topic Re: Migration Configuration From TWO ASA TO TWO FTD in Network Security

Migration Configuration From TWO ASA TO TWO FTD

foahmed — Wed, 29 Oct 2025 13:45:56 GMT

Dear,

I have FMC manage two ASA box , I need Migration All configuration from two ASA to a new two FTD model (3105 NGFW) , notes the same FMC manage anew FTD boxes and migration with the same IP MGMT .

what is the best way to migration the same configuration to A new FTD boxes with the same IP MGMT at the same FMC ?

Re: Migration Configuration From TWO ASA TO TWO FTD

nspasov — Wed, 29 Oct 2025 19:32:36 GMT

Have you explored the migration tool?

Thank you for rating helpful posts!

Re: Migration Configuration From TWO ASA TO TWO FTD

balaji.bandi — Wed, 29 Oct 2025 21:24:57 GMT

FMC manages ASA (what code is running?)

A migration tool can help you, but there are always limitations.

If this is a small rule base, my suggestion is as follows: if

you want to move the same management IP, it may not work; at some point in time, you need to take the ASA offline and bring the FTD online.

So, it's better to choose a different Management IP for FTD, as it's a good option. And make a rule base (and you get a chance to remove all legacy stuff that's not carried forward).

If ASA is in HA, and FTD is also going to be HA?

Re: Migration Configuration From TWO ASA TO TWO FTD

foahmed — Thu, 30 Oct 2025 07:47:02 GMT

Dear,

If use different MGMT IP and register anew FTD on the same FMC , when I need migration configuration like the same ip of the interface from ASA to FTD , Is effect or conflict occur or not ?

Re: Migration Configuration From TWO ASA TO TWO FTD

balaji.bandi — Thu, 30 Oct 2025 07:59:03 GMT

As mentioned, the best I can think of is that MGMT IP will be new, and you can migrate the rest of the configuration. (either using the Migration tool or Manual config - depends on your comfort.)

Every migration is different, so you need to plan what works for you. I have mentioned two options; please decide which you want to go with.

Even if you want to register FTD with FMC, you cannot use the same IP address for the Live ASA and the new FTD, right?

Re: Migration Configuration From TWO ASA TO TWO FTD

foahmed — Thu, 30 Oct 2025 08:06:24 GMT

Dear,

I planning to use anew MGMT IP for FTD and register it on the same FMC , I need best way or steps to migrate all configuration Manual from ASA to FTD .

If migrate the same ips of the interfaces from ASA to FTD when two devices register on the same fmc , Is face any effect or duplicate or conflict or not?

Re: Migration Configuration From TWO ASA TO TWO FTD

Jonatan Jonasson — Thu, 30 Oct 2025 09:20:48 GMT

you should be able to start configuring the FTD with the same IPs, as long as the FTD doesn't have those interface connected to anything that could cause a conflict.

Migration-wise, the migration tool can be a good starting point, but it really comes down to how big and complex the your configuration is.
It's important to understand one big difference between ASA and FTD, with FTD being a zone-based firewall, and the ASA is not.
Because of this, the policy migration isn't always straightforward, so be sure to review the output from the migration tool.

Re: Migration Configuration From TWO ASA TO TWO FTD

foahmed — Thu, 30 Oct 2025 10:59:39 GMT

I decided use the new MGMT IP for New FTD Devices but you have misunderstanding I have FTD Version 6.6.7 running on ASA Model 5525-X , so I need migrate the all configuration from old boxes to new FTD Model 3105 ,so I need best steps to migrate manual ok.

If I register New FTD on the same FMC manage old ASA device , and configure all interfaces on anew FTD devices by the same name and IP address , will face any conflict of ips or not?

