https://community.cisco.com/t5/network-security/i-need-to-migrate-a-virtual-firepower-management-center-to-a/m-p/3834138#M133536 <P>You gonna have some downtime. Event with import export features it is difficult to have 0 downtime migration.&nbsp;</P><P>Once you start importing the policies to the new FMC, you need to associate the zones from you ACP rules with interfaces. This means you need to connect your FTDs before policy import. If you have identity policy, than you should do the integration before the policy import because ACP rules are using identities from external sources.&nbsp;</P><P>NAT and routing are features without export functions. It is expected (but not pleasant) behavior.&nbsp;</P><P>Since Firepower 6.3 FTD could be backuped. My suggestion is to create backup of the sensors with all the policies they have(routing, NAT, interface conf, flexconfig, etc), and then revert the backup from the new FMC. You cannot revert a backup of FMCv to FMC hardware, but FTD backup is just for the FTD, whatever is the FMC managing it.&nbsp;</P><P>I suppose Edgar did this long time ago, but I am sharing my thought for the rest interested.&nbsp;</P><P>And call TAC only you are facing an issue. If you need assistance for migration, than advanced services is the team you need. Or third party Firepower experts like me <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P> Mon, 08 Apr 2019 11:30:18 GMT ivanradevradev_ 2019-04-08T11:30:18Z https://community.cisco.com/t5/network-security/i-need-to-migrate-a-virtual-firepower-management-center-to-a/m-p/3086012#M133534 <DIV>I<SPAN style="font-family: arial, helvetica, sans-serif;"> need to migrate a virtual Firepower Management Center to a physical Firepower Management Center (Version 6.2.0-362 /&nbsp;<A href="http://patch-6.2.0.1-59.sh/" target="_blank" data-saferedirecturl="https://www.google.com/url?hl=en&amp;q=http://patch-6.2.0.1-59.sh/&amp;source=gmail&amp;ust=1501874585510000&amp;usg=AFQjCNH2iW_5rRuu_9Gx0iDa6SFqR9KXkw">Patch-6.2.0.1-59.sh</A>)</SPAN></DIV> <DIV></DIV> <DIV><SPAN style="font-family: arial, helvetica, sans-serif;"></SPAN></DIV> <DIV><SPAN style="font-family: arial, helvetica, sans-serif;">Per documentation the backup/restore procedure is not recommended.</SPAN></DIV> <DIV><SPAN style="font-family: arial, helvetica, sans-serif;">&nbsp;</SPAN></DIV> <DIV><SPAN style="font-family: arial, helvetica, sans-serif;"><A href="http://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/backup_and_restore.html#ID-2200-00000297" target="_blank" data-saferedirecturl="https://www.google.com/url?hl=en&amp;q=http://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/backup_and_restore.html%23ID-2200-00000297&amp;source=gmail&amp;ust=1501874585510000&amp;usg=AFQjCNFqTGJibmnGiDy9BZiwXdymYgxiAA">http://www.cisco.com/c/en/us/t<WBR />d/docs/security/firepower/610/<WBR />configuration/guide/fpmc-confi<WBR />g-guide-v61/backup_and_restore<WBR />.html#ID-2200-00000297</A></SPAN></DIV> <DIV><SPAN style="font-family: arial, helvetica, sans-serif;">"Do not restore backups created on virtual Firepower Management Centers to physical Firepower Management Centers — this may stress system resources."</SPAN></DIV> <DIV><SPAN style="font-family: arial, helvetica, sans-serif;">&nbsp;</SPAN></DIV> <DIV><SPAN style="font-family: arial, helvetica, sans-serif;"></SPAN></DIV> <DIV><SPAN style="font-family: arial, helvetica, sans-serif;">&nbsp;So, do we need to follow the export/import procedure?