Solved: Re: Proper way to move managed devices to another FMC

Ben Lau · ‎05-27-2018

Hi all,

I am not sure if this has been discussed or not. I am looking for recommendations on how to move some new Firepower service modules, which run on various ASA 5500-X's and performing only monitoring, from their currently registered virtual FMC to a new physical FMC. None of these ASA's is running FTD yet. My biggest concern is the classic licenses of those managed devices.

Is it going to be a simple two steps: 1) "delete device" from current vFMC; and 2) "register device" with the new FMC? I suppose there is no additional work to be done using the classic license portal.

Thanks for your help in advance!!

yogdhanu · ‎05-27-2018

Hi

Yes, the steps are correct.

Licenses would need be re-issued using the license key of new FMC where the devices would be registered.

You can do the license step before or after registration on new FMC. I would suggest to do it before so the new FMC already has licenses (classic) once modules are registered to it.

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/200376-Obtain-the-License-Key-for-a-Firepower-D.html

To bind the licenses again with the new license key/ FMC, either an email can be sent to licensing@cisco.com or you can issue licenses yourself at https://www.cisco.com/go/license but you would need your PAK no. for the licenses of modules along with the license key from new FMC.

Hope it helps,

Yogesh

View solution in original post

yogdhanu · ‎05-27-2018

Hi

Yes, the steps are correct.

Licenses would need be re-issued using the license key of new FMC where the devices would be registered.

You can do the license step before or after registration on new FMC. I would suggest to do it before so the new FMC already has licenses (classic) once modules are registered to it.

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/200376-Obtain-the-License-Key-for-a-Firepower-D.html

To bind the licenses again with the new license key/ FMC, either an email can be sent to licensing@cisco.com or you can issue licenses yourself at https://www.cisco.com/go/license but you would need your PAK no. for the licenses of modules along with the license key from new FMC.

Hope it helps,

Yogesh

Ben Lau · ‎05-30-2018

Thanks Yogesh. I will follow your suggestions and share my experience with the community later.

Ben Lau · ‎06-12-2018

Just to share my experience and one note with you, about moving the classic licenses from one FMC to another.

It is very important, at least for us, to keep track of the actual associations of PAK's and managed devices. i.e. which managed device has which PAK's. Several reasons but main one is, we have managed devices around the world and those managed devices were purchased at different time, and with different duration of AMP and/or URL subscriptions. When it comes to re-host a license, it is very important to be able to pick the right license (which was generated using a specific PAK), for the managed device that is being moved. Reason is, not all devices are the same model and having the same features, and service subscriptions, and we could not move all at the same time. :)

Hope these notes could help someone else who is in the same situation.