Welcome to Firepower Migration Tool

This document provides critical and release-specific information for Cisco Firepower Migration Tool. Even if you are familiar with Firepower releases and have previous experience with the migration process, make sure that you read and thoroughly understand this document.

New Features in This Release

In this release, the following features have been added:

Table 1. New Features in This Release

Firewall

New Features

2.5

The Firepower Migration Tool 2.5 now provides support to identify and segregate ACLs that can be optimized (disabled or deleted) from the firewall rule base without impacting the network functionality.

The ACL Optimization supports the following ACL types:

  • Redundant ACL—When two ACLs have the same set of configurations and rules, then removing the non-base ACL will not impact the network.

  • Shadow ACL—The first ACL completely shadows the configurations of the second ACL.

Note 

Optimization is available for the Source ASA only for ACP rule action.
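The following Python sketch is an added example, not the Firepower Migration Tool's own code or algorithm. It shows one way to flag the redundant and shadow ACL types described above on a first-match rule base. The Rule fields, the covers and classify functions, and the sample rules are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "permit" or "deny"
    src: str       # source network in CIDR form
    dst: str       # destination network in CIDR form
    proto: str     # "tcp", "udp", or "ip" for any protocol
    ports: tuple   # inclusive destination port range (low, high)

def covers(a: Rule, b: Rule) -> bool:
    """True when every packet that b matches is also matched by a."""
    a_src, b_src = ipaddress.ip_network(a.src), ipaddress.ip_network(b.src)
    a_dst, b_dst = ipaddress.ip_network(a.dst), ipaddress.ip_network(b.dst)
    if a_src.version != b_src.version or a_dst.version != b_dst.version:
        return False  # IPv4 and IPv6 rules never overlap
    return (b_src.subnet_of(a_src) and b_dst.subnet_of(a_dst)
            and a.proto in ("ip", b.proto)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])

def classify(rules):
    """Walk the rule base top-down; return {rule: (finding, earlier rule)}."""
    findings = {}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if not covers(earlier, later):
                continue
            # Assumed mapping: same match and same action is "redundant";
            # any other full cover by an earlier rule is "shadow".
            identical = covers(later, earlier) and earlier.action == later.action
            findings[later.name] = ("redundant" if identical else "shadow", earlier.name)
            break  # first match wins, as in ACL evaluation
    return findings

# Constructed sample rule base (documentation address ranges, not from a real device).
RULES = [
    Rule("r1", "permit", "10.0.0.0/8", "192.0.2.0/24", "tcp", (443, 443)),
    Rule("r2", "permit", "10.1.0.0/16", "192.0.2.10/32", "tcp", (443, 443)),
    Rule("r3", "permit", "10.0.0.0/8", "192.0.2.0/24", "tcp", (443, 443)),
    Rule("r4", "deny", "10.0.0.0/8", "192.0.2.0/24", "tcp", (22, 22)),
    Rule("r5", "permit", "10.2.0.0/16", "192.0.2.0/24", "tcp", (22, 22)),
    Rule("r6", "permit", "2001:db8::/32", "2001:db8:1::/48", "udp", (53, 53)),
]

if __name__ == "__main__":
    for name, (kind, base) in classify(RULES).items():
        print(f"{name}: {kind} (base rule {base})")
```

A rule shadowed by an earlier rule with the opposite action (r5 behind r4 here) never takes effect, so review it for intent before disabling or deleting it.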

Support for discontinuous network mask (Wildcard mask) objects if the destination FMC is 7.1 or later.

For more information on the history of the Firepower Migration Tool, see:

Supported Configurations

The following configuration elements are supported for migration of ASA with FPS firewall:

  • Network objects and groups

  • Service objects, except for those service objects configured for a source and destination


    Note

    Though the Firepower Migration Tool does not migrate extended service objects (configured for a source and destination), referenced ACL and NAT rules are migrated with full functionality.
  • Service object groups, except for nested service object groups


    Note

    Since nesting is not supported on the Firepower Management Center, the Firepower Migration Tool expands the content of the referenced rules. The rules, however, are migrated with full functionality.
  • IPv4 and IPv6 FQDN objects and groups

  • IPv6 conversion support (Interface, Static Routes, Objects, ACL, and NAT)

  • Access rules that are applied to interfaces in the inbound direction and global ACL

  • Auto NAT, Manual NAT, and object NAT (conditional)

  • Static routes (ECMP routes are not migrated)

  • Physical interfaces

  • Secondary VLANs on ASA or ASA with FPS interfaces will not migrate to FTD.

  • Subinterfaces (subinterface ID will always be set to the same number as the VLAN ID on migration)

  • Port channels

  • Virtual tunnel interface (VTI)

  • Bridge groups (transparent mode only)

  • IP SLA Monitor

    The Firepower Migration Tool creates IP SLA Objects, maps the objects with the specific static routes, and migrates the objects to FMC.


    Note

    IP SLA Monitor is not supported for non-FTD flow.
  • Object Group Search


    Note

    • Object Group Search is unavailable for FMC or FTD version earlier than 6.6.

    • Object Group Search will not be supported for non-FTD flow and will be disabled.


  • Time-based objects


    Note

    • You must manually migrate timezone configuration from source ASA or ASA with FPS to target FTD.

    • Time-based object is not supported for non-FTD flow and will be disabled.

    • Time-based objects are supported on FMC version 6.6 and above.


  • Site-to-Site VPN Tunnels

    • Site-to-Site VPN—When the Firepower Migration Tool detects crypto map configuration in the source ASA, the Firepower Migration Tool migrates the crypto map to FMC VPN as point-to-point topology.

    • Crypto map (static/dynamic) based VPN from ASA

    • Route-based (VTI) ASA VPN

    • Certificate-based VPN migration from ASA

    • ASA trustpoint or certificates migration to FMC must be performed manually and is part of the pre-migration activity.

For more information on the Supported Configurations of the Firepower Migration Tool, see:

Migration Reports

The Firepower Migration Tool provides the following reports in HTML format with details of the migration:

  • Pre-Migration Report

  • Post-Migration Report

Firepower Migration Tool Features

The Firepower Migration Tool provides the following features:

  • Validation throughout the migration, including parse and push operations

  • Object re-use capability

  • Object conflict resolution

  • Interface mapping

  • Subinterface limit check for the target Firepower Threat Defense device

  • Platforms supported

    —Same hardware migration (X to X device migration)

    —X to Y device migration (Y having higher number of interfaces)

Platform Requirements for the Firepower Migration Tool

The Firepower Migration Tool has the following infrastructure and platform requirements:

  • Windows 10 64-bit operating system or macOS version 10.13 or higher

  • Google Chrome as the system default browser

  • A single instance of the Firepower Migration Tool per system

  • Firepower Management Center and Firepower Threat Defense must be version 6.2.3.3 or later


Note

Remove the previous build before downloading the newer version.

Documentation

The following documentation is provided with this release:

  • Firepower Migration Tool Release Notes

  • Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool

  • Migrating ASA with FirePOWER Services (FPS) Firewall to Firepower Threat Defense with the Firepower Migration Tool

  • Migrating Check Point Firewall to Firepower Threat Defense with the Firepower Migration Tool

  • Migrating Palo Alto Networks Firewall to Firepower Threat Defense with the Firepower Migration Tool

  • Migrating Fortinet Firewall to Firepower Threat Defense with the Firepower Migration Tool

  • Navigating the Cisco Firepower Migration Tool Documentation

  • Cisco Firepower Migration Tool Compatibility Guide

  • Cisco Firepower Migration Tool Error Messages

  • Open Source Used in Cisco Firepower Migration Tool

Open and Resolved Bugs

The open bugs for this release can be accessed through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.


Note

You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account on Cisco.com. For more information on Bug Search Tool, see Bug Search Tool Help.

Use these dynamic queries for an up-to-date list of open and resolved caveats in Firepower Migration Tool: