First Published: March 14, 2023

Last Updated: October 9, 2025

About Secure Firewall Migration Tool

The Secure Firewall migration tool enables you to migrate your firewall configurations to a supported Secure Firewall Threat Defense managed by a management center. The migration tool supports migration from Secure Firewall ASA, ASA with FirePOWER Services (FPS), FDM-managed devices, as well as third-party firewalls from Microsoft Azure, Check Point, Palo Alto Networks, and Fortinet.

This document provides critical and release-specific information about the Secure Firewall migration tool. Even if you are familiar with Secure Firewall releases and have previous experience with the migration process, we recommend that you read and thoroughly understand this document.

New Features

Release Version

Feature

Descriptions

7.7.10.3

Object Conflict Remediation

Secure Firewall Migration Tool can now identify conflicts caused by duplicate object names or values when deploying the configuration to Firewall Management Center. The tool then prompts the user to take appropriate action to resolve these conflicts.

See: Push the Migrated Configuration to Firewall Management Center

Supported migrations: All

Performance Optimization

The ACL optimization analysis time has been reduced to enhance performance. A banner is displayed on Optimize, Review and Validate Configuration window, when you click Optimize ACL and then Proceed, that shows the approximate time taken for ACL optimization analysis.

See: Optimize, Review and Validate the Configuration

Supported migrations: All

Disabled ACL Rule

You can now view the list of disabled ACLs in the Optimize, Review and Validate Configuration > ACL Optimization window. This enhancement ensures a more efficient migration process.

See: Optimize, Review and Validate the Configuration

Supported migrations: All

Configuration Optimization

To streamline the optimization process during migration, the Secure firewall Migration Tool performs a check to ensure all the attributes are optimized. When you click Validate on Optimize, Review and Validate Configuration window any attribute that is missed is displayed in the Optimize Your Configuration dialog box.

See: Optimize, Review and Validate the Configuration

Supported migrations: All

7.7.10.2

Patch release

This patch release contains bug fixes. See Open and Resolved Issues for more information.

7.7.10.1

Multi-Context Enhancement

The Secure Firewall Migration Tool now provides an option to select transparent-mode and routed-mode firewall contexts separately that allows you to manage and migrate the contexts independently providing greater flexibility and control during the migration process.

See: Select the ASA Security Context

Supported migrations: Secure Firewall Adaptive Security Appliance (ASA)

NAT Objects Enhancement

The Secure Firewall Migration Tool now provides an option to edit the source and destination zones of NAT object on the Optimize, Review and Validate Configuration window.

See: Optimize, Review and Validate the Configuration

Supported migrations: Secure Firewall Adaptive Security Appliance (ASA)

ACE Enhancement

The Secure Firewall Migration Tool now supports migration of Access Control Entry (ACE) with negate parameters.

See: Check Point Configuration Support

Supported migrations: Check Point Firewall

Interface Mapping Enhancement

The Secure Firewall Migration Tool now supports interface mapping to inline security zones, enabling granular policy enforcement and traffic control.

See: Map PAN Interfaces to Security Zones Interface Groups

Supported migrations: Palo Alto Networks Firewall

VLAN Tags Object

You can now migrate VLAN Tag objects and other supported object types to your device by using the Secure Firewall Migration Tool.

See: Optimize, Review and Validate the Configuration

Supported migrations: Palo Alto Networks Firewall

For information on the history of Secure Firewall Migration Tool, see:

Supported Configurations

The following configuration elements are supported for migration:

  • Network objects and groups

  • Service objects, except for those service objects configured for a source and destination


    Note
    Although the Secure Firewall migration tool does not migrate extended service objects (configured for a source and destination), referenced ACL and NAT rules are migrated with full functionality.

  • Service object groups, except for nested service object groups


    Note
    Because nesting is not supported on the management center, the Secure Firewall migration tool expands the content of the referenced rules. The rules, however, are migrated with full functionality.

  • IPv4 and IPv6 FQDN objects and groups

  • IPv6 conversion support (Interface, Static Routes, Objects, ACL, and NAT)

  • Access rules that are applied to interfaces in the inbound direction and global ACL

  • Auto NAT, Manual NAT, and object NAT (conditional)

  • Static routes, ECMP routes, and PBR

  • Physical interfaces

  • Secondary VLANs on ASA or ASA with FirePOWER Services interfaces will not migrate to Firewall Threat Defense.

  • Subinterfaces (subinterface ID will always be set to the same number as the VLAN ID on migration)

  • Port channels

  • Virtual tunnel interface (VTI)

  • Bridge groups (transparent mode only)

  • IP SLA Monitor

    The Secure Firewall migration tool creates IP SLA objects, maps the objects with the specific static routes, and migrates these objects to Firewall Management Center.


    Note
    IP SLA Monitor is not supported for non-Firewall Threat Defense flow.

  • Object Group Search


    Note

    • Object Group Search is unavailable for Firewall Management Center or Firewall Threat Defense version earlier than 6.6.

    • Object Group Search will not be supported for non-Firewall Threat Defense flow and will be disabled.

  • Time-based objects


    Note

    • You must manually migrate timezone configuration from source ASA, ASA with FirePOWER Services, and FDM-managed device to target Firewall Threat Defense.

    • Time-based object is not supported for non-Firewall Threat Defense flow and will be disabled.

    • Time-based objects are supported on Firewall Management Center version 6.6 and above.

