Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2059
Views
15
Helpful
5
Replies

ASA + fiepower to FTD

Go to solution
Mohammed Abdul Rahman
Level 1
Level 1

‎11-25-2017 07:41 AM - edited ‎02-21-2020 06:49 AM

Hi ALL,

 

I have to  migrate from Cisco ASA + Firepower (5585 ) to FTD 4110, can you please guide with me steps to follow. I didnot see any documentation to migrate the firepower polices to FTD , only ASA to FTD migration documentation available.

1 person had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Mohammed Abdul Rahman

‎11-25-2017 07:06 PM

If you're new to it and have been given the responsibility for migrating a 5585-X for FTD then you really should push for some training. That would be regarded as a pretty important migration with a lot of potential impact in any organization I've worked with. If they won't fund instructor-led training then look into any of the many fine free materials - Cisco Live presentation, labminutes.com, network-node.com, Youtube videos from the Cisco TMEs etc.

 

The policies all reside on the Firepower Management Center. They are deployed to sensors (ASA Firepower service module, FTD device or classic NGIPS appliance) from there. Which sensor gets which policy set depends on the selection made in your FMC as shown below:

 

FMC Policy Assignment.PNG

 

 

View solution in original post

Go to solution
pablo.costa
Level 1
Level 1

‎11-27-2017 04:03 AM

Hi,

This is a simple cenario. You just need to applay yours polices in your new device. The easiest way to do this is using Firepower Management Center.

Just use the same FAP ( Firepower Access Police ) In your new device. Select and applay.

There is some others configurations when you use Firepower new devices ( like NAT Polices, Qos Polices etc ).

If you need some help fell free to contact me.

best regards
Pablo Costa ( pablo.costa (at) hotmail.com )

 

( please mark as response this threat ;)

View solution in original post

5 Replies 5

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-25-2017 08:15 AM

The ASA-FTD migration guide and tool will take care of migrating most of the ASA running configuration.

 

Your Firepower Access Control policy (currently applied to the ASA 5585 Firepower module(s)) and its child policies can be used mostly as they are already configured - simply add the new FTD device as a target for those policies.

 

The whole process will need some good old fashioned human review of the source ASA configuration mappings to the destination FTD configuration -  section-by-section. There's no substitute for that.

Go to solution
Mohammed Abdul Rahman
Level 1
Level 1
In response to Marvin Rhoads

‎11-25-2017 08:30 AM

Hi MArvin,

 

Appreciate your reply, for the firepower to add FTD as destination . As per my requirement I will sunset / take out the old 5585 device now all the policies should be running on FTD4110.

 

As what I understand you mean I can copy all the firepower policies to FTD by adding the FTD IP address in the firepower of 5585. Is there any documentation ? Am a newbie to this FTD,Firepower

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Mohammed Abdul Rahman

‎11-25-2017 07:06 PM

If you're new to it and have been given the responsibility for migrating a 5585-X for FTD then you really should push for some training. That would be regarded as a pretty important migration with a lot of potential impact in any organization I've worked with. If they won't fund instructor-led training then look into any of the many fine free materials - Cisco Live presentation, labminutes.com, network-node.com, Youtube videos from the Cisco TMEs etc.

 

The policies all reside on the Firepower Management Center. They are deployed to sensors (ASA Firepower service module, FTD device or classic NGIPS appliance) from there. Which sensor gets which policy set depends on the selection made in your FMC as shown below:

 

FMC Policy Assignment.PNG

 

 

Go to solution
pablo.costa
Level 1
Level 1

‎11-27-2017 04:03 AM

Hi,

This is a simple cenario. You just need to applay yours polices in your new device. The easiest way to do this is using Firepower Management Center.

Just use the same FAP ( Firepower Access Police ) In your new device. Select and applay.

There is some others configurations when you use Firepower new devices ( like NAT Polices, Qos Polices etc ).

If you need some help fell free to contact me.

best regards
Pablo Costa ( pablo.costa (at) hotmail.com )

 

( please mark as response this threat ;)

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card