Before you push the migrated ASA configuration to Firepower Management Center, review the configuration carefully and validate that it is correct and matches how you want to configure the Firepower Threat Defense device.
Here, the Migration Tool fetches the Intrusion Prevention System (IPS) Policies and File Policies that are already present
on the Firepower Management Center and allows you to associate them with the Access Control Rules you are migrating.
A file policy is a set of configurations that the system uses to perform Advanced Malware Protection for networks and file
control, as part of your overall access control configuration. This association ensures that before the system passes a file
in traffic that matches an access control rule’s conditions, it first inspects the file.
Similarly, you can use an IPS policy as the system’s last line of defense before traffic is allowed to proceed to its destination.
Intrusion policies govern how the system inspects traffic for security violations and, in inline deployments, can block or
alter malicious traffic. Whenever the system uses an intrusion policy to evaluate traffic, it uses an associated variable
set. Most variables in a set represent values commonly used in intrusion rules to identify source and destination IP addresses
and ports. You can also use variables in intrusion policies to represent IP addresses in rule suppressions and dynamic rule
To search for specific configuration items on a tab, enter the item name in the field at the top of the column. The table
rows are filtered to display only items that match the search term.
The source ASA device may be managed by CSM or ASDM. When you enter more than one item (object or inline values) in the source
or destination address, or source or destination service, CSM/ASDM automatically creates an object group. The naming conventions
for these object groups used by CSM and ASDM are CSM_INLINE and DM_INLINE respectively.
When you opt to clear the inline grouping for CSM-managed or ASDM-managed configurations, the predefined objects are replaced with the
actual object or member name. If you do not clear the CSM-managed or ASDM-managed configurations, the predefined object names are
retained for migration.
For example, 10.21.44.189 and 10.21.44.190 are members of an object group and are renamed with predefined names such as
object-group DM_INLINE_NETWORK_1 and object-group DM_INLINE_NETWORK_2.
By default, the Inline Grouping option is enabled.
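When reviewing the migrated rules, it helps to see which access-list entries depend on auto-generated inline groups and what those groups actually contain. The following is an added example, not part of the Migration Tool or of the original page: a small Python audit over an ASA configuration, where the sample configuration, the group name CSM_INLINE_svc_rule_1 and the function names are constructed for illustration.

```python
import re

# Constructed sample of ASA configuration lines (not from a real device).
SAMPLE_CONFIG = """\
object-group network DM_INLINE_NETWORK_1
 network-object host 10.21.44.189
 network-object host 10.21.44.190
object-group service CSM_INLINE_svc_rule_1 tcp
 port-object eq 443
 port-object eq 8443
object-group network WEB_SERVERS
 network-object 192.0.2.0 255.255.255.0
access-list outside_in extended permit tcp object-group DM_INLINE_NETWORK_1 object-group WEB_SERVERS object-group CSM_INLINE_svc_rule_1
access-list outside_in extended permit ip any object-group WEB_SERVERS
"""

# Prefixes the page gives for groups auto-created by CSM and ASDM.
INLINE_PREFIXES = ("CSM_INLINE", "DM_INLINE")
GROUP_RE = re.compile(r"^object-group\s+\S+\s+(\S+)")
REF_RE = re.compile(r"object-group\s+(\S+)")

def parse_object_groups(config):
    """Map each object-group name to the list of its member values."""
    groups, members = {}, None
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            members = groups.setdefault(m.group(1), [])
        elif line.startswith(" ") and members is not None:
            parts = line.split()
            # Keep the value after network-object / port-object / group-object.
            if parts and parts[0].endswith("-object"):
                members.append(" ".join(parts[1:]))
        else:
            members = None  # left the object-group block
    return groups

def review_inline_groups(config):
    """Return (acl_line, {inline_group: members}) for ACLs using inline groups."""
    groups = parse_object_groups(config)
    findings = []
    for line in config.splitlines():
        if line.startswith("access-list "):
            refs = [g for g in REF_RE.findall(line) if g.startswith(INLINE_PREFIXES)]
            if refs:
                findings.append((line, {g: groups.get(g, []) for g in refs}))
    return findings

if __name__ == "__main__":
    for acl, expanded in review_inline_groups(SAMPLE_CONFIG):
        print(acl, "->", expanded)
```

An inline group that resolves to an empty member list means the access-list references a group the configuration does not define, which is worth checking before the push.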
If you close the Migration Tool at the Review and Validate Configuration screen, it saves your progress and allows you to resume the migration later. If you close the Migration Tool before this
screen, your progress is not saved. If there is a failure after parsing, relaunching the tool resumes from the Interface Mapping screen.