  • Site-to-Site VPN Tunnels

    • Site-to-Site VPN—When the Secure Firewall migration tool detects crypto-map configuration in the source ASA and FDM-managed device, the Secure Firewall migration tool migrates the crypto-map to Firewall Management Center VPN as point-to-point topology

    • Site-to-site VPN from Palo Alto Networks and Fortinet firewalls

    • Crypto map (static/dynamic) based VPN from ASA and FDM-managed device

    • Route-based (VTI) ASA and FDM VPN

    • Certificate-based VPN migration from ASA, FDM-managed device, Palo Alto Networks, and Fortinet firewalls.

    • ASA, FDM-managed device, Palo Alto Networks, and Fortinet trustpoint or certificates migration to Firewall Management Center must be performed manually and is part of the pre-migration activity.

  • Dynamic Route objects, BGP, and EIGRP

    • Policy-List

    • Prefix-List

    • Community-List

    • Autonomous System (AS)-Path

    • Route-Map

  • Remote Access VPN

    • SSL and IKEv2 protocol.

    • Authentication methods—AAA only, Client Certificate only, SAML, AAA, and Client Certificate.

    • AAA—Radius, Local, LDAP, and AD.

    • Connection Profiles, Group-Policy, Dynamic Access Policy, LDAP Attribute Map, and Certificate Map.

    • Standard and Extended ACL.

    • RA VPN Custom Attributes and VPN load balancing

    • As part of pre-migration activity, perform the following:

      • Migrate the ASA, FDM-managed device, Palo Alto Networks, and Fortinet firewall trustpoints manually to the Firewall Management Center as PKI objects.

      • Retrieve AnyConnect packages, Hostscan Files (Dap.xml, Data.xml, Hostscan Package), External Browser package, and AnyConnect profiles from the source ASA and FDM-managed device.

      • Upload all AnyConnect packages to the Firewall Management Center.

      • Upload AnyConnect profiles directly to the Firewall Management Center or from the Secure Firewall migration tool.

      • Enable the ssh scopy enable command on the ASA to allow retrieval of profiles from the Live Connect ASA.

  • ACL optimization

    ACL optimization supports the following ACL types:

    • Redundant ACL—When two ACLs have the same set of configurations and rules, then removing the non-base ACL will not impact the network.

    • Shadow ACL—The first ACL completely shadows the configurations of the second ACL.

    • Disable ACL—The ACL that has been explicitly turned off in the firewall's configuration. The rules exist in the configuration file, but the Secure Firewall Migration Tool ignores them when processing traffic.


    Note

    ACL optimization is currently not available for Palo Alto Networks and ASA with FirePower Services (FPS).

For information on the supported configurations of the Secure Firewall migration tool, see:

Migration Reports

The Secure Firewall migration tool provides the following reports in HTML format with details of the migration:

  • Pre-Migration Report

  • Post-Migration Report

Secure Firewall Migration Tool Capabilities

The Secure Firewall migration tool provides the following capabilities:

  • Validation throughout the migration, including parse and push operations

  • Object re-use capability

  • Object conflict resolution

  • Interface mapping

  • Auto-creation or reuse of interface objects (ASA name if to security zones and interface groups mapping)

  • Auto-creation or reuse of interface objects

  • Auto-zone mapping

  • User-defined security zone and interface-group creation

  • User-defined security zone creation

  • Subinterface limit check for the target threat defense device

  • Platforms supported:

    • ASA Virtual to Threat Defense Virtual

    • FDM Virtual to Threat Defense Virtual

    • Same hardware migration (X to X device migration)

    • X to Y device migration (Y having higher number of interfaces)

  • ACL optimization for source ASA, FDM-managed device, Fortinet, and Checkpoint for ACP rule action.

Infrastructure and Platform Requirements

The Secure Firewall migration tool requires the following infrastructure and platform:

  • Windows 10 64-bit operating system or on a macOS version 10.13 or higher

  • Google Chrome as the system default browser


    Tip

    We recommend that you use full screen mode on the browser when using the migration tool.

  • A single instance of the Secure Firewall migration tool per system

  • Management Center and Threat Defense must be version 6.2.3.3 or later


Note
Remove the previous build before downloading the newer version.

Open and Resolved Issues

Open Issues

Bug ID

Description

CSCwq91811

For Check Point Firewall migration in Secure Firewall Migration Tool, after you apply the configuration to Firewall Management Center, the configuration export fails because same interface mapping appears in both the source and destination interface fields.

Resolved Issues

Bug ID

Description

CSCwq69641

After launching the Firewall Migration Tool from Security Cloud Control to migrate the configuration from Palo Alto Firewall to Firewall Threat Defense, the configuration export fails.

The system displays the following error message:

Blocked - division by zero

CSCwr02764

Palo Alto configuration migration in Firewall Migration Tool fails during configuration push to Firewall Management Center with the error message:

The object name 'object_name_' already exists. Enter a new name.

If the platform that you are migrating from supports spaces in names, the Firewall Migration Tool replaces the space with an underscore. If the Firewall Management Center already has a similar name with an underscore, the tool does not report it as a duplicate during the validation. This causes the migration to fail with error.

CSCwr08989

Migration of Check Point (CP) firewall using the Secure Firewall Migration Tool fails during the extraction of the CP configuration via Live Connect.

CSCwr48003

On macOS, when you create a configuration zip file using the Compress option from Finder UI, the upload to Secure Firewall Migration Tool fails. However, when the same zip file is created using the command-line interface, the upload to Secure Firewall Migration Tool works as expected.

Open and Resolved Caveats

The open caveats for this release can be accessed through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.


Note
You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you don’t have one, you can register for an account on Cisco.com. For more information on Bug Search Tool, see Bug Search Tool Help.

Use the Open and Resolved Caveats dynamic query for an up-to-date list of open and resolved caveats in Secure Firewall migration tool.

Related Documentation