We recommend that you do not store any other files in this folder. When you launch the Secure Firewall migration tool, it places the logs, resources, and all other files in this folder.

The above link takes you to the Secure Firewall migration tool under Firewall NGFW Virtual. You can also download the Secure Firewall migration tool from the Firewall Threat Defense device download areas.

Ensure that you download the appropriate executable of the Secure Firewall migration tool for Windows or macOS machines.

When you agree to send statistics to Cisco Success Network, you are prompted to log in using your Cisco.com account. Local credentials are used to log in to the Secure Firewall migration tool if you choose not to send statistics to Cisco Success Network.

The new password must have 8 characters or more and must include upper and lowercase letters, numbers, and special characters.

If you have not completed one or more of the items in the checklist, do not continue until you have done so.

The web browser prompts you for a location to save the configuration file.

The configuration file has a .conf extension.

• Enter Base URL: This is the base URL that you see on your browser when you connect to your Multicloud Defense controller. For example, when you are in the controller dashboard, copy the link on your browser, excluding the /dashboard part. The URL looks like https://xxxx.mcd.apj.cdo.cisco.com

• Enter Tenant Name: The name of your Security Cloud Control tenant. Copy it from the profile drop-down on the top-right corner when you are in the Multicloud Defense window or from Administration > General Settings if you are in the Security Cloud Control window.

• Enter API Key ID: The API Key ID that Multicloud Defense controller generates when you create an API key by navigating to System and Accounts > API Keys. Specify a name for the key, your email address, the role you want the API key to have, and the API key lifetime to generate a key. The default key lifetime is set to 365 days.

• Enter API Key Secret: The API Key Secret that Multicloud Defense controller generates when you create an API key.

  Note	Ensure you copy both the API Key ID and API Key Secret when they are displayed only at the time of creating the API key. If you missed to copy them, delete the API key that you created, generate a new one, and make sure you copy them this time.

Note that other configurations from the source firewall such as interfaces and routes are not supported for this migration.

To check whether your configuration file is successfully uploaded and parsed, download and verify the Pre-Migration Report before you continue with the migration.

A copy of the Pre-Migration Report is also saved in the Resources folder in the same location as the Secure Firewall migration tool.

The Pre-Migration Report includes the following information:

• A summary of the supported configuration elements that can be successfully migrated to Firewall Threat Defense or Multicloud Defense and specific features selected for migration.

• Configuration Lines with Errors—Details of configuration elements that cannot be successfully migrated because the Secure Firewall Migration Tool could not parse them. Correct these errors in the configuration, export a new configuration file, and then upload the new configuration file to the Secure Firewall Migration Tool before proceeding.

• Ignored Configuration—Details of configuration elements that are ignored because they are not supported by the Multicloud Defense or the Secure Firewall Migration Tool. The Secure Firewall Migration Tool does not parse these lines. Review these lines, verify whether each feature is supported in Multicloud Defense, and if not supported, plan to configure the features manually.

• Click Optimize ACL to let the migration tool identify all the shadow and redundant ACLs and choose whether to migrate them as disabled ACLs or to exclude them from being migrated.

  Secure Firewall Migration Tool ACL Optimization Overview

  The Secure Firewall migration tool provides support to identify and segregate ACLs that can be optimized (disabled or deleted) from the firewall rule base without impacting the network functionality.

  The ACL optimization supports the following ACL types:

  • Redundant ACL—When two ACLs have the same set of configurations and rules, then removing the non-base ACL will not impact the network. For example, if any two rule allows FTP and IP traffic on the same network with no rules that are defined for denying access, the first rule can be deleted.

  • Shadow ACL—The first ACL completely shadows the configurations of the second ACL. If two rules have similar traffic, the second rule is not applied to any traffic as it appears later in the access list. If the two rules specify different actions for traffic, you can either move the shadowed rule or edit any one of the rules to implement the required policy. For example, the base rule may deny the IP traffic, and the shadowed rule may allow FTP traffic for a given source or destination.

  The Secure Firewall migration tool uses the following parameters while comparing rules for ACL optimization:

  • The disabled ACLs are not considered during the optimization process.

  • The source ACLs are expanded into the corresponding ACEs (inline values), and then compared for the following parameters:

    • Source and Destination Network

    • Source and Destination Port

  Click Download Report to review the ACL name and the correponding redundant and shadowed ACLs tabulated in an Excel file. Use the Detailed ACL Information sheet to view more ACL information.

  Click Proceed to start the optimization process.

