First Published: March 14, 2023

About Secure Firewall Migration Tool

The Secure Firewall migration tool enables you to migrate your firewall configurations to a supported Secure Firewall Threat Defense managed by a management center. The migration tool supports migration from Secure Firewall ASA, ASA with FirePOWER Services (FPS), FDM-managed devices as well as third-party firewalls from Check Point, Palo Alto Networks, and Fortinet.

This document provides critical and release-specific information about the Secure Firewall migration tool. Even if you are familiar with Secure Firewall releases and have previous experience with the migration process, we recommend that you read and thoroughly understand this document.

New Features

Release Version

New Features
6.0.1

Cisco Secure Firewall ASA to Threat Defense Migration

You can now optimize network and port objects when you migrate configurations from Secure Firewall ASA to threat defense. Review these objects in their respective tabs in the Optimize, Review and Validate Configuration page and click Optimize Objects and Groups to optimize your list of objects before migrating them to the target management center.

See Optimize, Review, and Validate the Configuration in the Migrating Cisco Secure Firewall ASA to Cisco Secure Firewall Threat Defense with the Migration Tool guide for more information.

FDM-Managed Device to Cisco Secure Firewall Threat Defense Migration

You can now migrate DHCP, DDNS, and SNMPv3 configurations from your FDM-managed device to a threat defense device. Ensure you check the DHCP checkbox and Server, Relay, and DDNS checkboxes on the Select Features page.

See Optimize, Review, and Validate the Configuration in the Migrating an FDM-Managed Device to Cisco Secure Firewall Threat Defense with the Migration Tool guide for more information.

Fortinet Firewall to Cisco Secure Firewall Threat Defense Migration

You can now migrate URL objects from a Fortinet firewall to your threat defense device. Review the URL Objects tab in the Objects tab in Optimize, Review and Validate Configuration page during migration.

See Optimize, Review, and Validate the Configuration in the Migrating Fortinet Firewall to Cisco Secure Firewall Threat Defense with the Migration Tool guide for more information.

Palo Alto Networks Firewall to Cisco Secure Firewall Threat Defense Migration

You can now migrate URL objects from a Palo Alto Networks firewall to your threat defense device. Ensure you review the URL Objects tab in the Objects window in Optimize, Review and Validate Configuration page during migration.

See Optimize, Review, and Validate the Configuration in the Migrating Palo Alto Networks Firewall to Cisco Secure Firewall Threat Defense with the Migration Tool guide for more information.

Check Point Firewall to Cisco Secure Firewall Threat Defense Migration

You can now migrate port objects, FQDN objects, and object groups from a Check Point Firewall to your threat defense device. Review the Objects tab in Optimize, Review and Validate Configuration page during migration.

See Optimize, Review, and Validate the Configuration in the Migrating Check Point Firewall to Cisco Secure Firewall Threat Defense with the Migration Tool guide for more information.

6.0.0.1

This patch release contains bug fixes.
6.0

Cisco Secure Firewall ASA to Threat Defense Migration

  • You can now migrate WebVPN configurations on your Secure Firewall ASA to Zero Trust Access Policy configurations on a threat defense device. Ensure that you check the WebVPN checkbox in Select Features page and review the new WebVPN tab in the Optimize, Review and Validate Configuration page. The threat defense device and the target management center must be running on Version 7.4 or later and must be operating Snort3 as the detection engine.

  • You can now migrate Simple Network Management Protocol (SNMP) and Dynamic Host Configuration Protocol (DHCP) configurations to a threat defense device. Make sure that you check the SNMP and DHCP checkboxes in the Select Features page. If you have configured DHCP on your Secure Firewall ASA, note that the DHCP server, or relay agent and DDNS configurations can also be selected to be migrated.

  • You can now migrate dynamic virtual tunnel interface (DVTI) configurations from your Secure Firewall ASA to a threat defense device. You can map them in the Map ASA Interfaces to Security Zones, Interface Groups, and VRFs page. Ensure that your ASA Version is 9.19 (x) and later for this feature to be applicable.

  • You can now migrate the equal-cost multipath (ECMP) routing configurations when performing a multi-context ASA device to a single-instance threat defense merged context migration. The Routes tile in the parsed summary now includes ECMP zones also, and you can validate the same under the Routes tab in the Optimize, Review and Validate Configuration page.

See Specify Destination Parameters in the Migrating Cisco Secure Firewall ASA to Cisco Secure Firewall Threat Defense with the Migration Tool guide to know how to select this feature for migration.

