FTD impact of migrating FMC from VMWare to AWS

szymonsikorski — Tue, 15 Apr 2025 20:21:10 GMT

Hey,

We have a production FMC running in VMWare that needs migrating to AWS. Having looked through a bunch of docos and peoples posts on this community and Reddit, it seems migrating FMC is just as painful as the actual product itself. As far as I could find I have three option:
1) Import and export - Not suitable as doesn't export objects, certificates, remote access config and much more.
2) Backup restore - apparently only to be used for disaster recovery and doesn't work cross model (VMWare and AWS are different models)
3) Model migration script - Doesn't support migrating from VMWare to AWS

As none of the above seemed suitable for our use case, I searched the web and seen that people said tricking an FMC to think its a different model allows to restore from backup so I didnt he following:

1) Deployed FMC on AWS
2) Blocked it from talking to the FTDs on the management port as to avoid any issues with having 2 FMCs online
3) Ran the '/var/sf/etc/model-info/configure-model.sh' script and tricked the AWS model to think its VMWare model.
4) Backed up the production VMWare FMC
5) Uploaded the WMware FMC backup to the AWS FMC which thinks its VMWare
6) Restored AWS FMC from backup
7) Changed the AWS FMC back to AWS model by running the script again
😎Changed the AWS FMC back to its AWS allocated IP address instead of the one restored from backup

I don't have much experience with FTD and FMC so I'm not sure what happens when I allow the AWS FMC to talk to the FTDs and shut down the VMWare one. It's technically been restored from backup but obviously I messed around with the models and on top of that the FMC has a different IP address (unfortunately it has to). I'm wondering if anybody has done a similar thing and noticed if they need to reregister the firewall or whether there was any downtime observed.

Our FMC version is 7.2.5

Any help would be hugely appriciated!

Re: FTD impact of migrating FMC from VMWare to AWS

ahollifield — Wed, 16 Apr 2025 13:37:17 GMT

Why 7.2 and not 7.4 or 7.6? Also yes, there are ways to "hack" the migration scripts. Just note they have no support from Cisco.

Re: FTD impact of migrating FMC from VMWare to AWS

Marvin Rhoads — Mon, 21 Apr 2025 15:11:13 GMT

I did this about 2 years ago when moving from an op-premise FMC 4500 to an AWS FMCv300. In my case we removed the device from the on-prem FMC and registered it anew on the AWS instance and restored a device backup. It may have been a bit more than necessary, but we wanted to make doubly sure that nothing was missed as we were moving over about 50 production firewalls.

Re: FTD impact of migrating FMC from VMWare to AWS

Sheraz.Salim — Mon, 21 Apr 2025 18:15:45 GMT

Please consider following the advice of @Marvin Rhoads. He has assisted many, including myself, with the migration of the FMC100 and brings valuable expertise to this community.

topic FTD impact of migrating FMC from VMWare to AWS in Network Security

FTD impact of migrating FMC from VMWare to AWS

Re: FTD impact of migrating FMC from VMWare to AWS

Re: FTD impact of migrating FMC from VMWare to AWS

Re: FTD impact of migrating FMC from VMWare to AWS