Migrating an ASA to an FDM-Managed Device Using Cisco Defense Orchestrator

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Migrating an ASA to an FDM-Managed Device Using Cisco Defense Orchestrator

Chapter Title

Migrating ASA to FTD Workflow

Results

Updated:
October 17, 2019

Chapter: Migrating ASA to FTD Workflow

Migrating ASA to FTD Workflow

How to Implement the Migration Process

Do This

Step 1

 Prepare for Migration

Step 2

 Run the Migration

Step 3

View the Migration Actions

Step 4

 Deploy the Configuration

Prepare for Migration

To prepare your devices for migration, ensure that:

  • You have a CDO tenant and you can log into it. See Initial Login for more information.

  • You have onboarded to your tenant the ASA device or ASA configuration file that you want to migrate to an FTD device.

    Your ASA's running configuration file must be less than 4.5 MB and 22,000 lines. See Confirming ASA Running Configuration Size.

  • You have onboard an FTD device to CDO if you want to migrate the ASA configuration to the device directly after the migration process, or if you want to migrate EtherChannel configurations to the FTD. See Onboard an FTD device for more information.

  • The devices must be in synced state.

    This ensures that the running configuration on the device and the running configuration that is stored in CDO are the same.

  • Your ASA is running software version 8.4 or later.

To know more about device support summary, unsupported devices, hardware and software specifics, see Software and Hardware Supported by CDO.

Onboard an ASA Device

Click (+) from the Devices and Services page.

The Onboarding page displays where you can onboard the device.

How to Onboard an ASA Device

Perform the following to onboard an ASA device with any of these options:

  • Onboard a live ASA device.

  • Import configuration for offline management:

    • Enter the Device Name and chose the Device Type as ASA.

    • Click Browse to chose the ASA Configuration file that is a .TXT or a .CFG file.

    • Click Upload.

Optimize Your ASA Policies Before You Migrate

Now that you have all your ASAs onboarded, start using CDO to identify and correct problems with network objects, optimize your existing policies, review your VPN connections, and upgrade your ASAs to the newest releases.

Resolve Network Object Issues

Start to optimize the security policies on your ASAs by resolving issues with network policy objects.

  • Unused objects—CDO identifies network policy objects that exist in a device configuration but are not referenced by another object, an access-list, or a NAT rule. Find these unused objects and delete them.

  • Duplicate objects—Duplicate objects are two or more objects on the same device with different names but the same values. These objects are usually created accidentally, serve similar purposes, and are used by different policies. Look for opportunities to standardize names while recognizing that some duplicates may exist for legitimate reasons.

  • Inconsistent objects—Inconsistent objects are objects on two or more devices with the same name but different values. Sometimes users create objects in different configurations with same name and content but over time the values of these objects diverge which creates the inconsistency. Consider standardizing the values in these objects or renaming one to identify it as a different object.

Fix Shadow Rules

Now that you have resolved your network object issues, review network policies for shadow rules and fix them. A shadow rule is marked by a half-moon badge on the network policies page. It is a rule in a policy that will never trigger because a rule with higher priority in the policy acts on all the packets before they reach the shadowed rule. If there is a shadowed rule that will never be hit, remove it, or edit the policy to bring that rule "into the light."

Add EtherChannel Configurations to FTD Before Migrating

Before you begin
Review this information:
Procedure
Step 1

Before migrating the EtherChannel configurations, you must create the equivalent number of EtherChannels on the Firepower Threat Defense (FTD) device that you are migrating from ASA. You can use CDO to create the EtherChannels. See Add an EtherChannel Interface to Firepower Threat Defense for instructions.

The minimum configuration for an EtherChannel is an EtherChannel ID and at least one EtherChannel member.

Step 2

Deploy the changes to your FTD.
What to do next

Continue to Run the Migration.

Run the Migration

Select the Device to Migrate

Procedure
Step 1

Log into your CDO tenant.
Step 2

In the navigation bar, click Devices & Services.