FDM-managed Device to Threat Defense Migration

  • You can now migrate the Layer 7 security policies including SNMP and HTTP, and malware and file policy configurations from your FDM-managed device to a threat defense device. Ensure that the target management center Version is 7.4 or later and that Platform Settings and File and Malware Policy checkboxes in Select Features page are checked.

See Specify Destination Parameters in the Migrating an FDM-Managed Device to Secure Firewall Threat Defense with the Migration Tool guide to know how to select this feature for migration.

Check Point Firewall to Threat Defense Migration

  • You can now migrate the site-to-site VPN (policy-based) configurations on your Check Point firewall to a threat defense device. Note that this feature applies to Check Point R80 or later versions, and management center and threat defense Version 6.7 or later. Ensure that the Site-to-Site VPN Tunnels checkbox is checked in the Select Features page. Note that, because this is a device-specific configuration, the migration tool does not display these configurations if you choose to Proceed without FTD.

See Specify Destination Parameters in the Migrating Check Point Firewall to Secure Firewall Threat Defense with the Migration Tool guide to know how to select this feature for migration.

Fortinet Firewall to Threat Defense Migration

  • You can now optimize your application access control lists (ACLs) when migrating configurations from a Fortinet firewall to your threat defense device. Use the Optimize ACL button in the Optimize, Review and Validate Configuration page to see the list of redundant and shadow ACLs and also download the optimization report to see detailed ACL information.

See Optimize, Review, and Validate the Configuration in Migrating Fortinet Firewall to Secure Firewall Threat Defense with the Migration Tool guide for more information.

For information on the history of Secure Firewall migration tool, see:

Supported Configurations

The following configuration elements are supported for migration:

  • Network objects and groups

  • Service objects, except for those service objects configured for a source and destination


    Note
    Although the Secure Firewall migration tool does not migrate extended service objects (configured for a source and destination), referenced ACL and NAT rules are migrated with full functionality.

  • Service object groups, except for nested service object groups


    Note
    Because nesting is not supported on the management center, the Secure Firewall migration tool expands the content of the referenced rules. The rules, however, are migrated with full functionality.

  • IPv4 and IPv6 FQDN objects and groups

  • IPv6 conversion support (Interface, Static Routes, Objects, ACL, and NAT)

  • Access rules that are applied to interfaces in the inbound direction and global ACL

  • Auto NAT, Manual NAT, and object NAT (conditional)

  • Static routes, ECMP routes, and PBR

  • Physical interfaces

  • Secondary VLANs on ASA or ASA with FirePOWER Services interfaces will not migrate to threat defense.

  • Subinterfaces (subinterface ID will always be set to the same number as the VLAN ID on migration)

  • Port channels

  • Virtual tunnel interface (VTI)

  • Bridge groups (transparent mode only)

  • IP SLA Monitor

    The Secure Firewall migration tool creates IP SLA objects, maps the objects with the specific static routes, and migrates these objects to management center.


    Note
    IP SLA Monitor is not supported for non-threat defense flow.

  • Object Group Search


    Note

    • Object Group Search is unavailable for management center or threat defense version earlier than 6.6.

    • Object Group Search will not be supported for non-threat defense flow and will be disabled.

  • Time-based objects


    Note

    • You must manually migrate timezone configuration from source ASA, ASA with FirePOWER Services, and FDM-managed device to target threat defense.

    • Time-based object is not supported for non-threat defense flow and will be disabled.

    • Time-based objects are supported on management center version 6.6 and above.

  • Site-to-Site VPN Tunnels

    • Site-to-Site VPN—When the Secure Firewall migration tool detects crypto-map configuration in the source ASA and FDM-managed device, the Secure Firewall migration tool migrates the crypto-map to management center VPN as point-to-point topology

    • Site-to-site VPN from Palo Alto Networks and Fortinet firewalls

    • Crypto map (static/dynamic) based VPN from ASA and FDM-managed device

    • Route-based (VTI) ASA and FDM VPN

    • Certificate-based VPN migration from ASA, FDM-managed device, Palo Alto Networks, and Fortinet firewalls.

    • ASA, FDM-managed device, Palo Alto Networks, and Fortinet trustpoint or certificates migration to management center must be performed manually and is part of the pre-migration activity.

  • Dynamic Route objects, BGP, and EIGRP

    • Policy-List

    • Prefix-List

    • Community-List

    • Autonomous System (AS)-Path

    • Route-Map

  • Remote Access VPN

    • SSL and IKEv2 protocol.

