on the Map Security Zones page.

  • CSCws28568: In ASA to Firewall Threat Defense migration using Firewall Migration Tool, the tool indicates a need for ACL optimization even though the configuration does not have an ACL.

  • CSCws29822: ASA to Firewall Threat Defense migration using Firewall Migration Tool fails while pushing an extended ACL.

  • CSCws29832: In ASA to Firewall Threat Defense migration using Firewall Migration Tool, an error occurs while pushing the group policy.

  • CSCws29839: The Firewall Migration Tool is unable to connect to Cloud-Delivered Firewall Management Center using the API token.

  • CSCws30006: Demo mode and upload type do not appear in the telemetry e-mail.

  • CSCws31190: FDM-managed device to Firewall Threat Defense device registration fails because of a duplicate device name.

  • CSCws32615: During ASA to Firewall Threat Defense migration using the Firewall Migration Tool, the Optimize ACL button still appears even though all ACLs are already optimized.

  • CSCws32977: Fortinet Firewall to Firewall Threat Defense migration using Firewall Migration Tool fails while pushing RA VPN with the following error:

    Error while pushing ra vpn: External proxy invoked LwVPNApi commitWithDomain method and ran into an unexpected error com.cisco.nm.vms.rpc.shared.exception.ValidationException: Configure at least one security zone or interface group in access interfaces to enable Remote Access VPN.

  • CSCws33225: Fortinet Firewall to Firewall Threat Defense migration using the Secure Firewall Migration Tool is blocked while pushing RA VPN with the following error:

    Only IPv4 Network or Host types are allowed for objects. An object that is not in IPv4 format has been introduced. Please remove the object or modify the object to meet the requirements.

  • CSCws34300: Check Point (r80-r81) to Firewall Threat Defense migration using Firewall Migration Tool fails during configuration parse with the following error:

    cannot access local variable 'extracted_dual_nat_acls' where it is not associated with a value

  • CSCws34347: In Check Point to Firewall Threat Defense migration using Firewall Migration Tool, the premigration report cannot be downloaded after parsing the configuration.
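CSCwq68720 and CSCws24497 share a root cause: the parser guessed at a token's shape (address versus object name) before validating it. As an added illustration that is not the migration tool's own code, the Python below validates each token with the standard ipaddress module before splitting on '/', so address-like object names stay names and IPv4-mapped IPv6 addresses normalise to IPv4; the "object <name> <value>" line syntax and the sample lines are constructed for this demo, not a vendor format.

```python
import ipaddress

def classify_token(token):
    """Return ("host", ip), ("subnet", cidr) or ("name", token) for one config token.

    Only a token whose address part really parses is split on '/'; a name such as
    net_10_1_1_0/24 or host_192_168_1_10 is returned unchanged as an object name.
    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are normalised to their IPv4 form.
    """
    addr_part, slash, prefix = token.partition("/")
    try:
        ip = ipaddress.ip_address(addr_part)
    except ValueError:
        return ("name", token)                 # not an address at all: an object name
    mapped = ip.ipv4_mapped if ip.version == 6 else None
    if mapped is not None:
        ip = mapped
        if slash and prefix.isdigit() and int(prefix) >= 96:
            prefix = str(int(prefix) - 96)     # /120 on ::ffff:x.x.x.x is /24 in IPv4
    if not slash:
        return ("host", str(ip))
    # ip_network validates the prefix (number or dotted mask) and raises a ValueError
    # with a clear message instead of letting a bad split propagate into the parser
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return ("subnet", str(network))

def parse_object_lines(lines):
    """Parse constructed 'object <name> <value>' lines into {name: (kind, value)}."""
    objects = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[0] != "object":
            continue                            # not an object definition, skip it
        _, name, value = parts
        objects[name] = classify_token(value)
    return objects

# Constructed sample lines in a simplified object syntax (not a real vendor format).
SAMPLE_LINES = [
    "object srv_10_1_1_1 10.1.1.1",
    "object net_10_1_1_0_24 10.1.1.0/24",
    "object v4mapped_host ::ffff:10.1.1.1",
    "object v4mapped_net ::ffff:10.1.1.0/120",
    "object grp_ref host_192_168_1_10",          # a reference to another object by name
]
```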

Open and Resolved Caveats

The open caveats for this release can be accessed through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.


Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you don’t have one, you can register for an account on Cisco.com. For more information on the Bug Search Tool, see Bug Search Tool Help.

Use the Open and Resolved Caveats dynamic query for an up-to-date list of open and resolved caveats in Secure Firewall migration tool.

Supported Configurations

The following configuration elements are supported for migration:

  • Network objects and groups

  • Service objects, except for those service objects configured for a source and destination


    Note: Although the Secure Firewall migration tool does not migrate extended service objects (configured for a source and destination), referenced ACL and NAT rules are migrated with full functionality.

  • Service object groups, except for nested service object groups


    Note: Because nesting is not supported on the management center, the Secure Firewall migration tool expands the content of the referenced rules. The rules, however, are migrated with full functionality.

  • IPv4 and IPv6 FQDN objects and groups

  • IPv6 conversion support (Interface, Static Routes, Objects, ACL, and NAT)

  • Access rules that are applied to interfaces in the inbound direction, and the global ACL

  • Auto NAT, Manual NAT, and object NAT (conditional)

  • Static routes, ECMP routes, and PBR

  • Physical interfaces

  • Secondary VLANs on ASA or ASA with FirePOWER Services interfaces are not migrated to Firepower Threat Defense.

  • Subinterfaces (subinterface ID will always be set to the same number as the VLAN ID on migration)

  • Port channels

  • Virtual tunnel interface (VTI)

  • Bridge groups (transparent mode only)

  • IP SLA Monitor

    The Secure Firewall migration tool creates IP SLA objects, maps the objects with the specific static routes, and migrates these objects to FMC.


    Note: IP SLA Monitor is not supported for the non-Firepower Threat Defense flow.
  • Object Group Search


    Note:

    • Object Group Search is unavailable for FMC or Firepower Threat Defense versions earlier than 6.6.

    • Object Group Search is not supported for the non-Firepower Threat Defense flow and is disabled.


  • Time-based objects


    Note:

    • You must manually migrate the timezone configuration from the source ASA, ASA with FirePOWER Services, or FDM-managed device to the target Firepower Threat Defense.

    • Time-based objects are not supported for the non-Firepower Threat Defense flow and are disabled.

    • Time-based objects are supported on FMC version 6.6 and above.


  • Site-to-Site VPN Tunnels

    • Site-to-Site VPN—When the Secure Firewall migration tool detects crypto-map configuration in the source ASA or FDM-managed device, it migrates the crypto map to FMC VPN as a point-to-point topology.

    • Site-to-site VPN from Palo Alto Networks and Fortinet firewalls

    • Crypto map (static/dynamic) based VPN from ASA and FDM-managed device

    • Route-based (VTI) ASA and FDM VPN

    • Certificate-based VPN migration from ASA, FDM-managed device, Palo Alto Networks, and Fortinet firewalls.

    • ASA, FDM-managed device, Palo Alto Networks, and Fortinet trustpoint or certificates migration to FMC must be performed manually and is part of the pre-migration activity.

  • Dynamic Route objects, BGP, and EIGRP

    • Policy-List

    • Prefix-List

    • Community-List

    • Autonomous System (AS)-Path

    • Route-Map

  • Remote Access VPN

    • SSL and IKEv2 protocols.

    • Authentication methods—AAA only, Client Certificate only, SAML, AAA, and Client Certificate.

    • AAA—RADIUS, Local, LDAP, and AD.

    • Connection Profiles, Group-Policy, Dynamic Access Policy, LDAP Attribute Map, and Certificate Map.

    • Standard and Extended ACL.

    • RA VPN Custom Attributes and VPN load balancing

    • As part of pre-migration activity, perform the following:

      • Migrate the ASA, FDM-managed device, Palo Alto Networks, and Fortinet firewall trustpoints manually to the FMC as PKI objects.

      • Retrieve AnyConnect packages, Hostscan Files (Dap.xml, Data.xml, Hostscan Package), External Browser package, and AnyConnect profiles from the source ASA and FDM-managed device.

      • Upload all AnyConnect packages to the FMC.

      • Upload AnyConnect profiles directly to the FMC or from the Secure Firewall migration tool.

      • Run the ssh scopy enable command on the ASA to allow retrieval of profiles from the Live Connect ASA.

  • ACL optimization

    ACL optimization supports the following ACL types:

    • Redundant ACL—Two ACLs have the same set of configurations and rules, so removing the non-base ACL does not affect the network.

    • Shadow ACL—The first ACL completely shadows the configurations of the second ACL, so the second ACL is never matched.

    • Disabled ACL—The ACL has been explicitly turned off in the firewall's configuration. The rules exist in the configuration file but never process traffic, so the Secure Firewall Migration Tool ignores them.


    Note: ACL optimization is currently not available for Palo Alto Networks and ASA with FirePOWER Services (FPS).
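The three ACL optimization cases above, worked through in added example code that is not part of the migration tool: a first-match classifier flags redundant (identical), shadowed (fully covered by an earlier enabled rule) and disabled entries over a constructed five-rule ACL. The Rule fields, the simplified 5-tuple match model and the enabled flag are assumptions of this example.

```python
from dataclasses import dataclass, astuple
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:                      # constructed, simplified access-list entry
    name: str
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp" or "udp"
    src: str                     # source network, CIDR notation
    dst: str                     # destination network, CIDR notation
    dport: tuple = (0, 65535)    # inclusive destination port range
    enabled: bool = True         # False models an ACL disabled in the config

def covers(a, b):
    """True when every packet that b would match is already matched by a."""
    sa, sb, da, db = map(ip_network, (a.src, b.src, a.dst, b.dst))
    if sa.version != sb.version or da.version != db.version:
        return False             # IPv4 and IPv6 rules can never overlap
    proto_ok = a.proto == "ip" or a.proto == b.proto
    port_ok = a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1]
    return proto_ok and port_ok and sb.subnet_of(sa) and db.subnet_of(da)

def classify_acls(rules):
    """Map each rule name to 'keep', 'redundant', 'shadowed' or 'disabled' (first-match order)."""
    verdict, active = {}, []
    for rule in rules:
        if not rule.enabled:
            verdict[rule.name] = "disabled"
            continue
        status = "keep"
        for earlier in active:
            # astuple(...)[1:-1] is the configuration without the name and enabled flag
            if astuple(earlier)[1:-1] == astuple(rule)[1:-1]:
                status = "redundant"     # same configuration twice
                break
            if covers(earlier, rule):
                status = "shadowed"      # never reached; its action may even differ
                break
        verdict[rule.name] = status
        if status == "keep":
            active.append(rule)
    return verdict

# Constructed sample: r2 repeats r1, r3 sits behind r1 and can never fire, r4 is disabled.
SAMPLE_ACL = [
    Rule("r1", "permit", "tcp", "10.0.0.0/8", "192.168.1.10/32", (443, 443)),
    Rule("r2", "permit", "tcp", "10.0.0.0/8", "192.168.1.10/32", (443, 443)),
    Rule("r3", "deny", "tcp", "10.1.0.0/16", "192.168.1.10/32", (443, 443)),
    Rule("r4", "permit", "ip", "0.0.0.0/0", "0.0.0.0/0", enabled=False),
    Rule("r5", "permit", "udp", "10.0.0.0/8", "192.168.1.53/32", (53, 53)),
]
```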


For information on the supported configurations of the Secure Firewall migration tool, see:

Infrastructure and Platform Requirements

The Secure Firewall migration tool requires the following infrastructure and platform:

  • Windows 10 64-bit operating system, or macOS version 10.13 or later

  • Google Chrome as the system default browser


    Tip: We recommend that you use full screen mode in the browser when using the migration tool.


  • A single instance of the Secure Firewall migration tool per system

  • Management Center and Threat Defense must be version 6.2.3.3 or later


Note: Remove the previous build before downloading the newer version.

Related Documentation

For information on the history of Secure Firewall Migration Tool, see:

Migration Workflow

For information on the migration workflow of the Secure Firewall migration tool, see:

Migration Reports

The Secure Firewall migration tool provides these reports in HTML format with details of the migration:

  • Pre-Migration Report

  • Post-Migration Report

Secure Firewall Migration Tool Capabilities

The Secure Firewall migration tool provides these capabilities:

  • Validation throughout the migration, including parse and push operations

  • Object re-use capability

  • Object conflict resolution

  • Interface mapping

  • Auto-creation or reuse of interface objects (ASA nameif to security zones and interface groups mapping)

  • Auto-creation or reuse of interface objects

  • Auto-zone mapping

  • User-defined security zone and interface-group creation

  • User-defined security zone creation

  • Subinterface limit check for the target threat defense device

  • Platforms supported:

    • ASA Virtual to Threat Defense Virtual

    • FDM Virtual to Threat Defense Virtual

    • Same hardware migration (X to X device migration)

    • X to Y device migration (Y having higher number of interfaces)

  • ACL optimization for source ASA, FDM-managed device, Fortinet, and Check Point for ACP rule action.

Link to Firewall Migration Tool Documents