The following configuration elements are supported for migration of ASA with FPS firewall:

• Network objects and groups

• Service objects, except for those service objects configured for a source and destination

  Note	Though the Firepower Migration Tool does not migrate extended service objects (configured for a source and destination), referenced ACL and NAT rules are migrated with full functionality.

• Service object groups, except for nested service object groups

  Note	Since nesting is not supported on the Firepower Management Center, the Firepower Migration Tool expands the content of the referenced rules. The rules however, are migrated with full functionality.

• IPv4 and IPv6 FQDN objects and groups

• IPv6 conversion support (Interface, Static Routes, Objects, ACL, and NAT)

• Access rules that are applied to interfaces in the inbound direction and global ACL

• Auto NAT, Manual NAT, and object NAT (conditional)

• Static routes, ECMP routes which are not migrated

• Physical interfaces

• Secondary VLANs on ASA or ASA with FPS interfaces will not migrate to FTD.

• Subinterfaces (subinterface ID will always be set to the same number as the VLAN ID on migration)

• Port channels

• Virtual tunnel interface (VTI)

• Bridge groups (transparent mode only)

• IP SLA Monitor

  The Firepower Migration Tool creates IP SLA Objects, maps the objects with the specific static routes, and migrates the objects to FMC.

  Note	IP SLA Monitor is not supported for non-FTD flow.

• Object Group Search

  Note	Object Group Search is unavailable for FMC or FTD version earlier than 6.6. Object Group Search will not be supported for non-FTD flow and will be disabled.

• Time-based objects

  Note	You must manually migrate timezone configuration from source ASA or ASA with FPS to target FTD. Time-based object is not supported for non-FTD flow and will be disabled. Time-based objects are supported on FMC version 6.6 and above.

• Site-to-Site VPN Tunnels

  • Site-to-Site VPN—When the Firepower Migration Tool detects crypto map configuration in the source ASA, the Firepower Migration Tool migrates the crypto map to FMC VPN as point-to-point topology.

  • Crypto map (static/dynamic) based VPN from ASA

  • Route-based (VTI) ASA VPN

  • Certificate-based VPN migration from ASA

  • ASA trustpoint or certificates migration to FMC must be performed manually and is part of the pre-migration activity.

For more information on the Supported Configurations of the Firepower Migration Tool, see:

• Supported ASA Configurations

• Supported ASA with FPS Configurations

• Supported Check Point Configurations

• Supported PAN Configurations

• Supported Fortinet Configuration

For more information on the Migration Workflow of the Firepower Migration Tool, see:

• Export the ASA Configuration File

• Export the ASA with FPS Configuration File

• Export the Check Point Configuration Files

• Export the Configuration from Palo Alto Networks Firewall

• Export the Configuration from Fortinet Firewall

The Firepower Migration Tool provides the following reports in HTML format with details of the migration:

• Pre-Migration Report

• Post-Migration Report

The Firepower Migration Tool provides the following features:

• Validation throughout the migration, including parse and push operations

• Object re-use capability

• Object conflict resolution

• Interface mapping

• Subinterface limit check for the target Firepower Threat Defense device

• Platforms supported

  —Same hardware migration (X to X device migration)

  —X to Y device migration (Y having higher number of interfaces)