    • Authentication methods—AAA only, Client Certificate only, SAML, AAA, and Client Certificate.

    • AAA—Radius, Local, LDAP, and AD.

    • Connection Profiles, Group-Policy, Dynamic Access Policy, LDAP Attribute Map, and Certificate Map.

    • Standard and Extended ACL.

    • RA VPN Custom Attributes and VPN load balancing

    • As part of pre-migration activity, perform the following:

      • Migrate the ASA, FDM-managed device, Palo Alto Networks, and Fortinet firewall trustpoints manually to the management center as PKI objects.

      • Retrieve AnyConnect packages, Hostscan Files (Dap.xml, Data.xml, Hostscan Package), External Browser package, and AnyConnect profiles from the source ASA and FDM-managed device.

      • Upload all AnyConnect packages to the management center.

      • Upload AnyConnect profiles directly to the management center or from the Secure Firewall migration tool.

      • Enable the ssh scopy enable command on the ASA to allow retrieval of profiles from the Live Connect ASA.

  • ACL optimization

    ACL optimization supports the following ACL types:

    • Redundant ACL—When two ACLs have the same set of configurations and rules, then removing the non-base ACL will not impact the network.

    • Shadow ACL—The first ACL completely shadows the configurations of the second ACL.


    Note

    ACL optimization is currently not available for Palo Alto Networks and ASA with FirePower Services (FPS).

For information on the supported configurations of the Secure Firewall migration tool, see:

Migration Reports

The Secure Firewall migration tool provides the following reports in HTML format with details of the migration:

  • Pre-Migration Report

  • Post-Migration Report

Secure Firewall Migration Tool Capabilities

The Secure Firewall migration tool provides the following capabilities:

  • Validation throughout the migration, including parse and push operations

  • Object re-use capability

  • Object conflict resolution

  • Interface mapping

  • Auto-creation or reuse of interface objects (ASA name if to security zones and interface groups mapping)

  • Auto-creation or reuse of interface objects

  • Auto-zone mapping

  • User-defined security zone and interface-group creation

  • User-defined security zone creation

  • Subinterface limit check for the target threat defense device

  • Platforms supported:

    • ASA Virtual to Threat Defense Virtual

    • FDM Virtual to Threat Defense Virtual

    • Same hardware migration (X to X device migration)

    • X to Y device migration (Y having higher number of interfaces)

  • ACL optimization for source ASA, FDM-managed device, Fortinet, and Checkpoint for ACP rule action.

Infrastructure and Platform Requirements

The Secure Firewall migration tool requires the following infrastructure and platform:

  • Windows 10 64-bit operating system or on a macOS version 10.13 or higher

  • Google Chrome as the system default browser


    Tip

    We recommend that you use full screen mode on the browser when using the migration tool.

  • A single instance of the Secure Firewall migration tool per system

  • Management Center and Threat Defense must be version 6.2.3.3 or later


Note
Remove the previous build before downloading the newer version.

Open and Resolved Issues

Open Issues

Bug ID

Description

CSCwi97232

NAT configuration in Fortinet firewall is not getting parsed.

CSCwi93856

A configuration push error in Fortinet migration occurs because of a special character.

Resolved Issues

Bug ID

Description

CSCwj25133

Error while pushing ASA VPN object - local variable payload.

CSCwj23453

PAN preparsing summary shows 0 entries for all features.

CSCwj10882

FDM migration to new hardware fails at push stage.

CSCwj13908

Fortinet firewall VPN configurations are mapped with the same interfaces.

CSCwi89163

Fortinet firewall migration fails with object group error at parsing.

CSCwi76132

RA VPN tab in Fortinet firewall migration is not flashing as expected and the AnyConnect tab is blank.

CSCwi75821

SNMP tab in ASA migration is not showing next page information even when more than 50 objects are migrated.

CSCwi63611

Fortinet firewall migration fails with ACL parsing errors.

CSCwi37184

FDM shared configuration migration fails with push failure for geolocation object.

CSCwi83826

Fortinet RA VPN configuration object reuse is not working.

Open and Resolved Caveats

The open caveats for this release can be accessed through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.


Note
You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you don’t have one, you can register for an account on Cisco.com. For more information on Bug Search Tool, see Bug Search Tool Help.

Use the Open and Resolved Caveats dynamic query for an up-to-date list of open and resolved caveats in Secure Firewall migration tool.

Related Documentation