ASA 8.2 to FTD 2130 via FMC migration

AurangzebK
Level 1

Hi Guys,

I am relatively new to firewalls (both ASA and FTD) and have a few queries related to this migration.

I am migrating from ASA 8.2 to FTD 2130 (via FMC). Since there is no automatic migration path, I am doing all my migration manually.


1: Is it the right practice to convert all ASA 8.2 policies to pre-filter policies? Would that be sufficient for a stable migration of the existing policies?

2: I deployed one policy to FTD via FMC and noticed that FTD does not take an interface security level value. Is this normal for FTD?

3: In the existing ASA 8.2, the outside policy takes the public IP address (pre-NAT). Below is one such policy.

"access-list OUTSIDE extended permit tcp any host 203.25.149.14 object-group TCP_1"

Not sure, but I read somewhere that on 8.3 or above you have to mention the real IP of the server? Does this apply to FTD as well? Am I right to convert the above policy to FTD as below?

Src zone: OUTSIDE   Src network: any   Dest network: 172.16.2.15 (real IP of server)   Dest port: TCP_1

TCP_1 is a port object group




4: Am I correct to convert the 8.2 ACL to an FTD pre-filter policy as below?

ASA 8.2 ACL: "access-list INSIDE extended permit object-group SERVICE_17 object-group NETWORK_15 object-group NETWORK_50 object-group SERVICE_10"

FTD policy: Source zone: INSIDE   Src network: NETWORK_15   Dest network: NETWORK_50   Src port: SERVICE_17   Dest port: SERVICE_10

Object definitions:
   SERVICE_17 = port object group (includes different TCP and UDP ports)
   SERVICE_10 = port object group (includes different TCP and UDP ports)
   NETWORK_15 = network object group (includes different internal IPs)
   NETWORK_50 = network object group (includes different internal IPs)

 

Regards
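Added example (not from the post, and not a Cisco migration tool): a small Python script that walks ASA 8.2-style `access-list ... extended` lines and lays each one out in the fields the post uses for an FMC rule (source zone, source/destination network, source/destination port). It follows the positional grammar of the command and uses the `object-group` headers to tell network groups from service groups, which is what decides whether an `object-group` token after the source address is a source port or the destination. Two checks tied to the questions above are built in: a destination that matches the mapped address of an 8.2 `static` line is rewritten to the real address, because 8.3+ and FTD rules are written against real (untranslated) addresses; and a service group sitting in the protocol slot, as in the INSIDE ACL, is flagged for confirmation with `show access-list <name>` on the ASA (which prints the expanded entries) rather than being silently assigned to a port field. The object-group contents, the `static` and `access-group` lines, and the assumption that the FMC zone carries the interface name are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in ASA 8.2 syntax, modelled on the ACLs in the post. The group
# contents, the static NAT line and the access-group lines are assumptions.
SAMPLE_CONFIG = """\
object-group service TCP_1 tcp
 port-object eq 443
 port-object eq 8443
object-group service SERVICE_17 tcp-udp
 port-object eq 53
object-group service SERVICE_10 tcp-udp
 port-object range 1024 65535
object-group network NETWORK_15
 network-object 172.16.2.0 255.255.255.0
object-group network NETWORK_50
 network-object host 172.16.3.10
static (inside,outside) 203.25.149.14 172.16.2.15 netmask 255.255.255.255
access-list OUTSIDE extended permit tcp any host 203.25.149.14 object-group TCP_1
access-list INSIDE extended permit object-group SERVICE_17 object-group NETWORK_15 object-group NETWORK_50 object-group SERVICE_10
access-list INSIDE extended deny ip any any
access-group OUTSIDE in interface outside
access-group INSIDE in interface inside
"""

PORT_OPERATORS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}  # operator -> operand count


@dataclass
class FtdRule:
    """The fields the post fills in for an FMC access-control / prefilter rule."""
    acl: str
    action: str
    protocol: str
    src_zone: str
    src_network: str = ""
    dst_network: str = ""
    src_port: str = ""
    dst_port: str = ""
    notes: list = field(default_factory=list)


def object_group_kinds(config):
    """object-group name -> kind (network / service / protocol ...) from the headers."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"^object-group (\S+) (\S+)", config, re.M)}


def static_nat_map(config):
    """mapped (public) address -> real address from 8.2 'static (real,mapped) mapped real' lines."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^static \(\S+\) (\S+) (\S+) netmask", config, re.M)}


def acl_interfaces(config):
    """ACL name -> interface it is applied inbound on (assumed to be the FMC zone name)."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^access-group (\S+) in interface (\S+)", config, re.M)}


def _endpoint(tokens, i):
    """Parse one address term: any | host A | A MASK | object-group NAME."""
    t = tokens[i]
    if t == "any":
        return "any", i + 1
    if t in ("host", "object-group"):
        return tokens[i + 1], i + 2
    return f"{t} {tokens[i + 1]}", i + 2


def _port(tokens, i, kinds):
    """Parse an optional port term; ('', i) when the next term is not a port."""
    if i >= len(tokens):
        return "", i
    t = tokens[i]
    if t in PORT_OPERATORS:
        n = PORT_OPERATORS[t]
        return " ".join(tokens[i:i + 1 + n]), i + 1 + n
    if t == "object-group" and kinds.get(tokens[i + 1]) == "service":
        return tokens[i + 1], i + 2
    return "", i


def parse_acl_line(line, kinds, nat, zones):
    m = re.match(r"access-list (\S+) extended (permit|deny) (.*)", line)
    if not m:
        return None
    acl, action, rest = m.groups()
    tokens = rest.split()
    rule = FtdRule(acl=acl, action=action, protocol="", src_zone=zones.get(acl, acl))
    i = 0
    if tokens[0] == "object-group":
        rule.protocol, i = tokens[1], 2
        if kinds.get(tokens[1]) == "service":
            # A service group in the protocol slot is not a plain source-port term;
            # the expanded entries on the box are the authority on what it matches.
            rule.notes.append(f"service group {tokens[1]} is in the protocol slot; confirm "
                              f"with 'show access-list {acl}' before mapping it to a port field")
    else:
        rule.protocol, i = tokens[0], 1
    rule.src_network, i = _endpoint(tokens, i)
    rule.src_port, i = _port(tokens, i, kinds)
    rule.dst_network, i = _endpoint(tokens, i)
    rule.dst_port, i = _port(tokens, i, kinds)
    # 8.3+ and FTD rules name the real (untranslated) address, so a pre-8.3 rule
    # written against the mapped address has to be rewritten.
    for attr in ("src_network", "dst_network"):
        addr = getattr(rule, attr)
        if addr in nat:
            setattr(rule, attr, nat[addr])
            rule.notes.append(f"{attr}: mapped {addr} -> real {nat[addr]} (from 8.2 static NAT)")
    if i != len(tokens):
        rule.notes.append("unparsed trailing tokens: " + " ".join(tokens[i:]))
    return rule


def convert(config):
    kinds, nat, zones = object_group_kinds(config), static_nat_map(config), acl_interfaces(config)
    rules = [parse_acl_line(l, kinds, nat, zones) for l in config.splitlines()]
    return [r for r in rules if r is not None]


if __name__ == "__main__":
    for rule in convert(SAMPLE_CONFIG):
        print(rule)
```

Run against a saved `show running-config` instead of the sample and the `notes` field of each rule becomes the worklist: every mapped-to-real rewrite and every ambiguous service group is listed next to the rule it belongs to, so it can be checked against the device before the rule is built in FMC.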

 