Step 3

Click the Devices tab to locate your device.

Step 4

Click the ASA tab and select the ASA device or model you want to migrate to an FTD.

The device details of the selected ASA device like the location, model, serial, and so on, are displayed in the Device Details pane.

Step 5

In the Device Actions pane, click Migrate to FTD.

If there have been previous migrations of this device, you will see the resulting migrations from the selected device.

For more information on filtering, see About Migrations Filters.

If this is a new migration, click Start a new migration for (device name).

Step 6

(Optional) If you want to select a different ASA device or a model to migrate to an FTD template, see About Migrations Filters.

(Optional) Update the Migration Name

Migration name is auto-generated based on the device name and the timestamp.
Procedure
Step 1

In the FTD Migration screen, you can also update the migration name or retain the default name. CDO allows you to search the migration list with the migration name.

Note 
The FTD template name will be the same as the migration name by default.
Step 2

Click Next to trigger the migration.

(Optional) Preserve the Running Configuration


Note
This is applicable only when you chose live ASA from the Devices and Services page.

In Preserve Running Configuration , the Migration tool allows you to save CDO's copy of the ASA's running configuration as an configuration file. This model device configuration is used for migration thus not affecting the live ASA.

The following options are available for migrating a CDO's copy of the ASA's running configuration to FTD:

  • Create an configuration file from the CDO's copy of the ASA's running device


    Note
    Allows you to retain a snapshot (model device) of the ASA configuration at the point of initiating the migration. When you are required to make the configuration changes for migration purposes, you can use the configuration file without affecting/interrupting the CDO's copy of the ASA's running configuration.

  • Migrate the configuration directly from the device


    Note
    The source configuration for the migration is a CDO's copy of the ASA's running configuration. The migration tool considers only the configuration from the time the migration starts. Any changes to that CDO's copy of the ASA's running configuration later, will not be reflected in the resulting migration. The additional migration attempts from the changed CDO's copy of the ASA's running configuration might result in different FTD configurations.
Procedure
Step 1

Enter the model device name under Model Device Name field.

Step 2

Perform one of these actions:

  1. Click Next.

    The model device is created and triggers the migration for that device.

  2. Click Skip to trigger the migration on the live ASA.

Parsing the ASA Configuration


Note
Depending on the size of the configuration files and the number of other devices or services, it may take a while for the configuration to get parsed. For more information, see Confirming ASA Running Configuration Size.

The parsing of the migration continues until it succeeds or fails. The migration process gathers ASA information, parses it, creates an FTD template and enables this FTD template to be applied to a device in CDO. For more information on FTD templates, see Templates. During the parsing phase, the migration process generates a Migration Report and a Migration Log that identify:

  • ASA configuration items that are fully migrated, partially migrated, unsupported for migration, and ignored for migration.

  • ASA configuration lines with errors, listing the ASA CLIs that the migration process cannot recognize; this blocks migration.


Note
Management interface and Static routes that are associated with the management interface are not migrated.
Fix the Migration Errors

When there is a migration error, you can review the Review Migration Report and Review Migration Log in the FTD Migration screen.

Select Download Report and Download Log from the FTD Migration screen to download the migration report and logs.

Reports and logs must be able to print the lines in the ASA configuration that caused the parsing failure. Navigate to the ASA device that you have chosen for migration, update the ASA configuration, and then restart the new migration.

If the parse is successful but the FTD template creation fails, navigate to Template > Workflows or Migration > Workflows to identify any failures and address the issues.

Reparse After Fixing the Migration Errors

You can reparse the ASA configuration after fixing the migration errors. Perform the following:

  • In the FTD Migration screen, click Go to Configuration.

  • Go to the specific configuration and make the configuration changes that caused the conversion failure.

  • Once you make the updates for the correct configuration, click Re-parse the configuration to trigger the migration against the changed configuration.


