Migrating from another firewall to Cisco Firepower Threat Defense (FTD) can be a daunting task. Depending on the role of the firewall, it can have thousands of ACL entries, network and service objects, and network address translations (NAT). Fortunately, for anyone migrating to Cisco FTDs that are managed by Cisco Firepower Management Center (FMC), Cisco provides a Firewall Migration Tool (FMT). This article focuses on migrating a Cisco ASA to Cisco FTD.
Note: Currently, there is no migration tool for FTDs that are managed locally with Firepower Device Manager (FDM).
The migration tool supports configurations from several major firewall vendors as the migration source (see Cisco's FMT documentation for the current list). Unfortunately, there is no support for Juniper firewalls.
There are a few requirements for using the FMT.
You will need the following:
The FMT executable.
Check the version of the ASA:
ASA# sh ver
Cisco Adaptive Security Appliance Software Version 9.12(4)52
SSP Operating System Version 2.6(1.256)
Device Manager Version 7.18(1)152
Compiled on Fri 19-Aug-22 06:13 GMT by builders
System image file is "disk0:/asa9-12-4-52-smp-k8.bin"
Config file at boot was "startup-config"
Next, select Cisco ASA as the source firewall (matching the ASA version above) and proceed.
Once the configuration is extracted, the FMT provides a summary of what it parsed.
Here you are presented with two options: migrate to a specific target FTD device that is registered to the FMC, or proceed without an FTD and migrate only the shared configuration (objects, access control policy and NAT) to the FMC. This example is for a target FTD.
Select what to migrate and proceed.
The migration tool also lets you create the security zones and interface groups that the migrated interfaces and rules will be mapped to.
The migration tool is not perfect. After using the migration tool for a couple of ASA migrations, I found the tool is best used for migrating the shared configurations (ACP, NAT and objects), as those are the most time consuming if you are migrating manually. During the migration, I had issues with L2L VPNs, dynamic routing such as BGP and OSPF, and their associated policies that used ACLs. For the VPN, there were some discrepancies with the encryption and integrity algorithms and supported Diffie-Hellman groups. This is due to the FTD/FMC not supporting outdated and low-security algorithms and DH groups in IKEv1. The FMT also migrated some VPNs but not others, and the reports did not give a reason why. The migrated VPNs also caused a configuration deployment to error out until the encryption, integrity and DH group issues were resolved. I found that it was just easier to migrate the L2L VPNs over manually. Keep in mind that any change to the VPN algorithms requires a matching change on the peer, or the VPN will break.

Also, the migration tool did not detect any of the dynamic routing protocols. BGP was used in the ASAs, but the FMT did not detect it or allow me to select it for migration. OSPF was not a selectable option for migration either.
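Because the FMT's reports do not say why a VPN or routing configuration was skipped, it helps to know before the migration what the tool is likely to leave behind. The following script is an added example, not part of the original article or of Cisco's tool: it parses ASA `show running-config` text (a constructed sample is embedded) and reports object, ACL and NAT counts to compare against the FMT's parsing summary, alongside the items this article found needed manual migration: `router bgp`/`router ospf` blocks, and IKEv1 policies or transform sets that use weak algorithms or DH groups. The weak-algorithm sets are an assumption; adjust them to whatever your FMC release refuses to deploy.

```python
"""Pre-flight audit of a Cisco ASA running-config before running the FMT.

Added example; not part of the original article or of Cisco's tool.
Assumption: WEAK_* below approximate what a current FMC/FTD release rejects
in IKEv1 policies and transform sets; check against your FMC release notes.
"""
import re
from collections import Counter

WEAK_ENCRYPTION = {"des", "3des"}   # assumption, see module docstring
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def _weak_parts(token: str) -> set:
    """Weak algorithm names inside a transform-set token like 'esp-3des'
    or 'esp-md5-hmac'."""
    return set(token.split("-")) & (WEAK_ENCRYPTION | WEAK_HASH)


def audit_asa_config(config: str) -> dict:
    """Return {'counts': {...}, 'findings': [...]} for an ASA config.

    ASA sub-commands are indented by at least one space, so the last
    unindented line is the parent context for every indented line after it.
    """
    counts = Counter()
    findings = []
    context = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        line = raw.strip()
        tokens = line.split()
        if raw.startswith(" "):
            # Indented sub-command: interpret it relative to its parent.
            if context.startswith("object network ") and line.startswith("nat "):
                counts["NAT rules"] += 1          # object (auto) NAT
            elif context.startswith("crypto ikev1 policy ") and len(tokens) == 2:
                keyword, value = tokens
                if (keyword == "encryption" and value in WEAK_ENCRYPTION) \
                        or (keyword == "hash" and value in WEAK_HASH) \
                        or (keyword == "group" and value in WEAK_DH_GROUPS):
                    findings.append(f"{context}: weak {keyword} {value}, "
                                    "FMC deployment will reject it")
            continue
        context = line
        if line.startswith("object network "):
            counts["network objects"] += 1
        elif line.startswith("object service "):
            counts["service objects"] += 1
        elif line.startswith("object-group "):
            counts["object groups"] += 1
        elif line.startswith("access-list ") and len(tokens) > 2 and tokens[2] != "remark":
            counts["ACL entries"] += 1
        elif line.startswith("nat "):
            counts["NAT rules"] += 1              # manual (twice) NAT
        elif re.match(r"router (bgp|ospf)\b", line):
            findings.append(f"{line}: dynamic routing is not migrated by the FMT")
        elif line.startswith("crypto ipsec ikev1 transform-set "):
            weak = sorted(w for t in tokens[5:] for w in _weak_parts(t))
            if weak:
                findings.append(f"{' '.join(tokens[:5])}: weak {', '.join(weak)}")
        elif line.startswith("crypto map ") and "set peer" in line:
            counts["crypto map peers"] += 1
        elif line.startswith("tunnel-group ") and "ipsec-l2l" in tokens:
            counts["L2L tunnel groups"] += 1
    return {"counts": dict(counts), "findings": findings}


# Constructed sample config (hypothetical addresses and names).
SAMPLE_CONFIG = """\
: Saved
ASA Version 9.12(4)52
!
object network INSIDE_NET
 subnet 10.10.0.0 255.255.0.0
object network WEB_SERVER
 host 10.10.5.20
 nat (inside,outside) static 203.0.113.20
object service TCP_8443
 service tcp destination eq 8443
object-group network DMZ_HOSTS
 network-object host 10.20.0.5
access-list OUTSIDE_IN remark Public web server
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq https
access-list OUTSIDE_IN extended deny ip any any log
access-list VPN_ACL extended permit ip object INSIDE_NET 192.168.50.0 255.255.255.0
nat (inside,outside) source dynamic INSIDE_NET interface
router bgp 65001
 address-family ipv4 unicast
  neighbor 198.51.100.1 remote-as 65002
router ospf 1
 network 10.10.0.0 255.255.0.0 area 0
crypto ipsec ikev1 transform-set WEAK-TS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set STRONG-TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_ACL
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto ikev1 policy 10
 encryption 3des
 hash md5
 group 2
crypto ikev1 policy 20
 encryption aes-256
 hash sha
 group 14
tunnel-group 198.51.100.10 type ipsec-l2l
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    result = audit_asa_config(text)
    for name, n in result["counts"].items():
        print(f"{name:20} {n}")
    for finding in result["findings"]:
        print("MANUAL:", finding)
```

Run it against saved `show running-config` output (`python asa_preflight.py asa.cfg`) and keep the MANUAL lines as the checklist for the hand-migrated part of the cutover; the counts give you something concrete to compare with the FMT's parsing summary before you trust it.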
The FMT is not an all-in-one tool. It still requires some configurations to be migrated over manually, and features that were migrated still need to be validated manually to avoid headaches during cutover. It is not perfect, but it cuts down on tedious tasks that would otherwise require manual entry and avoids human error such as typos.
As always if you have any questions on Cisco FTD for you and your business and would like to schedule a free consultation with us, please reach out to us at sales@lookingpoint.com and we’ll be happy to help!