</SPAN></DIV> <DIV><SPAN style="font-family: arial, helvetica, sans-serif;">&nbsp;</SPAN></DIV> <DIV><SPAN style="font-family: arial, helvetica, sans-serif;">&nbsp;We've tried this procedure in a lab environment:</SPAN></DIV> <DIV><SPAN style="font-family: arial, helvetica, sans-serif;">&nbsp;</SPAN></DIV> <DIV><SPAN style="font-family: arial, helvetica, sans-serif;">- Update physical FMC to the same Patch than Virtual</SPAN></DIV> <DIV><SPAN style="font-family: arial, helvetica, sans-serif;">- Export configuration on virtual FMC</SPAN></DIV> <DIV><SPAN style="font-family: arial, helvetica, sans-serif;">- Import configuration on physical FMC</SPAN></DIV> <DIV><SPAN style="font-family: arial, helvetica, sans-serif;">- Disabled the HA on virtual FMC</SPAN></DIV> <DIV><SPAN style="font-family: arial, helvetica, sans-serif;">- Desassociate both FTDs from virtual FMC</SPAN></DIV> <DIV><SPAN style="font-family: arial, helvetica, sans-serif;">- Associate both FTDs on physical FMC</SPAN></DIV> <DIV><SPAN style="font-family: arial, helvetica, sans-serif;">&nbsp;</SPAN></DIV> <DIV><SPAN style="font-family: arial, helvetica, sans-serif;">&nbsp;We noticed that the static routes and NATs are not imported in export/import procedure, both configuration disappears from FTD after associate on physical FMC.</SPAN></DIV> <DIV><SPAN style="font-family: arial, helvetica, sans-serif;">&nbsp;</SPAN></DIV> <DIV><SPAN style="font-family: arial, helvetica, sans-serif;">&nbsp;The customer doesn't want downtime, is this the right procedure? Is there any way to keep static routes and NAT?</SPAN></DIV> Tue, 12 Mar 2019 09:46:24 GMT https://community.cisco.com/t5/network-security/i-need-to-migrate-a-virtual-firepower-management-center-to-a/m-p/3086012#M133534 Edgar Machado 2019-03-12T09:46:24Z https://community.cisco.com/t5/network-security/i-need-to-migrate-a-virtual-firepower-management-center-to-a/m-p/3086013#M133535 <P>I'd recommend opening a TAC case on this one.</P> <P>The static routes and NATs not transferring sounds like a bug.</P> <P>Even with that resolved, I'm pretty sure there is going to be downtime involved.</P> Fri, 04 Aug 2017 02:07:46 GMT https://community.cisco.com/t5/network-security/i-need-to-migrate-a-virtual-firepower-management-center-to-a/m-p/3086013#M133535 Marvin Rhoads 2017-08-04T02:07:46Z https://community.cisco.com/t5/network-security/i-need-to-migrate-a-virtual-firepower-management-center-to-a/m-p/3834138#M133536 <P>You gonna have some downtime. Event with import export features it is difficult to have 0 downtime migration.&nbsp;</P><P>Once you start importing the policies to the new FMC, you need to associate the zones from you ACP rules with interfaces. This means you need to connect your FTDs before policy import. If you have identity policy, than you should do the integration before the policy import because ACP rules are using identities from external sources.&nbsp;</P><P>NAT and routing are features without export functions. It is expected (but not pleasant) behavior.&nbsp;</P><P>Since Firepower 6.3 FTD could be backuped. My suggestion is to create backup of the sensors with all the policies they have(routing, NAT, interface conf, flexconfig, etc), and then revert the backup from the new FMC. You cannot revert a backup of FMCv to FMC hardware, but FTD backup is just for the FTD, whatever is the FMC managing it.&nbsp;</P><P>I suppose Edgar did this long time ago, but I am sharing my thought for the rest interested.&nbsp;</P><P>And call TAC only you are facing an issue. If you need assistance for migration, than advanced services is the team you need. Or third party Firepower experts like me <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P> Mon, 08 Apr 2019 11:30:18 GMT https://community.cisco.com/t5/network-security/i-need-to-migrate-a-virtual-firepower-management-center-to-a/m-p/3834138#M133536 ivanradevradev_ 2019-04-08T11:30:18Z https://community.cisco.com/t5/network-security/i-need-to-migrate-a-virtual-firepower-management-center-to-a/m-p/5156413#M1114897 <P>Hi Marvin you know if you can&nbsp;use a backup file of physical FMC on a virtual FMC?</P> Tue, 06 Aug 2024 11:31:40 GMT https://community.cisco.com/t5/network-security/i-need-to-migrate-a-virtual-firepower-management-center-to-a/m-p/5156413#M1114897 CiscoBrownBelt 2024-08-06T11:31:40Z