topic Re: Questions on migrating active/standby ASA pair from ASA image to F in Network Security

Questions on migrating active/standby ASA pair from ASA image to FTD

spfister336 — Tue, 01 Feb 2022 21:13:13 GMT

We have two Cisco Firepower 4115s in active/standby mode, in a routed configuration. These have been running fine for a little over a year now. We currently run the ASA image (the previous firewall was a pair for ASA 5585Xs). Lately, we have been considering moving to the ftd image. I have a few questions:

- What is the best method to migrate to the new image, with minimal downtime?
- We are interested initially, in automatically blocking certain known problem ip addresses with something like abuseipdb. Is there a way to do this easily without going to the ftd image?
- Will new licensing be needed? How do we know if we already have it?
- I've heard mention that ACLs that use FQDNs may have problems being transitioned. Is that the case? Any way to analyze the current configuation for problem areas like this?
- For a single pair of devices, is FDM sufficient? Any need to go to FMC in this situation?

Thank you!

Re: Questions on migrating active/standby ASA pair from ASA image to F

balaji.bandi — Wed, 02 Feb 2022 07:50:36 GMT

here are my suggestions :

- What is the best method to migrate to the new image, with minimal downtime? - use ASA to Migration tool, if not big rules, its time to clean up old rules and move with a fresh rule base (so you can get rid of organically grown rules).

You can do offline testing all the rule base migrated and once you are happy with the audit, you need to have small downtime for OLD to new cutover with the same IP address you like to use.

- We are interested initially, in automatically blocking certain known problem ip addresses with something like abuseipdb. Is there a way to do this easily without going to the ftd image? - ASA any way going to End of Life, so you have no other option than moving to FTD, cisco Force, or suggest you that way.

- Will new licensing be needed? How do we know if we already have it? - depends on what you purchased, the old ASA License no Longer used here you need a new License, and what other options like IPS...so on

- I've heard mention that ACLs that use FQDNs may have problems being transitioned. Is that the case? Any way to analyze the current configuration for problem areas like this? - yes FTD supports this.

- For a single pair of devices, is FDM sufficient? Any need to go to FMC in this situation? - if you like full-blown management, FMC is the only option i can think of here.

Re: Questions on migrating active/standby ASA pair from ASA image to F

Sheraz.Salim — Wed, 02 Feb 2022 06:49:38 GMT

Just to put my thought on this.

- What is the best method to migrate to the new image, with minimal downtime?

Migration tool is a great start with. however the migration tool has caveats. for example outbound access-list is not supported in the migration tool 2.4. hence if you have a small depoyment (not large configure) than you should be fine. but if you have a big deployment in that case first stage this up once using the migration tool (with approach test and work)here is the documentation to start with. and here cisco migration tool give you an example of moving ASA into FTD image (2100 series) concept would be same for your appliance 4100.

- We are interested initially, in automatically blocking certain known problem ip addresses with something like abuseipdb. Is there a way to do this easily without going to the ftd image?

I do not think ASA software will go EOL. but yes the ASA hardware is gone EOL and cisco encourage to take the FTD appliance route. with FTD you can use the security intelligence which is a build in fuction and connected to cisco Taloas network.

- Will new licensing be needed? How do we know if we already have it?

FTD appliance using FTD image need a cisco smart licence here and here a good start with. but if you have a cisco support contract in place or have a cisco portal licensing you should be easily convert your traditional lic into a smart lic. otherwise TAC licensing team is very helpful to sort this out for you.

- I've heard mention that ACLs that use FQDNs may have problems being transitioned. Is that the case? Any way to analyze the current configuation for problem areas like this?

Cisco is very commited with firewall migration tool. new relase of migration tool keep coming up with enchanced features. there are some caveats but it all depends on your migration configuration what you running on. migration tool does support IPv4 and IPv6 FQDN objects and groups.

- For a single pair of devices, is FDM sufficient? Any need to go to FMC in this situation?

This is a more of personal company choice. if you have resoruce (virtual resources) run the FMC as virtual appliance and make most out of it. plus if you want to run your 4100 in muti-instance than why not use a FMC and manage all the firewall in at one pane of glass. less headache jumping/moving from one GUI to another.

Re: Questions on migrating active/standby ASA pair from ASA image to F

spfister336 — Mon, 07 Feb 2022 21:05:44 GMT

A quick follow up to this... Does the Firepower 4115 require any additional hardware to run the FTD image?

Re: Questions on migrating active/standby ASA pair from ASA image to F

Sheraz.Salim — Mon, 07 Feb 2022 21:26:39 GMT

Nope FTD 4115 is the beast. here the Data Sheet and also remember the FTD 4000 series run the FXOS under lay and on top you can run FTD or the ASA code.

no additional hardware require as the 4115 come as multi-instance. means you can setup a different container according to your requirments.