topic Re: Threat Defense Model Migration in Network Security

Threat Defense Model Migration

davparker — Thu, 19 Feb 2026 16:07:38 GMT

Hey all,

Does anyone have experience using the Threat Defense Model Migration? We are migrating from a 2110 in HA to a 3105 in HA. We are debating whether to do this manually or is it less error prone to use the migration utility built into FMC?

Thanks,
David

Re: Threat Defense Model Migration

balaji.bandi — Thu, 19 Feb 2026 17:44:19 GMT

check the model migration guide :

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/migration/threat-defense/b_secure-firewall-threat-defense-model-migration.html

Re: Threat Defense Model Migration

davparker — Thu, 19 Feb 2026 17:54:04 GMT

Thanks, I have the guide. I just have not tried this yet. If it works well, it looks like it would be a time saver. If it tends too be buggy, I think I'd rather manually do the migration to avoid delays with opening TAC cases.

Thannks,
David

Re: Threat Defense Model Migration

Rob Ingram — Thu, 19 Feb 2026 17:57:09 GMT

@davparker if the FTD is managed by an FMC you can just configure the basic to establish network connectivity and then apply the same policies already in use on the existing firewall.

Re: Threat Defense Model Migration

davparker — Thu, 19 Feb 2026 18:07:11 GMT

Thanks, it is. I'm leaning this way. Seems like the outcome might be more predictable. I've stood up enough of these lately. Also I can't find much of anything on user's experience using the Migrate tool. If it could migrate certificates I'd take a crack at it, but it looks like we'll need to re-enroll those no matter which way we go.

Re: Threat Defense Model Migration

Rob Ingram — Thu, 19 Feb 2026 18:17:28 GMT

@davparker it's simple enough to export/import the certificates - or better create new if internally signed certificate. Most of the time I prefer manual migrations (any vendor) as it's a good chance to get tweak the implementation and not migrate poor configuration.