• For each entry in the table, review the mappings and verify that they are correct.

  A migrated Access Policy Rule uses the ACL name as prefix and appends the ACL rule number to it to make it easier to map back to the configuration file. For example, if an ACL is named "inside_access," then the first rule (or ACE) line in the ACL will be named as "inside_access_#1." If a rule must be expanded because of TCP or UDP combinations, an extended service object, or some other reason, the Secure Firewall migration tool adds a numbered suffix to the name. For example, if the allow rule is expanded into two rules for migration, they are named "inside_access _#1-1" and " inside_access_#1-2".

  For any rule that includes an unsupported object, the Secure Firewall migration tool appends an "_UNSUPPORTED" suffix to the name.

• If you do not want to migrate or want to migrate a few ACLs as disabled, check the checkboxes against the row, click Actions, and choose the relevant option. Check the Select all entries checkbox to perform bulk changes.

• To edit an access control list policy, select the row by checking the check box for the policy, and choose Actions > Edit.

  All rules that are not applicable are grayed out in the table.

Choose the following tabs and review the mappings:

• Network Objects

• Port Objects

• FQDN Objects

• URL Objects

If you want to rename an object, check the checkbox against the object row, click Actions, and choose Rename. Check the Select all entries checkbox to perform bulk changes.

During validation, the Secure Firewall migration tool connects to Multicloud Defense, reviews the existing objects, and compares those objects to the list of objects to be migrated. If an object already exists in Multicloud Defense, the Secure Firewall migration tool does the following:

• If the object has the same name and configuration, the Secure Firewall migration tool reuses the existing object and does not create a new object in Multicloud Defense.

• If the object has the same name but a different configuration, the Secure Firewall migration tool reports an object conflict.

You can view the validation progress in the console.

The Secure Firewall migration tool displays a summary of the progress of the migration. You can view detailed, line-by-line progress of which the components that are being pushed to Multicloud Defense in the console.

A copy of the Post-Migration Report is also saved in the Resources folder in the same location as the Secure Firewall migration tool.

You can also contact the support team for troubleshooting.

Migration Failure Support

If the migration is unsuccessful, contact Support.

1. On the Complete Migration screen, click the Support button.

   The Help support page appears.

2. Check the Support Bundle check box and then select the configuration files to download.

   Note	The Log and dB files are selected for download by default.

3. Click Download.

   The support bundle file is downloaded as a .zip to your local path. Extract the zip folder to view the log files, DB, and the configuration files.

4. Click Email us to email the failure details for the technical team.

   You can also attach the downloaded support files to your email.

5. Click Visit TAC page to create a TAC case in the Cisco support page.

   Note	You can open a TAC case at any time during the migration from the support page.

1. Migration Summary—A summary of the configuration that was successfully migrated from your source firewall to Multicloud Defense.

   You can also view a comparison chart that illustrates the difference between the count of pre-migration and post-migration states.

2. Object Conflict Handling—Details of the objects that were identified as having conflicts with existing objects in Multicloud Defense. If the objects have the same name and configuration, the Secure Firewall migration tool reused the Multicloud Defense object. If the objects have the same name but a different configuration, you renamed those objects. Review these objects carefully and verify that the conflicts were appropriately resolved.

3. Access Control Rules That You Chose Not to Migrate—Details of the rules that you choose not to migrate with the Secure Firewall migration tool. Review these rules that were disabled by the Secure Firewall migration tool and were not migrated. Review these lines and verify that all the rules you choose are listed in this section. If desired, you can configure these rules manually.

4. Partially Migrated Configuration—Details of the rules that were only partially migrated, including rules with advanced options where the rule could be migrated without the advanced options. Review these lines, verify whether the advanced options are supported in Multicloud Defense, and if so, configure these options manually.

5. Expanded Access Control Policy Rules—Details of the source firewall access control policy rules that were expanded from a single point rule into multiple Multicloud Defense rules during migration.

6. Actions Taken on Access Control Rules

   • Access Rules You Chose Not to Migrate—Details of the access control rules that you choose not to migrate with the Secure Firewall migration tool. Review these lines and verify that all the rules you choose are listed in this section. If desired, you can configure these rules manually in Multicloud Defense.

   • Access Rules with Rule Action Change—Details of all Access Control Policy Rules that had ‘Rule Action’ changed using the Secure Firewall migration tool. The Rule Action values are - Allow, Trust, Monitor, Block, Block with reset. Review these lines and verify that all the rules you choose are listed in this section. If desired, you can configure these rules manually in Multicloud Defense.