Re: Migration Configuration From TWO ASA TO TWO FTD

Marius Gunnerud — Thu, 30 Oct 2025 11:39:30 GMT

To manage the ASA and FTD in the same FMC you would need to upgrade the FMC to 7.0.x and most likely have the 3105 FTD delivered with 7.0.x or have to down grade it manually as they will most likely be shipped with version 7.6.2 if you do not request anything else. I DO NOT RECOMMEND DOING THIS. 7.0.x has a ton of bugs which can cause more problems that the actual migration.

Depending on if the FMC is a physical device or virtual device, the course of action might change a little.

If your FMC is a virtual device, your best course of action is to setup a new virtual FMC running a 90 day trial license and associate the new FTDs to this (just be sure the mgmt IPs are different and that the data interfaces are not connected to the network or at least in admin shutdown). Then migrate the configuration, either manually or via script/API. Depending on how much config is to be migrated might determine if you go for manual or script migration.

From one point of view this migration comes with little risk, that is to say if something does not work during the cutover you can just move back to the old ASAs, fix the FTD config and try again (very little down time).

Now, if this is a physical FMC this becomes a bit more risky. In this case, unless you are replacing the FMC, you would need to disconnect the FMC from the production network so that the ASAs lose connectivity to the FMC (as if the FMC has failed). That way the ASAs see the FMC as failed and will continue to operate as usual (DO NOT UNREGISTER / REMOVE THE ASAs FROM THE FMC). Before continuing make sure you have screenshots / notes of the interface configuration, routing configuration, all VPN configuration, and NAT configuration (possibly). Basically any configuration that references a physical interface name in case something goes wrong and all that configuration is removed.

Then in a staging network, upgrade the FMC to v7.6.2+ or whichever version is running on the FTD3105s or higher and then register the FTDs to the FMC. Now configure the interfaces, routing and VPNs, associate the interfaces to the relevant security zones and / or groups and you should be all set.

Re: Migration Configuration From TWO ASA TO TWO FTD

foahmed — Thu, 30 Oct 2025 11:51:07 GMT

I dont need to deploy Anew FMC , I have already Virtual FMC ,SO I need register anew FTD on the same FMC and migrate configuration from old boxes ASA to Anew FTD .

the question , when migrate the configuration like same name and ip for interface from old device to anew ftd , did face any conflict of ips or name or not? note: The same fmc mange old devices and new ftd device and migrate at the same time .

Re: Migration Configuration From TWO ASA TO TWO FTD

balaji.bandi — Thu, 30 Oct 2025 13:37:03 GMT

Once the new MGMT IP is configured on FTD and onboarded to FMC, the remaining configuration can be created as long as the interfaces are not connected to the Live network. This can be a Migration tool or manual work.

Other post suggested here—make sure you have the same version of FTD running if you want to restore the config. Also, make sure FMC and FTD Are Upgraded to the latest code to mitigate many security breaches caused by the old code.

Note : always read the release notes before upgrade, and take backups out of the box in case need to restore required.

Re: Migration Configuration From TWO ASA TO TWO FTD

Marius Gunnerud — Thu, 30 Oct 2025 13:40:50 GMT

IPs can be the same so long as the interfaces on the new FTDs are in "shutdown". As for the naming, you would need new names for the physical interfaces, temporarily, and then once the ASA5525s are removed from the FMC you can update the names accordingly if needed.

Just keep in mind that the highest FMC version you can have is 7.2 to still be able to manage the ASAs running 6.6.7. Depending on what image the FTD3105s have been shipped with, you might need to downgrade them for the migration.

Re: Migration Configuration From TWO ASA TO TWO FTD

Marvin Rhoads — Thu, 30 Oct 2025 15:28:42 GMT

Are your ASAs actually running FTD image or just ASA base + Firepower service module?

If it is #1 then I would recommend just manually building a new FMC with 7.6.3 and recreate the Access Control Policy, NAT, device configuration etc. manually on it.

If it is #2 you can use the Firewall Migration Tool (FMT) as suggested by @nspasov . I would still build a new FMC since an old 6.6.7 FMC is not very useful except to inspect any policies that need to be rebuilt on the new FMC.