For information on the history of Secure Firewall Migration Tool, see:

• History of the ASA Firewall Migration Tool

• History of the ASA with FirePOWER Services Firewall to Threat Defense with the Firewall Migration Tool

• History of the Check Point Firewall Migration Tool

• History of the Palo Alto Networks Firewall Migration Tool

• History of the Fortinet Firewall Migration Tool

• History of the FDM-Managed Device Migration Tool

The following configuration elements are supported for migration:

• Network objects and groups

• Service objects, except for those service objects configured for a source and destination

  Note	Although the Secure Firewall migration tool does not migrate extended service objects (configured for a source and destination), referenced ACL and NAT rules are migrated with full functionality.

• Service object groups, except for nested service object groups

  Note	Because nesting is not supported on the management center, the Secure Firewall migration tool expands the content of the referenced rules. The rules, however, are migrated with full functionality.

• IPv4 and IPv6 FQDN objects and groups

• IPv6 conversion support (Interface, Static Routes, Objects, ACL, and NAT)

• Access rules that are applied to interfaces in the inbound direction and global ACL

• Auto NAT, Manual NAT, and object NAT (conditional)

• Static routes, ECMP routes, and PBR

• Physical interfaces

• Secondary VLANs on ASA or ASA with FirePOWER Services interfaces will not migrate to Firewall Threat Defense.

• Subinterfaces (subinterface ID will always be set to the same number as the VLAN ID on migration)

• Port channels

• Virtual tunnel interface (VTI)

• Bridge groups (transparent mode only)

• IP SLA Monitor

  The Secure Firewall migration tool creates IP SLA objects, maps the objects with the specific static routes, and migrates these objects to Firewall Management Center.

  Note	IP SLA Monitor is not supported for non-Firewall Threat Defense flow.

• Object Group Search

  Note	Object Group Search is unavailable for Firewall Management Center or Firewall Threat Defense version earlier than 6.6. Object Group Search will not be supported for non-Firewall Threat Defense flow and will be disabled.

• Time-based objects

  Note

  You must manually migrate timezone configuration from source ASA, ASA with FirePOWER Services, and FDM-managed device to target Firewall Threat Defense. Time-based object is not supported for non-Firewall Threat Defense flow and will be disabled. Time-based objects are supported on Firewall Management Center version 6.6 and above.

• Site-to-Site VPN Tunnels

  • Site-to-Site VPN—When the Secure Firewall migration tool detects crypto-map configuration in the source ASA and FDM-managed device, the Secure Firewall migration tool migrates the crypto-map to Firewall Management Center VPN as point-to-point topology

  • Site-to-site VPN from Palo Alto Networks and Fortinet firewalls

  • Crypto map (static/dynamic) based VPN from ASA and FDM-managed device

  • Route-based (VTI) ASA and FDM VPN

  • Certificate-based VPN migration from ASA, FDM-managed device, Palo Alto Networks, and Fortinet firewalls.

  • ASA, FDM-managed device, Palo Alto Networks, and Fortinet trustpoint or certificates migration to Firewall Management Center must be performed manually and is part of the pre-migration activity.

• Dynamic Route objects, BGP, and EIGRP

  • Policy-List

  • Prefix-List

  • Community-List

  • Autonomous System (AS)-Path

  • Route-Map

• Remote Access VPN

  • SSL and IKEv2 protocol.

  • Authentication methods—AAA only, Client Certificate only, SAML, AAA, and Client Certificate.

  • AAA—Radius, Local, LDAP, and AD.

  • Connection Profiles, Group-Policy, Dynamic Access Policy, LDAP Attribute Map, and Certificate Map.

  • Standard and Extended ACL.

  • RA VPN Custom Attributes and VPN load balancing

  • As part of pre-migration activity, perform the following:

    • Migrate the ASA, FDM-managed device, Palo Alto Networks, and Fortinet firewall trustpoints manually to the Firewall Management Center as PKI objects.

    • Retrieve AnyConnect packages, Hostscan Files (Dap.xml, Data.xml, Hostscan Package), External Browser package, and AnyConnect profiles from the source ASA and FDM-managed device.

    • Upload all AnyConnect packages to the Firewall Management Center.

    • Upload AnyConnect profiles directly to the Firewall Management Center or from the Secure Firewall migration tool.

    • Enable the ssh scopy enable command on the ASA to allow retrieval of profiles from the Live Connect ASA.

• ACL optimization

  ACL optimization supports the following ACL types:

  • Redundant ACL—When two ACLs have the same set of configurations and rules, then removing the non-base ACL will not impact the network.

  • Shadow ACL—The first ACL completely shadows the configurations of the second ACL.

  Note	ACL optimization is currently not available for Palo Alto Networks and ASA with FirePower Services (FPS).

For information on the supported configurations of the Secure Firewall migration tool, see:

• Supported ASA Configurations

• Supported ASA with FirePOWER Services Configurations

• Supported Check Point Configurations

• Supported PAN Configurations

• Supported Fortinet Configuration

• Supported FDM-Managed Device Configuration

For information on the migration workflow of the Secure Firewall migration tool, see:

• Export the ASA Configuration File

• Export the ASA with FirePOWER Services Configuration File

• Export the Check Point Configuration Files

• Export the Configuration from Palo Alto Networks Firewall

• Export the Configuration from Fortinet Firewall

• Export the FDM-Managed Device Configuration File

The Secure Firewall migration tool provides the following reports in HTML format with details of the migration:

• Pre-Migration Report

• Post-Migration Report

The Secure Firewall migration tool provides the following capabilities:

• Validation throughout the migration, including parse and push operations

• Object re-use capability

• Object conflict resolution

• Interface mapping

• Auto-creation or reuse of interface objects (ASA name if to security zones and interface groups mapping)

• Auto-creation or reuse of interface objects

• Auto-zone mapping

• User-defined security zone and interface-group creation

• User-defined security zone creation

• Subinterface limit check for the target threat defense device

• Platforms supported:

  • ASA Virtual to Threat Defense Virtual

  • FDM Virtual to Threat Defense Virtual

  • Same hardware migration (X to X device migration)

  • X to Y device migration (Y having higher number of interfaces)

• ACL optimization for source ASA, FDM-managed device, Fortinet, and Checkpoint for ACP rule action.

The Secure Firewall migration tool requires the following infrastructure and platform:

• Windows 10 64-bit operating system or on a macOS version 10.13 or higher

• Google Chrome as the system default browser

  Tip	We recommend that you use full screen mode on the browser when using the migration tool.

• A single instance of the Secure Firewall migration tool per system

• Management Center and Threat Defense must be version 6.2.3.3 or later

Note	Remove the previous build before downloading the newer version.

• Navigating the Cisco Secure Firewall Migration Tool Documentation

• Migrating ASA Firewall to Firewall Threat Defense with the Secure Firewall Migration Tool

• Migrating ASA Firewall with FirePOWER Services to Firewall Threat Defense with the Secure Firewall Migration Tool

• Cisco Secure Firewall ASA to Threat Defense Feature Mapping

• Migrating an FDM-Managed Device to Secure Firewall Threat Defense with the Migration Tool

• Migrating Check Point Firewall to Firewall Threat Defense with the Secure Firewall Migration Tool

• Migrating Palo Alto Networks Firewall to Firewall Threat Defense with the Secure Firewall Migration Tool

• Migrating Fortinet Firewall to Firewall Threat Defense with the Secure Firewall Migration Tool

• Migrating Cisco Secure Firewall ASA to Cisco Multicloud Defense with the Migration Tool

• Migrating Palo Alto Networks Firewall to Cisco Multicloud Defense with the Migration Tool

• Cisco Secure Firewall Migration Tool Compatibility Guide