Welcome to Firepower Migration Tool

This document provides critical and release-specific information for Cisco Firepower Migration Tool. Even if you are familiar with Firepower releases and have previous experience with the migration process, make sure that you thoroughly read and understand this document.

New Features in This Release

In this release, the following features have been added:

Table 1. New Features in This Release (columns: Firewall, New Features)

Firewall: ASA and Check Point

  • You can manually map interface groups and security zones.

  • The Migration Tool compares the ACE count for migrated rules with the supported ACE limit on a target platform.

  • The new optimization functionality in the Migration Tool allows you to fetch the migration results quickly using the Search filters.

Firewall: ASA

  • When the source configuration is ASA 5505, the device-specific configs (Interface and routes) and shared policies (NAT, ACLs, and Objects) can be migrated only when the supported Target FTD platform is Firepower 1010 with Firepower Management Center (FMC) version 6.5 or later.

    Note 
    • You can select only FPR-1010 from the Select Device drop-down list.

    • If the target FTD is not an FPR-1010, or the target Firepower Management Center (FMC) version is earlier than 6.5, ASA 5505 migration support applies to shared policies only. Device-specific configs are not migrated.

    • L2 switch mode capability is enabled on FPR-1010 from FTD and FMC version 6.5. To migrate ASA 5505 configuration (device-specific configs and shared policies) to FPR-1010, ensure that the FTD and FMC version is 6.5 or later.

    • ASA-SM migration support is for shared policies only. Device-specific configs are not migrated.

  • The Migration Tool supports the following access control features during migration:

    • Populate Destination Security Zones—Enables mapping of destination zones for the ACL during migration.

    • Migrate Tunneled rules as Prefilter—Maps ASA encapsulated tunnel protocol rules to Prefilter tunnel rules.

  • Policy Capacity and Limit Warning support—The Migration Tool compares the ACE count of the migrated rules with the supported ACE limit on the target FTD platform. It displays an indicator and a warning message if the total count of migrated ACEs approaches or exceeds the supported limit of the target device.

  • Support for ACL rule categories in CSM-managed configurations.

Firewall: Check Point

  • The Firepower Migration Tool allows you to migrate the following supported Check Point configuration elements to Firepower Threat Defense:

    • Interfaces

    • Static Routes

    • Objects

    • Access Control Policy

      • Global Policy—When you select this option, the source and destination zones for the ACL policy are migrated as Any.

      • Zone-Based Policy—When you select this option, the source and destination zones are derived by a predictive route lookup, through the migrated routing mechanism, for the source and destination network objects or groups.

        Note 
        Route lookup is limited to static routes and dynamic routes only (PBR and NAT are not considered). Depending on the nature of the source and destination network object groups, this operation may result in rule explosion (one migrated rule per source-zone/destination-zone pair).

      • Network Address Translation

    • Support for Check Point OS versions—R75, R76, R77, R77.10, R77.20, and R77.30.
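The two behaviours described above, the zone-based derivation that can explode one Check Point rule into several FTD rules, and the ACE count comparison against the target platform's limit (Policy Capacity and Limit Warning in the ASA list), are illustrated by the following added example. It is not the Migration Tool's code: the routing table, object groups, rule names and the ACE limit are all constructed for the example, and the "Any" zone handling for a default-route member is an assumption about how global matches are represented.

```python
import ipaddress
from itertools import product

# Constructed static routing table (hypothetical): destination prefix -> egress zone.
ROUTES = {
    "0.0.0.0/0": "outside",
    "10.1.0.0/16": "inside",
    "10.2.0.0/16": "dmz",
    "10.1.5.0/24": "mgmt",   # more specific than 10.1.0.0/16, so it wins for 10.1.5.x
}

# Constructed network objects / object groups (hypothetical names).
OBJECTS = {
    "web_servers": ["10.2.1.10/32", "10.2.1.11/32"],
    "corp_lan": ["10.1.0.0/16"],
    "mixed_group": ["10.1.7.0/24", "10.2.9.0/24", "10.1.5.4/32"],  # spans three zones
    "any": ["0.0.0.0/0"],
}

# Constructed source rules in a minimal Check Point-like shape.
RULES = [
    {"name": "lan_to_web", "src": "corp_lan", "dst": "web_servers", "action": "allow"},
    {"name": "mixed_out", "src": "mixed_group", "dst": "any", "action": "allow"},
]


def route_lookup(network):
    """Longest-prefix match of a network against ROUTES; returns the zone.
    A default-route member (prefix length 0) is treated as the 'Any' zone (assumption)."""
    net = ipaddress.ip_network(network, strict=False)
    if net.prefixlen == 0:
        return "Any"
    best = None
    for prefix, zone in ROUTES.items():
        route = ipaddress.ip_network(prefix)
        if net.version == route.version and net.subnet_of(route):
            if best is None or route.prefixlen > best[0].prefixlen:
                best = (route, zone)
    if best is None:
        raise ValueError(f"no route for {network}")
    return best[1]


def zones_for(group):
    """Group the members of an object group by the zone the route lookup assigns them.
    A group whose members fall into several zones is what causes rule explosion."""
    by_zone = {}
    for member in OBJECTS[group]:
        by_zone.setdefault(route_lookup(member), []).append(member)
    return by_zone


def migrate_rule(rule, zone_based=True):
    """Convert one source rule into FTD access rules.
    Global policy: one rule with source and destination zone Any.
    Zone-based policy: one rule per (src_zone, dst_zone) pair, each carrying only
    the members that actually live in that zone pair."""
    if not zone_based:
        return [dict(rule, src_zone="Any", dst_zone="Any")]
    migrated = []
    for (sz, srcs), (dz, dsts) in product(zones_for(rule["src"]).items(),
                                          zones_for(rule["dst"]).items()):
        migrated.append({"name": rule["name"], "src_zone": sz, "dst_zone": dz,
                         "src_nets": srcs, "dst_nets": dsts, "action": rule["action"]})
    return migrated


def migrate_policy(rules, zone_based=True):
    """Migrate a whole policy; the length of the result is the migrated ACE count."""
    out = []
    for rule in rules:
        out.extend(migrate_rule(rule, zone_based))
    return out


def ace_capacity_check(ace_count, limit, warn_ratio=0.9):
    """Compare the migrated ACE count with the target's supported limit.
    'limit' is supplied by the caller; the value used below is constructed, not a
    published platform figure."""
    if ace_count > limit:
        return "exceeded"
    if ace_count >= warn_ratio * limit:
        return "approaching"
    return "ok"


if __name__ == "__main__":
    for mode in (False, True):
        rules = migrate_policy(RULES, zone_based=mode)
        label = "zone-based" if mode else "global"
        print(f"{label}: {len(rules)} ACEs, capacity check = "
              f"{ace_capacity_check(len(rules), limit=4)}")
        for r in rules:
            print("  ", r["name"], r["src_zone"], "->", r["dst_zone"])
```

With these inputs the global policy yields two ACEs, while the zone-based policy yields four: `mixed_group` resolves to the inside, dmz and mgmt zones, so its single rule becomes three, which is the rule explosion the note warns about. The capacity check is deliberately run against a tiny constructed limit so that the "approaching" state is visible.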

Supported Configurations

The following configuration elements are supported for migration for ASA:

  • Network objects

  • Service Objects (which are referred to as port objects in Firepower Threat Defense)

  • Access lists

  • NAT rules

  • Interfaces (Exceptions: Redundant, Routed Mode-BVI, VTI (Tunnel Interface))

    Note

    If your source ASA has Port Channel interfaces, you must create Port Channel interfaces on the Firepower Management Center; subinterfaces are created automatically.

  • Static routes (without SLA track; dynamic routing is not supported)

  • Routed and transparent firewall mode

  • Name command reference supported in network objects and groups, ACLs, and routes

The following configuration elements are supported for migration for Check Point:

  • Interfaces (Physical, VLAN, and Bond interfaces)

  • Network objects and groups

  • Service objects

  • Network Address Translation (except Auto NAT rules that hide behind the gateway, Manual NAT having Check Point Security gateway, and IPv6 NAT Rules)

  • IPv6 conversion support for interfaces, static routes, objects, and ACLs (except zone-based ACLs for IPv6); IPv6 NAT is not supported

  • Access rules that are applied globally, with support for converting Global ACLs to Zone-Based ACLs

  • Static routes, except those configured with a priority other than 1, a local scope, or a logical interface

  • ACL with additional logging type

Supported Software Versions for Migration

The following are the supported Firepower Threat Defense versions for migration:

Supported Firepower Threat Defense Versions

The Migration Tool recommends migration to a device that is running Firepower Threat Defense version 6.2.3 or later.

For detailed information about the Cisco Firepower software and hardware compatibility, including operating system and hosting environment requirements, for Firepower Threat Defense, see the Cisco Firepower Compatibility Guide.

Migration Workflow

Note

Beginning with release 2.0, the Migration Tool supports migrating Check Point configuration to FTD. Note the following as part of the migration workflow.

You can obtain ASA configuration items for migration by using one of the following methods:

  • Manual Upload Method: In single context mode, use the show run command to obtain the ASA configuration. In multi-context mode, use the show tech command to obtain the ASA configuration.

  • Connect to the ASA from the Migration Tool: In a multi-context ASA, select the context to migrate after connecting to the ASA, and select a target Firepower Threat Defense device. When you complete migration of the first context, repeat the steps to migrate the other contexts: connect to the ASA, select the context to be migrated, and select a target Firepower Threat Defense device.

You can obtain Check Point configuration items for migration only through the manual upload method. To collect the Check Point configuration through a manual upload method, do the following:

  • Export Configuration using the Check Point Web Visualization Tool (WVT): Open the command prompt window to the directory where WVT is saved and extracted, and execute the following command to obtain the Check Point configuration:

    C:\Web_Visualisation_Tool> cpdb2web.exe [-s management_server] [-u admin_name | -a certificate_file] [-p password] [-o output_file_path] [-t table_names] [-c | -m gateway | -l package_names] [-gr] [-go] [-w Web_Visualization_Tool_installation_directory]

  • Export Device configuration using the FMT-CP-Config-Extractor_v1.0 Tool: Open the FMT-CP-Config-Extractor_v1.0 Tool, which is a Windows executable file (.exe), on the workstation that has access to the Check Point Security Gateway.

  • Zip the Exported Files: Select all eight files (seven from the Web Visualization Tool (WVT) and one .txt file from the FMT-CP-Config-Extractor_v1.0 Tool) and compress them into a zip file.

If you must extract information from a Check Point using the Migration Tool, proceed to Export the Check Point Configuration Files.

Firepower Migration Tool Features

The Firepower Migration Tool provides the following features:

  • Validation throughout the migration, including parse and push operations

  • Object re-use capability

  • Object conflict resolution

  • Interface mapping

  • Auto-creation or reuse of interface objects (ASA nameif to security zones and interface groups mapping)

  • Support for creating user-defined security zones and interface groups

  • Subinterface limit check for the target Firepower Threat Defense device

  • Platforms supported

    — Virtual ASA to Virtual FTD

    — Same hardware migration (X to X device migration)

    — X to Y device migration (where Y has a higher number of interfaces)

Migration Reports

The Firepower Migration Tool provides the following reports in HTML format with details of the migration:

  • Pre-Migration Report

  • Post-Migration Report

Platform Requirements for the Firepower Migration Tool

The Migration Tool has the following infrastructure and platform requirements:

  • Windows 10, or macOS version 10.13 or later

  • Google Chrome as the system default browser

  • A single instance of the tool per system

  • Firepower Management Center and Firepower Threat Defense must be version 6.2.3.3 or later

Documentation

The following documentation is provided with this release:

  • Firepower Migration Tool Release Notes

  • Migrating ASA to Firepower Threat Defense with the Firepower Migration Tool

  • Migrating Check Point to Firepower Threat Defense with the Firepower Migration Tool

  • Open Source Used in Cisco Firepower Migration Tool

Open and Resolved Bugs

The open bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.


Note

You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account on Cisco.com. For more information on Bug Search Tool, see Bug Search Tool Help.

Use these dynamic queries for an up-to-date list of open and resolved caveats in Firepower Migration Tool: