Introduction

Migrating another firewall to Cisco Firepower Threat Defense (FTD) can be a daunting task. Depending on the role of the firewall, it can have thousands of ACL entries, network and service objects and network address translations (NAT). Fortunately, for anyone that is migrating to Cisco FTDs that are managed by Cisco Firepower Management Center (FMC), Cisco provides a firewall migration tool (FMT).   This article focuses on migration Cisco’s ASA to Cisco FTD.

Note: Currently, there is no migration tool for FTDs that are using the local management FDM.

The migration tool supports the following major firewall vendors as listed below. Unfortunately, there is no support for Juniper firewalls.

Prerequisites

There are a few requirements for using the FMT.

You will need the following:

• CCO account to download FMT and run FMT.
• A copy of the firewall configuration file in ascii text format from one of the supported vendors or CLI access to the firewall
• Access to FMC to import the migrated configuration.

Migrating Cisco ASA to FTD managed by FMC.

1. The first step is to download the FMT from Cisco using a CCO account. Mac and Windows versions are supported.

2. Run the migration tool.   It will prompt for a login. Log in using a valid CCO account and the FMT GUI interface will appear on the web browser.

The FMT executable.

Check the version of the ASA:

ASA# sh ver

Cisco Adaptive Security Appliance Software Version 9.12(4)52

SSP Operating System Version 2.6(1.256)

Device Manager Version 7.18(1)152

Compiled on Fri 19-Aug-22 06:13 GMT by builders

System image file is "disk0:/asa9-12-4-52-smp-k8.bin"

Config file at boot was "startup-config"

Next, select the ASA version and proceed.

3. Two options are available for importing the configuration.   You can upload the configuration file manually or connect to the ASA directly and let the migration tool pull the configuration.
   
4. Select the context if the ASA has multiple contexts and select Start Extraction

Once the configuration is extracted a summary will be provided what was parsed by the FMT

5. Next, connect to the FMC.

Here you are presented with two options:

• Select FTD device. This will migrate everything from the source firewall that the firewall migration tool supports. This will include device specific configuration such as interfaces, VPNs and route information as well as the hared configuration such objects, ACLs and NAT configuration.

Or

• Proceed without FTD: This will migrate only the shared configurations such Access Control and NAT policy and network and service objects.
  
  
  

This example is for a Target FTD.

Select what to migrate and proceed.

6. Start the conversion. Once conversion is finished, a pre-migration report will be provided outlining what is supported. After reviewing the report click Next to proceed.

7. Next, we need to map the existing interfaces from the ASA to the target FTD and assign the interfaces to a security Zone and Interface Group.  
   

The migration tool lets you create the Security Zone and Interface Groups

8. Validate the configuration to fix any issues such as existing objects or object groups with the same name. Resolve issues and re-validate and then proceed.

9. After validation push the configuration to the Target FTD.

10. Once migration is complete, a post-migration report will be created. Review the report.

11. The last step is to deploy the configuration in FMC.

Conclusion

The migration tool is not perfect. After using the migration tool for a couple of ASA migrations. I found the tool is best used for migrating the shared configurations (ACP, NAT and Objects) as those are the most time consuming if you are migrating manually.   During the migration, I had issues with L2L VPNs, dynamic routing such as BGP and OSPF and their associated policies that used ACLs. For the VPN, there were some discrepancies with the encryption and integrity algorithms and supported Diffie-Hellman groups. This is due to the FTD/FMC not supporting outdated and low security algorithms and DH groups in IKEv1. The FMT also migrated some VPNs but not others, but the reports did not give a reason why. The migrated VPNs also cause a configuration deployment to error out until the encryption, integrity and DH group issues are resolved. I found that it was just easier to migrate the L2L VPNs over manually. Keep in mind that any changes to the VPN requires changes to the peer configuration or VPN will break. Also, the migration tool did not detect any of the dynamic routing protocols. BGP was used in the ASAs but the FMT did not detect it or allow me to select it for migration. OPSF was not a selectable option for migration.

The FMT is not an all-in-one tool. It still requires some configurations to be migrated over manually. Features that were migrated over still need to be validated manually to avoid headaches during cutover.   It’s not perfect but it helps cut down on tedious task that would otherwise require manual import and avoid human error such typos.

As always if you have any questions on Cisco FTD for you and your business and would like to schedule a free consultation with us, please reach out to us at sales@lookingpoint.com and we’ll be happy to help!