topic Replace Firepower 4110 with Firepower 3130 in Network Security

Replace Firepower 4110 with Firepower 3130

adamscottmaster2013 — Sun, 03 May 2026 23:12:05 GMT

I am going to replace my existing Firepower 4110 appliance running FTD 7.0.9 let call it with the
name fp4110, managed by the FMC running 7.4.7, with a new Firepower 3130 appliance, let call it
fp3130. All existing IP address(es) with the exception of the management IP address of the
appliance will remain the same on both the fp4110 and fp3130. The fp3110 will be running a newer
version 7.4.7. I have not worked with Cisco FTD in years, so I am thinking of doing this below:

a- Rack fp3130 and connect all the cables but the switchport(s) on the switch(es) will be disabled,
b- Enable the management interface on the fp3130,
c- Connect the fp3130 to the FMC,
d- Configure interfaces on the fp3130 with the same IP address(es), and zone(s) as the fp4110, in the FMC,
f- Configure static routing on the fp3130 exactly the same as the fp4110,
g- Assign the same access policy of the fp4110 to the fp3130,
h- Assign the same NAT policy of the fp4110 to the fp3130,
i- Clone the same platform settings of the fp4110 to the fp3130,
j- Deploy the access policy, NAT, and platforms settings to both the fp4110 and fp3130,
k- Confirm both the fp4100 and fp3130 has the same access policy, NAT, and platform settings,
l- Disable switchport(s) on the switch, with the exception of the management interface, that are connected to the fp4110,
m- Enable switchport(s) on the switch that are connected to the fp3130,
n- Clear the arp table on the switch(es),
o- Validate all interfaces on the fp3130 are up and operational,
p- Start the validation,

This will minimize the interruption because this is the Internet firewalls. Comments are welcome.

Thoughts?

Re: Replace Firepower 4110 with Firepower 3130

Aref Alsouqi — Mon, 04 May 2026 09:12:37 GMT

I think you got everything covered here. Just couple things come to mind, if you are using interfaces groups on the 4110 then I think you would need to assign the 3130 interfaces to those groups. The other thing is that if the current 4110 firewalls terminate any remote VPN connections then you might need to generate a new SSL cert and assign it to the 3130 outside interface as well as uploading the Secure Client packages to the 3130s. With regard to clearing the arp table on the switches, I don't think that is necessary as the new 3130s will announce their MAC addresses to the switches when they are inline.

Re: Replace Firepower 4110 with Firepower 3130

Aref Alsouqi — Mon, 04 May 2026 09:15:32 GMT

Actually another thing came to mind is that if you have any RADIUS/TACACS servers that are used by the current 4110 firewalls then you might need to create new clients on those servers with the new management IPs of the 3130s. Also, if you have any monitoring tools that are currently pointing to the 4110 management IPs then those need to be updated to point to the new 3130s management IPs.

Re: Replace Firepower 4110 with Firepower 3130

adamscottmaster2013 — Mon, 04 May 2026 11:16:50 GMT

@Aref Alsouqi - Thank you. We do not use the FP4110 for either SSL or remote VPN connections. We are also not using interfaces group.

Re: Replace Firepower 4110 with Firepower 3130

adamscottmaster2013 — Mon, 04 May 2026 11:17:49 GMT

@Aref Alsouqi - Thank you. We're using neither Radius or TACACS+ servers on the current fp4110.

Re: Replace Firepower 4110 with Firepower 3130

Marvin Rhoads — Mon, 04 May 2026 12:22:00 GMT

The much easier and recommended path would be to use the Secure Firewall Threat Defense model migration wizard.

Also, run version 7.6.5 on FMC and FTD 7.6.4 on the 3130 as those are the current suggested releases. I would upgrade the 4110 first to 7.2.11 so that it can be managed by FMC 7.6.5. (FMC 7.6.x can only manage back to version 7.1.x+)

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/migration/threat-defense/b_secure-firewall-threat-defense-model-migration-761.html