topic Re: FMC 1000 to HA FMC 1600: Upgrade Strategy & CUFA to ISE-PIC Mi in Network Security

FMC 1000 to HA FMC 1600: Upgrade Strategy & CUFA to ISE-PIC Migration

GHOZLANE Haroun — Wed, 05 Mar 2025 18:21:41 GMT

Hi Dears,

I’m currently managing a Cisco FMC 1000 running version 6.6.4, which oversees 6 Cisco Firepower 2110 firewalls (also on 6.6.4) in an active-standby setup.

I’m planning to:

Replace the existing FMC 1000 with two FMC 1600 in a high-availability (HA) configuration.
Upgrade both the FMC and firewalls to the recommended version 7.4.2.
Replace CFUA with Cisco ISE-PIC for user identity services.

I’d appreciate any best practices, recommendations, or lessons learned from those who have performed similar migrations. Specifically, I’d like guidance on:

The smoothest approach to setting up FMC HA while minimizing disruption.
Best upgrade path for the firewalls to 7.4.2.
Considerations when transitioning from CUFA to ISE-PIC.

Thanks in advance for your support .

Re: FMC 1000 to HA FMC 1600: Upgrade Strategy & CUFA to ISE-PIC Mi

Marvin Rhoads — Wed, 05 Mar 2025 17:49:30 GMT

Plot out a compatibility course following the information here: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/compatibility/management-center-compatibility.html#id_37880

Depending on what it shipped with, you may need to reimage the FMC 1600 since 6.6.4 devices can only be managed with FMC 7.2.x or lower.

We would follow the FMC model migration guide detailed here: https://www.cisco.com/c/en/us/td/docs/security/firepower/fmc_model_migration/b_FMC_Model_Migration_Guide/m_fmc_migration_workflow.html

As always, we first upgrade FMC (subject to the compatibility matrix) and then managed devices.

Your 6.6 devices would have to go to 7.2 first and then to 7.4.1. Finally, you can patch to 7.4.2.2 (current latest release for the 2110s).

I would wait until the end to make your FMC HA as that will be quickest overall.

Once FMC and the firewalls are upgraded, you can install and integrate ISE-PIC. Make sure it is getting good identity information before integrating it into FMC.

Re: FMC 1000 to HA FMC 1600: Upgrade Strategy & CUFA to ISE-PIC Mi

GHOZLANE Haroun — Wed, 05 Mar 2025 18:29:50 GMT

Dear @Marvin Rhoads ,

Thanks very much , What’s the update on the CFUA migration to ISE-PIC? When is it expected to be done?

CFUA is already end-of-life and no longer supported.

Re: FMC 1000 to HA FMC 1600: Upgrade Strategy & CUFA to ISE-PIC Mi

Marvin Rhoads — Thu, 06 Mar 2025 06:49:57 GMT

CFUA is not really a migration per se. The new version of FMC will not have any feature to enable CFUA. Instead, you just create a new integration for your ISE-PIC.

It has no relation to anything that was setup in CFUA except for the fact that it does the same job - provide username to IP address mapping to FMC for visibility and (optionally) use in policy enforcement when integrated with an AD or LDAP realm.