A. 

The following features are supported with release 2.2:

• Object Group Search

• IP SLA Monitor

• Time-based Objects

A. 

The Firepower Migration Tool can migrate policies from supported ASA platform to FTD platform. For more information, see Supported Source ASA Platforms.

A. 

To perform the tasks as part of your plan for migrating from ASA to Firepower Threat Defense, see Migrating ASA to Firepower Threat Defense 2100 - An Example.

A. 

You can use the Firepower Migration Tool to migrate an ASA configuration to the standalone or container instance of the Firepower Threat Defense platforms for FMC 6.2.3 or later. For more information on the list of supported devices, see Supported Target Firepower Threat Defense Platforms.

A. 

The Firepower Migration Tool supports migration of L3/L4 ASA configuration to FTD. It also allows enabling L7 features like IPS, file policy, and so on, during the migration process.

The Firepower Migration Tool can fully migrate the following ASA configurations:

• Network objects and groups (except discontiguous masks)

• Service objects, except for those service objects configured for a source and destination

  Note	Though the Firepower Migration Tool does not migrate extended service objects (configured for a source and destination), referenced ACL and NAT rules are migrated with full functionality.

• Service object groups, except for nested service object groups

  Note	Since nesting is not supported on the Firepower Management Center, the Firepower Migration Tool expands the content of the referenced rules. The rules however, are migrated with full functionality.

• IPv4 and IPv6 FQDN objects and groups

• IPv6 conversion support (Interface, Static Routes, Objects, ACL, and NAT)

• Access rules that are applied to interfaces in the inbound direction and global ACL

• Auto NAT, Manual NAT, and object NAT (conditional)

• Static routes, except for those configured with the track option which are partially migrated and ECMP routes which are not migrated

• Physical interfaces

• Subinterfaces

• Port channels

• Bridge groups (transparent mode only)

• Tunneling protocol-based access control policy rules (migrated as Prefilter tunnel rules)

• Category-based rule for CSM managed configurations

• IP SLA Monitor

• Object Group Search

• Time-based Objects

A. 

The following features are supported with release 2.0:

• Destination Zone mapping for Access Rules

• Prefilter tunnel rules

• Category-based rules

• Policy Limit and Capacity Warning

• ASA 5505 and ASA-SM migration support

A. 

Yes. The following features are supported with target FMC 6.5 and later:

• Migrate tunnel Rules as Prefilter

• Category-based rules

• ASA 5505 Migration

  Note	Requires FMC version 6.5 and later to migrate to target FTD FPR-1010 platform.

The following features are supported with target FMC 6.6 and later:

• Object Group Search

• IP SLA Monitor

• Time-based Objects

A. 

No. For migrations that are opted with Migrate Tunnel rules as Prefilter, the Firepower Migration Tool identifies tunneling protocol-based access rules and migrates them as tunnel rules.

A. 

The Firepower Migration Tool does not support the following ASA configurations for migration. If these configurations are supported in Firepower Management Center, you can configure them manually after the migration is complete.

• SGT-based access control policy rules

• SGT-based objects

• User-based access control policy rules

• NAT rules that are configured with the block allocation option

• Objects with unsupported ICMP type and code

• Tunneling protocol-based access control policy rules

• NAT rules that are configured with SCTP

• NAT rules that are configured with host ‘0.0.0.0’

• Tunneling protocol-based access control policy rules (supported from Firepower Migration Tool 2.0 with target FMC 6.5 and later)

For more information, see Guidelines and Limitations for ASA Configurations.

A. 

You can use the Firepower Migration Tool to migrate the configuration from single or multi-context ASA platforms (software version 8.4 or later). For more information on the list of devices, see Supported Source ASA Platforms.

A. 

Yes. The Firepower Migration Tool can handle migration of multi-context ASA. At any given point in time, one can migrate one context of the ASA (except for System context) to either FTD container or native instances on the target FMC.

A. 

The Firepower Migration Tool is integrated with Cisco Success Network. If there are errors or issues, contact Cisco TAC. For troubleshooting, see Troubleshooting Migration Issues.

A. 

The time that is taken during migration depends on numerous factors like latency on network, load on FMC, config size, number of objects, ACL, and so on. In internal testing, it was observed that a config file of 2.0 MB with 7000+ Access Control List, 7000+ NAT Translations, and 3000+ Network Objects takes around 6 minutes to successfully complete the migration.