topic Re: Firepower migration tool in Network Security

Firepower migration tool

Antonio Macia — Tue, 12 Mar 2019 14:01:56 GMT

Hello,

After migrating the firewall policy from an ASA to Firepower most of the objects in the rules were automatically grouped and named using the "DM_INLINE_NETWORK" or "DM_INLINE_SERVICE" naming convention. This difficult a lot the understanding and visibility of the policy. Is it possible to disable the grouping so the rules appear as they used to in the ASA?

Regards.

Re: Firepower migration tool

Marvin Rhoads — Mon, 15 Oct 2018 11:21:14 GMT

You can't disable the grouping as far as I know.

However if you start with an ASA config that has well-defined named groups (network objects, object groups etc.) they should be retained in the Firepower configuration.

Re: Firepower migration tool

Antonio Macia — Mon, 15 Oct 2018 15:14:58 GMT

Thanks, Marvin,

The ASA policy does have well-defined objects. For instance, an original ASA ACE that has 4 individuals objects as a destination get grouped under the "DM_INLINE_NETWORK_54" group when migrated. Same occurs for ports.

Only those ACEs where there is just a single object do not get grouped.

This is very frustrating because although the rules are there, the policy changes make it unmanageable.

Regards.

Re: Firepower migration tool

Rahul Govindan — Mon, 15 Oct 2018 15:47:59 GMT

Unfortunately, there is no way around this. The "DM_INLINE" objects are created by the ASDM when you edit or create network/service object groups on the GUI. The ASDM somehow understands the mapping and shows you the right groups separately, but the CLI still has the DM_INLINE references. Since you use the CLI config to migrate to the Firepower, this gets carried over. I really wish they did something about this in a later version of the migration tool.

Re: Firepower migration tool

Marvin Rhoads — Mon, 15 Oct 2018 15:53:08 GMT

Hey Rahul - correct me if I'm wrong but if you create well-named Network objects and groups in ASDM and then use those in your NAT rules, ACL entries etc. they will carry over as-is in the converted configuration - correct?

Only if you just click to add them graphically in ASDM directly (without first creating groups) will you get DM_INLINE objects.

Re: Firepower migration tool

Rahul Govindan — Mon, 15 Oct 2018 16:17:15 GMT

Yes @Marvin Rhoads, that is correct. If you use just a single pre-defined object group, then this is ok. But if you add more than 1 object/object-group in a single ACE, then the ASDM automatically bunches them into another object group with the DM_INLINE reference.

The problem is that ASDM has no indicator that DM_INLINE object-groups are being created, this is all in the backend (or use the preview commands feature of ASDM). So, if an administrator has been using ASDM in the past, there is most likely a bunch of rules with that reference that they don't know about until they look at the CLI.

Re: Firepower migration tool

Antonio Macia — Tue, 16 Oct 2018 06:49:51 GMT

Thanks @Rahul Govindan and @Marvin Rhoads for giving some light into this. I'm afraid manual work will be necessary to get rid of these DM_INLINE objects...

Re: Firepower migration tool

Munib Shah — Thu, 25 Oct 2018 13:18:20 GMT

@Antonio Macia With Firepower Migration Tool R1.1 you should be able to rename objects (bulk supported) within the tool itself. Here is the link to download the tool: https://www.cisco.com/c/en/us/products/security/firewalls/firepower-migration-tool.html

ASA rule optimization features explained here: https://www.youtube.com/watch?v=o2EIOh8s1Lo&t=1s

Re: Firepower migration tool

Rahul Govindan — Thu, 25 Oct 2018 19:14:12 GMT

@Munib Shah: Great to hear that this is fixed in the new version of the tool.

Re: Firepower migration tool

Antonio Macia — Mon, 29 Oct 2018 16:05:15 GMT

Thanks Munib. Sounds great!

I'll give it a try.

Re: Firepower migration tool

TM13 — Thu, 14 Feb 2019 06:23:02 GMT

Migration tool can be used only copying Objects and Services to FMC?

Re: Firepower migration tool

Munib Shah — Thu, 14 Feb 2019 06:32:37 GMT

Yes definitely. Just choose only Network and Port objects in the Selective Policy section (Step 2)

Re: Firepower migration tool

TM13 — Thu, 14 Feb 2019 06:37:06 GMT

Nice, thanks, but it taking 30mins so far with

Parsing in progress. Please refer to console logs for more details

Re: Firepower migration tool

Munib Shah — Thu, 14 Feb 2019 06:47:29 GMT

May i know your FMC and tool version?

From FMC 6.2.3.3 onward objects are pushed in bulk (1000 in one call) which should be much faster than it was before.

You can use the console window of the tool to verify which ones are currently being pushed.

Re: Firepower migration tool

TM13 — Thu, 14 Feb 2019 06:49:53 GMT

FMC is FMC Version: 6.2.3 (build 83)

Tool is Firepower_Migration_Tool_v1.2.0.2-2518.exe

Re: Firepower migration tool

Munib Shah — Thu, 14 Feb 2019 07:11:32 GMT

FMC 6.2.3 does not support bulk push for objects. While the migration should work, it may be quite slow. I would recommend to upgrade the FMC to atleast 6.2.3.3 patch for a faster migration experience.

Re: Firepower migration tool

TM13 — Thu, 14 Feb 2019 07:42:07 GMT

It is VM and latest one is 6.3.0.84 but i hadn't even clicked the next of ASA section.

Re: Firepower migration tool

TM13 — Thu, 14 Feb 2019 07:42:48 GMT

Re: Firepower migration tool

Munib Shah — Thu, 14 Feb 2019 08:43:00 GMT

Your tool is the latest already. I would recommend to upgrade the FMC to 6.2.3.3 patch so that the tool can push bulk objects. That would be much faster.