How to Implement the Migration Process

Step | Do This
---|---
Step 1 | Prepare for Migration
Step 2 | Run the Migration
Step 3 |
Step 4 | Deploy the Configuration

Prepare for Migration
To prepare your devices for migration, ensure that:
- You have a CDO tenant and you can log into it. See Initial Login for more information.
- You have onboarded to your tenant the ASA device or ASA configuration file that you want to migrate to an FTD device. Your ASA's running configuration file must be less than 4.5 MB and 22,000 lines. See Confirming ASA Running Configuration Size.
- You have onboarded an FTD device to CDO if you want to migrate the ASA configuration to the device directly after the migration process, or if you want to migrate EtherChannel configurations to the FTD. See Onboard an FTD device for more information.
- The devices are in the synced state. This ensures that the running configuration on the device and the running configuration that is stored in CDO are the same.
- Your ASA is running software version 8.4 or later. For the device support summary, unsupported devices, and hardware and software specifics, see Software and Hardware Supported by CDO.
Onboard an ASA Device
Click (+) from the Devices and Services page. The Onboarding page displays, where you can onboard the device.
How to Onboard an ASA Device
Perform the following to onboard an ASA device with either of these options:
- Onboard a live ASA device.
- Import a configuration for offline management:
  - Enter the Device Name and choose the Device Type as ASA.
  - Click Browse to choose the ASA configuration file, which is a .TXT or a .CFG file.
  - Click Upload.
Optimize Your ASA Policies Before You Migrate
Now that you have all your ASAs onboarded, start using CDO to identify and correct problems with network objects, optimize your existing policies, review your VPN connections, and upgrade your ASAs to the newest releases.
Resolve Network Object Issues
Start to optimize the security policies on your ASAs by resolving issues with network policy objects.
- Unused objects—CDO identifies network policy objects that exist in a device configuration but are not referenced by another object, an access-list, or a NAT rule. Find these unused objects and delete them.
- Duplicate objects—Duplicate objects are two or more objects on the same device with different names but the same values. These objects are usually created accidentally, serve similar purposes, and are used by different policies. Look for opportunities to standardize names while recognizing that some duplicates may exist for legitimate reasons.
- Inconsistent objects—Inconsistent objects are objects on two or more devices with the same name but different values. Sometimes users create objects in different configurations with the same name and content, but over time the values of these objects diverge, which creates the inconsistency. Consider standardizing the values in these objects or renaming one to identify it as a different object.
Fix Shadow Rules
Now that you have resolved your network object issues, review network policies for shadow rules and fix them. A shadow rule is marked by a half-moon badge on the network policies page. It is a rule in a policy that will never trigger because a rule with higher priority in the policy acts on all the packets before they reach the shadowed rule. If there is a shadowed rule that will never be hit, remove it, or edit the policy to bring that rule "into the light."
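The shadow-rule concept can be checked mechanically on an exported access-list as well. The following Python script is an added example for this page, not code from CDO: it parses a constructed `OUTSIDE_IN` ACL and reports every rule that an earlier rule in the same access-list already matches completely, which is exactly the "never hit" condition described above. It handles the `any`, `host A.B.C.D` and `NETWORK MASK` address forms and the `eq PORT` operator only, skips object-based rules, and reports a rule only when a single earlier rule covers it, not when a combination of several earlier rules does.

```python
"""Shadowed-rule check for ASA extended access-lists (added example, not CDO code)."""
import ipaddress
import re

RULE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")

# Constructed sample ACL. Rule 3 can never fire: rule 1 already permits tcp/443 from
# any source to the same host. Rule 5 is shadowed by the permit ip any any before it.
ACL = """\
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 443
access-list OUTSIDE_IN extended deny ip 192.168.0.0 255.255.0.0 any
access-list OUTSIDE_IN extended permit tcp host 192.168.5.5 host 10.1.1.10 eq 443
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended deny udp any any eq 53
"""


def parse_addr(tokens, i):
    """Read one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA netmask notation, e.g. "192.168.0.0 255.255.0.0"
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(text):
    """Parse the rule forms this example understands; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        acl, action, proto, rest = m.groups()
        tokens = rest.split()
        try:
            src, i = parse_addr(tokens, 0)
            dst, i = parse_addr(tokens, i)
        except (ValueError, IndexError):
            continue  # object / object-group based rules are not modelled here
        port = tokens[i + 1] if i + 1 < len(tokens) and tokens[i] == "eq" else None
        rules.append({"acl": acl, "action": action, "proto": proto,
                      "src": src, "dst": dst, "port": port, "line": line})
    return rules


def covers(earlier, later):
    """True if every packet 'later' could match is already matched by 'earlier'."""
    return (earlier["acl"] == later["acl"]
            and earlier["proto"] in ("ip", later["proto"])
            and earlier["src"].supernet_of(later["src"])
            and earlier["dst"].supernet_of(later["dst"])
            and (earlier["port"] is None or earlier["port"] == later["port"]))


def find_shadowed(rules):
    """Return (shadowed_index, shadowing_index) pairs; first shadowing rule only."""
    found = []
    for j, rule in enumerate(rules):
        for i in range(j):
            if covers(rules[i], rule):
                found.append((j, i))
                break
    return found


if __name__ == "__main__":
    rules = parse_acl(ACL)
    for j, i in find_shadowed(rules):
        print(f"rule {j + 1} is never hit; shadowed by rule {i + 1}:")
        print("   ", rules[j]["line"])
```

Because shadowing depends on the action of the earlier rule too (a `deny` that hides a later `permit` changes what traffic is allowed), the shadowing rule's line is worth reading before you delete the shadowed one rather than moving it "into the light".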
Add EtherChannel Configurations to FTD Before Migrating
Before you begin
- Review the Guidelines and Limitations for migrating EtherChannels.
Procedure
Step 1: Before migrating the EtherChannel configurations, you must create the equivalent number of EtherChannels on the Firepower Threat Defense (FTD) device that you are migrating to from the ASA. You can use CDO to create the EtherChannels. See Add an EtherChannel Interface to Firepower Threat Defense for instructions. The minimum configuration for an EtherChannel is an EtherChannel ID and at least one EtherChannel member.
Step 2: Deploy the changes to your FTD.
What to do next
Continue to Run the Migration.
Run the Migration
Select the Device to Migrate
Procedure
Step 1: Log into your CDO tenant.
Step 2: In the navigation bar, click Devices & Services.
Step 3: Click the Devices tab to locate your device.
Step 4: Click the ASA tab and select the ASA device or model you want to migrate to an FTD. The device details of the selected ASA device, such as the location, model, and serial number, are displayed in the Device Details pane.
Step 5: In the Device Actions pane, click Migrate to FTD. If there have been previous migrations of this device, you will see the resulting migrations from the selected device. For more information on filtering, see About Migrations Filters. If this is a new migration, click Start a new migration for (device name).
Step 6: (Optional) If you want to select a different ASA device or a model to migrate to an FTD template, see About Migrations Filters.
(Optional) Update the Migration Name
Procedure
Step 1: In the FTD Migration screen, you can update the migration name or retain the default name. CDO allows you to search the migration list by the migration name.
Step 2: Click Next to trigger the migration.
(Optional) Preserve the Running Configuration
Note: This is applicable only when you chose a live ASA from the Devices and Services page.
In Preserve Running Configuration, the Migration tool allows you to save CDO's copy of the ASA's running configuration as a configuration file. This model device configuration is used for the migration, so the live ASA is not affected.
The following options are available for migrating CDO's copy of the ASA's running configuration to FTD:
- Create a configuration file from CDO's copy of the ASA's running configuration
  Note: Allows you to retain a snapshot (model device) of the ASA configuration at the point of initiating the migration. When you are required to make configuration changes for migration purposes, you can use the configuration file without affecting or interrupting CDO's copy of the ASA's running configuration.
- Migrate the configuration directly from the device
  Note: The source configuration for the migration is CDO's copy of the ASA's running configuration. The migration tool considers only the configuration as of the time the migration starts. Any later changes to CDO's copy of the ASA's running configuration will not be reflected in the resulting migration. Additional migration attempts from the changed copy might result in different FTD configurations.
Procedure
Step 1: Enter the model device name in the Model Device Name field.
Step 2: Perform one of these actions:
Parsing the ASA Configuration
Note: Depending on the size of the configuration files and the number of other devices or services, it may take a while for the configuration to be parsed. For more information, see Confirming ASA Running Configuration Size.
The parsing of the migration continues until it succeeds or fails. The migration process gathers ASA information, parses it, creates an FTD template, and enables this FTD template to be applied to a device in CDO. For more information on FTD templates, see Templates. During the parsing phase, the migration process generates a Migration Report and a Migration Log that identify:
- ASA configuration items that are fully migrated, partially migrated, unsupported for migration, and ignored for migration.
- ASA configuration lines with errors, listing the ASA CLIs that the migration process cannot recognize; this blocks the migration.
Note: The management interface and the static routes that are associated with the management interface are not migrated.
Fix the Migration Errors
When there is a migration error, you can review the Review Migration Report and Review Migration Log in the FTD Migration screen.
Select Download Report and Download Log from the FTD Migration screen to download the migration report and log.
The report and log identify the lines in the ASA configuration that caused the parsing failure. Navigate to the ASA device that you have chosen for migration, update the ASA configuration, and then restart a new migration.
If the parse is successful but the FTD template creation fails, navigate to Template > Workflows or Migration > Workflows to identify any failures and address the issues.
Reparse After Fixing the Migration Errors
You can reparse the ASA configuration after fixing the migration errors. Perform the following:
- In the FTD Migration screen, click Go to Configuration.
- Go to the specific configuration and correct the configuration lines that caused the conversion failure.
- Once you have made the updates for the correct configuration, click Re-parse the configuration to trigger the migration against the changed configuration.
Note: The Re-parse the configuration option is applicable only when you have updated the configuration file, and only for a configuration with parsing errors.
Apply Migration
To apply the migration, you can choose one of these options: Apply Migration Now or Apply Migration Later.
As per the CDO apply template feature, the FTD template that is created during migration deploys changes on the device only to the following: Interfaces, NAT, ACLs, Objects, and Routes.
The DHCP and Data DNS settings are restored to default, because the interface information would have changed during the migration.
Other settings, like VPN, HA, and so on, remain the same on the device.
Apply Migration Now
Note: Before applying the migration on a device, check whether the device is in the synced state.
You can apply the FTD template to any device, or review the FTD template and deploy it to the device later by selecting the FTD device.
Procedure
Step 1: Select Apply Migration Now.
Step 2: Click Next.
Step 3: In the Map Interfaces row, the Migration tool retrieves a list of the Template Interfaces and the Device Interfaces on the Firepower Threat Defense device. By default, the Migration tool maps the interfaces in the ASA and the Firepower Threat Defense device according to their interface identities. Click Continue. For more information on mapping ASA interfaces with Firepower Threat Defense devices, see Map ASA Interfaces with Firepower Threat Defense Interfaces.
Step 4: Review the FTD template information to be applied to the FTD device, and then click Apply Template.
Step 5: In the Done row, CDO confirms that you have successfully applied the migrated configuration to the selected FTD device. Take one of these actions:
- (Optional) Post-Migration Tasks
Support for FTD with Management Access Interface Migration
Note: The Apply Template feature is not supported for a target device that has a management access interface. Modify the FTD template manually before applying it to the target FTD device.
If there are multiple management access interfaces and the interfaces are configured incorrectly or unused, you must update the target FTD so that only the relevant management access interface remains configured, so that the unused interfaces can be used for the migrated configuration.
Procedure
Step 1: Update the physical interface in the template by modifying the IP address and subnet mask of the data interface so that it is the same as that of the management access interface.
Step 2: Add the data interface as a management access interface in the template settings:
Step 3: Add or update the static routes with the interfaces associated on the device. When you map the management access interface to an additional interface, set the routing configuration for the selected FTD. For more information on adding or updating the static routes, see Configure Static for Firepower Devices.
Apply Migration Later
Procedure
Step 1: Select Apply Migration Later. A migration template is saved. You can save the created template and apply it to the FTD device later. Once the FTD template is saved successfully, you can perform the following actions:
Step 2: Click Done. The Devices & Services page is displayed with the FTD template preselected. CDO allows you to perform all the template-related actions, like reviewing policies, configurations, and so on.
Step 3: When you are ready to apply the FTD template:
View the Migration Actions
The Migration Table screen displays the following:
- The Migration Name. By default, CDO generates the migration name based on the device name. You can also customize this name. See Update the Migration Name.
- The timestamp of the last migration activity performed on the device.
- The migration state of the device. For more information on the migration states, see Migration States and Description.
- The actions you can perform, like rename, download log, and so on. For more information on the actions, see Actions and Descriptions.

Migration States | Description
---|---
Parsing | Migration in progress.
Parse Error | The parsing is complete, with errors.
Conversion Error | The conversion is complete, with errors.
Template Created | The migration is complete. The FTD template is successfully created, but with validation errors.

For more information on fixing the migration errors, see Fix the Migration Errors.

Action | Description
---|---
Resume | Resumes from the step where the migration process stopped. For example, if the migration is complete, the process resumes from applying the FTD template.
Rename | Renames the migration.
Workflows | Displays the workflow screen.
Download Log | Allows you to download the log files in TXT format. This is a parsing log.
Download Report | Allows you to download the report details in HTML format.
Configuration | Allows you to view the ASA configuration against which the migration was performed.
Remove | Removes the migration and its associated files, like the log files.

About Migrations Filters
If you want to select a different ASA device or a model to migrate to an FTD template, use either of the following options:
- Filter by Device
- Filter by Clear option
Filter by Device
You can use many different filters on the Migrations page to find the objects you are looking for. The migrations filter allows you to filter by device, state, and time range.

Filter Attribute | Description
---|---
Filter by Device | Allows you to select a specific device for migration.
State |
Time Range | Start, End—Displays the list of devices based on the selected start and end dates of the migration.

Filter by Clear option
- Click Clear to clear the filter bar.
- Click the (+) icon.
- Select a device from the list or search for it by name and select it.
- Click Select.
The FTD Migration screen is displayed.
Deploy the Configuration
The final step is to deploy the configuration changes you made to the device.
For more information, see Deploy the Device Configuration.
See Managing Firepower Threat Defense with Cisco Defense Orchestrator to learn about how CDO can manage the different aspects of an FTD device and its security policies.