Introduction

The Secure Firewall migration tool enables you to migrate your firewall configurations to a supported Secure Firewall Threat Defense managed by a management center. The migration tool supports migration from Secure Firewall ASA, ASA with FirePOWER Services (FPS), FDM-managed devices as well as third-party firewalls from Check Point, Palo Alto Networks, and Fortinet.

This document provides critical and release-specific information for the Secure Firewall migration tool. Even if you are familiar with Secure Firewall releases and have previous experience with the migration process, make sure that you read and thoroughly understand this document.

New Features

Firewall Release Version: 4.0

Secure Firewall migration tool 4.0 supports:

  • Migration of FDM-managed device to management center provided the destination management center version is 7.3 or later and the source device manager version is 7.2 or later.

    The version of the device manager must be equal to or lower than the version of the destination management center.

    The following options are available for the migration:

    1. Migrate Firepower Device Manager (Shared Configurations only): This option lets you stage the migration: migrate all shared configurations first and the device configurations later, as required. Only the shared configurations are migrated to the target management center in this step. You can either upload the configuration bundle exported from the device manager or provide the device manager credentials so that the tool fetches the configuration itself; automated fetching is the preferred method.

    2. Migrate Firepower Device Manager (Includes Device and Shared configurations): This option migrates both the device configuration and the shared configurations from the device manager to the target management center. Once the source device and its configuration are migrated, the FDM-managed device becomes a device managed by the target management center. You must provide the device manager credentials so that the tool can fetch the configuration; uploading a configuration bundle is not supported for this option.

    3. Migrate Firepower Device Manager (Includes Device and Shared Configurations) to FTD Device (New Hardware): This option migrates both the device configuration and the shared configurations to a threat defense device that is already managed by the target management center. The source device itself is not migrated; only its configuration is migrated to the new threat defense device. You can either upload the configuration bundle exported from the device manager or provide the device manager credentials so that the tool fetches the configuration itself; automated fetching is the preferred method.

  • Migration of Policy Based Routing (PBR) from ASA if the destination management center and threat defense versions are 7.3 or later.

    Note 

    For PBR migration, remove any existing PBR FlexConfig from the management center before proceeding with the migration; otherwise the migrated PBR policy and the FlexConfig would both try to own the same configuration.

  • Migration of Equal Cost Multi-Path (ECMP) routes from ASA if the destination management center is 7.1 or later and the threat defense version is 6.5 or later.

  • Migration of Remote Access VPN custom attributes and VPN load balancing from ASA if the destination management center is 7.3 or later.

    You can perform Remote Access VPN migration with or without a target firewall. If you choose to migrate with a firewall, the threat defense version must be 7.0 or later.

For information on the history of the Secure Firewall migration tool, see:

Supported Configurations

The following configuration elements are supported for migration:

  • Network objects and groups

  • Service objects, except for those service objects configured for a source and destination


    Note

    Though the Secure Firewall migration tool does not migrate extended service objects (those configured with both a source and a destination), the ACL and NAT rules that reference them are migrated with full functionality.
  • Service object groups, except for nested service object groups


    Note

    Since nesting is not supported on the management center, the Secure Firewall migration tool expands the nested groups in the rules that reference them. The rules are migrated with full functionality.
  • IPv4 and IPv6 FQDN objects and groups

  • IPv6 conversion support (Interface, Static Routes, Objects, ACL, and NAT)

  • Access rules that are applied to interfaces in the inbound direction and global ACL

  • Auto NAT, Manual NAT, and object NAT (conditional)

  • Static routes, ECMP routes, and PBR

  • Physical interfaces

    Note

    Secondary VLANs on ASA or ASA with FirePOWER Services interfaces are not migrated to threat defense.

  • Subinterfaces (subinterface ID will always be set to the same number as the VLAN ID on migration)

  • Port channels

  • Virtual tunnel interface (VTI)

  • Bridge groups (transparent mode only)

  • IP SLA Monitor

    The Secure Firewall migration tool creates IP SLA objects, maps the objects with the specific static routes, and migrates these objects to management center.


    Note

    IP SLA Monitor is not supported for the non-threat defense flow.
  • Object Group Search


    Note

    • Object Group Search is unavailable for management center or threat defense versions earlier than 6.6.

    • Object Group Search is not supported for the non-threat defense flow and is disabled.


  • Time-based objects


    Note

    • You must manually migrate timezone configuration from source ASA, ASA with FirePOWER Services, and FDM-managed device to target threat defense.

    • Time-based objects are not supported for the non-threat defense flow and are disabled.

    • Time-based objects are supported on management center version 6.6 and above.


  • Site-to-Site VPN Tunnels

    • Site-to-Site VPN—When the Secure Firewall migration tool detects a crypto map configuration in the source ASA or FDM-managed device, it migrates the crypto map to the management center as a point-to-point VPN topology.

    • Crypto map (static/dynamic) based VPN from ASA and FDM-managed device.

    • Route-based (VTI) ASA and FDM VPN

    • Certificate-based VPN migration from ASA and FDM-managed device.

    • ASA and FDM-managed device trustpoint or certificates migration to management center must be performed manually and is part of the pre-migration activity.

  • Dynamic Route objects, BGP, and EIGRP

    • Policy-List

    • Prefix-List

    • Community-List

    • Autonomous System (AS)-Path

    • Route-Map

  • Remote Access VPN

    • SSL and IKEv2 protocol.

    • Authentication methods—AAA only, Client Certificate only, SAML, and AAA and Client Certificate combined.

    • AAA—RADIUS, Local, LDAP, and AD.

    • Connection Profiles, Group-Policy, Dynamic Access Policy, LDAP Attribute Map, and Certificate Map.

    • Standard and Extended ACL.

    • RA VPN Custom Attributes and VPN load balancing

    • As part of pre-migration activity, perform the following:

      • Migrate the ASA and FDM-managed device trustpoints manually to the management center as PKI objects.

      • Retrieve AnyConnect packages, Hostscan Files (Dap.xml, Data.xml, Hostscan Package), External Browser package, and AnyConnect profiles from the source ASA and FDM-managed device.

      • Upload all AnyConnect packages to the management center.

      • Upload AnyConnect profiles directly to the management center or from the Secure Firewall migration tool.

      • Enable secure copy on the ASA with the ssh scopy enable command so that the tool can retrieve the profiles from a Live Connect ASA.

  • ACL optimization

    ACL optimization supports the following ACL types:

    • Redundant ACL—Two ACEs match the same traffic with the same action, so removing the later (non-base) one does not change how traffic is handled.

    • Shadow ACL—An earlier ACE matches all the traffic of a later ACE, so the later ACE is never hit. If the two ACEs have different actions, the later rule's intent (for example, a deny) is not being enforced on the source device either; review it before accepting the optimization rather than treating it as a simple cleanup.


    Note

    ACL optimization is currently not available for Palo Alto Networks and ASA with FirePOWER Services (FPS).
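
Two of the behaviours listed above, the expansion of nested service object groups and the redundant/shadow ACL checks, can be reproduced on an exported ASA configuration with a short script so you can see what the tool will change before you run it. The following Python is an added example, not code from the migration tool or from Cisco. The configuration fragment is constructed for the example; the parser handles only the protocol-specific object-group service NAME tcp form (port-object and group-object members) and extended ACEs whose endpoints are any, host A or A MASK; and an ACE is reported as shadowed or redundant only when a single earlier ACE fully covers it, which is a simplification of whatever the tool does internally.

```python
# Added example, not the migration tool's code. Assumes protocol-specific service
# groups ('object-group service NAME tcp' with port-object/group-object members)
# and extended ACEs whose endpoints are any / host A / A MASK.
import ipaddress
import re
# Constructed sample configuration for this example, not from a real device.
ASA_CONFIG = """\
object-group service WEB tcp
 port-object eq 80
 port-object eq 443
object-group service MGMT tcp
 port-object eq 22
 group-object WEB
object-group service ALL-APP tcp
 group-object MGMT
 port-object range 8000 8010
access-list OUTSIDE_IN extended permit tcp 10.0.0.0 255.255.255.0 host 192.0.2.10 object-group WEB
access-list OUTSIDE_IN extended deny tcp 10.0.0.0 255.255.255.0 host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended permit tcp 10.0.0.0 255.255.255.0 host 192.0.2.10 object-group ALL-APP
access-list OUTSIDE_IN extended permit tcp 10.0.0.0 255.255.255.0 host 192.0.2.10 eq 80
"""

def parse_service_groups(config):
    """Return {name: {"proto", "ports", "refs"}} for each service object-group."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group service (\S+) (tcp|udp)$", line)
        if m:
            current = m.group(1)
            groups[current] = {"proto": m.group(2), "ports": set(), "refs": []}
            continue
        if current is None or not line.startswith(" "):
            current = None  # the indented member block has ended
            continue
        tok = line.split()
        if tok[0] == "port-object":  # 'eq N' or 'range LO HI'
            lo, hi = (tok[2], tok[2]) if tok[1] == "eq" else (tok[2], tok[3])
            groups[current]["ports"].update(range(int(lo), int(hi) + 1))
        elif tok[0] == "group-object":
            groups[current]["refs"].append(tok[1])
    return groups

def flatten(groups, name, stack=()):
    """Expand nested group-object references into one flat port set, as the tool
    does for management center. A reference cycle is reported, not recursed."""
    if name in stack:
        raise ValueError("cyclic group-object reference: " + " -> ".join(stack + (name,)))
    ports = set(groups[name]["ports"])
    for ref in groups[name]["refs"]:
        ports |= flatten(groups, ref, stack + (name,))
    return ports

def _addr(tok, i):
    """Parse 'any', 'host A' or 'A MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(tok[i] + "/" + tok[i + 1]), i + 2

def parse_aces(config, groups):
    """Parse extended ACEs; 'ports' is None when the ACE matches any port."""
    aces = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        src, i = _addr(tok, 5)
        dst, i = _addr(tok, i)
        rest, ports = tok[i:], None
        if rest and rest[0] == "object-group":
            ports = flatten(groups, rest[1])
        elif rest and rest[0] in ("eq", "range"):
            hi = rest[2] if rest[0] == "range" else rest[1]
            ports = set(range(int(rest[1]), int(hi) + 1))
        elif rest:
            continue  # service syntax this example does not model
        aces.append({"line": line, "action": tok[3], "proto": tok[4],
                     "src": src, "dst": dst, "ports": ports})
    return aces

def covers(a, b):
    # True when ACE a matches every packet that ACE b matches.
    ports_ok = a["ports"] is None or (b["ports"] is not None and b["ports"] <= a["ports"])
    return (a["proto"] == b["proto"] and ports_ok
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"]))

def find_optimizations(aces):
    """(kind, later_line, earlier_line) for each later ACE fully covered by one
    earlier ACE: 'redundant' if the actions match, 'shadowed' if they differ."""
    findings = []
    for j, later in enumerate(aces):
        for earlier in aces[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier["action"] == later["action"] else "shadowed"
                findings.append((kind, later["line"], earlier["line"]))
                break
    return findings

if __name__ == "__main__":
    print(find_optimizations(parse_aces(ASA_CONFIG, parse_service_groups(ASA_CONFIG))))
```

On the sample, ALL-APP flattens to ports 22, 80, 443 and 8000 through 8010 after two levels of group-object expansion. The deny on port 443 is reported as shadowed by the earlier permit on object-group WEB (which already contains 443), so that deny was never enforced on the ASA and needs a policy decision rather than deletion; the final permit on port 80 is reported as redundant. The permit on ALL-APP is not reported because no single earlier ACE covers all of its ports, which is also the limit of this check: a later ACE covered only by the union of several earlier ACEs is not flagged.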


For information on the supported configurations of the Secure Firewall migration tool, see:

Migration Reports

The Secure Firewall migration tool provides the following reports in HTML format with details of the migration:

  • Pre-Migration Report

  • Post-Migration Report

Secure Firewall Migration Tool Capabilities

The Secure Firewall migration tool provides the following capabilities:

  • Validation throughout the migration, including parse and push operations

  • Object re-use capability

  • Object conflict resolution

  • Interface mapping

  • Subinterface limit check for the target threat defense device

  • Platforms supported

    —FDM Virtual to Threat Defense Virtual

    —Same hardware migration (X to X device migration)

    —X to Y device migration (Y having higher number of interfaces)

  • ACL optimization (based on the ACP rule action) for source ASA, FDM-managed device, Fortinet, and Check Point.

Infrastructure and Platform Requirements

The Secure Firewall migration tool has the following infrastructure and platform requirements:

  • Windows 10 64-bit, or macOS 10.13 or later

  • Google Chrome as the system default browser

  • A single instance of the Secure Firewall migration tool per system

  • Management Center and Threat Defense must be version 6.2.3.3 or later


Note

Remove the previous build before downloading the newer version.

Open and Resolved Issues

Resolved Issues

Bug ID: Description

CSCwd47999: Push failure occurs if the source configuration contains a port channel and the target threat defense is a Secure Firewall 3100.

CSCwd42203: Unable to modify the EtherChannel interface for Secure Firewall 3100 series hardware.

CSCwd23773: RA VPN push encounters an authorization error if a space in a DAP record name is replaced with an underscore.

CSCwd44628: Management center should change the RA VPN payload for SAML and push supported API values.

Open and Resolved Caveats

The open caveats for this release can be accessed through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.


Note

You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you don’t have one, you can register for an account on Cisco.com. For more information on Bug Search Tool, see Bug Search Tool Help.

Use the Open and Resolved Caveats dynamic query for an up-to-date list of open and resolved caveats in Secure Firewall migration tool.

Related Documentation