cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

6479
Views
13
Helpful
38
Replies

i have to do this for

i have to do this for multiple sites,  also, enabling logging on all 300 rules is the manual process , I think  No tool help with this,  logging is also required to see the logs at FMC.

Wondering, why Cisco migration tool is not doing this ...

Rising star

Re: i have to do this for

You can use the FMC REST API to update the configuration of multiple ACP rules. I frequently use it to enable logging for all ACP rules missing the logging configuration.

Highlighted

Re: i have to do this for

Hey Mate,

thanks for reply.

 

Do you able to share steps or documents that can help me on this ? Telling me how to use REST API for this configuraiton..

 

Also, Do you have any python script that can help to clean-up ASA configuration?

Rising star

Re: i have to do this for

If you are interested I wrote a blog post yesterday on how to use the fmc rest api. I created a small script to enable syslog alerts for access-control-policy rules. You can find it here: http://dependencyhell.net/2017/08/27/Automating-ACP-Bulk-Changes/

In case anything is unclear let me know.

p.s. what do you mean by cleaning up ASA configuration. What is it that you want to clean up?

regards
Oliver

Not applicable

i was having the same issue,

i was having the same issue, contacted Tac tried the following things and it worked:

Removed any header and trailer contents on the running config output, as I have seen this in past.

 

The file looked like the example below: 

 

ASA Version 9.4(2)11 

hostname CPXXXXXXXXX 

domain-name cisco.com 

… 

prompt hostname state priority 

no call-home reporting anonymous 

Cryptochecksum:a3a5cbd25d6xxxxxxxxxxd7ae9522691

 

Also make sure the ASA configuration file is not encoded in unsupported format, as only UTF8 is supported ( for me it worked in ANSI mode) 

hope it helps

Re: i was having the same issue,

This did the trick for me - Thanks

Tip: "ASA Version" needs to be at the top in the document - no carriage return or line breaks before it.

Re: i was having the same issue,

I am also planning to upgrade my ASA 5520 to Firepower appliance. Can anyone please assist if we can create sub interfaces on FIrePOWER ?
my firewall has many sub interfaces under FE0/1.
Will tool automatically convert the ASA configuration to FTD compatible script including sub interface details ?
Regards,
Saurabh

Re: i was having the same issue,

Are you planning to upgrade to FTDs?

If so, tool would not help you to create interfaces.

 

You need to create interface /sub-interface by own, this has to be done at FMC once you have your FTDs regiesterd. 

 

Tool is only helpful to migrate firewall rules, you need to tune the existing rules before uplaoding the configurtation to the FMC tool.

Let me know if you have any questions, I have done this in the past and could able to guide/help.

Re: i was having the same issue,

You can create sub-interface on the Firepower.

Script will just help you to convert the firewall policies. Any other settings inlcuding interface creation need to be done manually.