    Note
    The Re-parse the configuration option is applicable only when you have updated the configuration file and for the configuration with parsing errors only.

Apply Migration

To apply the migration, you can choose one of these options:

As per the CDO apply template feature, the FTD template that is created during migration deploys the changes on the device, only to the following: Interfaces, NAT, ACLs, Objects, and Routes.

The DHCP and Data DNS settings are restored to default, as the interface information would have changed during the migration.

The Other settings like VPN, HA, and so on, remain the same on the device.

Apply Migration Now

Note
Before applying the migration on a device, check whether the device is in synced state.

You can apply the FTD template to any device, review the FTD template, and deploy to the device later by selecting the FTD device.

Procedure
Step 1

Select Apply Migration Now.

  1. From the Select FTD Device drop-down list, select the FTD device for which you want to apply the FTD template.

    The device state must be "Synced" with "Online" connectivity.

  2. Click Select to select the FTD device.

Step 2

Click Next.

Step 3

In the Map Interfaces row, the Migration tool retrieves a list of Template Interfaces and the Devices Interfaces on the Firepower Threat Defense device. By default, the Migration Tool maps the interfaces in ASA and the Firepower Threat Defense device according to their interface identities. Click Continue.

For more information on mapping ASA Interfaces with Firepower Threat Defense devices, see Map ASA Interfaces with Firepower Threat Defense Interfaces.

Step 4

Review the FTD template information to be applied to the FTD device, and then click Apply Template.

Step 5

In the Done row, you can do the following:

You have successfully applied the migrated configuration to the selected FTD device.

  • Click Remove model device used for migration check box.

    Selecting the check box removes the model device that is created from live ASA. This will also remove the model device, deletes the migration logs and the files that are associated with the migration.

    Note 
    This check box is displayed only when the live ASA is selected from the Devices and Services page and only if the user has created the model device.

  • Click the Save migrated configuration as a template check box.

    Note 
    This check box is displayed only when the FTD template is applied successfully and is checked by default.

    If the check box is unchecked, the FTD template is not saved.

    If you encounter any error while applying the FTD template, navigate to Device > Workflows to view the errors and address the issues.

    Note 
    You can access these FTD templates from the Devices & Services page. For more information on the FTD templates, see Templates.
    Note 
    After the FTD template is saved successfully, you can perform the following actions:

Take one of these actions:

  • Click Preview and Deploy to deploy the configuration.

    You can verify the list of objects that will be deployed in the Preview and Deploy page.

  • Click Go to Devices that provides you an option to deploy the configuration.

(Optional) Post-Migration Tasks

  • Navigate to the FTD template to review the migration results.

  • Optimize the configurations using CDO capabilities.

  • Deploy the FTD template to the device.
Support for FTD with Management Access Interface Migration

Note
The Apply Template feature is not supported for a target device that has management access interface. Modify the FTD template manually before applying it on the target FTD device.
When you apply any migrated FTD template on a target device that has management access interface configured, the apply template feature fails due to mismatch in the mapped interfaces. On the target FTD, the management access interface configuration and the corresponding static routes must be preserved to ensure the connectivity with CDO. Therefore, to avoid connectivity failures, you must manually configure the management access interfaces along with required static routes by following these steps, and then apply the FTD template. This section provides the procedure that you must follow to ensure successful migration.

If there are multiple management access interfaces and the interfaces are configured incorrectly or unused, you must update the target FTD to maintain only the relevant management access interface configured, so that the unused interfaces can be used for the migrated configuration.

Procedure
Step 1

Update the physical interface in the template by modifying the IP address and subnet mask of the data interfaces so that it is the same as that of the management access interface.

Note 
The management access interface of the Target FTD must be mapped with the management access interface in the FTD template. The IP address and subnet mask of the FTD template must be the same as that of the target FTD.

