Adding an FTD with existing Config to an FMC

Smak231334
Level 1

Hi,

I have a pair of 2110 FTD firewalls in HA that are currently managed locally via FDM and have config (rules, routing) on them. I am required to add the FTD firewalls to an FMC, so they can be managed through the FMC. How do I move the configs (rules, routing etc.) on the firewalls to the FMC?

The only way I can think of doing this is to delete the configs from the FTD, add the FTD to the FMC and then re-add the configurations through the FMC, which will cause some downtime. Anyone know of any other way to get this done?

thanks

Accepted Solution

Marvin Rhoads
Hall of Fame

FMT (as suggested by @manabans) is the least disruptive way. You can get most everything moved over, but there will still be downtime. To minimize downtime, you could disconnect the data interfaces from the standby unit, break HA and then register it to FMC. You would then have a mostly blank 2110 registered to FMC while the remaining active unit has all the desired config. Then run FMT, with the former standby as the target device. Once you have everything on it, plan to cut over traffic to it and validate. Once validated, then add the former active unit to FMC and add it back into HA (now in the secondary role).

I would suggest getting your FMC and 2110s to 7.4.2.1 first (if you are not already running that current suggested release).

If anybody else wants to do this but does not need to retain the current configuration, it can now be done directly from within FDM:

https://www.cisco.com/c/en/us/td/docs/security/firepower/740/fdm/fptd-fdm-config-guide-740/fptd-fdm-system.html#Cisco_Task.dita_1fda6e84-11bf-4aa6-abbf-56c081e41692


2 Replies

manabans
Cisco Employee

The Secure Firewall migration tool converts supported FDM-managed device configurations to a supported Secure Firewall Threat Defense platform. The Secure Firewall migration tool allows you to automatically migrate the supported FDM-managed device features and policies to threat defense. You must manually migrate all unsupported features.
Source: https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide-fdm/fdm-to-threat-defense-using-the-migraton-tool/m-fdm-managed-device-to-threat-defense-workflow.html