topic Re: Migrate cisco FTD from series 2000 to series 3000 in Network Security

Migrate cisco FTD from series 2000 to series 3000

Amr Ali Mohamed — Thu, 17 Oct 2024 10:56:38 GMT

Dears,

we will replace our Cisco FTD box series 2000 with a new one series 3000 managed by FMC is there any document with steps to make this migration

Re: Migrate cisco FTD from series 2000 to series 3000

ahollifield — Thu, 17 Oct 2024 11:22:17 GMT

Here's an extremely high level of how I would do it:

Configure management interface
Assign temporary interface IPs or don't connect data interfaces into the network yet, configure all routing platform settings, etc.
Assign the same policies to the 3100 as the previous box.
Schedule a time to perform a hot cut as appropriate.

Re: Migrate cisco FTD from series 2000 to series 3000

Aref Alsouqi — Thu, 17 Oct 2024 15:44:50 GMT

I don't have any documentation at handy for this, sorry, but I think the latest Cisco firewall migration tool would allow you to migrate from FTD to FTD, you could explore that as an option. However, as mentioned by @ahollifield the easiest way would be to stage the new firewall with all the initial settings, and then register it to the FMC and apply all the required policies to it. One thing to keep in mind is that if you have any packages/profiles such as AnyConnect/Secure Client installers/profiles on the 2000 firewall then you would need to move those to the 3000 firewall. Also, if you have identity certificates on the 2000 then you would need to regenerate those ones for the 3000 firewall.

Re: Migrate cisco FTD from series 2000 to series 3000

Marius Gunnerud — Thu, 17 Oct 2024 19:03:53 GMT

I have done this a few times and it is not difficult. For this process you will only need a unique IP for the management interface. Here is what I did.

Install the FTD in the rack and connect only the management interface to the network. If you will be managing the FTD via the Data interface and have available IPs in that network, then connect that interface also.
Duplicate all policy configuration from the old FTD (ACP, NAT, Health, etc)
Configure all interfaces and assign those interface to their respective security zones.
configure routing
configure VPN (if needed)
associate policies you duplicated earlier to the new FTD.
deploy configuration to the FTD,
move cables from the old FTD to the new FTD.
Test.
if there are issues during testing move cables back to old ftd while fixing to limit downtime.

Re: Migrate cisco FTD from series 2000 to series 3000

Marvin Rhoads — Fri, 18 Oct 2024 12:25:39 GMT

There is a new wizard in FMC 7.4+ that handles 95% of this for you automatically.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/migration/threat-defense/b_secure-firewall-threat-defense-model-migration.html