  1. Navigate to the Devices & Services page.

  2. Click the Template tab.

  3. Click the FTD tab and select the FTD template.

  4. Choose Interface from the Management pane.

  5. Click Edit in the Editing Physical Interface dialog box.

  6. Enter the IP Address and the Subnet Mask.

  7. Click Save.

Step 2

Add the data interface as management access interface in the template settings:

  1. Navigate to the Devices & Services page.

  2. Click the Template tab.

  3. Click the FTD tab and select the FTD template.

  4. Navigate to Settings on the right side of the Management pane.

  5. In the Data Interface pane, click + to add an interface as management access interface.

    Note 
    Ensure that the data interface has a name, state, and the IP address.

  6. Click Save.

Step 3

Add or update the static routes with the interfaces associated on the device. When you map the management access interface to an additional interface, set the routing configuration for the selected FTD.

For more information to add or update the static routes, see Configure Static for Firepower Devices.

Apply Migration Later
Procedure
Step 1

Select Apply Migration Later.

A migration template is saved. You can save the created template and apply the template to the FTD device later.

Note 
You can access the FTD templates from the Devices & Services page.

Once the FTD template is saved successfully, you can perform the following actions:

  • Navigate to the FTD template to review the migration results.

  • Optimize the FTD template using CDO capabilities.

  • Navigate to the destination FTD device and select the FTD template that has to be applied.

  • Deploy the FTD template to the device.
Step 2

Click Done.

The Devices & Services page is displayed with the preselected FTD template.

CDO allows you to perform all the template-related actions like review policies, configurations, and so on.
Step 3

When you are ready to apply the FTD template:

  1. Select the target FTD device from the Devices & Services page.

  2. Click Apply Template from the Device Actions pane.

    The Apply Device Configuration screen is displayed.

  3. Select an FTD template that you want to apply on the device.

  4. Click Apply.

Note 
The Management Interface IP that is running on the device remains unchanged.

View the Migration Actions

The Migration Table screen displays the following:

  • The Migration Name. By default, CDO generates the migration name that is based on the device name. You can also customize this name. See Update the Migration Name.

  • The timestamp of the last migration activity performed on the device.

  • Displays the migration state of the device. For more information on the migration states, see Migration States and Description.

  • Allows you to perform various actions like rename, download log, and so on. For more information on the actions, see Actions and Descriptions.

Table 1. Migration States and Description

Migration States

Description

Parsing

Migration in progress.

Parse Error

The parsing is complete, with errors.

Conversion Error

The conversion is complete with errors.

Template Created

The migration is complete. The FTD template is successfully created, but with validation errors.

For more information on fixing the migration errors, see Fix the Migration Errors.

Table 2. Actions and Description

Action

Description

Resume

Resumes from the step where the migration process stopped.

For example, if the migration is complete, then the process resumes from applying the FTD template.

Rename

Rename the migration name.

Workflows

Displays the workflow screen.

Download Log

Allows you to download the log files in the TXT format. This is a parsing log.

Download Report

Allows you to download the report details in the HTML format.

Configuration

Allows you to view the ASA configuration against which the migration was performed.

Remove

Removes the migration and its associated files like the log files.

About Migrations Filters:

If you want to select a different ASA device or a model to migrate to an FTD template, use any of the following options:

  • Filter by Device

  • Filter by Clear option

Filter by Device

You can use many different filters on the Migrations page to find objects you are looking for. The migrations filter allows you to filter by device, state, and time range.

Table 3. Filter Attributes and the Descriptions

Filter Attribute

Description

Filter by Device

Allows you to select a specific device for migration.

State

  • Error—Displays the migration list that is based on the parsing errors.

  • Done—Displays the migration list that is based on the FTD template that is successfully created.

Time Range

Start, End—Displays the list of devices based on the selected start and end dates of migration.

Filter by Clear option

  1. Click Clear to clear the filter bar.

  2. Click the (+) icon.

  3. Select a device from the list or search for it by name and select it.

  4. Click Select.

    The FTD Migration screen is displayed.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco