ASA to FTD Migration

feras.j.d
Level 1

Hello Community,

We are in the process of migrating our ASAs to FTDs and managing them through FMC, but we have noticed that the current "Cisco Firepower Migration Tool" just transforms the code as is, without any optimization or intelligence. For example, there might be duplicate lines in the policies, or lines that will never be reached. Is there any other tool we can use, given that we have FTD 4K and virtual FMC300?

Accepted Solution

oalkhatib
Level 1

Hi Feras,

Actually, you can utilize the Cisco Defense Orchestrator (CDO) migration tool, as it gives exactly what you need. You can use CDO just in the migration phase and then roll the FTD back to FMC for management. You can purchase the CDO subscription for a couple of months, as the price is relatively cheap.

https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide-CDO/ASA2FTD_Using_CDO/ASA2FTD_with_FP_Migration_Tool_cdo_chapter_0101.html

quoted from the link above:
---------
Resolve Network Object Issues
Start to optimize the security policies on your ASAs by resolving issues with network policy objects.
• Unused objects—CDO identifies network policy objects that exist in a device configuration but are not referenced by another object, an access-list, or a NAT rule. Find these unused objects and delete them.
• Duplicate objects—Duplicate objects are two or more objects on the same device with different names but the same values. These objects are usually created accidentally, serve similar purposes, and are used by different policies. Look for opportunities to standardize names while recognizing that some duplicates may exist for legitimate reasons.
• Inconsistent objects—Inconsistent objects are objects on two or more devices with the same name but different values. Sometimes users create objects in different configurations with same name and content but over time the values of these objects diverge which creates the inconsistency. Consider standardizing the values in these objects or renaming one to identify it as a different object.
--------


CDO is a very good option - even as an intermediate step as proposed here. It will also pick up shadowed rules.

An alternative I have used that will pick up unused objects and ACLs is the free config cleanup tool at tunnelsup.com.

https://www.tunnelsup.com/config-cleanup/

Not as full-featured as CDO but it's absolutely free - you don't even need to register.
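The three object checks quoted from the CDO guide in the accepted answer (unused and duplicate objects) and the shadowed-rule check mentioned in the reply above can be reproduced offline with a short script, which is useful for a sanity pass on an ASA `show running-config` before feeding it to the migration tool. The following is an added example written for this page; it is not code from Cisco, CDO, the Firepower Migration Tool or tunnelsup.com. It parses only a constructed subset of ASA syntax (network objects with `host`/`subnet` bodies, network object-groups, extended ACEs with an optional destination port, and NAT lines that name objects), the sample configuration embedded in it is constructed, and the shadowing test is a simplified containment check (an earlier ACE that is broader in protocol, port, source and destination), not the full ASA matching semantics.

```python
"""Offline lint for an ASA config: unused objects, duplicate objects, shadowed ACEs.
Added example for this thread; the config below is constructed and the ASA grammar
handled is a deliberately small subset (host/subnet objects, network object-groups,
extended ACEs with a destination port, NAT lines referencing objects by name)."""
import ipaddress
from collections import defaultdict

# Constructed sample configuration (not taken from the thread). It contains one
# duplicate object, one stale object, two ACEs hidden behind a broader ACE, and
# one ACE placed after a "deny ip any any".
SAMPLE_CONFIG = """\
object network WEB_SRV
 host 10.1.1.10
object network WEB_SRV_COPY
 host 10.1.1.10
object network DB_SRV
 host 10.1.2.20
object network STALE_HOST
 host 10.9.9.9
object network DMZ_NET
 subnet 10.1.1.0 255.255.255.0
object-group network WEB_GROUP
 network-object object WEB_SRV
access-list OUTSIDE_IN extended permit tcp any object DMZ_NET eq 443
access-list OUTSIDE_IN extended permit tcp any object WEB_SRV eq 443
access-list OUTSIDE_IN extended permit tcp any object-group WEB_GROUP eq 443
access-list OUTSIDE_IN extended deny ip any any
access-list OUTSIDE_IN extended permit tcp any object DB_SRV eq 1433
nat (inside,outside) source static DB_SRV DB_SRV
"""


def object_value(tok):
    """Turn an object body line ('host A' or 'subnet A MASK') into an ip_network."""
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32")
    if tok[0] == "subnet":
        return ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False)
    raise ValueError(f"unsupported object body: {' '.join(tok)}")


def take_addr(tok, i):
    """Consume one ASA address specifier at tok[i]; return ((kind, value), next index)."""
    if tok[i] in ("any", "any4"):
        return ("net", ipaddress.ip_network("0.0.0.0/0")), i + 1
    if tok[i] in ("object", "object-group"):
        return (tok[i], tok[i + 1]), i + 2
    if tok[i] == "host":
        return ("net", ipaddress.ip_network(tok[i + 1] + "/32")), i + 2
    return ("net", ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)), i + 2


def parse_config(text):
    """Return (objects, groups, aces-by-ACL, names referenced anywhere)."""
    objects, groups, aces, refs, nat_lines = {}, {}, defaultdict(list), set(), []
    current = None  # (kind, name) of the object / object-group block being filled
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if not line.startswith(" "):
            current = None  # unindented line closes any open object block
        if tok[:2] == ["object", "network"]:
            current = ("object", tok[2])
        elif tok[:2] == ["object-group", "network"]:
            current = ("object-group", tok[2])
            groups[tok[2]] = []
        elif current and current[0] == "object" and tok[0] != "description":
            objects[current[1]] = object_value(tok)
        elif current and current[0] == "object-group":
            member, _ = take_addr(tok, 1)  # 'network-object object X' / 'network-object host X'
            groups[current[1]].append(member)
            if member[0] != "net":
                refs.add(member[1])
        elif tok[0] == "access-list" and tok[2] == "extended":
            src, i = take_addr(tok, 5)
            dst, i = take_addr(tok, i)
            aces[tok[1]].append({"action": tok[3], "proto": tok[4], "src": src,
                                 "dst": dst, "port": " ".join(tok[i:])})
            refs.update(spec[1] for spec in (src, dst) if spec[0] != "net")
        elif tok[0] == "nat":
            nat_lines.append(tok)
    for tok in nat_lines:  # NAT lines name objects directly; match against known names
        refs.update(t for t in tok if t in objects or t in groups)
    return objects, groups, aces, refs


def unused_objects(objects, groups, refs):
    """Objects and groups that no group, ACE or NAT rule references (CDO 'unused')."""
    return sorted((set(objects) | set(groups)) - refs)


def duplicate_objects(objects):
    """Objects with different names but identical values (CDO 'duplicate')."""
    by_value = defaultdict(list)
    for name, value in objects.items():
        by_value[value].append(name)
    return sorted(sorted(names) for names in by_value.values() if len(names) > 1)


def resolve(spec, objects, groups):
    """Expand an address specifier into the list of networks it denotes."""
    kind, val = spec
    if kind == "net":
        return [val]
    if kind == "object":
        return [objects[val]]
    return [n for member in groups[val] for n in resolve(member, objects, groups)]


def covers(a, b, objects, groups):
    """True if ACE a matches every packet ACE b could match, so b is unreachable."""
    if a["proto"] != "ip" and a["proto"] != b["proto"]:
        return False
    if a["port"] and a["port"] != b["port"]:
        return False
    for field in ("src", "dst"):
        a_nets = resolve(a[field], objects, groups)
        b_nets = resolve(b[field], objects, groups)
        if not all(any(bn.subnet_of(an) for an in a_nets) for bn in b_nets):
            return False
    return True


def shadowed_aces(aces, objects, groups):
    """(acl, line, shadowing_line) with 1-based positions within each ACL."""
    found = []
    for acl, entries in aces.items():
        for i, later in enumerate(entries):
            for j in range(i):
                if covers(entries[j], later, objects, groups):
                    found.append((acl, i + 1, j + 1))
                    break
    return found


def lint(text):
    objects, groups, aces, refs = parse_config(text)
    return {"unused": unused_objects(objects, groups, refs),
            "duplicates": duplicate_objects(objects),
            "shadowed": shadowed_aces(aces, objects, groups)}


if __name__ == "__main__":
    for key, value in lint(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the constructed config this reports `STALE_HOST` and `WEB_SRV_COPY` as unused, `WEB_SRV`/`WEB_SRV_COPY` as duplicates, and ACL lines 2, 3 and 5 of `OUTSIDE_IN` as shadowed (by lines 1, 1 and 4). The "inconsistent objects" check from the CDO quote needs the configs of two or more devices; the same `parse_config` output for each device, compared by object name, gives it. Treat the shadowing output as a review list rather than an automatic delete list: the script ignores source ports, `inactive`, time ranges and `object-service` groups, any of which can make an apparently shadowed line live.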
