Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2406
Views
0
Helpful
2
Replies

I need to migrate a virtual Firepower Management Center to a physical Firepower Management Center

Edgar Machado
Level 1
Level 1

‎08-03-2017 12:28 PM - edited ‎03-12-2019 02:46 AM

I need to migrate a virtual Firepower Management Center to a physical Firepower Management Center (Version 6.2.0-362 / Patch-6.2.0.1-59.sh)
Per documentation the backup/restore procedure is not recommended.
 
"Do not restore backups created on virtual Firepower Management Centers to physical Firepower Management Centers — this may stress system resources."
 
 So, do we need to follow the export/import procedure?
 
 We've tried this procedure in a lab environment:
 
- Update physical FMC to the same Patch than Virtual
- Export configuration on virtual FMC
- Import configuration on physical FMC
- Disabled the HA on virtual FMC
- Desassociate both FTDs from virtual FMC
- Associate both FTDs on physical FMC
 
 We noticed that the static routes and NATs are not imported in export/import procedure, both configuration disappears from FTD after associate on physical FMC.
 
 The customer doesn't want downtime, is this the right procedure? Is there any way to keep static routes and NAT?
Labels:
0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-03-2017 07:07 PM

I'd recommend opening a TAC case on this one.

The static routes and NATs not transferring sounds like a bug.

Even with that resolved, I'm pretty sure there is going to be downtime involved.

0 Helpful

ivanradevradev_
Level 1
Level 1

‎04-08-2019 04:30 AM

You gonna have some downtime. Event with import export features it is difficult to have 0 downtime migration. 

Once you start importing the policies to the new FMC, you need to associate the zones from you ACP rules with interfaces. This means you need to connect your FTDs before policy import. If you have identity policy, than you should do the integration before the policy import because ACP rules are using identities from external sources. 

NAT and routing are features without export functions. It is expected (but not pleasant) behavior. 

Since Firepower 6.3 FTD could be backuped. My suggestion is to create backup of the sensors with all the policies they have(routing, NAT, interface conf, flexconfig, etc), and then revert the backup from the new FMC. You cannot revert a backup of FMCv to FMC hardware, but FTD backup is just for the FTD, whatever is the FMC managing it. 

I suppose Edgar did this long time ago, but I am sharing my thought for the rest interested. 

And call TAC only you are facing an issue. If you need assistance for migration, than advanced services is the team you need. Or third party Firepower experts like me :P

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card