topic Re: FTD migration tool and destination zone in Network Security

FTD migration tool and destination zone

lanab — Fri, 28 Apr 2023 10:09:37 GMT

I am using the latest FTD migration tool to move contexts from our old ASA5585 to FMC without FTD.

There is a major problem when doing this conversion as their is no way the tool can apply the destination zone i want and configured it to, it sets it to ANY with no other choice.

This is a problem as we have thousands of ACLs that needs the correct destination zone.

How can we solve this problem, how do we change the destination zone from ANY to XYC for all ACLs?

Re: FTD migration tool and destination zone

Marvin Rhoads — Fri, 28 Apr 2023 11:19:26 GMT

Generally the target zones will be configured and associated with interfaces / interfaces groups on a target FTD managed by the FMC. Is it that you don't have a target FTD available yet?

Re: FTD migration tool and destination zone

lanab — Fri, 28 Apr 2023 11:27:25 GMT

We have no target FTD now as we have like 50 contexts we are migrating from, we want to create the in FMC first.

Re: FTD migration tool and destination zone

lanab — Fri, 28 Apr 2023 12:10:32 GMT

Is there any text file in CLI i could edit and just replace all ANY to the zone we want?

Re: FTD migration tool and destination zone

Marvin Rhoads — Fri, 28 Apr 2023 16:19:54 GMT

There's no cli source file option that I'm aware of being able to use.

We have to migrate to a target device to get zones because anything associated with interfaces is not migrated/populated when we choose to "proceed without FTD" as a target device.

I wonder if you could just spin up a single FTDv and use it (over and over) for the various contexts?

Re: FTD migration tool and destination zone

MHM Cisco World — Fri, 28 Apr 2023 16:40:05 GMT

I full get your request

Map ftd interface will use asa to zone in ftd' but ANY is not interface in ASA and you want way to map it to ftd zone

Am I correct?

Re: FTD migration tool and destination zone

MHM Cisco World — Fri, 28 Apr 2023 17:14:34 GMT

I check the asa to ftd migrate will add zone any for any subnet (source or destination) that is list as any in acl of asa.

Re: FTD migration tool and destination zone

lanab — Sat, 29 Apr 2023 08:15:22 GMT

I tried to spin up an FTDv in the lab but then arise another problem as FTDv does not support portchannels so the migration tool will block and not continue.

Re: FTD migration tool and destination zone

lanab — Sat, 29 Apr 2023 08:18:08 GMT

I have created source and destination zone as wanted in the migration tool but after the conversion is done the tool only populated the source zone correctly and destination zone as ANY.

Re: FTD migration tool and destination zone

MHM Cisco World — Sat, 29 Apr 2023 11:47:36 GMT

I think you hit migration limits here

Migration Limitations

When migrating your ASA configuration, be aware of the following limitations:

ASA Configuration Only

The migration tool converts only ASA configurations. It does not convert existing ASA FirePOWER configurations. You must manually convert an existing ASA FirePOWER configuration to a Firepower Threat Defense configuration.

ACL and ACE Limits

The migration tool can support an ASA configuration file containing up to 2000000 total access rule elements. If the converted configuration file exceeds this limit, the migration fails.

You must consider the sum of all access rules elements in the ASA configuration file, rather than the element count for a single ACL. To view elements for a single ACL, use the ASA CLI command, show access-list | i elements.

Applied Rules and Objects Only

The migration tool only converts ACLs that are applied to an interface; that is, the ASA configuration file must contain paired access-list and access-group commands.

The migration tool only converts objects if they are associated with either actively-applied ACLs or NAT rules; that is, the ASA configuration file must contain appropriately associated object, access-list, access-group, and nat commands. You cannot migrate network and service objects alone.

Unsupported ACL and NAT Configurations

The migration tool supports most ACL and NAT configurations, with certain exceptions. It handles unsupported ACL and NAT configurations as follows:

Converts but Disables—The migration tool cannot fully convert ACEs that use:

Time range objects
Fully-qualified domain names (FQDN)
Local users or user groups
Security group (SGT) objects
Nested service groups for both source and destination ports

It cannot convert certain elements of these rules because there is no Firepower equivalent functionality for the unsupported elements. In these cases, the tool converts rule elements that have Firepower equivalents (for example, source network), excludes rule elements that do not have Firepower equivalents (for example, time range), and disables the rule in the new access control or prefilter policy it creates.

For each disabled rule, the system also appends (unsupported) to the rule name and adds a comment to the rule indicating why the system disabled the rule during migration. After importing the disabled rules on your Firepower Management Center, you can manually edit or replace the rules for successful deployment in the Firepower System.

Re: FTD migration tool and destination zone

lanab — Mon, 01 May 2023 19:37:03 GMT

This is by far the worst product i ever worked with, it's full of bugs.

I had to export the ACP and then manually edit the show-tech file for all interfaces that are portchannels to ordinary ethernet interfaces, then i ran the migration tool it continued fine, but still not working as it should.

Some rules gets a -no lookup after the ACL name which means it sets destination zone to ANY which means i still have to manually change all those ACLs from ANY to the right destination zone i want.

And editing just one ACL takes ages because the slow FMC GUI is not the fastest to work with.

So Cisco does not have any solution to this crap? your answer is to edit several hundreds of ACLs? we don't have that time.

Re: FTD migration tool and destination zone

NetworkMonkey101 — Tue, 27 Aug 2024 13:29:29 GMT

Did you ever resolve this issue I have the same problem? I do not want to have to edit 900 individual policies within FMC to use the correct zone instead of the migrated "any" zone.